Hey there,
I need some help figuring out what the best practice is for collecting logs. What I would like to accomplish is to replace my current XDR solution with Elastic Endpoint Security (all without breaking the bank). I then want to take those alerts and feed them into my SOAR.
I currently have 900+ endpoints, and all of them are enrolled via Fleet. Elastic Endpoint Security is installed on all the endpoints, but I have all the event collections turned off due to the sheer amount of information that comes in. I am instead using the System and Windows integrations to collect, and I drop the logs that create too much noise.
Is it better to continue collecting logs the way I am, or should I move to event collection from Endpoint Security?
As a general recommendation, the Endpoint Security integration will give you very relevant security data for your use as an EDR/XDR solution. It may be the best approach to start with Endpoint Security and use the event filtering capabilities to reduce the log volume if necessary. See: Event filters | Elastic Security Solution [8.0] | Elastic
Sysmon and Windows can also be helpful, but depending on the configuration may miss relevant context.
In my production environment, I'm using the Security + Winlogbeat + Sysmon endpoint because I noticed that with just the Elastic endpoint, it lacked some specific information to detect brute force actions.
It is also important to enable GPOs to apply security policies and logs that bring data enrichment, for example PowerShell logs, which are not enabled on Windows.
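To make the trade-off in the two replies above concrete (event filters cut volume, but a filter that is too broad removes the failed-logon context that brute-force detection needs), here is an added example that is not part of this thread. It is a simplified model of Endpoint Security event filters (field / operator / value entries, AND-ed within a filter) run over constructed sample events; the operator names are modelled on the filter UI and the events are made up, not real telemetry.

```python
"""Simplified model of Elastic Endpoint Security event filters (added example).
Operators 'is', 'is one of' and 'matches' are modelled on the filter UI;
the sample events below are constructed and not real endpoint telemetry."""
from fnmatch import fnmatch

# Constructed sample events in ECS-style dotted-field form.
EVENTS = [
    {"event.category": "process", "process.executable": "C:\\Windows\\System32\\svchost.exe", "event.code": "1"},
    {"event.category": "process", "process.executable": "C:\\Windows\\System32\\svchost.exe", "event.code": "1"},
    {"event.category": "network", "process.executable": "C:\\Program Files\\Agent\\agent.exe", "event.code": "3"},
    {"event.category": "authentication", "event.code": "4625", "user.name": "admin", "event.outcome": "failure"},
    {"event.category": "authentication", "event.code": "4625", "user.name": "admin", "event.outcome": "failure"},
    {"event.category": "process", "process.executable": "C:\\Users\\bob\\Downloads\\setup.exe", "event.code": "1"},
]

def entry_matches(event, entry):
    """One filter entry: (field, operator, value). A missing field never matches."""
    field, op, value = entry
    actual = event.get(field)
    if actual is None:
        return False
    if op == "is":
        return actual == value
    if op == "is one of":
        return actual in value
    if op == "matches":          # wildcard match, like the UI's 'matches' operator
        return fnmatch(actual, value)
    raise ValueError(f"unsupported operator: {op}")

def event_filter_matches(event, entries):
    """All entries of one filter must match (AND) for the event to be suppressed."""
    return all(entry_matches(event, e) for e in entries)

def apply_filters(events, filters):
    """Return the events that survive every filter, i.e. what you actually ingest."""
    return [ev for ev in events if not any(event_filter_matches(ev, f) for f in filters)]

# Narrow filter: suppress process events from trusted System32 binaries only.
NARROW = [[("event.category", "is", "process"),
           ("process.executable", "matches", "C:\\Windows\\System32\\*.exe")]]
# Broad filter: suppress the whole authentication category. Cheaper on volume,
# but it removes the 4625 failed-logon events a brute-force detection relies on.
BROAD = [[("event.category", "is", "authentication")]]

def failed_logons(events):
    """Failed Windows logons (event code 4625) left after filtering."""
    return [ev for ev in events if ev.get("event.code") == "4625"]
```

With the constructed events, both filters drop two of six events, but only the narrow one leaves the two failed logons in place.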