Syscalls tapped by elastic defend

I could see the below list of events tapped by Elastic Defend. Apart from these, what is the list of syscalls tapped by Elastic Defend?

end (process event)
fork (process event)
exec (process event)
uid_change (process event)
gid_change (process event)
session_id_change (process event)
already_running (process event)
process-started (process event)
session_id_change (process event)
connection_accepted (network event)
connection_attempted (network event)
disconnect_received (network event)
creation (file event)
rename (file event)
deletion (file event)

1 Like

@Christian_Dahlqvist / @stephenb could you pls help?

Er, that's a bit rude, though at least you included a "pls".

Remember it's a public forum; anyone (volunteers) can choose to answer whichever threads they wish. Or not. There's no SLA here.

I find pinging specific people very rude and usually ignore people who do this completely. Will do so this time as well once I am done with this point. This is as @RainTown pointed out a community forum manned by volunteers and you do not know which areas different users have experience with. Have you ever seen me respond to any question around Elastic Defend? (The answer is no as I do not use this product.)

For some reason discuss didn't send this to me before today.

Assuming you're running an eBPF-enabled system, our eBPF probes are maintained in the elastic/ebpf repo. There's a list of the "events" we're creating here: ebpf/GPL/Events/EbpfEventProto.h at main · elastic/ebpf · GitHub

Specific events and probe locations can vary over time and versions, but it is all built from that repo.

2 Likes