Event capture and Elastic Defend

Elastic Defend collects select data on system activity in order to detect and prevent as many threats as possible, while balancing storage and performance overhead. To that end, Elastic Defend isn’t designed to capture all system events. Some event data that Elastic Defend generates gets aggregated, truncated, or deduplicated as needed to optimize threat detection and prevention.

You can supplement Elastic Defend’s protection capabilities with Elastic integrations and tools that provide more visibility and historical data. Consult the following sections to expand data collection for specific types of system events.

Network port creation and deletion
Elastic Defend tracks TCP connections. If a port is created but no traffic flows, no events are generated.

For complete capture of network port creation and deletion, consider capturing Windows event ID 5158 using the Custom Windows Event Logs integration.

Network in/out connections
Elastic Defend tracks TCP connections; it does not record all inbound and outbound network traffic.

For complete network capture, consider deploying Packetbeat using the Network Packet Capture integration.

User behavior
Elastic Defend only captures user security events required by its behavioral protection. This doesn’t include every user event such as logins and logouts, or every time a user account is created, deleted, or modified.

For complete capture of all or specific Windows security events, consider the Custom Windows Event Logs integration.

System service registration, deletion, and modification
Elastic Defend only captures system service security events required by its behavioral protection engine. Service creation and modification can also be detected in registry activity, for which Elastic Defend has internal rules such as Registry or File Modification from Suspicious Memory.

For complete capture of all or specific Windows security events, consider the Custom Windows Event Logs integration. In particular, capture events such as Windows event ID 4697.

Kernel driver registration, deletion, and queries
Elastic Defend scans every driver as it is loaded, but it doesn’t generate an event each time.

Drivers are registered in the system as system services. You can capture this with Windows event ID 4697 using the Custom Windows Event Logs integration.

Also consider capturing Windows event ID 6 using Winlogbeat’s Sysmon module.
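Before shipping the supplemental events recommended in the network port, service, and kernel driver sections above (Security event IDs 5158 and 4697, Sysmon event ID 6), it is worth confirming on a host that the relevant audit subcategory is enabled and that the channel is actually producing those events. The following PowerShell check is an added example, not code from Elastic's documentation or product; it assumes an elevated PowerShell 5.1+ session on the Windows host and, for the third check, that Sysmon is installed.

```powershell
# Added example: verify that the event sources this page recommends as
# supplements to Elastic Defend are enabled and producing events.
# Assumes an elevated session; the Sysmon check assumes Sysmon is installed.

# One entry per recommendation above: log channel, event ID, and the audit
# subcategory that must be enabled for the Security log to emit the event.
$Checks = @(
    @{ Purpose = 'Network port creation/deletion'; Log = 'Security'; Id = 5158;
       Subcategory = 'Filtering Platform Connection' }
    @{ Purpose = 'Service / driver registration';  Log = 'Security'; Id = 4697;
       Subcategory = 'Security System Extension' }
    @{ Purpose = 'Driver loaded (Sysmon)';         Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 6;
       Subcategory = $null }   # Sysmon does not depend on the Windows audit policy
)

function Test-SupplementalEventSource {
    param([hashtable]$Check, [int]$LookbackHours = 24)

    $result = [ordered]@{ Purpose = $Check.Purpose; Log = $Check.Log; EventId = $Check.Id }

    # 1. Is the audit subcategory that generates this event enabled?
    #    auditpol /r returns CSV; "Inclusion Setting" holds e.g. "Success and Failure".
    if ($Check.Subcategory) {
        $policy = auditpol /get /subcategory:"$($Check.Subcategory)" /r | ConvertFrom-Csv
        $result.AuditSetting = $policy.'Inclusion Setting'
    } else {
        $result.AuditSetting = 'n/a'
    }

    # 2. Does the channel exist, and has it produced the event in the lookback window?
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = $Check.Log
            Id        = $Check.Id
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        } -ErrorAction Stop
        $result.RecentEvents = @($events).Count
    } catch {
        # Get-WinEvent errors when the log is missing or no events match.
        $result.RecentEvents = 0
        $result.Note = $_.Exception.Message
    }
    [pscustomobject]$result
}

$Checks | ForEach-Object { Test-SupplementalEventSource -Check $_ } | Format-Table -AutoSize
```

A row showing an audit setting of "No Auditing" or zero recent events means the Custom Windows Event Logs or Sysmon integration would have nothing to forward for that gap, so the audit policy or Sysmon configuration needs attention first.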

System configuration file creation, modification, and deletion
Elastic Defend tracks creation, modification, and deletion of all files on the system. However, as mentioned above, the data might be aggregated, truncated, or deduplicated to provide only what’s required for threat detection and prevention.