tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.
1.52k stars 146 forks

Linux Telemetry Section #21

Open craighrowland opened 1 year ago

craighrowland commented 1 year ago

It would be good to break out Windows vs. Linux telemetry for EDR as the two platforms have much different coverage needs. Linux coverage can cover process attacks like Windows. However, it also has a lot of non-process-based data that needs to have good telemetry to detect attacks.

I'd propose as a starting point these high level-categories for telemetry type data:

- Processes (process activity, creation times, owners, binary data, network activity, etc.)
- Files (general coverage for file attributes, creation times, owners, hashes, entropy, etc.)
- Directories (general directory coverage for attributes like files above, etc.)
- Logs (syslog, utmp, btmp, wtmp, lastlog, log data, etc.)
- Users (accounts, passwords, SSH keys, login activity, etc.)
- Kernel (kernel modules, status, etc.)
- Systemd (services, lingering processes, general systemd units)
- Scheduled Tasks (cron/at/systemd running, owners, etc.)
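As an added illustration of the "Logs" category above (example code, not part of the EDR-Telemetry project or the commenter's proposal): utmp, wtmp and btmp are binary files, so an EDR that claims coverage here has to parse the fixed 384-byte glibc record layout rather than tail a text log. The block below parses constructed wtmp records, extracts the login fields a detection would key on, and applies one well-known heuristic: wtmp is append-only and never legitimately contains an all-zero record, so a zeroed entry is a sign that a login was wiped in place. It assumes the x86_64 glibc `struct utmp` layout; all sample bytes are constructed inline.

```python
"""Parse Linux utmp/wtmp records and flag zeroed (wiped) entries.

Added example, not from the EDR-Telemetry project. Assumes the glibc
struct utmp layout on x86_64 (bits/utmp.h): 384-byte little-endian records.
"""
import datetime
import ipaddress
import struct

# ut_type (short, padded to 4), ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit{e_termination, e_exit}, ut_session (int32),
# ut_tv{tv_sec, tv_usec} (int32 each), ut_addr_v6[4] (16 bytes), unused[20].
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

UT_TYPES = {
    0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
    5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
    8: "DEAD_PROCESS", 9: "ACCOUNTING",
}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded char[] field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(raw: bytes) -> str:
    """ut_addr_v6 holds an IPv4 in the first 4 bytes, otherwise a full IPv6."""
    if raw == b"\0" * 16:
        return ""
    if raw[4:] == b"\0" * 12:
        return str(ipaddress.IPv4Address(raw[:4]))
    return str(ipaddress.IPv6Address(raw))


def parse_utmp(data: bytes) -> list:
    """Return one dict per record; raises on a truncated file."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"{len(data)} bytes is not a multiple of {UTMP_SIZE}")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, e_term, e_exit,
         _session, sec, _usec, addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": UT_TYPES.get(ut_type, f"UNKNOWN({ut_type})"),
            "pid": pid,
            "line": _cstr(line),
            "id": _cstr(ut_id),
            "user": _cstr(user),
            "host": _cstr(host),
            "exit": (e_term, e_exit),
            "time": datetime.datetime.fromtimestamp(sec, tz=datetime.timezone.utc),
            "addr": _addr(addr),
            # An all-zero record in an append-only wtmp is the footprint
            # left by log "cleaners" that overwrite a login entry in place.
            "zeroed": data[off:off + UTMP_SIZE] == b"\0" * UTMP_SIZE,
        })
    return records


def find_zeroed_records(records: list) -> list:
    """Indices of wiped entries. Heuristic for wtmp/btmp; utmp legitimately
    reuses EMPTY slots, so do not apply it to /var/run/utmp."""
    return [i for i, r in enumerate(records) if r["zeroed"]]


def logins_by_user(records: list) -> dict:
    """user -> [(line, host or addr, time)] for interactive logins."""
    out = {}
    for r in records:
        if r["type"] == "USER_PROCESS" and r["user"]:
            out.setdefault(r["user"], []).append((r["line"], r["host"] or r["addr"], r["time"]))
    return out


def make_record(ut_type, pid, line, ut_id, user, host, sec, addr=b"") -> bytes:
    """Build one record; used only to construct the sample data below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, addr)


# Constructed sample wtmp: boot, a remote login, a wiped record, a console
# login and its logout. 203.0.113.5 is a documentation (TEST-NET-3) address.
_T = 1700000000  # 2023-11-14T22:13:20Z
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "~~", "reboot", "6.1.0", _T),
    make_record(7, 4242, "pts/0", "ts/0", "alice", "203.0.113.5", _T + 60,
                ipaddress.IPv4Address("203.0.113.5").packed),
    b"\0" * UTMP_SIZE,
    make_record(7, 4300, "tty1", "tty1", "bob", "", _T + 120),
    make_record(8, 4300, "tty1", "tty1", "", "", _T + 900),
])

if __name__ == "__main__":
    recs = parse_utmp(SAMPLE_WTMP)
    for i, r in enumerate(recs):
        print(i, r["type"], r["user"], r["line"], r["host"], r["addr"], r["time"].isoformat())
    print("zeroed records:", find_zeroed_records(recs))
    print("logins:", logins_by_user(recs))
```

Run it against a real file with `parse_utmp(open("/var/log/wtmp", "rb").read())`; btmp (failed logins) uses the same layout. The `zeroed` heuristic is deliberately narrow: a cleaner that truncates the file or rewrites it without the target record leaves no zero block, and catching that needs the inode/size telemetry from the "Files" category rather than the log contents.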

exeronn commented 1 year ago

I thought I'd try & get this started by mapping out SysmonForLinux & seeing how it fits in with a hybrid of the current mapping for Windows & the suggestions from @craighrowland.

There was more initial overlap than I thought there would be, if we abstract things like "Services" to include systemd or service in Linux & similar for scheduled tasks. I'm very much taking the Windows one as the lead & I'm thinking items like file attributes, creation times, etc. might be Yes/Partial/No requirements rather than fields.

We also need to think if we want to include some more specific but common data feeds such as AppArmor & SELinux. I briefly looked at the evented tables in OSQuery to get an idea for other data sets.

LinuxEDR-v0.csv

I added the evidence for SysmonForLinux to https://github.com/exeronn/Linux-Detection/tree/main/Sysmon/EventTypes - so we can fill it out in the pull request once we've got a way of doing it.

For reference the partials are:

- Process Access: It only looks to include ptrace events
- File Read: This may be better as a no, currently it's only raw read access that shows up in this
- Tampering: You can see config changes