From 2b9b910a5cda7c108f49938add3025ee57c21fe8 Mon Sep 17 00:00:00 2001 From: Kostas Date: Thu, 12 Dec 2024 17:08:57 -0800 Subject: [PATCH 1/7] Update README.md and compare.py: Adjust EDR scores and improve telemetry descriptions (#96) --- README.md | 118 ++++++++--------------------------------------- Tools/compare.py | 2 +- 2 files changed, 21 insertions(+), 99 deletions(-) diff --git a/README.md b/README.md index 78e2385..04ad768 100644 --- a/README.md +++ b/README.md @@ -58,23 +58,24 @@ For more details, you can refer to the [Pull Request #61](https://github.com/tsa | **No.** | **EDRs** | **Score** | |---------|-----------------------|-----------| -| 1 | CrowdStrike | 37.45 | -| 2 | Uptycs | 35.52 | -| 3 | MDE | 34.8 | -| 4 | Sentinel One | 34.62 | -| 5 | Harfanglab | 32.22 | -| 6 | Cortex XDR | 31.42 | -| 7 | LimaCharlie | 30.7 | -| 8 | Trellix | 30.6 | -| 9 | Qualys | 29.57 | -| 10 | ESET Inspect | 28.1 | -| 11 | Elastic | 28.02 | -| 12 | Cybereason | 25.65 | -| 13 | Symantec SES Complete | 24.3 | -| 14 | Sysmon | 23.2 | -| 15 | WatchGuard | 20.4 | -| 16 | Carbon Black | 20.37 | -| 17 | Trend Micro | 20.3 | +| 1 | CrowdStrike | 37.45 | +| 2 | Uptycs | 35.52 | +| 3 | MDE | 34.8 | +| 4 | Sentinel One | 34.62 | +| 5 | Harfanglab | 32.22 | +| 6 | Cortex XDR | 31.42 | +| 7 | LimaCharlie | 31.2 | +| 8 | Trellix | 30.6 | +| 9 | Qualys | 29.57 | +| 10 | ESET Inspect | 28.1 | +| 11 | Elastic | 28.02 | +| 12 | Cybereason | 25.65 | +| 13 | Symantec SES Complete | 24.3 | +| 14 | Sysmon | 23.2 | +| 15 | WatchGuard | 20.9 | +| 16 | Carbon Black | 20.37 | +| 17 | Trend Micro | 20.3 | + ## EDR Telemetry Table 
@@ -87,8 +88,8 @@ Below is information about the EDR table, including all values for each EDR and | ❌ | No | Not Implemented | ⚠️ | Partially | Partially Implemented | ❓ | Pending | Pending Response -| 🪵 | Via EventLogs | Via Windows EventLogs -| 🎚️ | Via EnablingTelemetry | Additional telemetry that can be enabled easily as part of the EDR product but is not on by default. +| 🪵 | Via EventLogs | Collected from Windows Event Logs if enabled at the system level; not independently collected by the EDR via ETW. +| 🎚️ | Via EnablingTelemetry | Additional telemetry collection capability that can be enabled as part of the EDR product but is not ON by default.
**References to Documentation for each EDR product:** [Link](https://github.com/tsale/EDR-Telemetry/wiki#product-documentation-references) \ @@ -97,84 +98,5 @@ Below is information about the EDR table, including all values for each EDR and ![Alt text](./images/edr-telemetry_website_screenshot.png) - - - -# ✨ Contributors Wall - -Thanks to these amazing contributors: - -

-

- - - tsale - - - jdu2600 - - - j91321 - - - mthcht - - - thiboog - - - thomaspatzke - - - xC0uNt3r7hr34t - - - inodee - - - alwashali - - - Guzzy711 - - - joshlemon-uptycs - - - LuKePicci - - - maximelb - - - nasbench - - - NicolasSchn - - - QueenSquishy - - - Robert-HarfangLab - - - alextrender - - - idev - - - johnk3r - - - pep-un - - - zbeastofburden - -
-

-
 ## Current Primary Maintainers
 Kostas - [@kostastsale](https://twitter.com/Kostastsale)
diff --git a/Tools/compare.py b/Tools/compare.py
index e00f776..29f6936 100644
--- a/Tools/compare.py
+++ b/Tools/compare.py
@@ -10,7 +10,7 @@
 # Scoring definitions
 FEATURES_DICT_VALUED = {
 "Yes": 1, "No": 0, "Via EnablingTelemetry": 1,
- "Partially": 0.5, "Via EventLogs": 0.75,
+ "Partially": 0.5, "Via EventLogs": 0.5,
 "Pending Response": 0
 }
 CATEGORIES_VALUED = {
From 7906c425b57811300ec77751bdad9f9111051905 Mon Sep 17 00:00:00 2001
From: Kostas
Date: Thu, 12 Dec 2024 17:19:23 -0800
Subject: [PATCH 2/7] Update update-contributors.yml
---
 .github/workflows/update-contributors.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/update-contributors.yml b/.github/workflows/update-contributors.yml
index f084f1b..76c8afd 100644
--- a/.github/workflows/update-contributors.yml
+++ b/.github/workflows/update-contributors.yml
@@ -27,7 +27,7 @@ jobs:
 # Run the script to fetch contributors and update README
 - name: Fetch contributors and update README
 run: |
- python Tools/update_readme_contributors.py
+ python Tools/fetch_contributors.py
 
 # Commit and push changes
 - name: Commit and push changes
From c3861da244dfedfcac26ab8314b3d68333328d74 Mon Sep 17 00:00:00 2001
From: Kostas
Date: Thu, 12 Dec 2024 17:45:34 -0800
Subject: [PATCH 3/7] Update README.md: Revise EDR scores and add Contributors Wall section
---
 README.md | 115 +++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 96 insertions(+), 19 deletions(-)
diff --git a/README.md b/README.md
index 04ad768..d279a91 100644
--- a/README.md
+++ b/README.md
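Review bot: The change of `"Via EventLogs"` from 0.75 to 0.5 in FEATURES_DICT_VALUED carries no rationale in the code, and the README's scoring-definition list in this same commit still reads "Via EventLogs: 0.75" (it is only corrected in patch 4 of this series), so for one commit the published ranking and the tool that produces it disagree. The legend text added to README in this commit already states the reason, and it belongs beside the constant: `"Via EventLogs": 0.5,  # depends on host-level event-log configuration rather than the EDR's own collection`. The scores table rewritten in the same commit appears to move only the LimaCharlie and WatchGuard values, and both go up, which is hard to reconcile with lowering a weight; regenerating the table and the README weight list in the same commit as any change to this dict would keep the three in step.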
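Review bot: The step now runs `python Tools/fetch_contributors.py`, but nothing in this seven-patch series adds or renames that script, so unless the file already exists in the tree the scheduled job will fail at this line. Worth confirming the path before merging, since the step that follows (outside the hunk) commits and pushes whatever this step leaves in README. If the script does not already do so, having it exit non-zero when it fetches no contributors would keep an empty or failed fetch from being committed as a README rewrite.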
@@ -58,24 +58,23 @@ For more details, you can refer to the [Pull Request #61](https://github.com/tsa | **No.** | **EDRs** | **Score** | |---------|-----------------------|-----------| -| 1 | CrowdStrike | 37.45 | -| 2 | Uptycs | 35.52 | -| 3 | MDE | 34.8 | -| 4 | Sentinel One | 34.62 | -| 5 | Harfanglab | 32.22 | -| 6 | Cortex XDR | 31.42 | -| 7 | LimaCharlie | 31.2 | -| 8 | Trellix | 30.6 | -| 9 | Qualys | 29.57 | -| 10 | ESET Inspect | 28.1 | -| 11 | Elastic | 28.02 | -| 12 | Cybereason | 25.65 | -| 13 | Symantec SES Complete | 24.3 | -| 14 | Sysmon | 23.2 | -| 15 | WatchGuard | 20.9 | -| 16 | Carbon Black | 20.37 | -| 17 | Trend Micro | 20.3 | - +| 1 | CrowdStrike | 37.45 | +| 2 | Sentinel One | 34.25 | +| 3 | MDE | 34.2 | +| 4 | Uptycs | 33.85 | +| 5 | Trellix | 30.6 | +| 6 | Harfanglab | 30.45 | +| 7 | Cortex XDR | 29.65 | +| 8 | LimaCharlie | 29.25 | +| 9 | ESET Inspect | 28.1 | +| 10 | Qualys | 27.45 | +| 11 | Elastic | 26.35 | +| 12 | Cybereason | 25.65 | +| 13 | Symantec SES Complete | 24.3 | +| 14 | Sysmon | 23.2 | +| 15 | WatchGuard | 20.4 | +| 16 | Carbon Black | 20.1 | +| 17 | Trend Micro | 19.1 | ## EDR Telemetry Table @@ -98,5 +97,83 @@ Below is information about the EDR table, including all values for each EDR and ![Alt text](./images/edr-telemetry_website_screenshot.png) + + +# ✨ Contributors Wall + +Thanks to these amazing contributors: + +

+

+ + + tsale + + + jdu2600 + + + j91321 + + + mthcht + + + thiboog + + + thomaspatzke + + + xC0uNt3r7hr34t + + + inodee + + + alwashali + + + Guzzy711 + + + joshlemon-uptycs + + + LuKePicci + + + maximelb + + + nasbench + + + NicolasSchn + + + QueenSquishy + + + Robert-HarfangLab + + + alextrender + + + idev + + + johnk3r + + + pep-un + + + zbeastofburden + +
+

+ ## Current Primary Maintainers -Kostas - [@kostastsale](https://twitter.com/Kostastsale) +Kostas - [@kostastsale](https://twitter.com/Kostastsale) \ No newline at end of file From eb0652d598bdb9dce2a96da3620b27cf9fb9e7d2 Mon Sep 17 00:00:00 2001 From: Kostas Date: Thu, 12 Dec 2024 17:46:11 -0800 Subject: [PATCH 4/7] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d279a91..612198d 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ For more details, you can refer to the [Pull Request #61](https://github.com/tsa - Partially: 0.5 - Pending Response: 0 - Via EnablingTelemetry: 1 -- Via EventLogs: 0.75 +- Via EventLogs: 0.5 - Yes: 1 ### EDR Scores @@ -176,4 +176,4 @@ Thanks to these amazing contributors:

## Current Primary Maintainers -Kostas - [@kostastsale](https://twitter.com/Kostastsale) \ No newline at end of file +Kostas - [@kostastsale](https://twitter.com/Kostastsale) From 0691a0e8be9c3aac80edafa02f27d2fbf8518c77 Mon Sep 17 00:00:00 2001 From: SecurityAura <20073832+SecurityAura@users.noreply.github.com> Date: Fri, 13 Dec 2024 13:09:08 -0500 Subject: [PATCH 5/7] EDR Addition - FortiEDR (#84) * Update EDR_telem.json * Update EDR_telem.json * Update EDR_telem.json * Update EDR_telem.json * Update EDR_telem.json * Update FortiEDR telemetry status to 'Via EventLogs' in EDR_telem.json --------- Co-authored-by: Kostas --- EDR_telem.json | 163 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 108 insertions(+), 55 deletions(-) diff --git a/EDR_telem.json b/EDR_telem.json index 595f9d1..652ce9a 100644 --- a/EDR_telem.json +++ b/EDR_telem.json @@ -8,11 +8,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Yes", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", @@ -29,11 +30,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"No", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"No", + "SentinelOne":"No", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"No", @@ -50,11 +52,12 @@ "Cybereason":"Yes", "ESET Inspect":"Partially", "Elastic":"Yes", + "FortiEDR":"No", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", 
@@ -71,11 +74,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", @@ -92,11 +96,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"No", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"No", "Sysmon":"Yes", "Trellix":"Yes", @@ -113,11 +118,12 @@ "Cybereason":"Pending Response", "ESET Inspect":"No", "Elastic":"Yes", + "FortiEDR":"No", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"No", - "Sentinel One":"Partially", + "SentinelOne":"Partially", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", @@ -134,11 +140,12 @@ "Cybereason":"Yes", "ESET Inspect":"Partially", "Elastic":"Yes", + "FortiEDR":"Yes", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", @@ -155,11 +162,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"Yes", "LimaCharlie":"Partially", "MDE":"No", "Qualys":"Yes", - "Sentinel One":"No", + "SentinelOne":"No", "Symantec SES Complete":"Yes", "Sysmon":"No", "Trellix":"Yes", @@ -176,11 +184,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"No", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", 
@@ -197,11 +206,12 @@ "Cybereason":"No", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"No", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"No", "Trellix":"Yes", @@ -218,11 +228,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"Yes", "LimaCharlie":"Partially", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"No", "Trellix":"Yes", @@ -239,11 +250,12 @@ "Cybereason":"No", "ESET Inspect":"Yes", "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", "Harfanglab":"Via EventLogs", "LimaCharlie":"Via EventLogs", "MDE":"Yes", "Qualys":"Via EventLogs", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", @@ -260,11 +272,12 @@ "Cybereason":"No", "ESET Inspect":"Yes", "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", "Harfanglab":"Via EventLogs", "LimaCharlie":"Via EventLogs", "MDE":"Yes", "Qualys":"Via EventLogs", - "Sentinel One":"Via EventLogs", + "SentinelOne":"Via EventLogs", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", @@ -281,11 +294,12 @@ "Cybereason":"No", "ESET Inspect":"Yes", "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", "Harfanglab":"Via EventLogs", "LimaCharlie":"Via EventLogs", "MDE":"Yes", "Qualys":"Via EventLogs", - "Sentinel One":"Via EventLogs", + "SentinelOne":"Via EventLogs", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", @@ -302,11 +316,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EventLogs", "Harfanglab":"Yes", "LimaCharlie":"Partially", "MDE":"Yes", "Qualys":"Via EventLogs", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"No", "Trellix":"Yes", 
@@ -323,11 +338,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EventLogs", "Harfanglab":"Yes", "LimaCharlie":"Via EventLogs", "MDE":"No", "Qualys":"Via EventLogs", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"No", "Trellix":"Yes", @@ -344,11 +360,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Yes", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Via EnablingTelemetry", "Sysmon":"Yes", "Trellix":"Yes", @@ -365,11 +382,12 @@ "Cybereason":"Yes", "ESET Inspect":"No", "Elastic":"Yes", + "FortiEDR":"Yes", "Harfanglab":"Via EventLogs", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"No", + "SentinelOne":"No", "Symantec SES Complete":"Via EnablingTelemetry", "Sysmon":"Yes", "Trellix":"Yes", @@ -386,11 +404,12 @@ "Cybereason":"No", "ESET Inspect":"Yes", "Elastic":"Partially", + "FortiEDR":"No", "Harfanglab":"Yes", "LimaCharlie":"No", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Via EnablingTelemetry", + "SentinelOne":"Via EnablingTelemetry", "Symantec SES Complete":"Partially", "Sysmon":"No", "Trellix":"Yes", @@ -407,11 +426,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"No", "Sysmon":"Yes", "Trellix":"Yes", @@ -428,11 +448,12 @@ "Cybereason":"Partially", "ESET Inspect":"Partially", "Elastic":"No", + "FortiEDR":"No", "Harfanglab":"No", "LimaCharlie":"Partially", "MDE":"Yes", "Qualys":"No", - "Sentinel One":"No", + "SentinelOne":"No", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", 
@@ -449,11 +470,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Yes", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", @@ -470,11 +492,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Yes", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", @@ -491,11 +514,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"Partially", + "FortiEDR":"No", "Harfanglab":"Yes", "LimaCharlie":"No", "MDE":"No", "Qualys":"No", - "Sentinel One":"No", + "SentinelOne":"No", "Symantec SES Complete":"No", "Sysmon":"Yes", "Trellix":"No", @@ -512,11 +536,12 @@ "Cybereason":"Partially", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", @@ -533,11 +558,12 @@ "Cybereason":"Partially", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"No", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", @@ -554,11 +580,12 @@ "Cybereason":"Partially", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", 
@@ -575,11 +602,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", "Harfanglab":"Via EventLogs", "LimaCharlie":"Via EventLogs", "MDE":"Yes", "Qualys":"Via EventLogs", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", @@ -596,11 +624,12 @@ "Cybereason":"Yes", "ESET Inspect":"No", "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", "Harfanglab":"Via EventLogs", "LimaCharlie":"Via EventLogs", "MDE":"Yes", "Qualys":"Via EventLogs", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", @@ -617,11 +646,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", "Harfanglab":"Via EventLogs", "LimaCharlie":"Via EventLogs", "MDE":"Yes", "Qualys":"Via EventLogs", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", @@ -638,17 +668,18 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", "Harfanglab":"Via EventLogs", "LimaCharlie":"Yes", "MDE":"Via EventLogs", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", "Trend Micro":"No", "Uptycs":"Yes", - "WatchGuard":"No" + "WatchGuard":"Partially" }, { "Telemetry Feature Category":null, @@ -659,11 +690,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", "Harfanglab":"Via EventLogs", "LimaCharlie":"Yes", "MDE":"No", "Qualys":"Yes", - "Sentinel One":"Via EnablingTelemetry", + "SentinelOne":"Via EnablingTelemetry", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", 
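Review bot: The hunk at -638 also flips `"WatchGuard":"No"` to `"Partially"`, which is unrelated to the FortiEDR addition the commit subject describes and is not mentioned in the message. partially_value_explanations.json already carries a WatchGuard "Partially" explanation (visible in patch 7), so this may be a deliberate correction, but it should be called out in the commit message or split into its own commit so the score change it causes is traceable.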
@@ -680,11 +712,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", "Harfanglab":"No", "LimaCharlie":"Pending Response", "MDE":"No", "Qualys":"No", - "Sentinel One":"No", + "SentinelOne":"No", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", @@ -701,11 +734,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"No", "Sysmon":"Yes", "Trellix":"No", @@ -722,11 +756,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"No", + "FortiEDR":"No", "Harfanglab":"No", "LimaCharlie":"Yes", "MDE":"No", "Qualys":"Yes", - "Sentinel One":"No", + "SentinelOne":"No", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", @@ -743,11 +778,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"No", + "FortiEDR":"No", "Harfanglab":"No", "LimaCharlie":"No", "MDE":"No", "Qualys":"No", - "Sentinel One":"Partially", + "SentinelOne":"Partially", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", @@ -764,11 +800,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"No", + "FortiEDR":"No", "Harfanglab":"No", "LimaCharlie":"Yes", "MDE":"No", "Qualys":"No", - "Sentinel One":"No", + "SentinelOne":"No", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", @@ -785,11 +822,12 @@ "Cybereason":"Yes", "ESET Inspect":"No", "Elastic":"No", + "FortiEDR":"No", "Harfanglab":"No", "LimaCharlie":"Partially", "MDE":"Yes", "Qualys":"No", - "Sentinel One":"Via EnablingTelemetry", + "SentinelOne":"Via EnablingTelemetry", "Symantec SES Complete":"Via EnablingTelemetry", "Sysmon":"No", "Trellix":"No", 
@@ -806,11 +844,12 @@ "Cybereason":"Yes", "ESET Inspect":"No", "Elastic":"No", + "FortiEDR":"No", "Harfanglab":"No", "LimaCharlie":"Partially", "MDE":"Yes", "Qualys":"No", - "Sentinel One":"Via EnablingTelemetry", + "SentinelOne":"Via EnablingTelemetry", "Symantec SES Complete":"Via EnablingTelemetry", "Sysmon":"No", "Trellix":"No", @@ -827,11 +866,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"No", + "FortiEDR":"No", "Harfanglab":"No", "LimaCharlie":"No", "MDE":"Yes", "Qualys":"No", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", @@ -848,11 +888,12 @@ "Cybereason":"No", "ESET Inspect":"Yes", "Elastic":"No", + "FortiEDR":"No", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"No", - "Sentinel One":"Via EnablingTelemetry", + "SentinelOne":"Via EnablingTelemetry", "Symantec SES Complete":"No", "Sysmon":"Yes", "Trellix":"No", @@ -869,11 +910,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"No", + "FortiEDR":"No", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"No", - "Sentinel One":"Via EnablingTelemetry", + "SentinelOne":"Via EnablingTelemetry", "Symantec SES Complete":"No", "Sysmon":"Yes", "Trellix":"Yes", @@ -890,11 +932,12 @@ "Cybereason":"Yes", "ESET Inspect":"No", "Elastic":"No", + "FortiEDR":"Yes", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Via EventLogs", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Via EnablingTelemetry", "Sysmon":"Yes", "Trellix":"Pending Response", @@ -911,11 +954,12 @@ "Cybereason":"Yes", "ESET Inspect":"No", "Elastic":"Yes", + "FortiEDR":"No", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Via EventLogs", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Via EnablingTelemetry", "Sysmon":"Yes", "Trellix":"Pending Response", 
@@ -932,11 +976,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"No", + "FortiEDR":"Yes", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Via EventLogs", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Via EnablingTelemetry", "Sysmon":"No", "Trellix":"Yes", @@ -953,11 +998,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Yes", "Harfanglab":"No", "LimaCharlie":"No", "MDE":"No", "Qualys":"No", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Via EnablingTelemetry", "Sysmon":"No", "Trellix":"Yes", @@ -974,11 +1020,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"No", + "FortiEDR":"No", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Via EventLogs", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Via EnablingTelemetry", "Sysmon":"No", "Trellix":"Pending Response", @@ -995,11 +1042,12 @@ "Cybereason":"No", "ESET Inspect":"Yes", "Elastic":"Yes", + "FortiEDR":"Yes", "Harfanglab":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Via EnablingTelemetry", "Sysmon":"Yes", "Trellix":"Pending Response", @@ -1016,11 +1064,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"No", + "FortiEDR":"Via EventLogs", "Harfanglab":"Yes", "LimaCharlie":"No", "MDE":"Yes", "Qualys":"Via EventLogs", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Partially", "Sysmon":"Yes", "Trellix":"Yes", @@ -1037,11 +1086,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"No", + "FortiEDR":"Via EventLogs", "Harfanglab":"Yes", "LimaCharlie":"No", "MDE":"Yes", "Qualys":"Via EventLogs", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Partially", "Sysmon":"Yes", "Trellix":"Yes", 
@@ -1058,11 +1108,12 @@ "Cybereason":"Yes", "ESET Inspect":"Yes", "Elastic":"No", + "FortiEDR":"Via EventLogs", "Harfanglab":"Yes", "LimaCharlie":"No", "MDE":"Yes", "Qualys":"Via EventLogs", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Partially", "Sysmon":"Yes", "Trellix":"Yes", @@ -1079,11 +1130,12 @@ "Cybereason":"No", "ESET Inspect":"No", "Elastic":"No", + "FortiEDR":"Via EventLogs", "Harfanglab":"No", "LimaCharlie":"No", "MDE":"No", "Qualys":"Yes", - "Sentinel One":"No", + "SentinelOne":"No", "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", @@ -1100,11 +1152,12 @@ "Cybereason":"No", "ESET Inspect":"Yes", "Elastic":"No", + "FortiEDR":"Via EventLogs", "Harfanglab":"Yes", "LimaCharlie":"Via EventLogs", "MDE":"Yes", "Qualys":"Yes", - "Sentinel One":"Yes", + "SentinelOne":"Yes", "Symantec SES Complete":"Yes", "Sysmon":"No", "Trellix":"Yes", @@ -1112,4 +1165,4 @@ "Uptycs":"Yes", "WatchGuard":"No" } -] +] \ No newline at end of file From b6f1b181b8711ab17a1832c912406dbdea66fa9f Mon Sep 17 00:00:00 2001 
From: My Peaches <31301492+MyPeaches@users.noreply.github.com> Date: Sat, 14 Dec 2024 06:00:08 +1100 Subject: [PATCH 6/7] Trend micro edr updates (#73) * Updated no to yes Updated to reflect https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-what-telemetry-collect-windows * Updated changes to Trend Micro https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-what-telemetry-collect-windows * Updated changes to Trend Micro Updated to reflect - https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-what-telemetry-collect-windows * Generated CSV JSON to CSV * Remove EDR telemetry CSV and update Trend Micro references as per my last comment on the PR * Resolving conflicts with updated JSON file * Update EDR scores table in README * Update EDR_telem.json * Update EDR scores table in README --------- Co-authored-by: MyPeaches Co-authored-by: Kostas Co-authored-by: github-actions[bot] --- EDR_telem.json | 34 +++++++++++++++++----------------- README.md | 21 +++++++++++---------- 2 files changed, 28 insertions(+), 27 deletions(-) diff --git a/EDR_telem.json b/EDR_telem.json index 652ce9a..67f0627 100644 --- a/EDR_telem.json +++ b/EDR_telem.json @@ -171,7 +171,7 @@ "Symantec SES Complete":"Yes", "Sysmon":"No", "Trellix":"Yes", - "Trend Micro":"Partially", + "Trend Micro":"Via EnablingTelemetry", "Uptycs":"Yes", "WatchGuard":"Partially" }, @@ -193,7 +193,7 @@ "Symantec SES Complete":"Yes", "Sysmon":"Yes", "Trellix":"Yes", - "Trend Micro":"No", + "Trend Micro":"Via EnablingTelemetry", "Uptycs":"Yes", "WatchGuard":"No" }, @@ -237,7 +237,7 @@ "Symantec SES Complete":"Yes", "Sysmon":"No", "Trellix":"Yes", - "Trend Micro":"No", + "Trend Micro":"Yes", "Uptycs":"Yes", "WatchGuard":"Partially" }, @@ -259,7 +259,7 @@ "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", - "Trend Micro":"No", + "Trend Micro":"Via EventLogs", "Uptycs":"Via EventLogs", "WatchGuard":"No" }, 
@@ -281,7 +281,7 @@ "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", - "Trend Micro":"No", + "Trend Micro":"Via EventLogs", "Uptycs":"Via EventLogs", "WatchGuard":"No" }, @@ -303,7 +303,7 @@ "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", - "Trend Micro":"No", + "Trend Micro":"Via EnablingTelemetry", "Uptycs":"Via EventLogs", "WatchGuard":"No" }, @@ -633,7 +633,7 @@ "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", - "Trend Micro":"No", + "Trend Micro":"Via EventLogs", "Uptycs":"Via EventLogs", "WatchGuard":"No" }, @@ -655,7 +655,7 @@ "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", - "Trend Micro":"No", + "Trend Micro":"Via EventLogs", "Uptycs":"Via EventLogs", "WatchGuard":"No" }, @@ -677,7 +677,7 @@ "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", - "Trend Micro":"No", + "Trend Micro":"Via EventLogs", "Uptycs":"Yes", "WatchGuard":"Partially" }, @@ -699,7 +699,7 @@ "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", - "Trend Micro":"No", + "Trend Micro":"Via EventLogs", "Uptycs":"Yes", "WatchGuard":"Partially" }, @@ -721,7 +721,7 @@ "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"No", - "Trend Micro":"No", + "Trend Micro":"Via EventLogs", "Uptycs":"Yes", "WatchGuard":"No" }, @@ -743,7 +743,7 @@ "Symantec SES Complete":"No", "Sysmon":"Yes", "Trellix":"No", - "Trend Micro":"No", + "Trend Micro":"Via EnablingTelemetry", "Uptycs":"Via EventLogs", "WatchGuard":"No" }, @@ -897,7 +897,7 @@ "Symantec SES Complete":"No", "Sysmon":"Yes", "Trellix":"No", - "Trend Micro":"No", + "Trend Micro":"Via EnablingTelemetry", "Uptycs":"Yes", "WatchGuard":"No" }, @@ -919,7 +919,7 @@ "Symantec SES Complete":"No", "Sysmon":"Yes", "Trellix":"Yes", - "Trend Micro":"No", + "Trend Micro":"Via EnablingTelemetry", "Uptycs":"No", "WatchGuard":"No" }, 
@@ -1139,7 +1139,7 @@ "Symantec SES Complete":"No", "Sysmon":"No", "Trellix":"Yes", - "Trend Micro":"No", + "Trend Micro":"Via EventLogs", "Uptycs":"No", "WatchGuard":"No" }, @@ -1161,8 +1161,8 @@ "Symantec SES Complete":"Yes", "Sysmon":"No", "Trellix":"Yes", - "Trend Micro":"No", + "Trend Micro":"Yes", "Uptycs":"Yes", "WatchGuard":"No" } -] \ No newline at end of file +] diff --git a/README.md b/README.md index 612198d..cc74a3f 100644 --- a/README.md +++ b/README.md @@ -59,22 +59,23 @@ For more details, you can refer to the [Pull Request #61](https://github.com/tsa | **No.** | **EDRs** | **Score** | |---------|-----------------------|-----------| | 1 | CrowdStrike | 37.45 | -| 2 | Sentinel One | 34.25 | +| 2 | SentinelOne | 34.25 | | 3 | MDE | 34.2 | | 4 | Uptycs | 33.85 | | 5 | Trellix | 30.6 | | 6 | Harfanglab | 30.45 | | 7 | Cortex XDR | 29.65 | | 8 | LimaCharlie | 29.25 | -| 9 | ESET Inspect | 28.1 | -| 10 | Qualys | 27.45 | -| 11 | Elastic | 26.35 | -| 12 | Cybereason | 25.65 | -| 13 | Symantec SES Complete | 24.3 | -| 14 | Sysmon | 23.2 | -| 15 | WatchGuard | 20.4 | -| 16 | Carbon Black | 20.1 | -| 17 | Trend Micro | 19.1 | +| 9 | Trend Micro | 28.85 | +| 10 | ESET Inspect | 28.1 | +| 11 | Qualys | 27.45 | +| 12 | Elastic | 26.35 | +| 13 | Cybereason | 25.65 | +| 14 | Symantec SES Complete | 24.3 | +| 15 | FortiEDR | 23.9 | +| 16 | Sysmon | 23.2 | +| 17 | WatchGuard | 20.9 | +| 18 | Carbon Black | 20.1 | ## EDR Telemetry Table From d735c607075fa1d914df2f129bb99bf50b12c612 Mon Sep 17 00:00:00 2001 From: Kostas Date: Fri, 13 Dec 2024 11:05:19 -0800 Subject: [PATCH 7/7] Update README.md and partially_value_explanations.json: Add SecurityAura to Contributors Wall and remove description for Trend Micro --- README.md | 4 ++++ partially_value_explanations.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index cc74a3f..595e294 100644 --- a/README.md +++ b/README.md 
@@ -100,6 +100,7 @@ Below is information about the EDR table, including all values for each EDR and + # ✨ Contributors Wall Thanks to these amazing contributors: @@ -158,6 +159,9 @@ Thanks to these amazing contributors: Robert-HarfangLab + + SecurityAura + alextrender diff --git a/partially_value_explanations.json b/partially_value_explanations.json index 8b6375f..f933ef2 100644 --- a/partially_value_explanations.json +++ b/partially_value_explanations.json @@ -163,7 +163,7 @@ "Symantec SES Complete":"", "Sysmon":"", "Trellix":"", - "Trend Micro":{"Partially":"Only certain files are recorded (+ You need the Hypersensitive mode)"}, + "Trend Micro":"", "Uptycs":"", "WatchGuard":{"Partially":"Only tracks via dedicated event the opening of compressed files."} },