Saved February 14, 2026
Do you care about this?
Santamon is a detection sidecar for Santa, the macOS binary authorization agent. It evaluates the Endpoint Security telemetry Santa already collects against CEL rules on the endpoint itself and ships only the resulting signals to a backend, so raw telemetry never leaves the host. It is aimed at home labs and small fleets and is still experimental.
If you do, here's more
Santamon is a lightweight detection sidecar designed for Santa, a macOS endpoint security tool. It processes Endpoint Security telemetry locally using CEL (Common Expression Language) rules, forwarding only the relevant detection signals to a backend server. This approach minimizes unnecessary data transfer since raw telemetry remains on the endpoint. Santamon targets home labs and small fleets, so users should expect some bugs and API changes during its early release phase.
Santamon's core features are local detection through CEL rules of three kinds: simple matching (a predicate over a single event), time-window correlation (several events from the same process within a bounded interval), and baseline detection (something observed for the first time on this host). It also tracks process lineage, so an execution signal can carry the full ancestry of the process that triggered it. State needed for correlation, deduplication and baselines lives in BoltDB, an embedded key-value store, which keeps the footprint to a single binary and a file rather than a database server. Because Santamon consumes Santa's output instead of subscribing to Endpoint Security itself, it needs none of the Apple-approved entitlements a custom ESF client would require; the trade-off is that its visibility is bounded by the event types Santa logs.
Data flows through a small pipeline: the Watcher monitors Santa's spool directory for newly written protobuf files, the Decoder parses them into events, and the Rules Engine evaluates each event against the configured CEL expressions. On a match, the Signal Generator builds a context-rich signal (the matching rule, the event, and the process lineage), which the Shipper forwards to the backend. Lineage comes from an in-memory cache of recent process executions; since it is in memory, ancestry for processes that started before Santamon is incomplete until a restart of those processes. Setup consists of configuring Santa to emit protobuf telemetry to a spool directory (Santa's EventLogType and SpoolDirectory settings) and pointing Santamon's configuration at the backend URL and API key; the config file holds that key, so it should be root-owned and not world-readable.
Rules are CEL expressions, which keeps detection logic declarative and sandboxed (CEL cannot loop unboundedly or call out to the system). A simple rule might flag curl or wget launched by a process with no controlling terminal; a correlation rule might flag a single process reading several distinct credential stores (SSH keys, cloud CLI credentials, keychains) within a short window; a baseline rule might flag the first execution of an unsigned binary under a user's home directory. Rules should be compiled and type-checked against the event schema before deployment, since a rule that fails to compile produces no signals rather than an error at detection time. A minimal FastAPI backend is included to receive and store the signals Santamon ships.
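As an added illustration that is not Santamon's own code, the following Go program sketches the three rule types described above running over a constructed event sequence. It stands in for CEL with plain Go predicates (no CEL library is used), keeps correlation and baseline state in maps rather than BoltDB, and attaches process lineage from an in-memory exec cache as the text describes. The event fields, rule names, credential-store list, 60-second window and threshold of three are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
	"time"
)

// Event is a constructed stand-in for one decoded Santa record (not Santa's schema).
// Kind is "exec" (Path = image executed) or "open" (Path = file read).
type Event struct {
	Time   time.Time
	Kind   string
	PID    int
	PPID   int
	Path   string
	TTY    bool // process had a controlling terminal, i.e. was interactive
	Signed bool // code signature present and valid, as Santa would report it
}

// Signal is the context-rich record a matched rule emits; raw events stay on the host.
type Signal struct {
	Rule    string
	PID     int
	Detail  string
	Lineage []string // executable paths from the acting process up through cached ancestors
}

type credHit struct {
	path string
	at   time.Time
}

// Engine holds the small amount of state the three rule types need (maps here; BoltDB in Santamon).
type Engine struct {
	procs      map[int]Event     // recent exec per PID: the process lineage cache
	credHits   map[int][]credHit // correlation state: distinct credential stores per PID
	sweepFired map[int]bool      // correlation fires once per process
	seen       map[string]bool   // baseline: unsigned user-path binaries already observed
	window     time.Duration
	threshold  int
}

func NewEngine(window time.Duration, threshold int) *Engine {
	return &Engine{procs: map[int]Event{}, credHits: map[int][]credHit{},
		sweepFired: map[int]bool{}, seen: map[string]bool{}, window: window, threshold: threshold}
}

// lineage walks the cache from pid to its ancestors; the depth bound guards against PID cycles.
func (e *Engine) lineage(pid int) []string {
	var chain []string
	for depth := 0; depth < 32; depth++ {
		p, ok := e.procs[pid]
		if !ok {
			break
		}
		chain = append(chain, p.Path)
		if p.PPID == 0 || p.PPID == pid {
			break
		}
		pid = p.PPID
	}
	return chain
}

// credentialStores is an assumed list of path fragments treated as credential material.
var credentialStores = []string{"/.ssh/", "/.aws/credentials", "/.gnupg/", "/Library/Keychains/"}

func isCredentialStore(path string) bool {
	for _, s := range credentialStores {
		if strings.Contains(path, s) {
			return true
		}
	}
	return false
}

// Evaluate applies all three rule types to one event and returns any signals produced.
func (e *Engine) Evaluate(ev Event) []Signal {
	var out []Signal
	switch ev.Kind {
	case "exec":
		e.procs[ev.PID] = ev
		// Simple match: curl or wget launched without a terminal.
		if base := filepath.Base(ev.Path); (base == "curl" || base == "wget") && !ev.TTY {
			out = append(out, Signal{"noninteractive_downloader", ev.PID, ev.Path, e.lineage(ev.PID)})
		}
		// Baseline: first execution of an unsigned binary under a user home directory.
		if !ev.Signed && strings.HasPrefix(ev.Path, "/Users/") && !e.seen[ev.Path] {
			e.seen[ev.Path] = true
			out = append(out, Signal{"first_seen_unsigned_user_binary", ev.PID, ev.Path, e.lineage(ev.PID)})
		}
	case "open":
		if !isCredentialStore(ev.Path) || e.sweepFired[ev.PID] {
			return out
		}
		// Time-window correlation: keep distinct stores touched inside the window, count them.
		cutoff := ev.Time.Add(-e.window)
		kept := []credHit{{ev.Path, ev.Time}}
		for _, h := range e.credHits[ev.PID] {
			if !h.at.Before(cutoff) && h.path != ev.Path {
				kept = append(kept, h)
			}
		}
		e.credHits[ev.PID] = kept
		if len(kept) >= e.threshold {
			e.sweepFired[ev.PID] = true
			delete(e.credHits, ev.PID)
			paths := make([]string, 0, len(kept))
			for _, h := range kept {
				paths = append(paths, h.path)
			}
			out = append(out, Signal{"credential_store_sweep", ev.PID, strings.Join(paths, ","), e.lineage(ev.PID)})
		}
	}
	return out
}

// RunSample feeds a constructed event sequence through the engine and returns the signals.
func RunSample() []Signal {
	t0 := time.Date(2026, 2, 14, 9, 0, 0, 0, time.UTC)
	at := func(s int) time.Time { return t0.Add(time.Duration(s) * time.Second) }
	events := []Event{ // constructed sample input
		{at(0), "exec", 100, 1, "/bin/zsh", true, true},
		{at(1), "exec", 101, 100, "/usr/bin/curl", false, true},                         // simple match fires
		{at(2), "exec", 104, 100, "/usr/bin/curl", true, true},                          // interactive: quiet
		{at(3), "exec", 102, 100, "/Users/alice/Downloads/updater", false, false},       // baseline fires
		{at(4), "exec", 103, 100, "/Users/alice/Downloads/updater", false, false},       // already seen: quiet
		{at(5), "open", 102, 100, "/Users/alice/.ssh/id_ed25519", false, false},
		{at(6), "open", 102, 100, "/Users/alice/.aws/credentials", false, false},
		{at(7), "open", 102, 100, "/Users/alice/Library/Keychains/login.keychain-db", false, false}, // 3 in 60s: fires
		{at(8), "open", 102, 100, "/Users/alice/.gnupg/pubring.kbx", false, false},      // already fired: quiet
		{at(9), "open", 101, 100, "/Users/alice/.ssh/id_ed25519", false, false},
		{at(130), "open", 101, 100, "/Users/alice/.aws/credentials", false, false},      // outside window: quiet
	}
	e := NewEngine(60*time.Second, 3)
	var sigs []Signal
	for _, ev := range events {
		sigs = append(sigs, e.Evaluate(ev)...)
	}
	return sigs
}

func main() {
	for _, s := range RunSample() {
		fmt.Printf("%-32s pid=%d %s lineage=%v\n", s.Rule, s.PID, s.Detail, s.Lineage)
	}
}
```

Two design points carry over to real rules: the correlation rule fires once per process and then clears its state, so a process that keeps sweeping credential stores does not flood the backend, and the baseline rule keys on the executable path, so the same unsigned binary run twice produces a single signal. In Santamon both of those states would persist in BoltDB across restarts; in this example they live only as long as the process.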