tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.
1.52k stars 147 forks

update Elastic telemetry based on evidence in public rules repos #54

Closed jdu2600 closed 6 months ago

jdu2600 commented 6 months ago

Description

Please provide the below information so we can validate before merging:

  1. Does the proposed EDR feature align with our definition of telemetry?
  2. Could you please provide documentation to support the telemetry you are proposing?

1: Yes
2: Yes

Elastic includes 12 Scheduled Task and 12 Windows Service rules out of the box. The raw telemetry is the low-level file and registry events associated with this activity.
https://github.com/search?q=repo%3Aelastic%2Fprotections-artifacts%20%22T1053.005%22&type=code
https://github.com/search?q=repo%3Aelastic%2Fprotections-artifacts%20%22T1543.003%22&type=code

Elastic also includes 1 Local Account rule out of the box. The raw telemetry for this is the Windows EventLog collection from Elastic agent (winlogbeat) - but this integration must be enabled by the user.
https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_user_account_creation_event_logs.toml


tsale commented 6 months ago

Thank you for taking the time to create this PR @jdu2600!

This was considered the initial commit for Elastic. However, this does not align with the purpose of this project because one would have to enable the ingesting of Windows event logs on the end host for many of those Windows events, as they don't come by default. In addition, one would have to enable the feature of ingesting these logs to their elastic instance. On other EDRs, the vendor generates the telemetry by enabling the Windows event logs necessary. The user does not have to intervene to do anything.

jdu2600 commented 6 months ago

So it should be Via EnablingTelemetry then? (change pushed)

And the telemetry for both Scheduled Tasks and Windows Services is enabled by default though.

tsale commented 6 months ago

Thanks @jdu2600. The thing is that they don't collect the telemetry by default. The user must go and enable the event logs to be ingested. Ideally, we would need two separate entries for it: Via EventLogs and Via EnablingTelemetry. This is why I say it might not be applicable to this project. I'll have to think about this a bit more but feel free to comment back and we can discuss.

jdu2600 commented 6 months ago

Ah. So are you saying that other vendors explicitly adjust the host's audit policy?

Or are you saying that Elastic's flexibility with respect to EventLog collection is considered a negative? And that you want an explicit toggle in the UI for 'Local Account Activity' events rather than the ability to collect arbitrary EventLogs?

tsale commented 6 months ago

Yes, a combination of those two things you just mentioned. I'm as conflicted as the first time we discussed this upon the initial commit. I just want to be fair and that's a fine line. I don't know. @inodee, what do you say on this?

jdu2600 commented 6 months ago

Given that User Account Management Audit is enabled by default on Windows, there is nothing for the user to do with respect to the first point.

Over to you on the second though. I can see your point re: usability and that Elastic might perhaps offer a simpler 'default' setting for security-relevant EventLog configuration. Though a counterpoint is that many teams would prefer the flexibility currently offered. 😃
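The two claims under discussion (the Scheduled Task and Service telemetry is file and registry activity that exists on every host; the Local Account telemetry is Security event 4720, which exists only if the "User Account Management" audit subcategory is on) can both be checked on a test host. The following PowerShell is an added example written for this page; it is not code from the EDR-Telemetry project, from this PR, or from Elastic. It assumes an elevated session, the standard task and service locations under `%SystemRoot%\System32\Tasks`, `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache` and `HKLM\SYSTEM\CurrentControlSet\Services`, and that the local-account rule keys on event id 4720 (an assumption about the rule; the event id itself is the documented Windows "A user account was created" event). It does not tell you whether the agent forwards anything, only whether the raw telemetry is present on the host.

```powershell
# Added example, not part of the EDR-Telemetry repo, this PR, or Elastic.
# Run elevated on the Windows host under evaluation.

# 1. Is the audit subcategory that produces 4720 actually enabled?
#    Windows enables "User Account Management" (Success) by default, but
#    group policy can disable it, in which case no collector will ever see 4720.
function Test-UserAccountManagementAudit {
    $out  = auditpol /get /subcategory:"User Account Management" 2>&1
    $line = $out | Where-Object { $_ -match 'User Account Management' }
    if (-not $line) { throw 'auditpol returned nothing; run this from an elevated session.' }
    # The setting column reads "Success", "Failure", "Success and Failure" or "No Auditing".
    return [bool]($line -match 'Success')
}

# 2. The raw EventLog telemetry behind the local-account rule (assumed: 4720).
#    Rows here prove the event is written locally; whether it reaches Elastic
#    depends on the agent's Windows event log integration, which this cannot see.
function Get-RecentAccountCreations {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read named fields from the event XML rather than relying on positional indexes.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time       = $_.TimeCreated
            NewAccount = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CreatedBy  = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    }
}

# 3. The file and registry artifacts behind scheduled task and service creation.
#    An EDR that watches these locations needs no audit policy or log forwarding;
#    a before/after snapshot shows exactly what such a sensor would have to catch.
function Get-PersistenceSnapshot {
    $tasks = Get-ChildItem "$env:SystemRoot\System32\Tasks" -Recurse -File -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty FullName
    $cache = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree' -Recurse -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Name
    $svcs  = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty PSChildName
    [pscustomobject]@{ TaskFiles = @($tasks); TaskCacheKeys = @($cache); ServiceKeys = @($svcs) }
}

function Compare-PersistenceSnapshot {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    foreach ($kind in 'TaskFiles', 'TaskCacheKeys', 'ServiceKeys') {
        # Anything present after but not before is a new task/service artifact.
        $After.$kind | Where-Object { $Before.$kind -notcontains $_ } | ForEach-Object {
            [pscustomobject]@{ Kind = $kind; Added = $_ }
        }
    }
}

# Usage:
"User Account Management audit enabled: $(Test-UserAccountManagementAudit)"
Get-RecentAccountCreations -Hours 24 | Format-Table -AutoSize

$before = Get-PersistenceSnapshot
# ... register a test task or service here (schtasks.exe /create, sc.exe create) ...
$after  = Get-PersistenceSnapshot
Compare-PersistenceSnapshot -Before $before -After $after | Format-Table -AutoSize
```

The snapshot diff is deliberately crude (names only, no timestamps) because registry keys do not expose a last-write time from PowerShell without P/Invoke; it is enough to confirm which file and key an EDR's file/registry sensor must observe for a given task or service creation.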

LaZyDK commented 6 months ago

Should we have the category called "Optional Telemetry"?

tsale commented 6 months ago

I don't think we need to introduce more categories lol. I was waiting for Alex to respond but looks like he's busy so I think we should go ahead and approve this. It would make much sense as the telemetry is already enabled by default. I will go ahead and give it a final review later today and approve these fixes.

jdu2600 commented 6 months ago

Modify it to Via EventLogs as discussed

@tsale - Sorry for the confusion. Only the Local Account telemetry is via the EventLog.
The Scheduled Task and Service telemetry is via the underlying file & registry activity.