
Events

The Events interface provides visibility into events across your Santa-protected fleet. This feature lets administrators track, analyze, and respond to binary executions throughout your organization.

Overview

The Events interface displays information about each execution event:

  • Host Name: The name of the endpoint where the event occurred
  • File Name: The name of the executed binary
  • Decision: Whether the execution was allowed or blocked
  • Reason: The reason for the decision
  • Timestamp: When the execution attempt occurred

Event Details

Clicking on a file name in the events table opens a detailed view with additional information about the binary:

  • SHA-256: The cryptographic hash of the binary
  • CDHash: The code directory hash used by macOS for code signing verification
  • Team ID: The Apple Developer Team ID associated with the binary
  • Signing ID: The signing identity used to sign the binary
  • Entitlements: A list of entitlements granted to the binary
  • First Seen: When this binary was first observed in your environment

Creating Rules from Event Details

From the event details page, you can create execution rules directly using the Create Rule dropdown. The dropdown lets you pick which identifier type to use (CDHash, Binary SHA-256, Signing ID, Certificate SHA-256, or Team ID) based on the event's binary.

Tip

Hold the Option key (macOS) or Alt key (Windows/Linux) while clicking a menu item to automatically scope the new rule to the host that generated the event. The dropdown shows a "Scoped to this host" indicator when the key is held.
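
Before creating a rule from an event, the identifiers on the event details page can be checked against the binary on the endpoint itself. The following is an added example, not part of the product or its documentation: it parses `codesign -dvvv` output and hashes the file, then reports which fields disagree. The sample output is constructed, the helper names are hypothetical, and the `<Team ID>:<identifier>` form of the Signing ID is an assumption about Santa's format.

```python
import hashlib
import re

# Constructed sample of `codesign -dvvv <path>` output; all values are placeholders.
SAMPLE_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (arm64)
CDHash=0123456789abcdef0123456789abcdef01234567
Authority=Developer ID Application: Example Corp (ABCDE12345)
TeamIdentifier=ABCDE12345
"""

def parse_codesign(output):
    """Collect key=value lines; the first occurrence of a key wins."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields

def local_identifiers(codesign_output, binary_bytes):
    """Return identifiers to compare with the event details page (hypothetical helper)."""
    f = parse_codesign(codesign_output)
    cdhash = f.get("CDHash", "").lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cdhash):
        cdhash = None  # unsigned binary or unexpected output
    team = f.get("TeamIdentifier")
    if team in (None, "", "not set"):  # codesign prints "not set" without a team
        team = None
    ident = f.get("Identifier")
    return {
        "SHA-256": hashlib.sha256(binary_bytes).hexdigest(),
        "CDHash": cdhash,
        "Team ID": team,
        # Assumption: Santa writes Signing IDs as "<Team ID>:<identifier>".
        "Signing ID": f"{team}:{ident}" if team and ident else None,
    }

def mismatches(local, event):
    """Names of fields where the endpoint and the event details disagree."""
    return sorted(k for k in local if k in event and local[k] != event[k])

if __name__ == "__main__":
    ids = local_identifiers(SAMPLE_CODESIGN, b"constructed file contents")
    for name, value in ids.items():
        print(f"{name}: {value}")
```

A non-empty result from `mismatches` means the file on disk is not the one the event recorded, so a rule built from that event would not apply to it.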