Closed jdu2600 closed 6 months ago
Thank you for taking the time to create this PR @jdu2600!
This was considered the initial commit for Elastic. However, this does not align with the purpose of this project because one would have to enable the ingesting of Windows event logs on the end host for many of those Windows events, as they don't come by default. In addition, one would have to enable the feature of ingesting these logs to their elastic instance. On other EDRs, the vendor generates the telemetry by enabling the Windows event logs necessary. The user does not have to intervene to do anything.
So it should be Via EnablingTelemetry then? (change pushed)
And the telemetry for both Scheduled Tasks and Windows Services is enabled by default though.
Thanks @jdu2600. The thing is that they don't collect the telemetry by default. The user must go and enable the event logs to be ingested. Ideally, we would need two separate entries for it: Via EventLogs and Via EnablingTelemetry. This is why I say it might not be applicable to this project. I'll have to think about this a bit more but feel free to comment back and we can discuss.
Ah. So are you saying that other vendors explicitly adjust the host's audit policy?
Or are you saying that Elastic's flexibility with respect to EventLog collection is considered a negative? And that you want an explicit toggle in the UI for 'Local Account Activity' events rather than the ability to collect arbitrary EventLogs?
Yes, a combination of those two things you just mentioned. I'm as conflicted as the first time we discussed this upon the initial commit. I just want to be fair and that's a fine line. I don't know. @inodee, what do you say on this?
Given that User Account Management Audit is enabled by default on Windows, there is nothing for the user to do with respect to the first point.
Over to you on the second though. I can see your point re: usability and that Elastic might perhaps offer a simpler 'default' setting for security-relevant EventLog configuration. Though a counterpoint is that many teams would prefer the flexibility currently offered. 😃
Should we have the category called "Optional Telemetry"?
I don't think we need to introduce more categories lol. I was waiting for Alex to respond but looks like he's busy so I think we should go ahead and approve this. It would make much sense as the telemetry is already enabled by default. I will go ahead and give it a final review later today and approve these fixes.
Modify it to Via EventLogs as discussed
@tsale - Sorry for the confusion. Only the Local Account telemetry is via the EventLog.
The Scheduled Task and Service telemetry is via the underlying file & registry activity.
Description
Please provide the below information so we can validate before merging:
1: Yes 2: Yes
Elastic includes 12 Scheduled Task and 12 Windows Service rules out of the box. The raw telemetry is the low-level file and registry events associated with this activity. https://github.com/search?q=repo%3Aelastic%2Fprotections-artifacts%20%22T1053.005%22&type=code https://github.com/search?q=repo%3Aelastic%2Fprotections-artifacts%20%22T1543.003%22&type=code
Elastic also includes 1 Local Account rule out of the box. The raw telemetry for this is the Windows EventLog collection from Elastic agent (winlogbeat) - but this integration must be enabled by the user. https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_user_account_creation_event_logs.toml