Hello,
right now I'm testing the Elastic-Agent with the endpoint security integration in a lab environment and I'm very happy with it so far.
Via integration settings we can define the events to be collected on windows (process, file, network, ...). Those events power most of the prebuilt windows detection rules. Additionally the endpoint integration comes with protection features like malware protection, memory threat protection, malicious behavior protection and more.
I guess those agent prevention/protection mechanisms also use (amongst other things?) the events mentioned above.
Is there any documentation about the data sources that are used by the endpoint security integration or which are planned for the future?
I already have read a great blog post on elastic.co by Gabriel Landau where he mentioned kernel callbacks like PsSetCreateProcessNotify and saw in another question on discuss.elastic.co that AMSI is on the road map.
I would be grateful if you can elaborate a bit more about the mentioned sources (and, if used, others like EtwTi or user-mode hooks, memory scanning, ..)
Thank You!