I have configured a Fleet Server with the Elastic Defend integration to start using Elastic Security.
Currently only 2 servers are enrolled with the agent. Here are the integrations of the policy that we use:
Endpoint Security
Elastic APM
Auditd Logs
ModSecurity Audit
System (deactivated process, network, file)
Everything works fine, but I would like to share with you my disk usage for the Elastic integration because I think that it's a huge amount for only 2 servers enrolled.
It happens that some processes are particularly noisy and quickly fill up the indexes. It's possible to suppress such events, but it creates blind spots in your data, so it's an opt-out for users.
See details here: Event Filters
I forgot to mention that since we added the Event Filters, we also started looking closely at which events have little value and are curating an out-of-the-box filter. This filter can be toggled off by an advanced policy option.
Events filtered out by Endpoint are dropped just before going on the wire, so all detections work internally, raising appropriate alerts, moving malware into quarantine, etc.
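To make the trade-off in the replies above concrete (events are dropped on the endpoint before they are shipped, the index shrinks, and whatever was dropped is no longer available for hunting), here is an added simulation written for this thread. It is not Elastic's code: the sample events and the two filter items are constructed, the entry shape ("field" / "operator" / "type" / "value") mirrors what the event filters UI stores, and the `build_kibana_item()` request body (the `endpoint_event_filters` list id and the exception list API route) is an assumption about that API, not something stated in the thread.

```python
"""Simulate Elastic Defend event filters over a batch of endpoint events.

Constructed example for this thread, not Elastic's own code. An item is
the AND of its entries; an event is dropped on the endpoint if ANY item
matches it; only the remaining events reach the index.
"""
import fnmatch
import json
from collections import Counter

# Constructed sample of endpoint events, trimmed to the ECS fields we match on.
SAMPLE_EVENTS = [
    {"event": {"category": "process"}, "process": {"executable": "/usr/bin/node"}, "host": {"name": "web-1"}},
    {"event": {"category": "process"}, "process": {"executable": "/usr/lib/apm-server/apm-server"}, "host": {"name": "web-1"}},
    {"event": {"category": "file"}, "file": {"path": "/var/log/apache2/modsec_audit.log"},
     "process": {"executable": "/usr/sbin/apache2"}, "host": {"name": "web-2"}},
    {"event": {"category": "network"}, "process": {"executable": "/usr/bin/curl"},
     "destination": {"port": 443}, "host": {"name": "web-2"}},
    {"event": {"category": "process"}, "process": {"executable": "/usr/bin/bash"}, "host": {"name": "web-1"}},
]

# Constructed filter items: one for a noisy agent-side daemon, one for the
# web server rewriting its own audit log (the ModSecurity integration already
# ships that content, so the file events are duplicates).
EVENT_FILTERS = [
    {"name": "apm-server process noise", "entries": [
        {"field": "event.category", "operator": "included", "type": "match", "value": "process"},
        {"field": "process.executable", "operator": "included", "type": "match",
         "value": "/usr/lib/apm-server/apm-server"},
    ]},
    {"name": "apache2 writes under /var/log/apache2", "entries": [
        {"field": "event.category", "operator": "included", "type": "match", "value": "file"},
        {"field": "process.executable", "operator": "included", "type": "match", "value": "/usr/sbin/apache2"},
        {"field": "file.path", "operator": "included", "type": "wildcard", "value": "/var/log/apache2/*"},
    ]},
]


def get_field(doc, path):
    """Resolve a dotted ECS path such as 'process.executable' in a nested dict."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def entry_matches(entry, event):
    """One entry against one event: 'match' is exact, 'match_any' is membership
    in a list, 'wildcard' is a glob; operator 'excluded' negates the result."""
    actual = get_field(event, entry["field"])
    if actual is None:
        hit = False
    elif entry["type"] == "match":
        hit = str(actual) == str(entry["value"])
    elif entry["type"] == "match_any":
        hit = str(actual) in [str(v) for v in entry["value"]]
    elif entry["type"] == "wildcard":
        hit = fnmatch.fnmatchcase(str(actual), str(entry["value"]))
    else:
        raise ValueError(f"unsupported entry type {entry['type']!r}")
    return (not hit) if entry["operator"] == "excluded" else hit


def item_matches(item, event):
    """An event filter item is the AND of its entries."""
    return all(entry_matches(e, event) for e in item["entries"])


def apply_event_filters(events, items):
    """Split events into (shipped, dropped); any matching item drops the event."""
    shipped, dropped = [], []
    for ev in events:
        (dropped if any(item_matches(it, ev) for it in items) else shipped).append(ev)
    return shipped, dropped


def wire_bytes(events):
    """Approximate on-the-wire size as compact JSON, to compare before and after."""
    return sum(len(json.dumps(ev, separators=(",", ":"))) for ev in events)


def blind_spots(dropped):
    """Per (host, event.category), how many events will never reach the index.
    Review this before enabling a filter: the endpoint still detects on them,
    but they are gone for hunting and investigation."""
    return Counter((ev["host"]["name"], ev["event"]["category"]) for ev in dropped)


def build_kibana_item(name, description, entries):
    """Body for creating the same item via Kibana's exception list API
    (POST /api/exception_lists/items). list_id and the other keys are an
    assumption about that API, not taken from the thread."""
    return {"list_id": "endpoint_event_filters", "namespace_type": "agnostic", "type": "simple",
            "os_types": ["linux"], "name": name, "description": description, "entries": entries}


if __name__ == "__main__":
    shipped, dropped = apply_event_filters(SAMPLE_EVENTS, EVENT_FILTERS)
    print(f"shipped {len(shipped)}, dropped {len(dropped)}")
    print(f"bytes before {wire_bytes(SAMPLE_EVENTS)}, after {wire_bytes(shipped)}")
    for (host, cat), n in blind_spots(dropped).items():
        print(f"blind spot: host={host} category={cat} events={n}")
    print(json.dumps(build_kibana_item(EVENT_FILTERS[0]["name"], "constructed", EVENT_FILTERS[0]["entries"]), indent=2))
```

Running it prints how many of the five constructed events would still be shipped, the approximate byte saving, and the blind spots the two items introduce (one process stream on web-1, one file stream on web-2). The point of `blind_spots()` is the caveat from the replies: measure what a filter hides before you turn it on, and keep the out-of-the-box filter's advanced policy toggle in mind when you need the full stream back.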