- What: New network visibility feature for Falcon macOS Sensor
- Impact: Enhances threat detection and process behavior monitoring for macOS endpoints
Enhanced Network Visibility: A Dive into the Falcon macOS Sensor's New Capabilities

March 11, 2026 | Ash Leslie - Colton Terrace - Chris Kent | Endpoint Security & XDR

The much-anticipated Enhanced Network Visibility feature for macOS is now generally available in sensor version 7.29 or later. This new capability provides insight and improved visibility into network traffic occurring on macOS endpoints, creating a more sophisticated and comprehensive model of process behavior.

In this blog, we provide an in-depth overview of this new capability. We showcase detection enablement and numerous threat hunting applications, now enabled by Enhanced Network Visibility for macOS, and dive into new network capabilities built to empower threat hunters and detection teams against threat actor activity.

What Is Enhanced Network Visibility?

Enhanced network visibility supplements process activity monitoring with attributes derived from the contents of network traffic. Moving beyond basic network address and port data, this enhanced monitoring identifies specific application protocols, analyzes TLS (encrypted) traffic characteristics, and examines plaintext HTTP traffic attributes, further enriching the robust data set the Falcon sensor provides.

This capability leverages the latest Apple-native content filter APIs to enable enhanced network visibility with the least possible impact on network performance. The content filter API allows the sensor to intercept the least amount of data possible, allowing data for a network flow to bypass interception completely once the traffic has been identified.
This targeted approach offers significant efficiency advantages over packet-based inspection methods, minimizing system impact while maximizing detection capabilities. It is an opt-in feature, so customers choose whether to enable it within their environments.

One of the new exciting features is the integration of JA4 fingerprinting (ref: https://foxio.io/). JA4 provides a summarized representation, or "signature," of the capabilities and configuration of a specific TLS client library. This signature is derived from the TLS "client hello" packet, the first step in establishing a secure connection. JA4 can be used to differentiate between otherwise indistinguishable TLS connections, and can provide evidence of proxying if a single process exhibits several unique signatures. JA4 was designed by FoxIO to replace JA3, which is not compatible with the randomized reordering of TLS client extensions employed by modern browsers and bots.

Supported Protocols

At launch, Enhanced Network Visibility will support parsing of plaintext HTTP requests and responses and TLS client hello packets. Additionally, the feature will identify the use of HTTP, TLS, SOCKS4/5, Wireguard, SSH, SMB, VNC, ARD, and DNS on any network port, emitting an AppProtocolDetected event when a process makes use of one of these protocols. Proxy visibility is also supported.

| Protocol | AppProtocol Value | Capability | Description |
| --- | --- | --- | --- |
| HTTP 1.x | 110 | Identify & Inspect | Plaintext HTTP requests and responses |
| TLS | 102 | Identify & Inspect | TLS client hello (client session establishment) |
| SOCKS4, SOCKS5 | 104 | Identify & Inspect | Traffic encapsulated within a SOCKS4 or SOCKS5 proxy is supported transparently |
| Wireguard | 105 | Identify | Wireguard VPN |
| SSH | 108 | Identify | Secure shell |
| SMB | 112 | Identify | File sharing |
| VNC, ARD | 107 | Identify | Apple Remote Desktop (ARD) or VNC screen sharing |
| QUIC | 103 | Identify | IETF QUIC (and HTTP/3) traffic. Encrypted, but can process the embedded TLS client hello. |
| DNS | 100 | Identify & Inspect | Domain Name System |

New CrowdStrike Falcon Next-Gen SIEM Events

#event_simpleName=HttpRequest

This event contains the request type, URL, headers, and body of a plaintext HTTP request. New interesting key/value pairs for this event are outlined below:

#event_simpleName=HttpResponse

This event contains the response code and headers of a plaintext HTTP response. New interesting key/value pairs for this event are outlined below:

#event_simpleName=TlsClientHello

This event contains information derived from the client side of a TLS client connection establishment, including the server name indication value (SNI), next protocol (ALPN), and the JA3 and JA4 client fingerprints. New interesting key/value pairs for this event are outlined below:

#event_simpleName=AppProtocolDetected

This event contains the network protocol in use that has been identified. It supplements host/port information provided by existing network-based telemetry, including NetworkConnect, NetworkAccept, etc. New interesting key/value pairs for this event are outlined below:

How to Enable macOS Enhanced Network Visibility

To enable this feature, navigate to the Mac Prevention Policies and configure an existing policy, or create a new policy, with the "Enhanced Network Visibility" toggle enabled ([US-1] [US-2] [EU]).

Figure 1. Enhanced Network Visibility toggle

Threat Hunting Examples

Threat hunting is by nature designed to surface activity that is interesting or suspicious, and with further refinement can lead to the creation of detections to alert on the activity if observed again. CrowdStrike Falcon® Next-Gen SIEM provides this capability via an easy single-click button that guides the user through the conversion of the Falcon Next-Gen SIEM search query into a Falcon Next-Gen SIEM detection rule.

Figure 2. Create rule single-click functionality

The following Falcon Next-Gen SIEM Advanced Event Search queries are provided to empower customers to hunt for abnormal activity and create detections relevant to their threat models. Please note, in the following searches, the generated "GraphExplorer" URL is for US-1 customers. For US-2 and EU-based customers, please modify the URL to be "https://falcon.us-2.crowdstrike.com" and "https://falcon.eu-1.crowdstrike.com" as required.

Hunting for ClickFix and Abnormal LOLBIN Activity

Let's take a look at a recently reported ClickFix sample. What we see here is a common methodology to lure victims into downloading malicious payloads.

Figure 3. ClickFix social engineering example

First, the user is socially engineered into copying and executing a malicious shell script in the terminal. This shell script reaches out to a URL and pipes the contents straight into another shell. The second shell script, once passed through some decoding routines, executes malicious instructions telling curl to reach out to another URL (which contains malicious AppleScript) and pass the contents straight into osascript for further execution. If allowed to continue this far, the AppleScript undertakes relatively standard host reconnaissance, resulting in downloading and executing an infostealer Mach-O binary.

Common HTTP URL Structure

First, we can hunt for the common URL and HttpPath structure that is observed in the various HTTP requests during the delivery of the shell scripts and AppleScript payloads.

```
#event_simpleName="HttpRequest" event_platform=Mac HttpPath=/(?:build|dynamic\?)txd\=/i
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, HttpPath, HttpHost, CommandLine, ImageFileName], limit=20000)
| sort(cid, limit=20000)
```

We can also hunt for the UserAgent string "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" observed by curl in this attack chain.

```
#event_simpleName="HttpRequest" event_platform=Mac ImageFileName=/curl/ HttpUserAgent=/AppleWebKit\/537\.36/
| format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
| table([@timestamp, aid, GraphExplorer, HttpUserAgent, HttpPath, HttpHost, CommandLine, ImageFileName], limit=20000)
| sort(cid, limit=20000)
```

LOLBIN Activity Chain

A commonly observed pattern of activity with the "ClickFix" style of social engineering and infostealer delivery is the use of living off the land binaries (LOLBINs) to download binaries (via curl), remove the quarantine attribute (via xattr) and set the binary as executable (via chmod). We can hunt for this sequence within Falcon Next-Gen SIEM using a combination of the newly provided network telemetry and existing process-related data, using the former to enrich the latter. The Falcon LogScale function "correlate" allows us to define a set of requirements (similar to subsearches), which we can use to identify the usage of the common LOLBINs and suspicious network traffic within a set time frame across a single endpoint, providing us with a curated data set of possible attacker activity that may indicate malicious payloads arriving in our environments.

```
event_platform=Mac
| correlate(
    Macho_Written: {
      #event_simpleName="MachOFileWritten"
      | format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
    } include: [ContextBaseFileName, TargetFileName, ContextProcessId, GraphExplorer],
    Curl_HttpRequest: {
      #event_simpleName=HttpRequest FileName=curl
      | format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "ContextProcessId"], as=GraphExplorer)
    } include: [ImageFileName, CommandLine, HttpHost, HttpPath, ContextProcessId, GraphExplorer],
    Remove_Quarantine: {
      #event_simpleName=ProcessRollup2 FileName=xattr
      | format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
    } include: [FileName, CommandLine, TargetProcessId, GraphExplorer],
    Add_chmod: {
      #event_simpleName=ProcessRollup2 FileName=chmod
      | format("[GraphExplorer](https://falcon.crowdstrike.com/graphs/process-explorer/tree?id=pid:%s:%s)", field=["aid", "TargetProcessId"], as=GraphExplorer)
    } includ
```
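To make the correlation logic of the LOLBIN chain hunt concrete outside the SIEM, here is an added Python model of it (example code written for this post, not CrowdStrike's query engine or any Falcon code). It groups events by endpoint, anchors on each curl HttpRequest, and requires the MachOFileWritten, xattr and chmod stages within one time window, then tags the anchor with the two HttpRequest indicators from the earlier hunts (the HttpPath pattern and the browser User-Agent sent by curl). The event and field names follow the post; the hosts, timestamps, domains and command lines are constructed samples.

```python
"""Offline model of the LOLBIN chain hunt (added example; not CrowdStrike's query engine or code).
Mirrors what the correlate() query above asks for: on one endpoint (aid) and within one time window,
a curl HttpRequest, a MachOFileWritten, an xattr execution and a chmod execution. Event and field
names follow the post; the events themselves are constructed samples."""
import re
from datetime import datetime, timedelta

CLICKFIX_PATH = re.compile(r"(?:build|dynamic\?)txd=", re.IGNORECASE)   # HttpPath hunt from the post
CURL_BROWSER_UA = re.compile(r"AppleWebKit/537\.36")                      # UserAgent hunt from the post

STAGES = {                                      # the four correlate() sub-queries, as predicates
    "Curl_HttpRequest": lambda e: e["event_simpleName"] == "HttpRequest" and e.get("FileName") == "curl",
    "Macho_Written": lambda e: e["event_simpleName"] == "MachOFileWritten",
    "Remove_Quarantine": lambda e: e["event_simpleName"] == "ProcessRollup2" and e.get("FileName") == "xattr",
    "Add_chmod": lambda e: e["event_simpleName"] == "ProcessRollup2" and e.get("FileName") == "chmod",
}


def clickfix_indicators(http_event):
    """Flags from the two HttpRequest hunts in the post: path pattern and a browser UA sent by curl."""
    flags = []
    if CLICKFIX_PATH.search(http_event.get("HttpPath", "")):
        flags.append("clickfix_path")
    if CURL_BROWSER_UA.search(http_event.get("HttpUserAgent", "")):
        flags.append("curl_browser_useragent")
    return flags


def find_lolbin_chains(events, window=timedelta(minutes=5)):
    """Return one hit per endpoint on which all four stages occur within `window` of a curl request."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["aid"], []).append(e)
    hits = []
    for aid, evs in by_host.items():
        evs.sort(key=lambda e: e["@timestamp"])
        for anchor in (e for e in evs if STAGES["Curl_HttpRequest"](e)):
            t0 = datetime.fromisoformat(anchor["@timestamp"])
            in_window = [e for e in evs if t0 <= datetime.fromisoformat(e["@timestamp"]) <= t0 + window]
            stages = {name: next((e for e in in_window if pred(e)), None) for name, pred in STAGES.items()}
            if all(stages.values()):
                hits.append({"aid": aid, "start": anchor["@timestamp"], "stages": stages,
                             "clickfix_indicators": clickfix_indicators(anchor)})
                break                           # one hit per endpoint is enough for triage
    return hits


def ev(name, aid, ts, **fields):                # small constructor for the sample telemetry below
    return {"event_simpleName": name, "aid": aid, "@timestamp": ts, **fields}


SAMPLE_EVENTS = [
    # host-A: the full ClickFix-style chain within seconds of the download
    ev("HttpRequest", "host-A", "2026-03-11T10:00:00", FileName="curl", HttpHost="cdn.example.test",
       HttpPath="/dynamic?txd=abc", CommandLine="curl -s https://cdn.example.test/dynamic?txd=abc -o /tmp/Update",
       HttpUserAgent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"),
    ev("MachOFileWritten", "host-A", "2026-03-11T10:00:02", ContextBaseFileName="curl", TargetFileName="/tmp/Update"),
    ev("ProcessRollup2", "host-A", "2026-03-11T10:00:05", FileName="xattr", CommandLine="xattr -d com.apple.quarantine /tmp/Update"),
    ev("ProcessRollup2", "host-A", "2026-03-11T10:00:06", FileName="chmod", CommandLine="chmod +x /tmp/Update"),
    # host-B: a developer fetching a script with curl and marking it executable; no xattr, no Mach-O write
    ev("HttpRequest", "host-B", "2026-03-11T11:00:00", FileName="curl", HttpHost="pkgs.example.test",
       HttpPath="/tool.sh", HttpUserAgent="curl/8.4.0", CommandLine="curl -O https://pkgs.example.test/tool.sh"),
    ev("ProcessRollup2", "host-B", "2026-03-11T11:00:30", FileName="chmod", CommandLine="chmod +x tool.sh"),
    # host-C: all four stages, but spread over 55 minutes
    ev("HttpRequest", "host-C", "2026-03-11T12:00:00", FileName="curl", HttpHost="files.example.test",
       HttpPath="/app.bin", HttpUserAgent="curl/8.4.0", CommandLine="curl -o /tmp/app https://files.example.test/app.bin"),
    ev("MachOFileWritten", "host-C", "2026-03-11T12:10:00", ContextBaseFileName="curl", TargetFileName="/tmp/app"),
    ev("ProcessRollup2", "host-C", "2026-03-11T12:40:00", FileName="xattr", CommandLine="xattr -c /tmp/app"),
    ev("ProcessRollup2", "host-C", "2026-03-11T12:55:00", FileName="chmod", CommandLine="chmod 755 /tmp/app"),
]

if __name__ == "__main__":
    for hit in find_lolbin_chains(SAMPLE_EVENTS):
        print(hit["aid"], hit["start"], hit["clickfix_indicators"],
              [s["CommandLine"] for s in hit["stages"].values() if "CommandLine" in s])
```

With the default five-minute window only host-A is reported, with both HttpRequest indicators set; host-B never writes a Mach-O or touches xattr, and host-C only matches when the window is widened to an hour, which is the knob that trades false negatives for analyst noise in the real correlate() query as well.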
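The JA4 fingerprint carried in the TlsClientHello event, described earlier in the post, is worth seeing computed end to end, so here is an added Python implementation of FoxIO's published JA4 layout (example code written for this post, not CrowdStrike's or FoxIO's code). It parses a ClientHello record, drops GREASE values, takes the TLS version from supported_versions, the SNI flag, cipher and extension counts and the ALPN characters for JA4_a, then hashes the sorted cipher list (JA4_b) and the sorted extension list plus signature algorithms in wire order (JA4_c). The ClientHello bytes, the hostname and the cipher and extension choices are constructed here for the demo; no real client produced them.

```python
"""JA4 client fingerprint from a TLS ClientHello (added example; not CrowdStrike's or FoxIO's code).
Follows FoxIO's published JA4 layout: JA4 = JA4_a + "_" + JA4_b + "_" + JA4_c. The ClientHello
bytes are constructed in this file so the script runs offline."""
import hashlib
import struct

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}          # 0x0a0a, 0x1a1a, ..., 0xfafa
TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10",
                0x0300: "s3", 0x0002: "s2", 0x0001: "s1"}


def _u16(data, off=0):
    return struct.unpack_from(">H", data, off)[0]


def _u16s(data):
    """Split a byte string into big-endian 16-bit values (cipher suites, versions, sigalgs)."""
    return [_u16(data, i) for i in range(0, len(data) - 1, 2)]


def parse_client_hello(record):
    """Return (legacy_version, cipher suites, [(ext_type, ext_body), ...]) from one TLS record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    off = 9                                     # record header (5) + handshake header (4)
    version = _u16(record, off); off += 2
    off += 32 + 1 + record[off + 32]            # client random, then session id
    cs_len = _u16(record, off); off += 2
    ciphers = _u16s(record[off:off + cs_len]); off += cs_len
    off += 1 + record[off]                      # compression methods
    end = off + 2 + _u16(record, off); off += 2
    extensions = []
    while off < end:
        etype, elen = _u16(record, off), _u16(record, off + 2)
        extensions.append((etype, record[off + 4:off + 4 + elen])); off += 4 + elen
    return version, ciphers, extensions


def _alpn_code(proto):
    """First and last character of the first ALPN value; hex digits when not alphanumeric."""
    if not proto:
        return "00"
    if all(b < 128 and chr(b).isalnum() for b in (proto[0], proto[-1])):
        return chr(proto[0]) + chr(proto[-1])
    return proto.hex()[0] + proto.hex()[-1]


def hash12(s):
    return hashlib.sha256(s.encode()).hexdigest()[:12] if s else "000000000000"  # empty -> all zeros


def ja4_raw(record, transport="t"):
    """Return (JA4_a, JA4_b raw, JA4_c raw); transport is 't' for TCP, 'q' for QUIC."""
    version, ciphers, extensions = parse_client_hello(record)
    ciphers = [c for c in ciphers if c not in GREASE]
    exts = [(t, b) for t, b in extensions if t not in GREASE]
    ext_map = dict(exts)
    if 0x002b in ext_map:                       # supported_versions: highest offered, ignoring GREASE
        body = ext_map[0x002b]
        version = max((v for v in _u16s(body[1:1 + body[0]]) if v not in GREASE), default=version)
    sni = "d" if 0x0000 in ext_map else "i"     # 'd' when a domain SNI is present, else 'i'
    alpn = _alpn_code(ext_map[0x0010][3:3 + ext_map[0x0010][2]]) if 0x0010 in ext_map else "00"
    ja4_a = (f"{transport}{TLS_VERSIONS.get(version, '00')}{sni}"
             f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn}")
    ja4_b = ",".join(f"{c:04x}" for c in sorted(ciphers))
    ja4_c = ",".join(f"{t:04x}" for t in sorted(t for t, _ in exts if t not in (0x0000, 0x0010)))
    if 0x000d in ext_map:                       # signature_algorithms, kept in wire order
        body = ext_map[0x000d]
        ja4_c += "_" + ",".join(f"{s:04x}" for s in _u16s(body[2:2 + _u16(body)]))
    return ja4_a, ja4_b, ja4_c


def ja4(record, transport="t"):
    a, b, c = ja4_raw(record, transport)
    return f"{a}_{hash12(b)}_{hash12(c)}"


def build_client_hello(hello_version, ciphers, extensions):
    """Wrap fields in a ClientHello handshake + TLS record (constructed input, not a captured one)."""
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    exts = b"".join(struct.pack(">HH", t, len(b)) + b for t, b in extensions)
    body = (struct.pack(">H", hello_version) + bytes(32) + b"\x00"      # version, random, no session id
            + struct.pack(">H", len(cs)) + cs + b"\x01\x00"              # ciphers, null compression
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def _u16_list(values, len_bytes=2):              # length-prefixed list of 16-bit values
    data = b"".join(struct.pack(">H", v) for v in values)
    return len(data).to_bytes(len_bytes, "big") + data


def _alpn(*protos):                              # length-prefixed list of length-prefixed names
    entries = b"".join(bytes([len(p)]) + p.encode() for p in protos)
    return struct.pack(">H", len(entries)) + entries


SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f],                        # GREASE cipher first
    [(0x1a1a, b""),                                                          # GREASE extension
     (0x0000, struct.pack(">HBH", 14, 0, 11) + b"example.com"),              # server_name
     (0x0017, b""),                                                          # extended_master_secret
     (0x000d, _u16_list([0x0403, 0x0804, 0x0401])),                          # signature_algorithms
     (0x0010, _alpn("h2", "http/1.1")),                                      # ALPN
     (0x002b, _u16_list([0x0a0a, 0x0304, 0x0303], len_bytes=1)),             # supported_versions
     (0x000a, _u16_list([0x001d, 0x0017]))])                                 # supported_groups

if __name__ == "__main__":
    print("JA4:", ja4(SAMPLE_HELLO), " raw:", "_".join(ja4_raw(SAMPLE_HELLO)))
```

For the constructed hello the JA4_a part is t13d0506h2: TCP, TLS 1.3 from supported_versions, SNI present, five non-GREASE ciphers, six non-GREASE extensions, ALPN h2. Because JA4_b and JA4_c are built from sorted lists, a client that shuffles extension order between connections still yields one fingerprint per process, which is exactly why the post's proxy heuristic (several distinct JA4 values from a single process) works where JA3 did not.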