adding Trellix EDR (mcafee) #5
adding Trellix EDR (mcafee) to EDR_telem.json
Thank you very much for submitting this proposal @mthcht! Could you please include the below information so we can validate before merging?
Thanks again!
Here are the EventTypes present in my logs:
This is great! Please give me some time to review and I'll reach out if I have any questions 🙂
Hey @mthcht, unfortunately, the link you provided me of the API documentation does not include a definitive answer to the fields we are looking for. It would be great if you can provide some sanitized data to me on a private channel. I will also try to do some testing myself if I manage to get a trial of the product. I will have to reach out to Trellix for that.
@tsale here is a raw log extract for each EventType I have:
@tsale here is an extract for each EventType: Account Changed, Account Created, Account Deleted, Account Disabled, Account Enabled, Api, COM Api, Code Injected, Code Injection, Context Changed, DNS Query, Epp File Scan, Epp Process Response, Epp Process Scan, File Attribute Changed, File Created, File Deleted, File Executed, File Modified, File Moved, File Read, Image Loaded, NamedPipe Connected, Network Accessed, Password Reset, Process Accessed, Process Created, Process Hollowed, Process Reputation Changed, RegKey Created, RegKey Deleted, RegKey Read, RegValue Created, RegValue Deleted, RegValue Modified, ScheduledTask Changed, Script Executed, Service Changed, SysInfo, User Login, User Logout, Username Changed, WMI Activity
Hey @mthcht, thanks for that! Are you also considering the value 'Via Windows Eventlogs' (WEL) besides the Yes/No? For example: User Login. If that relies on WEL, is the agent automatically taking care of necessary audit policy changes?
@inodee I was thinking of this category. I hadn't considered this category as the method through which the EDR generates the log, using the Windows event logs behind the scenes by default, so it could fall into this category for logs displaying "eventid". I believe that there might be other EDR solutions generating numerous logs via Windows EventLogs by default without clearly indicating it in the log like Trellix does. It can be difficult to know without examining the EDR internals. As for the policy on the agent, it is done automatically; nothing to configure on our end.
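As an added example (not part of this PR or the project's code), a small Python check over a constructed fragment in the row-per-sub-category shape this thread assumes for EDR_telem.json: it rejects values outside the Yes / No / Via EventLogs set discussed above and lists the sub-categories whose coverage comes from Windows event logs, since those are the rows where the endpoint audit policy decides whether the telemetry actually exists. The column name "Trellix", the row keys and the sample sub-category names are assumptions.

```python
import json

# Constructed sample in the row-per-sub-category shape assumed here for
# EDR_telem.json; the project's real schema and column names are assumptions.
SAMPLE_JSON = json.dumps([
    {"Telemetry Feature Category": "Process Activity",
     "Sub-Category": "Process Creation", "Trellix": "Yes"},
    {"Telemetry Feature Category": "User Account Activity",
     "Sub-Category": "Login/Logoff", "Trellix": "Via EventLogs"},
    {"Telemetry Feature Category": "Driver/ModLoad",
     "Sub-Category": "Driver Loaded", "Trellix": "No"},
    {"Telemetry Feature Category": "EDR SysOps",
     "Sub-Category": "Agent Start", "Trellix": "Maybe"},  # invalid on purpose
])

# Values the thread discusses: plain Yes/No plus the Windows-event-log path.
ALLOWED = {"Yes", "No", "Via EventLogs"}


def parse_rows(text):
    """Load the JSON array of sub-category rows."""
    return json.loads(text)


def validate(rows, edr):
    """Return (invalid, via_wel) for one EDR column.

    invalid: (category / sub-category, value) pairs outside ALLOWED, so a
             reviewer can catch typos before merging.
    via_wel: sub-categories whose coverage comes from Windows event logs,
             i.e. where the endpoint audit policy must actually be enabled.
    """
    invalid, via_wel = [], []
    for row in rows:
        name = f'{row["Telemetry Feature Category"]} / {row["Sub-Category"]}'
        value = str(row.get(edr, "")).strip()
        if value not in ALLOWED:
            invalid.append((name, value))
        elif value == "Via EventLogs":
            via_wel.append(name)
    return invalid, via_wel


def coverage(rows, edr):
    """Count how many sub-categories carry each value in the EDR column."""
    counts = {}
    for row in rows:
        value = str(row.get(edr, "")).strip()
        counts[value] = counts.get(value, 0) + 1
    return counts
```

Running `validate(parse_rows(SAMPLE_JSON), "Trellix")` flags the "Maybe" row and returns the Login/Logoff row as the one that depends on Windows event logs.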
That is awesome @mthcht, thank you very much for all the info, much appreciated! It will take me some time to go through and validate. I will reach out with any questions, if any.
@mthcht, I reviewed the submission and I have some questions regarding some of the sub-categories. See below:
Looking forward to the info, thanks again! We will soon be releasing a tool that will make telemetry generation easy 🙂.
The URL requests from process are logged in the here is a sample:
Same for UDP requests, another sample:
Driver Loaded is not logged, my mistake. For the
Thanks for the info @mthcht! For the EDR SysOps, logged locally is acceptable as well. You could edit the commit to include what you see in regards to it and I'll approve it.
OK, I added what I saw; will make another PR if I find a way to collect more with the API.
Thank you so much @mthcht for this contribution!
* adding Trellix EDR (mcafee) to EDR_telem.json
---------
Fixing typo as a result of the last commit.
A few things I would like to add/correct around the Trellix EDR solution: the correct link to the user/product guide is located here https://docs.trellix.com/en/bundle/mvision-endpoint-detection-and-response-landing/page/GUID-571E9972-9D54-49D3-BAC8-6197FFFB02C9.html. With regards to agent monitoring, the agent is monitored via ePO (separate management plane).
Thank you. I am also collecting McAfee ePO syslogs and have not come across any events related to EDR agent monitoring. Could you confirm if you have seen such events on your end and provide some samples for reference? |
ePO won't have logs of this; it's reflected in the dashboard. Filtering the system tree view to show last agent communication is one way; the other way is to build a report with the data out of the SQL database to show last agent communications. Hope this helps.