From 9ea3b0dc92fbd1efd4078fb93864f0c43f07644d Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 15 May 2024 12:35:30 -0400 Subject: [PATCH] Elastic Defend event capture explainer (#5194) * First draft * Rename to "event capture" * Apply suggestions from review Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit 85a06cbfba8881c9a885f6ff7deae415b33bad71) --- .../admin/endpoint-event-capture.asciidoc | 50 +++++++++++++++++++ docs/management/manage-intro.asciidoc | 1 + 2 files changed, 51 insertions(+) create mode 100644 docs/management/admin/endpoint-event-capture.asciidoc diff --git a/docs/management/admin/endpoint-event-capture.asciidoc b/docs/management/admin/endpoint-event-capture.asciidoc new file mode 100644 index 0000000000..011ef7a7ca --- /dev/null +++ b/docs/management/admin/endpoint-event-capture.asciidoc 
@@ -0,0 +1,50 @@ +[[endpoint-event-capture]] +[chapter] += Event capture and {elastic-defend} + +{elastic-defend} collects selective data on system activities in order to detect and prevent as many threats as possible, while balancing storage and performance overhead. To that end, {elastic-defend} isn't designed to provide a complete capture of all system events. The event data that {elastic-defend} generates might be aggregated, truncated, or deduplicated as needed to optimize threat detection and prevention. + +You can supplement {elastic-defend}'s protection capabilities with additional {integrations-docs}[Elastic integrations] and tools that provide more visibility and historical data. Consult the following sections to expand data collection for specific system events. + + +[discrete] +== Network port creation and deletion + +{elastic-defend} tracks TCP connections. If a port is created but no traffic flows, no events are generated. + +For complete capture of network port creation and deletion, consider capturing Windows event ID 5158 using the {integrations-docs}/winlog[Custom Windows Event Logs] integration. + +[discrete] +== Network in/out connections + +{elastic-defend} tracks TCP connections, which don't include network in/out connections. + +For complete network capture, consider deploying {packetbeat} using the https://docs.elastic.co/en/integrations/network_traffic[Network Packet Capture] integration. + +[discrete] +== User behavior + +{elastic-defend} only captures user security events required by its behavioral protection. This doesn't include every user event such as logins and logouts, or every time a user account is created, deleted, or modified. + +For complete capture of all or specific Windows security events, consider the https://docs.elastic.co/en/integrations/winlog[Custom Windows Event Logs] integration. 
+ +[discrete] +== System service registration, deletion, and modification + +{elastic-defend} only captures system service security events required by its behavioral protection engine. Service creation and modification can also be detected in registry activity, for which {elastic-defend} has internal rules such as https://github.com/elastic/protections-artifacts/blob/6d54ae289b290b1d42a7717569483f6ce907200a/behavior/rules/persistence_registry_or_file_modification_from_suspicious_memory.toml[Registry or File Modification from Suspicious Memory]. + +For complete capture of all or specific Windows security events, consider the https://docs.elastic.co/en/integrations/winlog[Custom Windows Event Logs] integration. In particular, capture events such as https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697[Windows event ID 4697]. + +[discrete] +== Kernel driver registration, deletion, and queries + +{elastic-defend} scans every driver as it is loaded, but it doesn't generate an event each time. + +Drivers are registered in the system as system services. You can capture this with Windows event ID 4697 using the https://docs.elastic.co/en/integrations/winlog[Custom Windows Event Logs] integration. + +Also consider capturing Windows event ID 6 using {winlogbeat}'s {winlogbeat-ref}/winlogbeat-module-sysmon.html[Sysmon module]. + +[discrete] +== System configuration file creation, modification, and deletion + +{elastic-defend} tracks creation, modification, and deletion of all files on the system. However, as mentioned above, the data might be aggregated, truncated, or deduplicated to provide only what's required for threat detection and prevention. diff --git a/docs/management/manage-intro.asciidoc b/docs/management/manage-intro.asciidoc index 724352fd44..ec3911baab 100644 --- a/docs/management/manage-intro.asciidoc +++ b/docs/management/manage-intro.asciidoc 
@@ -15,5 +15,6 @@ include::{security-docs-root}/docs/management/admin/event-filters.asciidoc[level include::{security-docs-root}/docs/management/admin/host-isolation-exceptions.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/blocklist.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-artifacts.asciidoc[leveloffset=+1] +include::{security-docs-root}/docs/management/admin/endpoint-event-capture.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-self-protection.asciidoc[leveloffset=+1]
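Review bot: in the "Network in/out connections" section of endpoint-event-capture.asciidoc the sentence `{elastic-defend} tracks TCP connections, which don't include network in/out connections.` reads as self-contradictory, since a TCP connection is itself an inbound or outbound connection; state what is actually not captured (for example non-TCP traffic or per-packet data) so the reader understands why the Network Packet Capture integration is the recommended supplement. Two smaller points in the same hunk: the Custom Windows Event Logs link is written once as `{integrations-docs}/winlog[Custom Windows Event Logs]` and three times as the hard-coded `https://docs.elastic.co/en/integrations/winlog[Custom Windows Event Logs]`, so use the attribute form consistently; and in the kernel driver section "Windows event ID 6" is routed through the Sysmon module, so label it as a Sysmon event ID to avoid confusion with the Security log event IDs (4697, 5158) cited elsewhere on the page.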