exec_fingerprint
Binds audit token bytes, child path, policy version, and ES global_seq_num so retries do not duplicate SIEM rows.
Export from Mac
mf export-siemWrites to /Users/Shared/macfirewall_soc_telemetry.ndjson.
Documentation
SIEM & audit
Visual pipeline from exec fingerprint to decision_hash and fleet APIs.
exec_fingerprint
DECIDE v2
policy_epoch
manifest_verdict
SHA-256
decision_hash
Pipe-delimited preimage → hex decision_hash embedded in governance events for SIEM replay
Fleet spine (enterprise)
POST /api/v1/spine/events accepts InstallEvent / ExecutionEvent batches. GET /api/v1/fleet/sync returns policy + control-decision tail. Bearer tokens: MF_SPINE_INGEST_TOKEN, MF_FLEET_SYNC_TOKEN (operator console).Ingest
POST /api/v1/spine/eventsSync
GET /api/v1/fleet/sync?tenant_id=&device_id=Running AI agents on Mac at scale? We'll tune policy with you.
Design partners →