Add logging support for ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME

[pmarkowsky]

Add full support for logging process suspend/resume events:

• updated the proto to add a ProcSuspendResume message with instigator, target, and Type enum
• updated enriched types and serializers
• updated the Telemetry map with a new key kProcSuspendResume
• updated notifier subscriptions to include the NOTIFY_PROC_SUSPEND_RESUME event
• updated metrics
• updated tests

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds support for a new PROC_SUSPEND_RESUME event across telemetry, ES mapping, enrichment, protobuf, recorder subscription, serializers (BasicString/Protobuf/Empty), metrics, tests, and config/test fixtures.

Changes

Cohort / File(s)	Summary
Telemetry Mapping Source/common/TelemetryEventMap.h, Source/common/TelemetryEventMap.mm, Source/common/TelemetryEventMapTest.mm	Added TelemetryEvent::kProcSuspendResume, mapped "procsuspendresume", and translated ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME to the telemetry flag; updated tests.
Enriched Types Source/common/es/EnrichedTypes.h	Added EnrichedProcSuspendResume class and included it in the EnrichedType variant to carry instigator and optional target.
Enricher Source/common/es/Enricher.mm	Handled ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME in Enricher::Enrich(), enriching instigator and conditional target.
Protobuf Schema Source/common/santa.proto	Added ProcSuspendResume message and enum, and added proc_suspend_resume to SantaMessage oneof (tag 35).
EndpointSecurity Recorder Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm, Source/santad/EventProviders/SNTEndpointSecurityRecorderTest.mm	Subscribed to ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME and updated tests to expect the subscription and telemetry mapping.
Serializer Interface & Implementations Source/santad/Logs/EndpointSecurity/Serializers/Serializer.h, .../BasicString.h, .../BasicString.mm, .../Empty.h, .../Empty.mm, .../Protobuf.h, .../Protobuf.mm	Added pure-virtual SerializeMessage(const EnrichedProcSuspendResume&) and implemented serializers: BasicString (textual fields, conditional target info), Protobuf (message encoding and type mapping), Empty (no-op).
Serializer Tests Source/santad/Logs/EndpointSecurity/Serializers/BasicStringTest.mm, .../ProtobufTest.mm	Added tests for serializing PROC_SUSPEND_RESUME for BasicString and Protobuf paths, and test helpers/fixtures updates.
Metrics Source/santad/Metrics.mm	Added kEventTypeNotifyProcSuspendResume and mapped ES event to the string.
Config / Docs docs/src/lib/santaconfig.ts	Added "ProcSuspendResume" to telemetry possibleValues.
Test Fixtures Source/santad/testdata/protobuf/v4/.../v8/.../proc_suspend_resume.json	Added v4–v8 protobuf JSON fixtures describing instigator/target suspend events.

Sequence Diagram(s)

sequenceDiagram
    participant ES as EndpointSecurity
    participant Rec as SNTEndpointSecurityRecorder
    participant Enr as Enricher
    participant Ser as Serializer
    participant Sink as Telemetry/Storage

    ES->>Rec: notify ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME
    Rec->>Enr: forward raw ES Message
    Enr->>Enr: enrich instigator (and optional target)
    Enr->>Ser: Serialize EnrichedProcSuspendResume
    Ser->>Sink: emit bytes (log/protobuf/telemetry)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Move ES library wrappers to Source/common/es/ #853 — modifies EndpointSecurity enriched types and enricher sources; likely related to enriched-type handling and refactors touched by this PR.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: adding logging support for the ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME event type.
Description check	✅ Passed	The description is directly related to the changeset, outlining the main components updated (proto, enriched types, serializers, telemetry map, subscriptions, metrics, and tests).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

Source/common/TelemetryEventMapTest.mm (1)

115-115: Add config-key coverage for ProcSuspendResume too.

Great that ES mapping is tested; please also add a TelemetryConfigToBitmask case for the new string key so both mapping paths are covered.

✅ Suggested test addition

   std::map<std::string_view, TelemetryEvent> eventNameToMask = {
       {"ExeCUTion", TelemetryEvent::kExecution},
@@
       {"LaunchItem", TelemetryEvent::kLaunchItem},
       {"TCCModification", TelemetryEvent::kTCCModification},
       {"XProtect", TelemetryEvent::kXProtect},
+      {"ProcSuspendResume", TelemetryEvent::kProcSuspendResume},

