Security events and rules matching

We are trying to understand what security events Elastic SIEM covers but it’s quite difficult cause there is no list of such events in the documentation or may be we don’t know where it is. We've decided to start with Windows and only I can see are rules and its conditions. It’s not clear which security events are covered and which are not. For example event_id 4730 (A security-enabled global group was deleted) is it covered by rules? Also it’s not clear what rules require sysmon and what rules monitor registry changes - these can’t be filtered.
We decided to create our own events id mapping for rules to detect events which are not covered. You can find it here. May be it will help someone.

Hey @Alexander_A ,

I hope you're doing well! Apologies for the delay in responding, we've been running your questions up the ladder to find a best answer. Heres what the head of the detections team had to say about it:

"We had some discussion about this, and we generally do not rely on the event ids for detections, and try to give info on the policy setup to the users in the setup guide in rules. We see the room for improvement, and will have further discussion."

"In addition most of our rules using process execution events 4688 need to be enabled with command line logging enabled or Sysmon configured to log process execution."

In short we do not have an event to rule mapping, but we see how this can be helpful, and may be added in a future release. We have also sparked a conversation about how well the rule filters work with the goal of being able to better find the ones youre looking for.

I know this isn't quite the response you were hoping for but it will hopefully lead us to a more fulfilling application down the road.

Thanks for your reply. I'm glad that you see a room for improvement here.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.