Console logs category

[mthcht]

Is it possible to add a "console" category for logs generated through actions performed on the EDR console? This category could include:

• User login attempts: Successful/Failed
• Remote Commands/Shell executed on endpoint agents by logged-in users
• User management: creation, modification, and deletion
• MFA operations: enabling and disabling

[inodee]

Hey @mthcht, that's interesting. I would definitely monitor those when available.

Perhaps we should evaluate an "EDR Management Activity" as distinct category. However, the initial focus is on the logs generated by the agent deployed to target monitored endpoints, not on the overall EDR platform.

How many products you know already provide at least 2 of those 'subs' assuming that would fall into a wider category?

I will let @tsale provide his comments as well.

[mthcht]

Hey @mthcht, that's interesting. I would definitely monitor those when available.

Perhaps we should evaluate an "EDR Management Activity" as distinct category. However, the initial focus is on the logs generated by the agent deployed to target monitored endpoints, not on the overall EDR platform.

How many products you know already provide at least 2 of those 'subs' assuming that would fall into a wider category?

I will let @tsale provide his comments as well.

ok makes sense, i have and monitor these logs for sentinelone and crowdstrike, i am not sure for the others EDR solutions.

[tsale]

Although it would be useful, I am not sure if these type of logs is something that needs to be included in this project, agree with @inodee. I'll close this for now and we can re-evaluate in the future if we find the need. Thanks for this suggestions tho @mthcht!