Hello,
If I use "Elastic Defend" integration, will all the Elastic Security detection rules get enough information to be triggered or do I need to enhance the logging on the endpoints (for example with Sysmon on Windows and auditd on Linux) ?
My question specifically apply to endpoints using Windows or Linux.
Thanks !
Hey @h49nakxs,
Our Detection rules use different data sources, some exclusively use Defend, others Auditbeat or Sysmon, but this must be checked in a per rule basis to evaluate whether or not is beneficial for you (and also possible performance-wise) collect additional data.
Generally, to know which data sources are needed to trigger the rule, you can refer to:
We are also working in setup guides that could answer this question in a per rule basis. These can be accessed in the Setup section of the rule details:
Hello,
Thanks a lot for your reply !
Would you say that the data source list is exhaustive for every rule ?
Because this is not the impression I have. For example, the rule :
seems pretty feasible with data coming from auditbeat, even if it's not listed in the data source.
Most importantly, what are your criteria to include / exclude data source ? For example, is there a list of fields that are exclusive to one or the other data source ?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
