diff --git a/EDR_telem_linux.json b/EDR_telem_linux.json
index f402c3c..8affc57 100644
--- a/EDR_telem_linux.json
+++ b/EDR_telem_linux.json
@@ -2,421 +2,421 @@ { "Telemetry Feature Category":"Process Activity", "Sub-Category":"Process Creation", - "SentinelOne":"Yes", - "Qualys":"Yes", - "Uptycs":"Yes", + "Auditd":"Yes", + "Carbon Black Cloud":"Yes", "CrowdStrike":"Yes", - "Sysmon":"Yes", + "Elastic":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", - "Elastic":"Yes", - "Auditd":"Yes", - "Carbon Black Cloud":"Yes" + "Qualys":"Yes", + "SentinelOne":"Yes", + "Sysmon":"Yes", + "Uptycs":"Yes" }, { "Telemetry Feature Category":null, "Sub-Category":"Process Termination", - "SentinelOne":"No", - "Qualys":"Yes", - "Uptycs":"Yes", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"Yes", - "Sysmon":"Yes", + "Elastic":"Yes", "LimaCharlie":"Yes", "MDE":"No", - "Elastic":"Yes", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"Yes", + "SentinelOne":"No", + "Sysmon":"Yes", + "Uptycs":"Yes" }, { "Telemetry Feature Category":"File Manipulation", "Sub-Category":"File Creation", - "SentinelOne":"Yes", - "Qualys":"Yes", - "Uptycs":"Yes", + "Auditd":"Yes", + "Carbon Black Cloud":"Yes", "CrowdStrike":"Yes", - "Sysmon":"Yes", + "Elastic":"Yes", "LimaCharlie":"No", "MDE":"Yes", - "Elastic":"Yes", - "Auditd":"Yes", - "Carbon Black Cloud":"Yes" + "Qualys":"Yes", + "SentinelOne":"Yes", + "Sysmon":"Yes", + "Uptycs":"Yes" }, { "Telemetry Feature Category":null, "Sub-Category":"File Modification", - "SentinelOne":"Yes", - "Qualys":"Yes", - "Uptycs":"Yes", + "Auditd":"Yes", + "Carbon Black Cloud":"Yes", "CrowdStrike":"Yes", - "Sysmon":"No", + "Elastic":"Yes", "LimaCharlie":"No", "MDE":"No", - "Elastic":"Yes", - "Auditd":"Yes", - "Carbon Black Cloud":"Yes" + "Qualys":"Yes", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"Yes" }, { "Telemetry Feature Category":null, "Sub-Category":"File Deletion", - "SentinelOne":"Yes", - "Qualys":"Yes", - "Uptycs":"Yes", + "Auditd":"Yes", + "Carbon Black Cloud":"Yes", "CrowdStrike":"No", - "Sysmon":"Yes", + "Elastic":"Yes", "LimaCharlie":"No", "MDE":"Yes", - "Elastic":"Yes", - 
"Auditd":"Yes", - "Carbon Black Cloud":"Yes" + "Qualys":"Yes", + "SentinelOne":"Yes", + "Sysmon":"Yes", + "Uptycs":"Yes" }, { "Telemetry Feature Category":"User Activity", "Sub-Category":"User Logon", - "SentinelOne":"Yes", - "Qualys":"No", - "Uptycs":"Yes", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"Yes", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"Yes" }, { "Telemetry Feature Category":null, "Sub-Category":"User Logoff", - "SentinelOne":"No", - "Qualys":"No", - "Uptycs":"Yes", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"No", + "Sysmon":"No", + "Uptycs":"Yes" }, { "Telemetry Feature Category":null, "Sub-Category":"Logon Failed", - "SentinelOne":"Yes", - "Qualys":"No", - "Uptycs":"Yes", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"Yes" }, { "Telemetry Feature Category":"Script Activity", "Sub-Category":"Script Content", - "SentinelOne":"No", - "Qualys":"No", - "Uptycs":"No", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"Yes", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"No", + "Sysmon":"No", + "Uptycs":"No" }, { "Telemetry Feature Category":"Network Activity", "Sub-Category":"Network Connection", - "SentinelOne":"Yes", - "Qualys":"Yes", - "Uptycs":"Yes", + "Auditd":"Yes", + "Carbon Black Cloud":"Yes", "CrowdStrike":"Yes", - "Sysmon":"Yes", + "Elastic":"Yes", 
"LimaCharlie":"Yes", "MDE":"Yes", - "Elastic":"Yes", - "Auditd":"Yes", - "Carbon Black Cloud":"Yes" + "Qualys":"Yes", + "SentinelOne":"Yes", + "Sysmon":"Yes", + "Uptycs":"Yes" }, { "Telemetry Feature Category":null, "Sub-Category":"Network Socket Listen", - "SentinelOne":"No", - "Qualys":"Partially", - "Uptycs":"No", + "Auditd":"Yes", + "Carbon Black Cloud":"No", "CrowdStrike":"Yes", - "Sysmon":"No", + "Elastic":"Yes", "LimaCharlie":"Partially", "MDE":"No", - "Elastic":"Yes", - "Auditd":"Yes", - "Carbon Black Cloud":"No" + "Qualys":"Partially", + "SentinelOne":"No", + "Sysmon":"No", + "Uptycs":"No" }, { "Telemetry Feature Category":null, "Sub-Category":"DNS Query", - "SentinelOne":"Yes", - "Qualys":"Via EnablingTelemetry", - "Uptycs":"Yes", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"Yes", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"Yes", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"Via EnablingTelemetry", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"Yes" }, { "Telemetry Feature Category":"Scheduled Task Activity", "Sub-Category":"Scheduled Task", - "SentinelOne":"Yes", - "Qualys":"No", - "Uptycs":"No", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"No" }, { "Telemetry Feature Category":"User Account Activity", "Sub-Category":"User Account Created", - "SentinelOne":"Yes", - "Qualys":"No", - "Uptycs":"No", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"No" }, { "Telemetry Feature Category":null, "Sub-Category":"User Account Modified", - "SentinelOne":"No", - 
"Qualys":"No", - "Uptycs":"No", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"No", + "Sysmon":"No", + "Uptycs":"No" }, { "Telemetry Feature Category":null, "Sub-Category":"User Account Deleted", - "SentinelOne":"Yes", - "Qualys":"No", - "Uptycs":"No", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"No" }, { "Telemetry Feature Category":"Driver\/Module Activity", "Sub-Category":"Driver Load", - "SentinelOne":"No", - "Qualys":"No", - "Uptycs":"No", + "Auditd":"Yes", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"Yes", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"No", + "Sysmon":"No", + "Uptycs":"No" }, { "Telemetry Feature Category":null, "Sub-Category":"Image Load", - "SentinelOne":"No", - "Qualys":"No", - "Uptycs":"No", + "Auditd":"Yes", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"Yes", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"No", + "Sysmon":"No", + "Uptycs":"No" }, { "Telemetry Feature Category":null, "Sub-Category":"eBPF Event", - "SentinelOne":"No", - "Qualys":"No", - "Uptycs":"Via EnablingTelemetry", + "Auditd":"Yes", + "Carbon Black Cloud":"No", "CrowdStrike":"Yes", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"Yes", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"No", + "Sysmon":"No", + "Uptycs":"Via EnablingTelemetry" }, { "Telemetry Feature Category":"Access 
Activity", "Sub-Category":"Raw Access Read", - "SentinelOne":"No", - "Qualys":"No", - "Uptycs":"Via EnablingTelemetry", + "Auditd":"Yes", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"Yes", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"Yes", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"No", + "Sysmon":"Yes", + "Uptycs":"Via EnablingTelemetry" }, { "Telemetry Feature Category":null, "Sub-Category":"Process Access", - "SentinelOne":"No", - "Qualys":"No", - "Uptycs":"Via EnablingTelemetry", + "Auditd":"Yes", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"Yes", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"No", + "Sysmon":"No", + "Uptycs":"Via EnablingTelemetry" }, { "Telemetry Feature Category":"Process Tampering Activity", "Sub-Category":"Process Tampering", - "SentinelOne":"Yes", - "Qualys":"No", - "Uptycs":"Via EnablingTelemetry", + "Auditd":"Yes", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"Yes", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"Via EnablingTelemetry" }, { "Telemetry Feature Category":"Service Activity", "Sub-Category":"Service Creation", - "SentinelOne":"Yes", - "Qualys":"No", - "Uptycs":"No", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"No" }, { "Telemetry Feature Category":null, "Sub-Category":"Service Modification", - "SentinelOne":"Yes", - "Qualys":"No", - "Uptycs":"No", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"Yes", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", 
- "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"Yes", + "Sysmon":"Yes", + "Uptycs":"No" }, { "Telemetry Feature Category":null, "Sub-Category":"Service Deletion", - "SentinelOne":"No", - "Qualys":"No", - "Uptycs":"No", + "Auditd":"No", + "Carbon Black Cloud":"No", "CrowdStrike":"No", - "Sysmon":"No", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"No" + "Qualys":"No", + "SentinelOne":"No", + "Sysmon":"No", + "Uptycs":"No" }, { "Telemetry Feature Category":"EDR SysOps", "Sub-Category":"Agent Start", - "SentinelOne":"Yes", - "Qualys":"Yes", - "Uptycs":"Yes", + "Auditd":"No", + "Carbon Black Cloud":"Yes", "CrowdStrike":"Yes", - "Sysmon":"No", + "Elastic":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", - "Elastic":"Yes", - "Auditd":"No", - "Carbon Black Cloud":"Yes" + "Qualys":"Yes", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"Yes" }, { "Telemetry Feature Category":null, "Sub-Category":"Agent Stop", - "SentinelOne":"Yes", - "Qualys":"Yes", - "Uptycs":"Yes", + "Auditd":"No", + "Carbon Black Cloud":"Yes", "CrowdStrike":"Yes", - "Sysmon":"No", + "Elastic":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", - "Elastic":"Yes", - "Auditd":"No", - "Carbon Black Cloud":"Yes" + "Qualys":"Yes", + "SentinelOne":"Yes", + "Sysmon":"No", + "Uptycs":"Yes" }, { "Telemetry Feature Category":"Hash Algorithms", "Sub-Category":"MD5", - "SentinelOne":"No", - "Qualys":"Yes", - "Uptycs":"Yes", + "Auditd":"No", + "Carbon Black Cloud":"Yes", "CrowdStrike":"Yes", - "Sysmon":"Yes", + "Elastic":"Yes", "LimaCharlie":"Yes", "MDE":"Yes", - "Elastic":"Yes", - "Auditd":"No", - "Carbon Black Cloud":"Yes" + "Qualys":"Yes", + "SentinelOne":"No", + "Sysmon":"Yes", + "Uptycs":"Yes" }, { "Telemetry Feature Category":null, "Sub-Category":"SHA", - "SentinelOne":"Yes", - "Qualys":"Yes", - "Uptycs":"Yes", + "Auditd":"No", + "Carbon Black Cloud":"Yes", "CrowdStrike":"Yes", - "Sysmon":"Yes", + "Elastic":"Yes", 
"LimaCharlie":"Yes", "MDE":"Yes", - "Elastic":"Yes", - "Auditd":"No", - "Carbon Black Cloud":"Yes" + "Qualys":"Yes", + "SentinelOne":"Yes", + "Sysmon":"Yes", + "Uptycs":"Yes" }, { "Telemetry Feature Category":null, "Sub-Category":"IMPHASH", - "SentinelOne":"No", - "Qualys":"No", - "Uptycs":"No", + "Auditd":"No", + "Carbon Black Cloud":"Yes", "CrowdStrike":"No", - "Sysmon":"Yes", + "Elastic":"No", "LimaCharlie":"No", "MDE":"No", - "Elastic":"No", - "Auditd":"No", - "Carbon Black Cloud":"Yes" + "Qualys":"No", + "SentinelOne":"No", + "Sysmon":"Yes", + "Uptycs":"No" } ] \ No newline at end of file
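Review bot: Every continuation row in this hunk still carries `"Telemetry Feature Category":null` (Process Termination, File Modification, Network Socket Listen, Agent Stop and the like), so a row's category is recoverable only from the position of the preceding non-null row, and any consumer that filters, groups or sorts these objects by category will most likely drop or misfile them. Since the hunk already rewrites every object, repeating the category string on each row, e.g. `"Telemetry Feature Category":"Process Activity"` on the Process Termination object, would make each element self-describing and remove the dependency on array order that JSON otherwise does not guarantee. The value vocabulary for the vendor keys is a four-state enum (`"Yes"`, `"No"`, `"Partially"`, `"Via EnablingTelemetry"`) that nothing in the file documents; a short README note or a schema `enum` listing the allowed strings would keep later edits from introducing a fifth spelling. The file also still ends without a trailing newline (`\ No newline at end of file`), which keeps generating spurious end-of-file noise in every future diff; the key reordering itself appears value-neutral, as the old and new values match for each object I compared.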