Possible "via Event Logs" Categorization Issue

[MarDeus]

I wanted to inquire about the usage of "via Event Logs" within the EDR Telemetry Table. Specifically how one EDR could support the ingestion of a Windows Event Log for a sub-category, but another sub-category that other EDRs allow for "via Event Logs", can't be ingested?

For instance, Elastic EDR shows within the Telemetry Feature Category field that "User Account Activity" can be collected via Windows Event Logs. However, for the Sub-Category "Driver Unloaded", you show "No", although for Uptycs, you show it accomplishes it "via Event Logs". I was wondering what the difference could be considering both show the capability for Event Log ingestion, but only one EDR has the capability marked "via Event Logs".

Another Telemetry Feature Category for Elastic is "WMI Activity". Qualys shows the capability to use "via Windows Event Logs". Wouldn't this replicate across any EDR that has Event Log ingestion capabilities?

[joshlemon-uptycs]

For Uptycs, it pulls the Event log into the platform and stores it once the Driver Unloaded Event occurs in the Event Logs. I'm unsure about Elasic, but it may not be counted if Elasitc doesn't pull that Event ID into their EDR.

[MarDeus]

There is truth to be had that I am considering Elasticsearch Filebeat capabilities in tandem with ElasticEDR, but I believe that is ElasticEDRs main forwarder? Again, could be wrong, but just my observation.

[MarDeus]

Filebeat's capabilities entail forwarding ANY event logs you target within your xml configuration. Including Windows Service application logs, etc.