tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

Symantec SES Complete EDR #42

Closed idev closed 6 months ago

idev commented 10 months ago

Pull Request Template

Description

Please provide the below information so we can validate before merging:

  1. Does the proposed EDR feature align with our definition of telemetry? (definition here)
  2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)
  3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

1: (Yes)
2: (Documentation is available here: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud.html; but the Event Field description is private)
3: (If necessary I can provide screenshots)

Type of change

Please delete options that are not relevant.

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Test Configuration:

Checklist:

Don't stress yourself out, just answer the above to the best of your ability and we can discuss in the comments 🙂

Please note that Symantec SES Complete utilizes the classical Symantec Agent (SEPM, with Application Device Control, AV Signatures, ...) and extends it with a Cloud Console and EDR features.

tsale commented 9 months ago

Hello @idev , and thank you very much for this contribution 🙏. I visited the link that you have with the documentation, but it doesn't provide specific event fields or categories with the telemetry that this EDR makes available to the customers.

Could you please provide evidence for this submission, either privately or in this PR?

idev commented 9 months ago

Can share evidence privately, how can I share?

idev commented 9 months ago

Maybe also these links help:

inodee commented 9 months ago

@idev do you have screenshots to share in priv? What's the content about? Happy to review it.

idev commented 9 months ago

Did you have a look at the shared links above? These should answer most of your questions. If needed, I could share screenshots of policies / settings / data models, depending on your needs.

tsale commented 7 months ago

Thanks @idev, those links from above are very helpful. I'm reviewing this and will either merge or ask any questions here shortly.

tsale commented 7 months ago

@idev, could you please provide an explanation on the "Partially 🟧" events? We need to document the reason. Thanks 🙏

idev commented 7 months ago

@tsale, I'll try to describe in the following why I chose partially:

- "Sub-Category":"URL" - depends on Firewall / IPS settings / policy; if only IPS is enabled, URL will only log malicious connections, but not clean connections.
- "Sub-Category":"DNS Query" - the "DNS Query Event" is not general logging of DNS queries, only on suspicious / malicious process behaviour.
- "Sub-Category":"File Downloaded" - there is no "file downloaded" event; a file download has to be identified via a browser process and a file created / file modified action.
- Regarding WMI: SES has a WMI Response Event and a WMI Instance Object. The WMI Response Event describes: unknown, blocked, allowed, no action, logged, command script, uncorrected, delayed, deleted, quarantined, restored, detected. Details: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Alerts-and-Events/investigation-page-overview-v134374740-d38e87486/edr-event-detection-types-and-descriptions-v134600024-d38e88380.html (Event ID 8015) and https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-security/sescloud/Endpoint-Detection-and-Response/About-Incidents/detecting-the-lateral-movement-of-incidents.html

Hope this helps.

tsale commented 6 months ago

Thanks @idev. Based on what you mentioned earlier about the partially implemented categories, I will remove the DNS query and file download and mark them as not implemented. The reason for this is that we require the telemetry to exist by default or by enabling additional telemetry via the EDR settings/policy. It's important to note that we don't want the events to be triggered by a detection.

Regarding the Bitjobs category, I could not find any related documentation for that telemetry. Therefore, I will also change it to not implemented.