Living off the Land Detection - Update supported data [Investigation] #9359
Comments
After following up with @susan-shu-c and @sodhikirti07, it turns out this isn't an issue. Elastic Defend provides
@sodhikirti07 verified that Elastic Defend was working with the integration.
Thanks for testing! As for updating documentation wording, it seems that we can say that we support
@susan-shu-c That's a good point, the agent integrations aren't mentioned in https://github.com/elastic/security-team/issues/8774, only checking if a package conforms to ECS. So you're right, it wouldn't fall under #8774. This ticket is a good place to start for testing agent integrations; along the way I would suggest writing some team documentation on this process for repeatability. After this we could also check how
Lastly, we could consider providing system tests for the common data stream providers (i.e.
It was difficult to get the Elastic Windows Agent up and running. Thank you @sodhikirti07 for the help today and Friday! A couple of the older guides no longer work for this purpose. Here is a list of everything I tried:
If the approach in 4 sends the correct data there are two other things I can try:
Thanks for sharing these points! Notes from meeting:
I was able to gather some sample logs from the Windows integration, along with a log to compare with from Elastic Defend.
The inference pipeline of Living off the Land works fine with the Windows integration using sysmon. Looking into updates to the documentation.
@susan-shu-c For one last sanity check, I compared the three results from the different records above and now I'm not so sure this is a good idea without further investigation. In all three tests I launched
Edit: see below
Added a more rigorous test (under "Test on live data from Elastic integrations") and I was able to collect the results from the same run of
Now the predictions are returning similar results, however there are still two differences:
Hi Gus, so it seems like we can't simply claim that it'll work with Windows Agent (Elastic Agent) due to some of these differences. Thanks a lot for finding them! I think we can close this ticket for now. Next steps: I'm currently reaching out to people working on Windows Agent to see who I can track down to answer if these differences are intentional; and what we need to keep in mind if we go down the route of supporting Windows Agent. I'll keep you in the loop once I get any info.
Thanks @susan-shu-c !
Overview
For the ProblemChild (Living off the land detection) integration package, look into support for Elastic agent - Windows, aka Windows agent integration.
Currently the package explicitly supports `winlogbeat` and `Elastic Defend`.
`Elastic Defend` (see discussion below): `user.id` is inconsistent between `string` and `int`, while the package expects `string`, leading to errors when the `user.id` type is `int`.
Windows agent integration coverage is the same as, if not more than, winlogbeat, and we should consider testing the indices the package looks at to support integrations including (but not limited to) agent. This includes testing, updating documentation wording, and editing the package if needed.
[Update] Found differences in featurization and PowerShell records (see more info); so will not claim to support Windows Agent until we understand more.
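The `user.id` type mismatch described in the overview (string from one source, int from another, while the package expects a string) is the kind of thing worth checking on sample documents before wiring a new data stream into the inference pipeline. The script below is an added example, not code from the ProblemChild package or the Elastic repositories: it counts the types seen for `user.id` across a set of constructed ECS-style documents, lists the offending ones, and coerces the field to a string. The sample documents, the handling of flattened `user.id` keys, and the decision to render an integer id in decimal are assumptions made for the example.

```python
"""Type check and normalisation for the ECS `user.id` field across event sources.

Added example (not code from the ProblemChild / Living off the Land package).
The package expects `user.id` to be a string; some sources emit it as an int.
"""
import copy
from typing import Any, Dict, Iterable, List, Optional

EXPECTED_TYPE = str  # assumption: the package wants user.id as a keyword/string

# Constructed sample documents, not real captures from any integration.
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {"event": {"category": "process"}, "user": {"id": "S-1-5-18"},
     "process": {"name": "powershell.exe"}},              # string, as expected
    {"event": {"category": "process"}, "user": {"id": 1001},
     "process": {"name": "cmd.exe"}},                     # int: the reported mismatch
    {"event": {"category": "process"}, "user.id": "S-1-5-21-1",
     "process": {"name": "rundll32.exe"}},                # flattened dotted key (assumed layout)
    {"event": {"category": "process"},
     "process": {"name": "mshta.exe"}},                   # field missing entirely
]


def get_field(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Return the value at a dotted ECS path, accepting nested or flattened keys."""
    if path in doc:
        return doc[path]
    node: Any = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def set_field(doc: Dict[str, Any], path: str, value: Any) -> None:
    """Write `value` at a dotted path, keeping whichever layout the doc already uses."""
    if path in doc:
        doc[path] = value
        return
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def user_id_types(docs: Iterable[Dict[str, Any]]) -> Dict[str, int]:
    """Count the Python types observed for user.id.

    More than one non-missing type in the result is the inconsistency the issue
    describes; the pipeline will choke on whichever type it did not expect.
    """
    counts: Dict[str, int] = {}
    for doc in docs:
        value = get_field(doc, "user.id")
        name = "missing" if value is None else type(value).__name__
        counts[name] = counts.get(name, 0) + 1
    return counts


def offending_docs(docs: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the docs whose user.id is present but not of the expected type."""
    bad = []
    for doc in docs:
        value = get_field(doc, "user.id")
        if value is not None and not isinstance(value, EXPECTED_TYPE):
            bad.append(doc)
    return bad


def normalize_user_id(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `doc` with user.id coerced to a string.

    An int is rendered in decimal (an assumption made here, not what the
    package or an ingest pipeline does). A missing field is left missing so the
    caller can decide whether to drop the event rather than invent an id.
    """
    out = copy.deepcopy(doc)
    value = get_field(out, "user.id")
    if value is not None and not isinstance(value, EXPECTED_TYPE):
        set_field(out, "user.id", str(value))
    return out


if __name__ == "__main__":
    print("before:", user_id_types(SAMPLE_DOCS))
    print("offending:", [d["process"]["name"] for d in offending_docs(SAMPLE_DOCS)])
    fixed = [normalize_user_id(d) for d in SAMPLE_DOCS]
    print("after:", user_id_types(fixed))
```

Run it against a few hundred documents pulled from each data stream the package is meant to support; a result with both `str` and `int` present is the signal to either fix the mapping at ingest time or normalise before featurization, and the `missing` count tells you how many events would carry no user id at all.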