
Review Linux and macOS rules for Endgame compatibility

Open Mikaayenson opened this issue 3 years ago • 3 comments

Description

Review rules for Endgame compatibility and add index.

  • Create an endgame stack for testing purposes.
  • Check datasets and make sure our rule query aligns.
  • Check the fields in the query to make sure the field is available in the endgame event.
  • Document differences between the Endgame dataset and Endpoint dataset if any appear.

cc @DefSecSentinel @Samirbous @w0rk3r @shashank-elastic

Mikaayenson avatar Oct 18 '22 19:10 Mikaayenson
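The two middle checklist items (confirm that every field a rule queries actually exists in the Endgame event, and document where the Endgame and Endpoint datasets differ) can be mechanised. The script below is an added example, not code from the detection-rules repository or from anyone in this thread. It strips string literals from an EQL query, collects the dotted field names that remain, and reports which of them are absent from a given event schema; the two schemas and the sample rule query are constructed, hypothetical subsets used only for illustration, not the real Endgame or Endpoint field lists.

```python
import re

# Constructed, hypothetical subset of the fields present in an Endgame process
# event. This is NOT the real Endgame schema; it stands in for the field list
# a reviewer would pull from a test Endgame stack.
ENDGAME_PROCESS_FIELDS = {
    "event.category", "event.type", "event.action", "event.dataset",
    "process.name", "process.executable", "process.args", "process.pid",
    "process.parent.name", "process.parent.executable",
    "user.name", "host.os.type",
}

# Constructed, hypothetical subset of the fields present in an Elastic Endpoint
# process event (again an assumption, not the real schema). It is a superset of
# the Endgame set so the diff below has something to report.
ENDPOINT_PROCESS_FIELDS = ENDGAME_PROCESS_FIELDS | {
    "process.command_line", "process.hash.sha256",
    "process.code_signature.trusted", "process.Ext.ancestry",
}

# Double-quoted EQL string literals, with backslash escapes handled, so that
# values such as "evil.sh" are not mistaken for dotted field names.
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')

# Dotted identifiers (at least one dot) are the ECS-style field references in
# an EQL/KQL query; bare words such as "process", "where", "and" are not matched.
FIELD_RE = re.compile(r"\b[a-zA-Z_]\w*(?:\.[a-zA-Z_]\w*)+\b")


def extract_fields(query: str) -> set[str]:
    """Return the set of dotted field names referenced by a query."""
    stripped = STRING_RE.sub('""', query)
    return set(FIELD_RE.findall(stripped))


def missing_fields(query: str, schema: set[str]) -> list[str]:
    """Fields the query references that the given event schema does not provide."""
    return sorted(extract_fields(query) - schema)


def schema_diff(left: set[str], right: set[str]) -> tuple[list[str], list[str]]:
    """(only_in_left, only_in_right): the material for the 'document differences' step."""
    return sorted(left - right), sorted(right - left)


# Constructed sample rule query (not a rule from the repository). It deliberately
# uses process.command_line, which the hypothetical Endgame event lacks.
SAMPLE_QUERY = (
    'process where event.type == "start" and host.os.type == "linux" and '
    'process.name == "bash" and process.command_line : "*nc *" and '
    'process.parent.name != "evil.sh"'
)

if __name__ == "__main__":
    print("Fields referenced:", sorted(extract_fields(SAMPLE_QUERY)))
    print("Missing in Endgame:", missing_fields(SAMPLE_QUERY, ENDGAME_PROCESS_FIELDS))
    print("Missing in Endpoint:", missing_fields(SAMPLE_QUERY, ENDPOINT_PROCESS_FIELDS))
    only_endgame, only_endpoint = schema_diff(ENDGAME_PROCESS_FIELDS, ENDPOINT_PROCESS_FIELDS)
    print("Only in Endgame:", only_endgame)
    print("Only in Endpoint:", only_endpoint)
```

A rule whose `missing_fields` list is non-empty for the Endgame schema can never match Endgame telemetry and would need a rewrite (or a separate Endgame-only variant) before the Endgame index is added to it; the `schema_diff` output is the starting point for the "document differences" item. The regex approach is intentionally simple and assumes double-quoted string literals; a production check would use a real EQL/KQL parser and the schema exported from an actual Endgame test stack.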

@Aegrah If you already did this on the Linux side, then maybe we should rename/scope this issue for macOS only so @DefSecSentinel can pick it up as BAU?

Mikaayenson avatar Jun 13 '24 12:06 Mikaayenson

@Mikaayenson I did this a few months ago, but many new rules were introduced since then, so some inconsistencies might have slipped through. It's never bad to check. It would make sense to bucket this with a full round of DR tuning, which would only make sense in about 2-3 weeks, since 20-ish rules got pushed in the last 3 weeks that should first gather some telemetry.

Aegrah avatar Jun 13 '24 15:06 Aegrah

@w0rk3r did a great job also adding Endgame compatibility to the Linux rules in his 3rd party EDR initiative Meta: https://github.com/elastic/security-team/issues/8029#issuecomment-2578900206. Linux should, after merging all of these in, be g2g in terms of the endgame compatibility.

We may either close this out, or scope it specifically for macOS. @Mikaayenson

Aegrah avatar Jan 09 '25 08:01 Aegrah