
Conversation

@jonade
Contributor

@jonade jonade commented Nov 10, 2025

EDR Telemetry Pull Request

Contribution Details

Telemetry Validation

Documentation or Evidence:

  • Official documentation (link: )
  • Screenshots attached
  • Sanitized logs provided
  • Private documentation (will share confidentially)

Type of Contribution

  • Adding telemetry information for an existing EDR product
  • Adding a new EDR product that meets eligibility criteria
  • Proposing new event categories/sub-categories
  • Documentation improvement
  • Tool enhancement

Validation Details

EDR Product Information

  • EDR Product Name: Defender for Endpoint
  • EDR Version: 1.1.25100.9002 (Win) / 1.1.25090.6000 (Linux)
  • Operating System(s) Tested: Windows 11 24H2, Ubuntu 24.04

Testing Methodology

Using the Windows / Linux testing script(s)

  • Running Set-MpPreference -DisableRealtimeMonitoring $true shows in the timeline view
    [screenshot]
  • Running the test script to create/modify/delete a service displays the events in the timeline view
    [screenshot]

Additional Notes

@tsale
Owner

tsale commented Nov 10, 2025

Hi @jonade , thanks again for another contribution to this project! 🙏

QQ - I assume that these events are not searchable through the search query so they’ll be marked down as “partially”. Could you please confirm?

@jonade
Contributor Author

jonade commented Nov 11, 2025

@tsale I always struggle to decide what qualifies as a Yes, and what as a Partial, when it comes to the AH queries (despite the FAQ), so I tried to follow existing telemetry as guidance.

For the agent stop, it appears in multiple tables, DeviceEvents for the PowerShell command and WMI calls, and DeviceRegistryEvents for the modification of the setting that resulted.

For the Service Modification, the events show in AH due to writing the service files, but I guessed this wouldn't meet the threshold.
[screenshot]

@tsale
Owner

tsale commented Nov 11, 2025

> @tsale I always struggle to decide what qualifies as a Yes, and what as a Partial, when it comes to the AH queries (despite the FAQ), so I tried to follow existing telemetry as guidance.
>
> For the agent stop, it appears in multiple tables, DeviceEvents for the PowerShell command and WMI calls, and DeviceRegistryEvents for the modification of the setting that resulted.
>
> For the Service Modification, the events show in AH due to writing the service files, but I guessed this wouldn't meet the threshold. [screenshot]

Thanks for sharing this, and that’s a fair interpretation. For the Service Modification, you’re right that writing the service file under /etc/systemd/system/ shows up in AH due to file operations, but that alone wouldn’t qualify as implemented. To count as a Yes, we expect the product to capture the actual systemd or service configuration change event, not just the file write activity.

For a Partial label, we’re only looking for telemetry that directly represents the service modification action, such as a record showing a configuration change or systemd update. File creation or deletion events, even if part of the process, don’t qualify since they reflect generic file operations rather than the actual service modification.

Appreciate you double-checking and keeping the interpretation consistent across categories, it’s one of the trickier ones.
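The thread above describes two things in prose: where the agent-stop action lands in advanced hunting (DeviceEvents for the PowerShell command, DeviceRegistryEvents for the resulting setting change) and the rule for rating service modification (only a dedicated service-change event counts; unit-file writes under /etc/systemd/system/ are generic file operations and do not). The following script is an added example, not code from the EDR Telemetry project or from either commenter, that applies both checks to a handful of constructed advanced-hunting rows. Assumptions: the column names follow the Defender for Endpoint advanced hunting schema (Table, DeviceName, ActionType, AdditionalFields, RegistryValueName, RegistryValueData, FolderPath, FileName); the `Source` field marking a row as searchable in AH or visible only in the timeline is invented for this example; `ServiceInstalled` is used as the one dedicated service-change ActionType because it is a documented DeviceEvents ActionType on Windows, and the registry location for DisableRealtimeMonitoring is the one Set-MpPreference is expected to write, not something stated on the page. Device names and file names are made up.

```python
"""Rate EDR telemetry coverage for two categories from the PR discussion.

Added example, not part of the EDR Telemetry project. Sample rows are
constructed; column names follow the MDE advanced hunting schema.
"""
import json

# Constructed sample: one JSON object per line, like a flattened AH export.
# "Source" is an invented field: "AdvancedHunting" = searchable via AH query,
# "Timeline" = visible only in the device timeline view.
SAMPLE_EVENTS = r'''
{"Source":"AdvancedHunting","Table":"DeviceEvents","DeviceName":"win11-lab","ActionType":"PowerShellCommand","AdditionalFields":"{\"Command\":\"Set-MpPreference -DisableRealtimeMonitoring $true\"}"}
{"Source":"AdvancedHunting","Table":"DeviceRegistryEvents","DeviceName":"win11-lab","ActionType":"RegistryValueSet","RegistryKey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection","RegistryValueName":"DisableRealtimeMonitoring","RegistryValueData":"1"}
{"Source":"AdvancedHunting","Table":"DeviceFileEvents","DeviceName":"ubuntu-lab","ActionType":"FileCreated","FolderPath":"/etc/systemd/system/","FileName":"edr-telemetry-test.service"}
{"Source":"AdvancedHunting","Table":"DeviceFileEvents","DeviceName":"ubuntu-lab","ActionType":"FileDeleted","FolderPath":"/etc/systemd/system/","FileName":"edr-telemetry-test.service"}
{"Source":"AdvancedHunting","Table":"DeviceEvents","DeviceName":"win11-lab","ActionType":"ServiceInstalled","FileName":"edr-telemetry-test.exe"}
'''

# ActionTypes that directly represent a service change. ServiceInstalled is a
# documented DeviceEvents ActionType on Windows; a Linux equivalent is not
# named on the page, so this set is deliberately small (assumption).
DIRECT_SERVICE_ACTIONS = {"ServiceInstalled"}


def load_events(text: str) -> list[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def powershell_command(row: dict) -> str:
    """DeviceEvents keeps the PowerShell command text inside the JSON-encoded
    AdditionalFields column; return it, or "" if absent or malformed."""
    try:
        return json.loads(row.get("AdditionalFields") or "{}").get("Command", "")
    except json.JSONDecodeError:
        return ""


def agent_stop_evidence(rows: list[dict], device: str) -> list[str]:
    """Return the AH tables in which disabling real-time monitoring is captured
    for one device: the PowerShell command itself and the registry value it sets."""
    tables = set()
    for r in rows:
        if r.get("DeviceName") != device or r.get("Source") != "AdvancedHunting":
            continue
        cmd = powershell_command(r).lower()
        if (r["Table"] == "DeviceEvents" and "set-mppreference" in cmd
                and "-disablerealtimemonitoring" in cmd and "$true" in cmd):
            tables.add("DeviceEvents")
        # Assumed registry effect of the cmdlet: DisableRealtimeMonitoring = 1.
        if (r["Table"] == "DeviceRegistryEvents"
                and r.get("RegistryValueName") == "DisableRealtimeMonitoring"
                and str(r.get("RegistryValueData")) == "1"):
            tables.add("DeviceRegistryEvents")
    return sorted(tables)


def systemd_unit_file_ops(rows: list[dict], device: str) -> list[str]:
    """Generic file operations on unit files; reported for context only, they
    never raise the rating by themselves."""
    return [r["ActionType"] for r in rows
            if r.get("DeviceName") == device and r.get("Table") == "DeviceFileEvents"
            and str(r.get("FolderPath", "")).startswith("/etc/systemd/system")]


def rate_service_modification(rows: list[dict], device: str) -> str:
    """Yes: a dedicated service-change event is searchable in AH.
    Partial: such an event exists but only in the timeline (not searchable).
    No: only generic file activity (unit-file create/modify/delete) was seen."""
    direct = [r for r in rows
              if r.get("DeviceName") == device
              and r.get("ActionType") in DIRECT_SERVICE_ACTIONS]
    if not direct:
        return "No"
    if any(r.get("Source") == "AdvancedHunting" for r in direct):
        return "Yes"
    return "Partial"


if __name__ == "__main__":
    rows = load_events(SAMPLE_EVENTS)
    for dev in ("win11-lab", "ubuntu-lab"):
        print(dev, "agent stop tables:", agent_stop_evidence(rows, dev))
        print(dev, "unit-file ops (not counted):", systemd_unit_file_ops(rows, dev))
        print(dev, "service modification rating:", rate_service_modification(rows, dev))
```

Running it shows the Windows host with evidence in both DeviceEvents and DeviceRegistryEvents for the agent stop and a Yes for service modification, while the Linux host has only FileCreated/FileDeleted on the unit file and therefore rates No, which is the distinction drawn in the reply above.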
