Description
We often get questions from users and customers looking to clarify what specific events are captured with Elastic Defend and why. @gabriellandau put together a great outline explaining why certain events are not captured and reasoning behind it. This would be useful to put in our docs to provide more insight as to how our event capture works with Defend, and other options if users require additional telemetry.
Summary
Defend does not aim to provide "complete" event capture. It collects what our team deems necessary to detect as many threats as possible, while keeping storage costs and performance overhead reasonable for as many customers as possible. Defend will aggregate and truncate events as deemed necessary. Defend will also perform deduplication so it's not, for example, generating 10,000 registry write events because LSASS generated 10,000 random numbers and updated the RNG seed value in the registry each time.
Below are answers to your questions as though they do not include the word "complete":
Do you have complete records and visibility into network port creation and deletion activities?
- Defend tracks TCP connections. If a port is created but no traffic flows, no events will be generated.
- If you want a complete capture of network port creation/deletion, consider event ID 5158 via the Custom Windows Event Logs integration: https://docs.elastic.co/en/integrations/winlog
Does it provide complete history and visibility of network in/out connections?
- Defend currently tracks TCP connections. We are investigating the performance and storage costs of UDP events.
- If you want complete network capture, consider deploying PacketBeat via the Network Packet Capture integration: https://docs.elastic.co/integrations/network_traffic
Does it provide complete history and visibility of user login/logoff/creation/deletion/modification behavior?
- Defend only captures security events required by its behavioral protection.
- If you want a complete capture of all or specific Windows security events, consider the Custom Windows Event Logs integration: https://docs.elastic.co/en/integrations/winlog
Does it provide complete records and visibility of system service registration, deletion, and modification activities?
- Defend only captures security events required by its behavioral protection engine. Service creation and modification can also be detected via registry activity, for which Defend has rules such as https://github.com/elastic/protections-artifacts/blob/6d54ae289b290b1d42a7717569483f6ce907200a/behavior/rules/persistence_registry_or_file_modification_from_suspicious_memory.toml
- If you want a complete capture of all or specific Windows security events, consider capturing events via the Custom Windows Event Logs integration: https://docs.elastic.co/en/integrations/winlog
- You would be interested in events like 4697: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
Does it provide complete history and visibility of kernel driver registration, deletion, and query activity?
- Defend scans every driver as it is loaded, but it does not generate an event each time.
- Drivers are registered in the system as system services. The aforementioned Event ID 4697 would cover this.
- Also consider Event ID 6 from the Sysmon integration: https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-sysmon.html
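As an added example (not from the outline above or from Elastic's own docs): the event IDs named in the port, service and driver answers (5158, 4697, Sysmon 6) only appear if the matching audit subcategories are enabled, so this elevated PowerShell session turns them on, verifies the policy, confirms events are arriving, and writes a Winlogbeat selection for the same IDs. The output file path is a placeholder.

```powershell
# Added example, not part of the issue. Run from an elevated PowerShell session.

# 5158 (WFP permitted a bind to a local port) is in Object Access > Filtering Platform Connection.
# 4697 (a service was installed; kernel drivers register as services) is in System > Security System Extension.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

# Verify the effective policy after the change.
auditpol /get /subcategory:"Filtering Platform Connection"
auditpol /get /subcategory:"Security System Extension"

# Sanity check: pull the most recent instances of each event ID.
# Get-WinEvent errors when no events match, so suppress that on a fresh policy.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5158 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
# Sysmon event 6 (driver loaded) lands in Sysmon's own channel, if Sysmon is installed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Standalone Winlogbeat selection limited to these IDs; the Custom Windows Event Logs
# integration in Fleet takes the same channel name and event ID values.
# The destination path below is a constructed placeholder.
@'
winlogbeat.event_logs:
  - name: Security
    event_id: 4697, 5158
  - name: Microsoft-Windows-Sysmon/Operational
    event_id: 6
'@ | Set-Content -Path 'C:\ProgramData\winlogbeat-event-logs.example.yml'
```

Expect 5158 to be high-volume on busy hosts; that is exactly the storage trade-off the summary describes, so scope the channel selection before shipping it fleet-wide.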
Does it provide complete history and visibility into the creation, modification, and deletion of key system configuration files?
- Defend tracks creation, modification, and deletion of all files on the system, subject to the aforementioned truncation, deduplication, and aggregation.
Background & resources
- PRs: N/A
- Issues/metas: N/A
- Point of contact: @gabriellandau @ferullo @caitlinbetz @roxana-gheorghe
- Test environments: N/A
Docs issue info
- Which documentation set does this change impact? ESS and serverless
- ESS release: 8.12
- Serverless release: N/A
- Feature differences: N/A
- API docs impact: N/A
- Prerequisites, privileges, feature flags: N/A
### Pull requests
- [x] Classic docs — https://github.com/elastic/security-docs/pull/5194
- [x] Serverless docs — https://github.com/elastic/staging-serverless-security-docs/pull/352