Opt-In Full Event Capture for Elastic Defend (Sysmon-like Functionality) #197932

Open
teamthanos opened this issue Oct 27, 2024 · 2 comments
Labels
Team:Defend Workflows “EDR Workflows” sub-team of Security Solution

Comments

@teamthanos

Description:

Currently, Elastic Defend’s event capture design prioritizes efficiency by focusing on detecting malicious behaviour in a cost-effective way, which involves deduplication and filtering of events deemed unnecessary for detection purposes. While this approach optimizes for CPU, bandwidth, and storage usage, it may not meet the needs of some organizations seeking full event visibility for comprehensive threat hunting or forensic analysis.

Problem Statement:

Many companies are opting to use Elastic Defend as their sole endpoint security solution, under the assumption that it provides full event capture akin to Sysmon. However, they are not aware that Elastic Defend filters and deduplicates events before sending them to the SIEM. This results in situations where critical events might be filtered out, potentially missing some scenarios or behaviours that an organization needs to monitor.

Organizations that require comprehensive monitoring often find themselves needing to install Sysmon alongside Elastic Defend, which increases complexity and resource consumption on the endpoint.

Feature Request:

Introduce an opt-in feature for Elastic Defend to provide full event capture capabilities, similar to what Sysmon offers. This feature would allow customers to:

Enable full event capture: A checkbox or configuration setting to capture all possible events without deduplication or filtering, effectively serving as a 1:1 replacement for Sysmon’s event monitoring.

Maintain the default efficiency mode: By default, Elastic Defend would continue to filter and deduplicate events for customers who prioritize performance and storage savings. The full capture mode would be an opt-in setting for those willing to accept higher resource usage for complete event monitoring.

Benefits:

Provides customers with the flexibility to choose between performance optimization and full visibility.
Reduces the need to install additional monitoring solutions (like Sysmon), thereby simplifying endpoint configuration and management.
Enhances Elastic Defend's value for customers who use the SIEM for advanced threat hunting and incident response.

Potential Challenges:

Full event capture may increase CPU usage, bandwidth, and storage requirements. However, organizations that opt in would be doing so with this trade-off in mind.
Additional configuration options may increase the complexity of the Elastic Defend setup, requiring clear documentation and guidance for customers.

Conclusion:

This feature would offer a balanced approach to endpoint monitoring, catering to different organizational needs by making full event capture an optional, configurable setting. This would help bridge the gap for customers who seek a Sysmon-like experience within the Elastic ecosystem, enabling Elastic Defend to serve as a more comprehensive solution.

@botelastic botelastic bot added the needs-team Issues missing a team label label Oct 27, 2024
@mbondyra mbondyra added the Team:Defend Workflows “EDR Workflows” sub-team of Security Solution label Oct 28, 2024
@elasticmachine
Contributor

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Oct 28, 2024
@ferullo
Contributor

ferullo commented Nov 7, 2024

Hi @teamthanos, Defend is focused on emitting security-relevant event telemetry, not full system telemetry. So we don't have near-term plans to produce all the event telemetry you're probably imagining. However, we do seriously consider requests for individual event types on a case-by-case basis. So if there's something specific you're looking for, let us know.
