
Better document what the subparts of Elastic Defend mean #3186

@111andre111

Description


At this time there is a lack of information on what exactly is meant by the subparts of Elastic Defend:
https://www.elastic.co/guide/en/security/master/configure-endpoint-integration-policy.html#event-collection

We should add some more information on what exactly we mean by Event collection. What does that mean from an Endpoint perspective?
I would review the following subparts as a first start:

  • Ransomware Protection
  • Memory threat protection
  • Malicious behaviour detection
  • Event Collection
    • Credential Access
    • DLL and Driver Load
    • DNS
    • File
    • Network
    • Process
    • Registry
    • Security

Especially for the latter: what does e.g. a File event mean under Windows, Linux or macOS respectively?

^^ @jmikell821


Labels

  • Effort: Large (Issues that require significant planning, research, writing, and testing)
  • Feature: Elastic Defend
  • Priority: Medium (Issues that have relevance, but aren't urgent)
  • Team: EDR Workflows (Formerly Defend Workflows, Onboarding and Lifecycle Management)
  • Team: Endpoint (Endpoint related issues)
  • v8.8.0
