The good people at Microsoft contributed to Zeek to make it compilable on Windows, and they now include it as an optional log source in MDE.
This is a great move, since EDRs lack this kind of visibility on the network level (most of them just provide netflow-like data, some provide more such as DNS and some HTTP info), but Zeek on the endpoint, in the case of MDE, is super good for visibility, even better than an NDR appliance.
Because an NDR appliance, for example:
1. doesn't give visibility over everything (horizontal traffic in the same subnet crosses over the switch and usually doesn't arrive at the NDR, and most NDRs will drop stuff if traffic is high and are practically deployed only based on avg. consumption).
2. endpoints out of your network will not pass through the NDR, so Zeek on the endpoint would give you that visibility.
All in all, MDE is actually much better than CrowdStrike when configured to log the missing logs through native logging, but with Zeek on the endpoint enabled it is much better, and CrowdStrike doesn't have a similar option, even though it is relatively simple to integrate Zeek into any EDR.
I hope vendors will move to adding Zeek to their EDR by default, and by adding a section for this kind of detailed metadata from Zeek it will show the value this addition brings (currently only to MDE).
Thanks!
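To make the visibility argument in the post concrete, here is an added example (not code from the post, from Microsoft, or from the Zeek project) that reads endpoint-sourced Zeek `conn.log` records and labels each one by whether a network-tap NDR at the subnet boundary would also have seen it. The subnet list, the log lines and the assumption that the tap only sees traffic crossing between the listed subnets are all constructed for the example; real NDR placement varies.

```python
"""Classify endpoint-sourced Zeek conn.log records by whether a boundary
NDR tap would also have seen them.  Constructed example: subnets and log
lines are made up, and the tap model (sees only traffic that crosses
between monitored subnets) is an assumption, not a statement about any
product."""
import ipaddress
from collections import Counter

# Assumption: address ranges behind the NDR tap.  Hosts outside these ranges
# are treated as roaming endpoints that only endpoint Zeek can observe.
MONITORED_SUBNETS = [
    ipaddress.ip_network("10.1.0.0/24"),
    ipaddress.ip_network("10.2.0.0/24"),
]

# Constructed Zeek conn.log excerpt, in the TSV layout Zeek writes
# (a '#fields' header names the columns; other '#' lines are metadata).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1700000001.000000\tCabc1\t10.1.0.15\t49152\t10.1.0.20\t445\ttcp\tsmb\tSF
1700000002.000000\tCabc2\t10.1.0.15\t49153\t203.0.113.8\t443\ttcp\tssl\tSF
1700000003.000000\tCabc3\t192.168.50.4\t49154\t203.0.113.9\t443\ttcp\tssl\tSF
1700000004.000000\tCabc4\t10.2.0.7\t3389\t10.1.0.15\t49155\ttcp\t-\tS0
#close\t2023-11-14-22-13-24
"""


def parse_conn_log(text):
    """Parse Zeek TSV log text into dicts keyed by the '#fields' header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines
        if fields is None:
            raise ValueError("data row seen before a #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def subnet_of(ip):
    """Return the monitored subnet containing ip, or None if it is outside."""
    addr = ipaddress.ip_address(ip)
    for net in MONITORED_SUBNETS:
        if addr in net:
            return net
    return None


def ndr_visibility(rec):
    """Label one connection by what a boundary tap would see (assumed model)."""
    orig_net = subnet_of(rec["id.orig_h"])
    resp_net = subnet_of(rec["id.resp_h"])
    if orig_net is None and resp_net is None:
        return "off-network"   # roaming endpoint: only endpoint Zeek sees it
    if orig_net is not None and orig_net == resp_net:
        return "intra-subnet"  # switched locally, never reaches the tap
    return "boundary"          # crosses between subnets: the NDR sees it


def summarize(text):
    """Return (Counter of labels, list of (uid, label)) for a conn.log text."""
    labelled = [(r["uid"], ndr_visibility(r)) for r in parse_conn_log(text)]
    return Counter(label for _, label in labelled), labelled


if __name__ == "__main__":
    counts, labelled = summarize(SAMPLE_CONN_LOG)
    for uid, label in labelled:
        print(f"{uid}\t{label}")
    print(dict(counts))
```

Run against the constructed sample, two of the four connections (the same-subnet SMB session and the roaming endpoint's TLS session) fall outside what the assumed boundary tap sees, which is exactly the gap endpoint-side Zeek logs fill.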