How to Monitor and Correlate File Upload/Download and Modification Events on macOS?
0 votes · 0 answers · 18 views
I want to know if there is any way to log events for every file upload, download, creation, modification (including create, edit, delete), and transfer/sharing on macOS — regardless of whether these events occur in browsers or other applications. My goal is to identify which file was uploaded or downloaded, and if possible, determine the destination or source URL for network transfers, despite encryption (HTTPS).
I understand that getting a foolproof solution might not be feasible using a single method, and I'm open to combining several approaches. I prefer not to use a proxy-based solution because:
- A proxy can interfere with existing services if one is already running on the host.
- Proxies can add inefficiency and performance overhead.
- I do not need to block events; I only want to monitor and log them.
I have considered these options:
1. **Audit Logs / OpenBSM:**
Using the macOS audit framework to log file system events (file creations, modifications, deletions) is one possibility. This can capture low-level file operations, but it does not directly correlate file operations with network upload or download events.
2. **Endpoint Security Framework (ESF):**
ESF can observe system events such as file accesses and process activities. While it can efficiently log file events, an inherent challenge is to correlate these system-level events with network-level events (i.e. to determine which file has been uploaded, and *where* — the URL or hostname).
3. **Dynamic Instrumentation / Hooking:**
Hooking network system calls (or even HTTPS library functions such as SSL_write) using tools like Frida could capture plaintext data before encryption. However, this raises challenges:
- Handling different network libraries (SecureTransport vs. OpenSSL).
- Ensuring reliability in capturing HTTP/HTTPS uploads.
- Accurately correlating intercepted network data with file system activity.
**Primary Challenges:**
- **Correlating Files with Network Uploads:**
I need to not only log when a file operation occurs locally but also determine the corresponding network event (for instance, an HTTP POST request to an upload URL) that transfers the file.
- **Handling Encrypted Traffic:**
Most modern browsers use HTTPS by default. Intercepting such traffic to extract payload details (like file names) involves overcoming challenges in TLS decryption, which is non-trivial without proxying or in-depth instrumentation.
**My Question:**
Is there a unified or combined approach to monitor and correlate file system events (uploads/downloads, modifications) with the network requests that represent those file transfers on modern macOS (e.g., macOS Sequoia 15.4.1)? In essence, how do I:
- Log detailed file events (creation, modification, deletion) using the built-in macOS tools like the Audit Framework or Endpoint Security Framework?
- Correlate these file events with network activity (uploads/downloads) to determine which file was transferred to which website?
- Handle HTTPS-encrypted traffic to reliably extract the transfer details (e.g., target URL/hostname), without resorting to a proxy solution?
I would appreciate any insights, sample code, or references on how to achieve this using macOS-native mechanisms, dynamic instrumentation, or a combination of both approaches. Thanks in advance for your help!
Asked by Aayush Shah (133 rep), May 14, 2025, 05:14 AM
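The hardest part of the question is the correlation step, so here is an added example (not part of the original post, and not ESF or OpenBSM code) that shows the core of what a monitoring agent has to do once it has both kinds of event: join file events and network events on the process id inside a short time window, and treat a file read shortly before a connection as an upload candidate and a file created shortly after a connection as a download candidate. The newline-delimited JSON format and its field names (`ts`, `pid`, `proc`, `kind`, `path`, `host`) are assumptions for this example, standing in for whatever an ESF client or `eslogger`-style exporter would produce; the sample lines are constructed.

```python
"""Correlate per-process file events with network events by pid and time window.

Added example, not from the original post. The record format below is an
assumption: it is NOT the Endpoint Security or OpenBSM schema, just a minimal
newline-delimited JSON shape that a collector could export.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Dict

# Constructed sample events (one JSON object per line). pid 4242 is a browser
# that reads a document, then connects to an upload host; later it connects to
# a CDN and writes a new file into Downloads. pid 555 is an unrelated editor.
SAMPLE_LINES = [
    '{"ts": 90.0,  "pid": 4242, "proc": "Safari", "kind": "write",   "path": "/Users/me/Library/Caches/tmp1"}',
    '{"ts": 100.0, "pid": 4242, "proc": "Safari", "kind": "open",    "path": "/Users/me/Documents/report.pdf"}',
    '{"ts": 101.0, "pid": 555,  "proc": "TextEdit", "kind": "write", "path": "/Users/me/Desktop/notes.txt"}',
    '{"ts": 101.5, "pid": 4242, "proc": "Safari", "kind": "connect", "host": "upload.example.com"}',
    '{"ts": 200.0, "pid": 4242, "proc": "Safari", "kind": "connect", "host": "cdn.example.com"}',
    '{"ts": 200.8, "pid": 4242, "proc": "Safari", "kind": "create",  "path": "/Users/me/Downloads/installer.dmg"}',
]


@dataclass(frozen=True)
class Event:
    ts: float        # seconds (monotonic or epoch; must be the same clock for both sources)
    pid: int
    proc: str
    kind: str        # file: open/create/write/unlink ; network: connect
    path: str = ""   # set for file events
    host: str = ""   # set for network events (hostname or SNI, not a full URL)


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse NDJSON records into Event objects, sorted by timestamp."""
    events: List[Event] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(Event(ts=float(rec["ts"]), pid=int(rec["pid"]), proc=rec["proc"],
                            kind=rec["kind"], path=rec.get("path", ""), host=rec.get("host", "")))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event], window: float = 5.0) -> List[Dict[str, object]]:
    """Pair each 'connect' with same-pid file events within +/- window seconds.

    open  at most `window` s BEFORE a connect  -> "upload?"   (file was read, then sent)
    create/write at most `window` s AFTER it   -> "download?" (connection, then file landed)
    The pid join assumes pids are not reused inside the window; a production
    agent should key on (pid, process start time) or the ESF audit token instead.
    """
    file_events_by_pid: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        if e.kind != "connect":
            file_events_by_pid[e.pid].append(e)

    results: List[Dict[str, object]] = []
    for net in events:
        if net.kind != "connect":
            continue
        for fe in file_events_by_pid.get(net.pid, []):
            delta = fe.ts - net.ts          # negative: file event happened first
            if abs(delta) > window:
                continue
            if fe.kind == "open" and delta <= 0:
                direction = "upload?"
            elif fe.kind in ("create", "write") and delta >= 0:
                direction = "download?"
            else:
                continue                    # e.g. a write before a connect is not a transfer hint
            results.append({"proc": net.proc, "pid": net.pid, "host": net.host,
                            "path": fe.path, "direction": direction, "delta_s": round(delta, 2)})
    return results


def run_sample() -> List[Dict[str, object]]:
    """Run the correlation over the constructed sample and return the pairings."""
    return correlate(parse_events(SAMPLE_LINES))


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['proc']}[{r['pid']}] {r['direction']:10} {r['path']} <-> {r['host']} ({r['delta_s']:+}s)")
```

Two things the example makes visible that the monitoring layers alone do not: the join key has to be something stable across both sources (a bare pid is only adequate inside a short window), and the network side carries at best a hostname, because for HTTPS the request path and the multipart file name are inside the encrypted stream, so without a proxy or in-process instrumentation the output is "which process sent which file to which host", not "to which URL". Pairings are therefore labelled as candidates (`upload?` / `download?`) rather than facts, and tuning `window` trades false pairings against missed ones.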