If I use the "Elastic Defend" integration, will all the Elastic Security detection rules get enough information to be triggered, or do I need to enhance the logging on the endpoints (for example with Sysmon on Windows and auditd on Linux)?
My question specifically applies to endpoints using Windows or Linux.
Our detection rules use different data sources: some exclusively use Defend, others Auditbeat or Sysmon, but this must be checked on a per-rule basis to evaluate whether or not it is beneficial for you (and also possible performance-wise) to collect additional data.
Generally, to know which data sources are needed to trigger the rule, you can refer to:
Data Source Tags
Such as "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon Only", etc.
We are also working on setup guides that could answer this question on a per-rule basis. These can be accessed in the Setup section of the rule details:
Would you say that the data source list is exhaustive for every rule?
Because this is not the impression I have. For example, the rule:
seems pretty feasible with data coming from Auditbeat, even if it's not listed in the data sources.
Most importantly, what are your criteria to include / exclude a data source? For example, is there a list of fields that are exclusive to one or the other data source?