If I use the "Elastic Defend" integration, will all the Elastic Security detection rules get enough information to be triggered, or do I need to enhance the logging on the endpoints (for example with Sysmon on Windows and auditd on Linux)?

My question specifically applies to endpoints running Windows or Linux.

Thanks!

Hey @h49nakxs,

Our detection rules use different data sources; some exclusively use Defend, others Auditbeat or Sysmon, but this must be checked on a per-rule basis to evaluate whether or not it is beneficial for you (and also possible performance-wise) to collect additional data.

Generally, to know which data sources are needed to trigger the rule, you can refer to:

  • Data Source Tags
    • Such as "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon Only", etc.
  • Related Integrations
    • E.g. windows, auditd_manager, elastic defend, etc.

We are also working on setup guides that could answer this question on a per-rule basis. These can be accessed in the Setup section of the rule details:

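The per-rule check described in the reply above (reading the "Data Source" tags and related integrations of each rule and comparing them with what the fleet actually ships) can be automated over a Kibana rule export. This is an added example, not code from the thread or from Elastic; it assumes the export is ndjson with `tags` and `related_integrations` fields, and the three rules inside it are constructed for illustration:

```python
import json

DATA_SOURCE_PREFIX = "Data Source: "

# Constructed sample of a Kibana rule export (ndjson, one rule per line),
# cut down to the fields this check uses; names and versions are illustrative.
RULES_NDJSON = """\
{"name": "Rule A (constructed)", "tags": ["OS: Windows", "Data Source: Elastic Defend"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}]}
{"name": "Rule B (constructed)", "tags": ["OS: Windows", "Data Source: Sysmon Only"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}]}
{"name": "Rule C (constructed)", "tags": ["OS: Linux", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}]}
"""


def parse_rules(ndjson: str) -> list[dict]:
    """One JSON object per non-empty line, as in a Kibana rule export."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def data_sources(rule: dict) -> list[str]:
    """Data sources declared through the rule's 'Data Source: ...' tags."""
    tags = rule.get("tags", [])
    return [t[len(DATA_SOURCE_PREFIX):] for t in tags if t.startswith(DATA_SOURCE_PREFIX)]


def coverage(rule: dict, deployed: set[str]) -> dict:
    """Compare a rule's related integrations with the packages the fleet ships.

    'covered'      every listed integration is deployed
    'partial'      some are (the rule may still fire on the data you do have)
    'not covered'  none are: extra telemetry (e.g. Sysmon, auditd) is needed
    'unknown'      the rule declares no related integrations at all
    This checks declared metadata only, not that every queried field is present.
    """
    wanted = {i["package"] for i in rule.get("related_integrations", [])}
    present, missing = wanted & deployed, wanted - deployed
    if not wanted:
        status = "unknown"
    elif not missing:
        status = "covered"
    elif present:
        status = "partial"
    else:
        status = "not covered"
    return {"status": status, "present": sorted(present), "missing": sorted(missing),
            "data_sources": data_sources(rule)}


def report(ndjson: str, deployed: set[str]) -> dict[str, str]:
    """Map rule name -> coverage status for a fleet running `deployed` packages."""
    return {r["name"]: coverage(r, deployed)["status"] for r in parse_rules(ndjson)}


if __name__ == "__main__":
    # Fleet with only the Elastic Defend ('endpoint') integration installed.
    for name, status in report(RULES_NDJSON, {"endpoint"}).items():
        print(f"{status:12} {name}")
```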

Thanks a lot for your reply!

Would you say that the data source list is exhaustive for every rule?

Because this is not the impression I have. For example, the rule:

seems pretty feasible with data coming from Auditbeat, even if it is not listed in the data sources.

Most importantly, what are your criteria to include or exclude a data source? For example, is there a list of fields that are exclusive to one or the other data source?

