Support for FAA policies that check process parent / ancestry

[craigjbass]

Summary

Distinguish legitimate threat hunting activity from living off the land attacks

Description

Microsoft Defender allows system administrators / threat hunting teams to execute e.g. system python scripts to gather intelligence from devices. These scripts have a parent of wdavdaemon_enterprise which is code signed.

We'd like to be able to configure a policy to allow python to execute in this manner if it is owned by wdavdaemon_enterprise.

Suggestion is to allow FAA policies that support matching rules on https://developer.apple.com/documentation/endpointsecurity/es_process_t/parent_audit_token

[pmarkowsky]

First off thanks for the FR.

To make sure I understand, what you're asking you'd like to control file accesses based on the parent process, correct?

For executions we'll be supporting a similar feature for executions by exposing ancestors to the CEL context when using Workshop in 2026.2.

I assume you'd at least a similar match on parent process using all the same identifiers e.g. signing ID, teamID, name, etc. The idea being you'd be able to specify your policy as parent.signing_id == "UBF8T346G9:<wdavedaemon_enterprise's signingID>

I don't think the parent audit token would be a good fit here for policies as it's tied to a specific execution.

[craigjbass]

Yes that’s correct.

Not sure what you mean, is there macOS side caching?

[craigjbass]

Ah, I completely understood the nature of the audit token, I had assumed it would expose parent process code signing signatures in a safe way.

Are you planning to create a safe lookup component so that it's possible to resolve parent code signatures in 2026.2 ?