       // special cases
       {"none", TelemetryEvent::kNone},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Source/common/TelemetryEventMapTest.mm` at line 115, Add a unit test case to
cover the config-key path for the new ProcSuspendResume mapping: add a
TelemetryConfigToBitmask test that uses the string key corresponding to
TelemetryEvent::kProcSuspendResume (the same key added for
ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME) and assert the returned bitmask
includes the TelemetryEvent::kProcSuspendResume bit; update or add the test in
TelemetryEventMapTest to exercise TelemetryConfigToBitmask with that string key
so both mapping paths (ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME ->
TelemetryEvent::kProcSuspendResume and config-key ->
TelemetryEvent::kProcSuspendResume) are covered.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Source/common/TelemetryEventMapTest.mm`:
- Line 115: Add a unit test case to cover the config-key path for the new
ProcSuspendResume mapping: add a TelemetryConfigToBitmask test that uses the
string key corresponding to TelemetryEvent::kProcSuspendResume (the same key
added for ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME) and assert the returned
bitmask includes the TelemetryEvent::kProcSuspendResume bit; update or add the
test in TelemetryEventMapTest to exercise TelemetryConfigToBitmask with that
string key so both mapping paths (ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME ->
TelemetryEvent::kProcSuspendResume and config-key ->
TelemetryEvent::kProcSuspendResume) are covered.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d3f1d642-22be-462a-a0cc-7cd0f8954c82

📥 Commits

Reviewing files that changed from the base of the PR and between 41e4ca0 and 6810219.

📒 Files selected for processing (17)

• Source/common/TelemetryEventMap.h
• Source/common/TelemetryEventMap.mm
• Source/common/TelemetryEventMapTest.mm
• Source/common/es/EnrichedTypes.h
• Source/common/es/Enricher.mm
• Source/common/santa.proto
• Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm
• Source/santad/EventProviders/SNTEndpointSecurityRecorderTest.mm
• Source/santad/Logs/EndpointSecurity/Serializers/BasicString.h
• Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm
• Source/santad/Logs/EndpointSecurity/Serializers/Empty.h
• Source/santad/Logs/EndpointSecurity/Serializers/Empty.mm
• Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.h
• Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm
• Source/santad/Logs/EndpointSecurity/Serializers/Serializer.h
• Source/santad/Metrics.mm
• docs/src/lib/santaconfig.ts

[coderabbitai]

🧹 Nitpick comments (1)

Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm (1)

1568-1579: Consider adding fixture coverage for nullable target and another type variant.

This test validates only TYPE_SUSPEND with a populated target. Adding at least one target = NULL case and one non-suspend type would better lock in the new serializer branches.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm` around lines
1568 - 1579, The current test testSerializeMessageProcSuspendResume only covers
ES_PROC_SUSPEND_RESUME_TYPE_SUSPEND with a non-null target; add coverage for the
serializer branches by adding at least two additional cases: one where
esMsg->event.proc_suspend_resume.target = NULL and one where
esMsg->event.proc_suspend_resume.type is set to a non-suspend variant (e.g.,
ES_PROC_SUSPEND_RESUME_TYPE_RESUME or another enum value) and then call the same
helper ([self serializeAndCheckEvent:messageSetup:]) to assert correct
serialization for those paths; locate the test helper usages and es_msg
population in testSerializeMessageProcSuspendResume to copy the pattern and
create the new test methods (or parametrized subcases) validating null target
and alternate type handling.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm`:
- Around line 1568-1579: The current test testSerializeMessageProcSuspendResume
only covers ES_PROC_SUSPEND_RESUME_TYPE_SUSPEND with a non-null target; add
coverage for the serializer branches by adding at least two additional cases:
one where esMsg->event.proc_suspend_resume.target = NULL and one where
esMsg->event.proc_suspend_resume.type is set to a non-suspend variant (e.g.,
ES_PROC_SUSPEND_RESUME_TYPE_RESUME or another enum value) and then call the same
helper ([self serializeAndCheckEvent:messageSetup:]) to assert correct
serialization for those paths; locate the test helper usages and es_msg
population in testSerializeMessageProcSuspendResume to copy the pattern and
create the new test methods (or parametrized subcases) validating null target
and alternate type handling.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7da61dab-81f7-4c26-a137-9322f5d4869b

📥 Commits

Reviewing files that changed from the base of the PR and between 83cf58c and df078dd.

📒 Files selected for processing (9)

• Source/common/TelemetryEventMapTest.mm
• Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm
• Source/santad/Logs/EndpointSecurity/Serializers/BasicStringTest.mm
• Source/santad/Logs/EndpointSecurity/Serializers/ProtobufTest.mm
• Source/santad/testdata/protobuf/v4/proc_suspend_resume.json
• Source/santad/testdata/protobuf/v5/proc_suspend_resume.json
• Source/santad/testdata/protobuf/v6/proc_suspend_resume.json
• Source/santad/testdata/protobuf/v7/proc_suspend_resume.json
• Source/santad/testdata/protobuf/v8/proc_suspend_resume.json

✅ Files skipped from review due to trivial changes (6)

• Source/santad/testdata/protobuf/v8/proc_suspend_resume.json
• Source/santad/testdata/protobuf/v5/proc_suspend_resume.json
• Source/santad/testdata/protobuf/v7/proc_suspend_resume.json
• Source/santad/testdata/protobuf/v4/proc_suspend_resume.json
• Source/santad/testdata/protobuf/v6/proc_suspend_resume.json
• Source/santad/Logs/EndpointSecurity/Serializers/BasicString.mm

🚧 Files skipped from review as they are similar to previous changes (1)

• Source/common/TelemetryEventMapTest.mm