If I use the "Elastic Defend" integration, will all the Elastic Security detection rules get enough information to be triggered, or do I need to enhance the logging on the endpoints (for example with Sysmon on Windows and auditd on Linux)?
My question specifically applies to endpoints using Windows or Linux.
Our detection rules use different data sources; some exclusively use Defend, others Auditbeat or Sysmon, but this must be checked on a per-rule basis to evaluate whether or not it is beneficial for you (and also possible performance-wise) to collect additional data.
Generally, to know which data sources are needed to trigger the rule, you can refer to:
Data Source Tags
Such as "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon Only", etc.
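One way to do that per-rule check without reading every rule by hand is to export the rules from Kibana and compare each rule's "Data Source:" tags against the sources you actually ship. The script below is an added example, not code from the original thread or from Elastic. It assumes the Kibana NDJSON export format (one JSON object per rule with a `tags` array, plus a trailing summary object without a `name`), and it assumes that a rule tagged with several data sources can fire from any one of them, which is the usual reading of multi-source tags but should still be verified per rule as the answer says. The sample export and its tag values are constructed for illustration.

```python
import json
import re
from typing import Dict, Iterable, List

# Matches the "Data Source: <name>" tag convention described in the answer above.
DATA_SOURCE_TAG = re.compile(r"^Data Source:\s*(.+)$")

# Constructed sample of a Kibana rule export (NDJSON, one rule object per line,
# followed by the export summary object). Rule names and tags are illustrative only.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"name": "Process Injection via PowerShell",
                "tags": ["OS: Windows", "Data Source: Elastic Defend"]}),
    json.dumps({"name": "Suspicious Named Pipe",
                "tags": ["OS: Windows", "Data Source: Sysmon Only"]}),
    json.dumps({"name": "Unusual Login Shell",
                "tags": ["OS: Linux", "Data Source: Auditd Manager"]}),
    json.dumps({"name": "Rare RDP Client",
                "tags": ["OS: Windows", "Data Source: Elastic Defend", "Data Source: Sysmon Only"]}),
    json.dumps({"name": "Generic Rule", "tags": ["OS: Windows"]}),
    json.dumps({"exported_count": 5, "missing_rules": [], "missing_rules_count": 0}),
])


def data_sources_of(rule: dict) -> List[str]:
    """Return the data-source names declared in a rule's tags, in tag order."""
    sources = []
    for tag in rule.get("tags", []):
        m = DATA_SOURCE_TAG.match(tag)
        if m:
            sources.append(m.group(1).strip())
    return sources


def parse_export(ndjson_text: str) -> List[dict]:
    """Parse a Kibana NDJSON export, skipping blank lines and objects that are not rules.

    Assumption: every rule object carries a "name"; the export summary object does not.
    """
    rules = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "name" in obj:
            rules.append(obj)
    return rules


def audit_rules(ndjson_text: str, deployed_sources: Iterable[str]) -> Dict[str, object]:
    """Report rules that none of the deployed data sources can feed.

    Returns {"uncovered": {rule name: [declared sources]}, "untagged": [rule names]}.
    A rule is treated as covered when at least one declared source is deployed
    (assumption, see lead-in). Rules without any "Data Source:" tag are listed
    separately because their tags say nothing about what they need.
    """
    deployed = {s.lower() for s in deployed_sources}
    uncovered: Dict[str, List[str]] = {}
    untagged: List[str] = []
    for rule in parse_export(ndjson_text):
        needed = data_sources_of(rule)
        if not needed:
            untagged.append(rule["name"])
        elif not any(s.lower() in deployed for s in needed):
            uncovered[rule["name"]] = needed
    return {"uncovered": uncovered, "untagged": untagged}


if __name__ == "__main__":
    # Scenario from the question: only the Elastic Defend integration is deployed.
    report = audit_rules(SAMPLE_EXPORT, ["Elastic Defend"])
    for name, sources in report["uncovered"].items():
        print(f"NOT COVERED: {name} (needs one of: {', '.join(sources)})")
    for name in report["untagged"]:
        print(f"CHECK MANUALLY: {name} (no Data Source tag)")
```

Run against a real export (Stack Management > Rules > Export) by replacing `SAMPLE_EXPORT` with the file contents; rules listed as not covered are the ones for which adding Sysmon or auditd data would actually change whether they can fire.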