diff --git a/.github/workflows/compare.yml b/.github/workflows/compare.yml
new file mode 100644
index 0000000..d951b09
--- /dev/null
+++ b/.github/workflows/compare.yml
@@ -0,0 +1,37 @@
+name: Run compare.py and update README
+
+on:
+ push:
+ branches:
+ - '**' # This will trigger the workflow on any branch
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository content
+ uses: actions/checkout@v2
+
+ - name: Set up Python environment
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r Tools/compare-requirements.txt # If you have dependencies
+
+ - name: Run Python script to update README
+ run: python Tools/compare.py # Update the script to edit README.md directly
+
+ - name: Commit and push changes
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git add README.md
+ git commit -m "Update EDR scores table in README"
+ git push
diff --git a/.github/workflows/update-contributors.yml b/.github/workflows/update-contributors.yml
new file mode 100644
index 0000000..76c8afd
--- /dev/null
+++ b/.github/workflows/update-contributors.yml
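Review bot: The last step commits and pushes with the default GITHUB_TOKEN but the workflow declares no `permissions:` block, so on a repository whose default token permissions are read-only the `git push` fails, and on one where they are write the job holds more scopes than a README update needs; add a top-level `permissions:` block containing only `contents: write`. In the same step `git commit` exits non-zero whenever compare.py left README.md unchanged, which marks every no-op push as a failed run — guard it with `git diff --cached --quiet || git commit -m "Update EDR scores table in README"`. `actions/checkout@v2` and `actions/setup-python@v2` are mutable major tags of deprecated releases; from a supply-chain standpoint pin each `uses:` to a full commit SHA with the version in a trailing comment. The `GH_TOKEN` env var is not read by git here (the push uses the credentials actions/checkout persists), and it is that GITHUB_TOKEN identity that keeps the `branches: '**'` trigger from re-firing on the bot's own push — if the push is ever switched to a PAT this workflow will loop. The permissions, commit-guard and pinning points apply equally to the update-contributors.yml hunk below.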
@@ -0,0 +1,41 @@
+name: Update Contributors
+
+on:
+ pull_request:
+ types: [closed] # Trigger when a PR is closed
+
+jobs:
+ update-contributors:
+ if: github.event.pull_request.merged == true # Run only if the PR is merged
+ runs-on: ubuntu-latest
+
+ steps:
+ # Checkout the repository
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Set up Python
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.x'
+
+ # Install dependencies
+ - name: Install Python requests library
+ run: python -m pip install requests
+
+ # Run the script to fetch contributors and update README
+ - name: Fetch contributors and update README
+ run: |
+ python Tools/fetch_contributors.py
+
+ # Commit and push changes
+ - name: Commit and push changes
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git add README.md
+ git commit -m "Update contributors list after PR merge"
+ git push
diff --git a/EDR_telem.json b/EDR_telem.json
index 2f0a66a..a02aa95 100644
--- a/EDR_telem.json
+++ b/EDR_telem.json
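Review bot: On a `pull_request` event `actions/checkout@v3` checks out the PR's merge ref rather than the base branch, so the final `git push` runs from a detached HEAD with no upstream and, as far as I can tell, is rejected; give the checkout step the target branch with `ref: ${{ github.event.pull_request.base.ref }}` under `with:`. As I understand the token model, a PR opened from a fork runs this workflow with a read-only GITHUB_TOKEN even once merged, so the push is refused for those PRs whatever `permissions:` says — a `push` trigger on the default branch avoids that class of failure. `Tools/fetch_contributors.py` presumably calls the GitHub API; if so, the step that runs it has no `GH_TOKEN` in its `env:` and works unauthenticated under the anonymous rate limit, so the `env:` block belongs at job level rather than on the commit step only. The missing `permissions:` block, the `git commit` failure on a no-change run, and the mutable `@v3`/`@v4` action tags are the same points raised on the compare.yml hunk above.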
@@ -1,1168 +1,1168 @@ [ - { - "Telemetry Feature Category":"Process Activity", - "Sub-Category":"Process Creation", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Yes", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Process Termination", - "Carbon Black":"Partially", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"No", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"No", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"No", - "Trend Micro":"Via EnablingTelemetry", - "Uptycs":"No", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Process Access", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Partially", - "Elastic":"Yes", - "FortiEDR":"No", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"No", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Image\/Library Loaded", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry 
Feature Category":null, - "Sub-Category":"Remote Thread Creation", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"No", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"No", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Process Tampering Activity", - "Carbon Black":"Partially", - "Cortex XDR":"Partially", - "CrowdStrike":"Yes", - "Cybereason":"Pending Response", - "ESET Inspect":"No", - "Elastic":"Yes", - "FortiEDR":"No", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"No", - "SentinelOne":"Partially", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":"File Manipulation", - "Sub-Category":"File Creation", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Partially", - "Elastic":"Yes", - "FortiEDR":"Yes", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Partially" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"File Opened", - "Carbon Black":"Yes", - "Cortex XDR":"No", - "CrowdStrike":"Partially", - "Cybereason":"No", - "ESET Inspect":"No", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"Yes", - "LimaCharlie":"Partially", - "MDE":"No", - "Qualys":"Yes", - "SentinelOne":"No", - "Symantec SES Complete":"Yes", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Via EnablingTelemetry", - "Uptycs":"Yes", - "WatchGuard":"Partially" - }, - { - "Telemetry Feature 
Category":null, - "Sub-Category":"File Deletion", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"No", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Via EnablingTelemetry", - "Uptycs":"Yes", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"File Modification", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"No", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"File Renaming", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"Yes", - "LimaCharlie":"Partially", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Partially" - }, - { - "Telemetry Feature Category":"User Account Activity", - "Sub-Category":"Local Account Creation", - "Carbon Black":"No", - "Cortex XDR":"Via EventLogs", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"Yes", - "Elastic":"Via EventLogs", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Via EventLogs", - "LimaCharlie":"Via EventLogs", - "MDE":"Yes", - "Qualys":"Via EventLogs", - "SentinelOne":"Yes", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Via EventLogs", - "Uptycs":"Via 
EventLogs", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Local Account Modification", - "Carbon Black":"No", - "Cortex XDR":"Via EventLogs", - "CrowdStrike":"Partially", - "Cybereason":"No", - "ESET Inspect":"Yes", - "Elastic":"Via EventLogs", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Via EventLogs", - "LimaCharlie":"Via EventLogs", - "MDE":"Yes", - "Qualys":"Via EventLogs", - "SentinelOne":"Via EventLogs", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Via EventLogs", - "Uptycs":"Via EventLogs", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Local Account Deletion", - "Carbon Black":"No", - "Cortex XDR":"Via EventLogs", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"Yes", - "Elastic":"Via EventLogs", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Via EventLogs", - "LimaCharlie":"Via EventLogs", - "MDE":"Yes", - "Qualys":"Via EventLogs", - "SentinelOne":"Via EventLogs", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Via EnablingTelemetry", - "Uptycs":"Via EventLogs", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Account Login", - "Carbon Black":"Via EventLogs", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Yes", - "LimaCharlie":"Partially", - "MDE":"Yes", - "Qualys":"Via EventLogs", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Via EventLogs", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Account Logoff", - "Carbon Black":"Via EventLogs", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Yes", - "LimaCharlie":"Via EventLogs", - 
"MDE":"No", - "Qualys":"Via EventLogs", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Via EventLogs", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":"Network Activity", - "Sub-Category":"TCP Connection", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Yes", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Via EnablingTelemetry", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"UDP Connection", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"No", - "Elastic":"Yes", - "FortiEDR":"Yes", - "Harfanglab":"Via EventLogs", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"No", - "Symantec SES Complete":"Via EnablingTelemetry", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"URL", - "Carbon Black":"No", - "Cortex XDR":"No", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"Yes", - "Elastic":"Partially", - "FortiEDR":"No", - "Harfanglab":"Yes", - "LimaCharlie":"No", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Via EnablingTelemetry", - "Symantec SES Complete":"Partially", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"No", - "Uptycs":"Yes", - "WatchGuard":"Partially" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"DNS Query", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - 
"Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"No", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"File Downloaded", - "Carbon Black":"No", - "Cortex XDR":"No", - "CrowdStrike":"Yes", - "Cybereason":"Partially", - "ESET Inspect":"Partially", - "Elastic":"No", - "FortiEDR":"No", - "Harfanglab":"No", - "LimaCharlie":"Partially", - "MDE":"Yes", - "Qualys":"No", - "SentinelOne":"No", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"Yes", - "Uptycs":"Partially", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":"Hash Algorithms", - "Sub-Category":"MD5", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Yes", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"SHA", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Yes", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"IMPHASH", - "Carbon Black":"No", - "Cortex XDR":"No", - "CrowdStrike":"No", - "Cybereason":"No", - "ESET Inspect":"No", - "Elastic":"Partially", - "FortiEDR":"No", - "Harfanglab":"Yes", - "LimaCharlie":"No", - "MDE":"No", - "Qualys":"No", - "SentinelOne":"No", - "Symantec SES Complete":"No", - "Sysmon":"Yes", - "Trellix":"No", - "Trend Micro":"No", - 
"Uptycs":"No", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":"Registry Activity", - "Sub-Category":"Key\/Value Creation", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Partially", - "Cybereason":"Partially", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Key\/Value Modification", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Partially", - "Cybereason":"Partially", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"No", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Key\/Value Deletion", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"No", - "Cybereason":"Partially", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":"Schedule Task Activity", - "Sub-Category":"Scheduled Task Creation", - "Carbon Black":"No", - "Cortex XDR":"Via EventLogs", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Via EventLogs", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Via EventLogs", - "LimaCharlie":"Via EventLogs", - "MDE":"Yes", - "Qualys":"Via EventLogs", - "SentinelOne":"Yes", - "Symantec SES 
Complete":"No", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"Via EventLogs", - "Uptycs":"Via EventLogs", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Scheduled Task Modification", - "Carbon Black":"No", - "Cortex XDR":"Via EventLogs", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"No", - "Elastic":"Via EventLogs", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Via EventLogs", - "LimaCharlie":"Via EventLogs", - "MDE":"Yes", - "Qualys":"Via EventLogs", - "SentinelOne":"Yes", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Via EventLogs", - "Uptycs":"Via EventLogs", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Scheduled Task Deletion", - "Carbon Black":"No", - "Cortex XDR":"Via EventLogs", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"No", - "Elastic":"Via EventLogs", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Via EventLogs", - "LimaCharlie":"Via EventLogs", - "MDE":"Yes", - "Qualys":"Via EventLogs", - "SentinelOne":"Yes", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"Via EventLogs", - "Uptycs":"Via EventLogs", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":"Service Activity", - "Sub-Category":"Service Creation", - "Carbon Black":"Partially", - "Cortex XDR":"Via EventLogs", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Via EventLogs", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Via EventLogs", - "LimaCharlie":"Yes", - "MDE":"Via EventLogs", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"Via EventLogs", - "Uptycs":"Yes", - "WatchGuard":"Partially" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Service Modification", - "Carbon Black":"No", - "Cortex XDR":"Via EventLogs", - "CrowdStrike":"Partially", - "Cybereason":"No", - "ESET 
Inspect":"No", - "Elastic":"Via EventLogs", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Via EventLogs", - "LimaCharlie":"Yes", - "MDE":"No", - "Qualys":"Yes", - "SentinelOne":"Via EnablingTelemetry", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Via EventLogs", - "Uptycs":"Yes", - "WatchGuard":"Partially" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Service Deletion", - "Carbon Black":"No", - "Cortex XDR":"No", - "CrowdStrike":"No", - "Cybereason":"No", - "ESET Inspect":"No", - "Elastic":"Via EventLogs", - "FortiEDR":"Via EventLogs", - "Harfanglab":"No", - "LimaCharlie":"Pending Response", - "MDE":"No", - "Qualys":"No", - "SentinelOne":"No", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"Via EventLogs", - "Uptycs":"Yes", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":"Driver\/Module Activity", - "Sub-Category":"Driver Loaded", - "Carbon Black":"No", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EnablingTelemetry", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"No", - "Sysmon":"Yes", - "Trellix":"No", - "Trend Micro":"Via EnablingTelemetry", - "Uptycs":"Via EventLogs", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Driver Modification", - "Carbon Black":"No", - "Cortex XDR":"No", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"No", - "Elastic":"No", - "FortiEDR":"No", - "Harfanglab":"No", - "LimaCharlie":"Yes", - "MDE":"No", - "Qualys":"Yes", - "SentinelOne":"No", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"No", - "Uptycs":"Yes", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Driver Unloaded", - "Carbon Black":"No", - "Cortex XDR":"No", - "CrowdStrike":"No", - 
"Cybereason":"No", - "ESET Inspect":"No", - "Elastic":"No", - "FortiEDR":"No", - "Harfanglab":"No", - "LimaCharlie":"No", - "MDE":"No", - "Qualys":"No", - "SentinelOne":"Partially", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"No", - "Uptycs":"Via EventLogs", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":"Device Operations", - "Sub-Category":"Virtual Disk Mount", - "Carbon Black":"No", - "Cortex XDR":"Partially", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"No", - "Elastic":"No", - "FortiEDR":"No", - "Harfanglab":"No", - "LimaCharlie":"Yes", - "MDE":"No", - "Qualys":"No", - "SentinelOne":"No", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"No", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"USB Device Unmount", - "Carbon Black":"No", - "Cortex XDR":"Partially", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"No", - "Elastic":"No", - "FortiEDR":"No", - "Harfanglab":"No", - "LimaCharlie":"Partially", - "MDE":"Yes", - "Qualys":"No", - "SentinelOne":"Via EnablingTelemetry", - "Symantec SES Complete":"Via EnablingTelemetry", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"No", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"USB Device Mount", - "Carbon Black":"Partially", - "Cortex XDR":"Partially", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"No", - "Elastic":"No", - "FortiEDR":"No", - "Harfanglab":"No", - "LimaCharlie":"Partially", - "MDE":"Yes", - "Qualys":"No", - "SentinelOne":"Via EnablingTelemetry", - "Symantec SES Complete":"Via EnablingTelemetry", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"No", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":"Other Relevant Events", - "Sub-Category":"Group Policy Modification", - "Carbon Black":"No", - "Cortex XDR":"No", - 
"CrowdStrike":"No", - "Cybereason":"No", - "ESET Inspect":"No", - "Elastic":"No", - "FortiEDR":"No", - "Harfanglab":"No", - "LimaCharlie":"No", - "MDE":"Yes", - "Qualys":"No", - "SentinelOne":"Yes", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"No", - "Trend Micro":"No", - "Uptycs":"Via EventLogs", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":"Named Pipe Activity", - "Sub-Category":"Pipe Creation", - "Carbon Black":"Partially", - "Cortex XDR":"No", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"Yes", - "Elastic":"No", - "FortiEDR":"No", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"No", - "SentinelOne":"Via EnablingTelemetry", - "Symantec SES Complete":"No", - "Sysmon":"Yes", - "Trellix":"No", - "Trend Micro":"Via EnablingTelemetry", - "Uptycs":"Yes", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Pipe Connection", - "Carbon Black":"No", - "Cortex XDR":"No", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"No", - "Elastic":"No", - "FortiEDR":"No", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"No", - "SentinelOne":"Via EnablingTelemetry", - "Symantec SES Complete":"No", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Via EnablingTelemetry", - "Uptycs":"No", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":"EDR SysOps", - "Sub-Category":"Agent Start", - "Carbon Black":"Yes", - "Cortex XDR":"Partially", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"No", - "Elastic":"No", - "FortiEDR":"Yes", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Via EventLogs", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Via EnablingTelemetry", - "Sysmon":"Yes", - "Trellix":"Pending Response", - "Trend Micro":"No", - "Uptycs":"Yes", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Agent Stop", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - 
"CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"No", - "Elastic":"Yes", - "FortiEDR":"No", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Via EventLogs", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Via EnablingTelemetry", - "Sysmon":"Yes", - "Trellix":"Pending Response", - "Trend Micro":"No", - "Uptycs":"Yes", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Agent Install", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"No", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"No", - "FortiEDR":"Yes", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Via EventLogs", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Via EnablingTelemetry", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"No", - "Uptycs":"No", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Agent Uninstall", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Yes", - "Harfanglab":"No", - "LimaCharlie":"No", - "MDE":"No", - "Qualys":"No", - "SentinelOne":"Yes", - "Symantec SES Complete":"Via EnablingTelemetry", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"No", - "Uptycs":"No", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Agent Keep-Alive", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"No", - "FortiEDR":"No", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Via EventLogs", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Via EnablingTelemetry", - "Sysmon":"No", - "Trellix":"Pending Response", - "Trend Micro":"No", - "Uptycs":"No", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"Agent Errors", - "Carbon Black":"Yes", - "Cortex XDR":"Yes", - "CrowdStrike":"Yes", 
- "Cybereason":"No", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Yes", - "Harfanglab":"Yes", - "LimaCharlie":"Yes", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Via EnablingTelemetry", - "Sysmon":"Yes", - "Trellix":"Pending Response", - "Trend Micro":"No", - "Uptycs":"Yes", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":"WMI Activity", - "Sub-Category":"WmiEventConsumerToFilter", - "Carbon Black":"No", - "Cortex XDR":"Via EnablingTelemetry", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Yes", - "LimaCharlie":"No", - "MDE":"Yes", - "Qualys":"Via EventLogs", - "SentinelOne":"Yes", - "Symantec SES Complete":"Partially", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Via EventLogs", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"WmiEventConsumer", - "Carbon Black":"No", - "Cortex XDR":"Via EnablingTelemetry", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Yes", - "LimaCharlie":"No", - "MDE":"Yes", - "Qualys":"Via EventLogs", - "SentinelOne":"Yes", - "Symantec SES Complete":"Partially", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Via EventLogs", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":null, - "Sub-Category":"WmiEventFilter", - "Carbon Black":"No", - "Cortex XDR":"Via EnablingTelemetry", - "CrowdStrike":"Yes", - "Cybereason":"Yes", - "ESET Inspect":"Yes", - "Elastic":"Yes", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Yes", - "LimaCharlie":"No", - "MDE":"Yes", - "Qualys":"Via EventLogs", - "SentinelOne":"Yes", - "Symantec SES Complete":"Partially", - "Sysmon":"Yes", - "Trellix":"Yes", - "Trend Micro":"Via EventLogs", - "Uptycs":"Yes", - "WatchGuard":"Yes" - }, - { - "Telemetry Feature Category":"BIT JOBS Activity", - 
"Sub-Category":"BIT JOBS Activity", - "Carbon Black":"No", - "Cortex XDR":"Via EnablingTelemetry", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"No", - "Elastic":"No", - "FortiEDR":"Via EventLogs", - "Harfanglab":"No", - "LimaCharlie":"No", - "MDE":"No", - "Qualys":"Yes", - "SentinelOne":"No", - "Symantec SES Complete":"No", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Via EventLogs", - "Uptycs":"No", - "WatchGuard":"No" - }, - { - "Telemetry Feature Category":"PowerShell Activity", - "Sub-Category":"Script-Block Activity", - "Carbon Black":"Yes", - "Cortex XDR":"Via EventLogs", - "CrowdStrike":"Yes", - "Cybereason":"No", - "ESET Inspect":"Yes", - "Elastic":"No", - "FortiEDR":"Via EventLogs", - "Harfanglab":"Yes", - "LimaCharlie":"Via EventLogs", - "MDE":"Yes", - "Qualys":"Yes", - "SentinelOne":"Yes", - "Symantec SES Complete":"Yes", - "Sysmon":"No", - "Trellix":"Yes", - "Trend Micro":"Yes", - "Uptycs":"Yes", - "WatchGuard":"No" - } - ] \ No newline at end of file + { + "Telemetry Feature Category":"Process Activity", + "Sub-Category":"Process Creation", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Yes", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Process Termination", + "Carbon Black":"Partially", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"No", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"No", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"No", + "Trend Micro":"Via EnablingTelemetry", + "Uptycs":"No", + "WatchGuard":"No" + }, + 
{ + "Telemetry Feature Category":null, + "Sub-Category":"Process Access", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Partially", + "Elastic":"Yes", + "FortiEDR":"No", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"No", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Image\/Library Loaded", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Remote Thread Creation", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"No", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"No", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Process Tampering Activity", + "Carbon Black":"Partially", + "Cortex XDR":"Partially", + "CrowdStrike":"Yes", + "Cybereason":"Pending Response", + "ESET Inspect":"No", + "Elastic":"Yes", + "FortiEDR":"No", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"No", + "SentinelOne":"Partially", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":"File Manipulation", 
+ "Sub-Category":"File Creation", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Partially", + "Elastic":"Yes", + "FortiEDR":"Yes", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Partially" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"File Opened", + "Carbon Black":"Yes", + "Cortex XDR":"No", + "CrowdStrike":"Partially", + "Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"Yes", + "LimaCharlie":"Partially", + "MDE":"No", + "Qualys":"Yes", + "SentinelOne":"No", + "Symantec SES Complete":"Yes", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Via EnablingTelemetry", + "Uptycs":"Yes", + "WatchGuard":"Partially" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"File Deletion", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"No", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Via EnablingTelemetry", + "Uptycs":"Yes", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"File Modification", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"No", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + 
"Sub-Category":"File Renaming", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"Yes", + "LimaCharlie":"Partially", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Partially" + }, + { + "Telemetry Feature Category":"User Account Activity", + "Sub-Category":"Local Account Creation", + "Carbon Black":"No", + "Cortex XDR":"Via EventLogs", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"Yes", + "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Via EventLogs", + "LimaCharlie":"Via EventLogs", + "MDE":"Yes", + "Qualys":"Via EventLogs", + "SentinelOne":"Yes", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Via EventLogs", + "Uptycs":"Via EventLogs", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Local Account Modification", + "Carbon Black":"No", + "Cortex XDR":"Via EventLogs", + "CrowdStrike":"Partially", + "Cybereason":"No", + "ESET Inspect":"Yes", + "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Via EventLogs", + "LimaCharlie":"Via EventLogs", + "MDE":"Yes", + "Qualys":"Via EventLogs", + "SentinelOne":"Via EventLogs", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Via EventLogs", + "Uptycs":"Via EventLogs", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Local Account Deletion", + "Carbon Black":"No", + "Cortex XDR":"Via EventLogs", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"Yes", + "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Via EventLogs", + "LimaCharlie":"Via EventLogs", + "MDE":"Yes", + "Qualys":"Via EventLogs", + "SentinelOne":"Via 
EventLogs", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Via EnablingTelemetry", + "Uptycs":"Via EventLogs", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Account Login", + "Carbon Black":"Via EventLogs", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Yes", + "LimaCharlie":"Partially", + "MDE":"Yes", + "Qualys":"Via EventLogs", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Via EventLogs", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Account Logoff", + "Carbon Black":"Via EventLogs", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Yes", + "LimaCharlie":"Via EventLogs", + "MDE":"No", + "Qualys":"Via EventLogs", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Via EventLogs", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":"Network Activity", + "Sub-Category":"TCP Connection", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Yes", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Via EnablingTelemetry", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"UDP Connection", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"No", + "Elastic":"Yes", + "FortiEDR":"Yes", + "Harfanglab":"Via EventLogs", + "LimaCharlie":"Yes", + 
"MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"No", + "Symantec SES Complete":"Via EnablingTelemetry", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"URL", + "Carbon Black":"No", + "Cortex XDR":"No", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"Yes", + "Elastic":"Partially", + "FortiEDR":"No", + "Harfanglab":"Yes", + "LimaCharlie":"No", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Via EnablingTelemetry", + "Symantec SES Complete":"Partially", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"No", + "Uptycs":"Yes", + "WatchGuard":"Partially" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"DNS Query", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"No", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"File Downloaded", + "Carbon Black":"No", + "Cortex XDR":"No", + "CrowdStrike":"Yes", + "Cybereason":"Partially", + "ESET Inspect":"Partially", + "Elastic":"No", + "FortiEDR":"No", + "Harfanglab":"No", + "LimaCharlie":"Partially", + "MDE":"Yes", + "Qualys":"No", + "SentinelOne":"No", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"Yes", + "Uptycs":"Partially", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":"Hash Algorithms", + "Sub-Category":"MD5", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Yes", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + 
"Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"SHA", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Yes", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"IMPHASH", + "Carbon Black":"No", + "Cortex XDR":"No", + "CrowdStrike":"No", + "Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"Partially", + "FortiEDR":"No", + "Harfanglab":"Yes", + "LimaCharlie":"No", + "MDE":"No", + "Qualys":"No", + "SentinelOne":"No", + "Symantec SES Complete":"No", + "Sysmon":"Yes", + "Trellix":"No", + "Trend Micro":"No", + "Uptycs":"No", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":"Registry Activity", + "Sub-Category":"Key\/Value Creation", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Partially", + "Cybereason":"Partially", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Key\/Value Modification", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Partially", + "Cybereason":"Partially", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"No", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", 
+ "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Key\/Value Deletion", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"No", + "Cybereason":"Partially", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":"Schedule Task Activity", + "Sub-Category":"Scheduled Task Creation", + "Carbon Black":"No", + "Cortex XDR":"Via EventLogs", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Via EventLogs", + "LimaCharlie":"Via EventLogs", + "MDE":"Yes", + "Qualys":"Via EventLogs", + "SentinelOne":"Yes", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"Via EventLogs", + "Uptycs":"Via EventLogs", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Scheduled Task Modification", + "Carbon Black":"No", + "Cortex XDR":"Via EventLogs", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"No", + "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Via EventLogs", + "LimaCharlie":"Via EventLogs", + "MDE":"Yes", + "Qualys":"Via EventLogs", + "SentinelOne":"Yes", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Via EventLogs", + "Uptycs":"Via EventLogs", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Scheduled Task Deletion", + "Carbon Black":"No", + "Cortex XDR":"Via EventLogs", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Via EventLogs", + 
"LimaCharlie":"Via EventLogs", + "MDE":"Yes", + "Qualys":"Via EventLogs", + "SentinelOne":"Yes", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"Via EventLogs", + "Uptycs":"Via EventLogs", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":"Service Activity", + "Sub-Category":"Service Creation", + "Carbon Black":"Partially", + "Cortex XDR":"Via EventLogs", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Via EventLogs", + "LimaCharlie":"Yes", + "MDE":"Via EventLogs", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"Via EventLogs", + "Uptycs":"Yes", + "WatchGuard":"Partially" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Service Modification", + "Carbon Black":"No", + "Cortex XDR":"Via EventLogs", + "CrowdStrike":"Partially", + "Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Via EventLogs", + "LimaCharlie":"Yes", + "MDE":"No", + "Qualys":"Yes", + "SentinelOne":"Via EnablingTelemetry", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Via EventLogs", + "Uptycs":"Yes", + "WatchGuard":"Partially" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Service Deletion", + "Carbon Black":"No", + "Cortex XDR":"No", + "CrowdStrike":"No", + "Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"Via EventLogs", + "FortiEDR":"Via EventLogs", + "Harfanglab":"No", + "LimaCharlie":"Pending Response", + "MDE":"No", + "Qualys":"No", + "SentinelOne":"No", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"Via EventLogs", + "Uptycs":"Yes", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":"Driver\/Module Activity", + "Sub-Category":"Driver Loaded", + "Carbon Black":"No", + "Cortex XDR":"Yes", + 
"CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EnablingTelemetry", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"No", + "Sysmon":"Yes", + "Trellix":"No", + "Trend Micro":"Via EnablingTelemetry", + "Uptycs":"Via EventLogs", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Driver Modification", + "Carbon Black":"No", + "Cortex XDR":"No", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"No", + "FortiEDR":"No", + "Harfanglab":"No", + "LimaCharlie":"Yes", + "MDE":"No", + "Qualys":"Yes", + "SentinelOne":"No", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"No", + "Uptycs":"Yes", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Driver Unloaded", + "Carbon Black":"No", + "Cortex XDR":"No", + "CrowdStrike":"No", + "Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"No", + "FortiEDR":"No", + "Harfanglab":"No", + "LimaCharlie":"No", + "MDE":"No", + "Qualys":"No", + "SentinelOne":"Partially", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"No", + "Uptycs":"Via EventLogs", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":"Device Operations", + "Sub-Category":"Virtual Disk Mount", + "Carbon Black":"No", + "Cortex XDR":"Partially", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"No", + "FortiEDR":"No", + "Harfanglab":"No", + "LimaCharlie":"Yes", + "MDE":"No", + "Qualys":"No", + "SentinelOne":"No", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"No", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"USB Device Unmount", + "Carbon Black":"No", + "Cortex XDR":"Partially", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"No", + 
"Elastic":"No", + "FortiEDR":"No", + "Harfanglab":"No", + "LimaCharlie":"Partially", + "MDE":"Yes", + "Qualys":"No", + "SentinelOne":"Via EnablingTelemetry", + "Symantec SES Complete":"Via EnablingTelemetry", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"No", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"USB Device Mount", + "Carbon Black":"Partially", + "Cortex XDR":"Partially", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"No", + "Elastic":"No", + "FortiEDR":"No", + "Harfanglab":"No", + "LimaCharlie":"Partially", + "MDE":"Yes", + "Qualys":"No", + "SentinelOne":"Via EnablingTelemetry", + "Symantec SES Complete":"Via EnablingTelemetry", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"No", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":"Other Relevant Events", + "Sub-Category":"Group Policy Modification", + "Carbon Black":"No", + "Cortex XDR":"No", + "CrowdStrike":"No", + "Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"No", + "FortiEDR":"No", + "Harfanglab":"No", + "LimaCharlie":"No", + "MDE":"Yes", + "Qualys":"No", + "SentinelOne":"Yes", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"No", + "Trend Micro":"No", + "Uptycs":"Via EventLogs", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":"Named Pipe Activity", + "Sub-Category":"Pipe Creation", + "Carbon Black":"Partially", + "Cortex XDR":"No", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"Yes", + "Elastic":"No", + "FortiEDR":"No", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"No", + "SentinelOne":"Via EnablingTelemetry", + "Symantec SES Complete":"No", + "Sysmon":"Yes", + "Trellix":"No", + "Trend Micro":"Via EnablingTelemetry", + "Uptycs":"Yes", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Pipe Connection", + "Carbon Black":"No", + "Cortex XDR":"No", + "CrowdStrike":"Yes", + 
"Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"No", + "FortiEDR":"No", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"No", + "SentinelOne":"Via EnablingTelemetry", + "Symantec SES Complete":"No", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Via EnablingTelemetry", + "Uptycs":"No", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":"EDR SysOps", + "Sub-Category":"Agent Start", + "Carbon Black":"Yes", + "Cortex XDR":"Partially", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"No", + "Elastic":"No", + "FortiEDR":"Yes", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Via EventLogs", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Via EnablingTelemetry", + "Sysmon":"Yes", + "Trellix":"Pending Response", + "Trend Micro":"No", + "Uptycs":"Yes", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Agent Stop", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"No", + "Elastic":"Yes", + "FortiEDR":"No", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Via EventLogs", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Via EnablingTelemetry", + "Sysmon":"Yes", + "Trellix":"Pending Response", + "Trend Micro":"No", + "Uptycs":"Yes", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Agent Install", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"No", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"No", + "FortiEDR":"Yes", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Via EventLogs", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Via EnablingTelemetry", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"No", + "Uptycs":"No", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Agent Uninstall", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + 
"CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Yes", + "Harfanglab":"No", + "LimaCharlie":"No", + "MDE":"No", + "Qualys":"No", + "SentinelOne":"Yes", + "Symantec SES Complete":"Via EnablingTelemetry", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"No", + "Uptycs":"No", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Agent Keep-Alive", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"No", + "FortiEDR":"No", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Via EventLogs", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Via EnablingTelemetry", + "Sysmon":"No", + "Trellix":"Pending Response", + "Trend Micro":"No", + "Uptycs":"No", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Agent Errors", + "Carbon Black":"Yes", + "Cortex XDR":"Yes", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Yes", + "Harfanglab":"Yes", + "LimaCharlie":"Yes", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Via EnablingTelemetry", + "Sysmon":"Yes", + "Trellix":"Pending Response", + "Trend Micro":"No", + "Uptycs":"Yes", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":"WMI Activity", + "Sub-Category":"WmiEventConsumerToFilter", + "Carbon Black":"No", + "Cortex XDR":"Via EnablingTelemetry", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Yes", + "LimaCharlie":"No", + "MDE":"Yes", + "Qualys":"Via EventLogs", + "SentinelOne":"Yes", + "Symantec SES Complete":"Partially", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Via EventLogs", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"WmiEventConsumer", + "Carbon Black":"No", + 
"Cortex XDR":"Via EnablingTelemetry", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Yes", + "LimaCharlie":"No", + "MDE":"Yes", + "Qualys":"Via EventLogs", + "SentinelOne":"Yes", + "Symantec SES Complete":"Partially", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Via EventLogs", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"WmiEventFilter", + "Carbon Black":"No", + "Cortex XDR":"Via EnablingTelemetry", + "CrowdStrike":"Yes", + "Cybereason":"Yes", + "ESET Inspect":"Yes", + "Elastic":"Yes", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Yes", + "LimaCharlie":"No", + "MDE":"Yes", + "Qualys":"Via EventLogs", + "SentinelOne":"Yes", + "Symantec SES Complete":"Partially", + "Sysmon":"Yes", + "Trellix":"Yes", + "Trend Micro":"Via EventLogs", + "Uptycs":"Yes", + "WatchGuard":"Yes" + }, + { + "Telemetry Feature Category":"BIT JOBS Activity", + "Sub-Category":"BIT JOBS Activity", + "Carbon Black":"No", + "Cortex XDR":"Via EnablingTelemetry", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"No", + "Elastic":"No", + "FortiEDR":"Via EventLogs", + "Harfanglab":"No", + "LimaCharlie":"No", + "MDE":"No", + "Qualys":"Yes", + "SentinelOne":"No", + "Symantec SES Complete":"No", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Via EventLogs", + "Uptycs":"No", + "WatchGuard":"No" + }, + { + "Telemetry Feature Category":"PowerShell Activity", + "Sub-Category":"Script-Block Activity", + "Carbon Black":"Yes", + "Cortex XDR":"Via EventLogs", + "CrowdStrike":"Yes", + "Cybereason":"No", + "ESET Inspect":"Yes", + "Elastic":"No", + "FortiEDR":"Via EventLogs", + "Harfanglab":"Yes", + "LimaCharlie":"Via EventLogs", + "MDE":"Yes", + "Qualys":"Yes", + "SentinelOne":"Yes", + "Symantec SES Complete":"Yes", + "Sysmon":"No", + "Trellix":"Yes", + "Trend Micro":"Yes", + "Uptycs":"Yes", + "WatchGuard":"No" + } +] \ No newline at end of file 
diff --git a/Tools/compare-requirements.txt b/Tools/compare-requirements.txt
new file mode 100644
index 0000000..11041fe
--- /dev/null
+++ b/Tools/compare-requirements.txt
@@ -0,0 +1,2 @@
+prettytable==3.10.0
+wcwidth==0.2.13
diff --git a/Tools/fetch_contributors.py b/Tools/fetch_contributors.py
new file mode 100644
index 0000000..dffcf61
--- /dev/null
+++ b/Tools/fetch_contributors.py
@@ -0,0 +1,84 @@
+import re
+import requests
+
+# GitHub repository details
+OWNER = "tsale"
+REPOSITORY = "EDR-Telemetry"
+
+# Define the README file path
+readme_path = "README.md"
+
+# Define the section markers
+start_marker = "# ✨ Contributors Wall"
+end_marker = "## Current Primary Maintainers"
+
+# Fetch contributors using GitHub API
+def fetch_contributors():
+ """
+ Fetch contributors from GitHub and generate HTML for their icons.
+ """
+ url = f"https://api.github.com/repos/{OWNER}/{REPOSITORY}/contributors"
+ response = requests.get(url)
+
+ if response.status_code != 200:
+ raise Exception(f"Failed to fetch contributors: {response.status_code}")
+
+ contributors = response.json()
+ contributors_html = '
\n' + + for contributor in contributors: + username = contributor["login"] + avatar_url = contributor["avatar_url"] + profile_url = contributor["html_url"] + contributors_html += f""" + + {username} + """ + + contributors_html += "\n
" + return contributors_html + + +# Generate the new content for the Contributors Wall section +def generate_new_content(contributors_html): + return f""" +# ✨ Contributors Wall + +Thanks to these amazing contributors: + +

+{contributors_html} +

+""" + +# Update the specific section in the README file +def update_readme(new_section_content): + # Read the README file + with open(readme_path, "r") as file: + readme_content = file.read() + + # Use a regex pattern to replace the section + pattern = re.compile( + f"{re.escape(start_marker)}.*?{re.escape(end_marker)}", + re.DOTALL + ) + updated_content = pattern.sub(new_section_content + "\n" + end_marker, readme_content) + + # Write the updated content back to the README file + with open(readme_path, "w") as file: + file.write(updated_content) + + print("README.md has been updated successfully!") + +# Main function to orchestrate the process +def main(): + try: + contributors_html = fetch_contributors() + new_section_content = generate_new_content(contributors_html) + update_readme(new_section_content) + except Exception as e: + print(f"Error: {e}") + +# Execute the script +if __name__ == "__main__": + main() diff --git a/images/edr-telemetry_website_screenshot.png b/images/edr-telemetry_website_screenshot.png new file mode 100644 index 0000000..e912200 Binary files /dev/null and b/images/edr-telemetry_website_screenshot.png differ diff --git a/mitre_att&ck_mappings.json b/mitre_att&ck_mappings.json new file mode 100644 index 0000000..bee627a --- /dev/null +++ b/mitre_att&ck_mappings.json 
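Review bot: `response = requests.get(url)` in fetch_contributors has no timeout and sends no credentials, so a stalled connection can hang the workflow indefinitely and every run counts against GitHub's low unauthenticated rate limit; at minimum pass `timeout=30`, and send an `Authorization` header when a token is available in the environment. The contributors endpoint is paginated (30 entries per page by default), so a repository with more contributors than that silently drops everyone past the first page unless the code follows the `Link` header or requests a larger `per_page`. In main, `except Exception as e: print(f"Error: {e}")` turns every failure into a normal exit, so the CI step that runs this script reports success on a failed update; add `raise SystemExit(1)` after the print. update_readme likewise prints "updated successfully" even when `pattern.sub` matched nothing because a marker is missing from README.md; check `pattern.search(readme_content)` first and fail loudly when the section cannot be located.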
@@ -0,0 +1,320 @@ +[ + { + "" : "", + "MITRE ATT&CK Mappings" : "Process Creation - DS0009", + "Sub-Category" : "Process Creation", + "Telemetry Feature Category" : "Process Activity" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Process Termination - DS0009", + "Sub-Category" : "Process Termination", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Process Access - DS0009", + "Sub-Category" : "Process Access", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Module Load - DS0011", + "Sub-Category" : "Image\/Library Loaded", + "Telemetry Feature Category" : "" + }, + { + "" : "Process Access (Partial) - DS0009", + "MITRE ATT&CK Mappings" : "OS API Execution (Partial) - DS0009, Process Access (Partial) - DS0009", + "Sub-Category" : "Remote Thread Creation", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Process Modification - DS0009", + "Sub-Category" : "Process Tampering Activity", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "File Creation - DS0022", + "Sub-Category" : "File Creation", + "Telemetry Feature Category" : "File Manipulation" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "File Opened - DS0022", + "Sub-Category" : "File Opened", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "File Deletion - DS0022", + "Sub-Category" : "File Deletion", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "File Modification - DS0022", + "Sub-Category" : "File Modification", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "File Renaming - DS0022", + "Sub-Category" : "File Renaming", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Local Account Creation - DS0002", + "Sub-Category" : "Local Account Creation", + "Telemetry Feature Category" : "User Account Activity" + }, + { + "" : "", 
+ "MITRE ATT&CK Mappings" : "Local Account Modification - DS0002", + "Sub-Category" : "Local Account Modification", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Local Account Deletion - DS0002", + "Sub-Category" : "Local Account Deletion", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Account Login (User Account Authentication) - DS0002, Account Login (Logon Session Creation) - DS0028", + "Sub-Category" : "Account Login", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "-", + "Sub-Category" : "Account Logoff", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "TCP Connection - DS0029", + "Sub-Category" : "TCP Connection", + "Telemetry Feature Category" : "Network Activity" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "UDP Connection - DS0029", + "Sub-Category" : "UDP Connection", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "URL - DS0029", + "Sub-Category" : "URL", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "DNS Query - DS0029", + "Sub-Category" : "DNS Query", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "File Downloaded (Network Traffic Content) - DS0029,File Downloaded (File Creation) - DS0022", + "Sub-Category" : "File Downloaded", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "MD5 - DS0022", + "Sub-Category" : "MD5", + "Telemetry Feature Category" : "Hash Algorithms" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "SHA - DS0022", + "Sub-Category" : "SHA", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "IMPHASH - DS0022", + "Sub-Category" : "IMPHASH", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Key\/Value Creation - DS0024", + "Sub-Category" : "Key\/Value Creation", + "Telemetry 
Feature Category" : "Registry Activity" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Key\/Value Modification - DS0024", + "Sub-Category" : "Key\/Value Modification", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Key\/Value Deletion - DS0024", + "Sub-Category" : "Key\/Value Deletion", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Scheduled Task Creation - DS0003", + "Sub-Category" : "Scheduled Task Creation", + "Telemetry Feature Category" : "Schedule Task Activity" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Scheduled Task Modification - DS0003", + "Sub-Category" : "Scheduled Task Modification", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Scheduled Task Deletion - DS0003", + "Sub-Category" : "Scheduled Task Deletion", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Service Creation - DS0019", + "Sub-Category" : "Service Creation", + "Telemetry Feature Category" : "Service Activity" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Service Modification - DS0019", + "Sub-Category" : "Service Modification", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Service Deletion - DS0019", + "Sub-Category" : "Service Deletion", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Driver Loaded - DS0027", + "Sub-Category" : "Driver Loaded", + "Telemetry Feature Category" : "Driver\/Module Activity" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Driver Modification - DS0022", + "Sub-Category" : "Driver Modification", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "-", + "Sub-Category" : "Driver Unloaded", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Virtual Disk Mount - DS0016", + "Sub-Category" : "Virtual Disk Mount", + "Telemetry Feature Category" : "Device Operations" 
+ }, + { + "" : "", + "MITRE ATT&CK Mappings" : "USB Device Unmount - DS0016", + "Sub-Category" : "USB Device Unmount", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "USB Device Mount - DS0016", + "Sub-Category" : "USB Device Mount", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Group Policy Modification - DS0026", + "Sub-Category" : "Group Policy Modification", + "Telemetry Feature Category" : "Other Relevant Events" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Pipe Creation - DS0023", + "Sub-Category" : "Pipe Creation", + "Telemetry Feature Category" : "Named Pipe Activity" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Pipe Connection - DS0023", + "Sub-Category" : "Pipe Connection", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Agent Start - DS0013", + "Sub-Category" : "Agent Start", + "Telemetry Feature Category" : "EDR SysOps" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Agent Stop - DS0013", + "Sub-Category" : "Agent Stop", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Agent Install - DS0013", + "Sub-Category" : "Agent Install", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Agent Uninstall - DS0013", + "Sub-Category" : "Agent Uninstall", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Agent Keep-Alive - DS0013", + "Sub-Category" : "Agent Keep-Alive", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Agent Errors - DS0013", + "Sub-Category" : "Agent Errors", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "WmiEventConsumerToFilter - DS0005", + "Sub-Category" : "WmiEventConsumerToFilter", + "Telemetry Feature Category" : "WMI Activity" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "WmiEventConsumer - DS0005", + "Sub-Category" : "WmiEventConsumer", + 
"Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "WmiEventFilter - DS0005", + "Sub-Category" : "WmiEventFilter", + "Telemetry Feature Category" : "" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "PowerShell Activity - DS0012,PowerShell Activity - DS0017", + "Sub-Category" : "BIT JOBS Activity", + "Telemetry Feature Category" : "BIT JOBS Activity" + }, + { + "" : "", + "MITRE ATT&CK Mappings" : "Script-Block Activity - DS0012", + "Sub-Category" : "Script-Block Activity", + "Telemetry Feature Category" : "PowerShell Activity" + } + ] \ No newline at end of file diff --git a/partially_value_explanations.json b/partially_value_explanations.json new file mode 100644 index 0000000..cce8869 --- /dev/null +++ b/partially_value_explanations.json 
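Review bot: Every record carries an unnamed `""` key, and in the Remote Thread Creation entry it holds `"Process Access (Partial) - DS0009"`, a value already contained in that record's `"MITRE ATT&CK Mappings"` string; this looks like a spreadsheet export artifact, and any consumer that iterates keys will see an empty column header. Drop the `""` key from all records or, if the extra column is intentional, give it a name. The BIT JOBS Activity record maps to `"PowerShell Activity - DS0012,PowerShell Activity - DS0017"`, which reads as a copy from the Script-Block Activity row below rather than a BITS-specific data source; worth confirming against the source sheet. The comma-separated mapping values are also inconsistently formatted (`DS0029,File Downloaded` and `DS0012,PowerShell` have no space after the comma while the Account Login entry does), which matters if a consumer splits on `", "`. Finally, the file name `mitre_att&ck_mappings.json` contains `&`, which must be quoted in every shell command that references it; a name such as `mitre_attack_mappings.json` avoids that trap.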
@@ -0,0 +1,1115 @@ +[ + { + "Telemetry Feature Category":"Process Activity", + "Sub-Category":"Process Creation", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Process Termination", + "Carbon Black": {"Partially":"Only observed as file operations."}, + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Process Access", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":{"Partially":"Only for LSASS.exe process"}, + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Image\/Library Loaded", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Remote Thread Creation", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + 
"SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Process Tampering Activity", + "Carbon Black":{"Partially":"Only via cross-process."}, + "Cortex XDR":{"Partially":"Needs the tamper protection enabled."}, + "CrowdStrike":"", + "Cybereason":"Pending Response", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":{"Partially":"Only provides cross process info like remote thread creation and process handles, it doesn't give much more detail beyond that."}, + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"File Manipulation", + "Sub-Category":"File Creation", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":{"Partially":"Only for binaries created on disk."}, + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":{"Partially":"Only tracks via dedicated event the renaming of Portable Executables (PE) and compressed files."} + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"File Opened", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":{"Partially":"Only contains modification from a user added to a group."}, + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":{"Partially":"Visibility on File Read only"}, + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":{"Partially":"Only tracks via dedicated event the opening of compressed files."} + }, + { + "Telemetry Feature Category":null, + 
"Sub-Category":"File Deletion", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"File Modification", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"File Renaming", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":{"Partially":"Events are reported as a delete+write."}, + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":{"Partially":"Only tracks via dedicated event the renaming of Portable Executables (PE) and compressed files."} + }, + { + "Telemetry Feature Category":"User Account Activity", + "Sub-Category":"Local Account Creation", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Local Account Modification", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":{"Partially":"Only contains modification from a user added to a group."}, + "Cybereason":"", + "ESET Inspect":"", + 
"Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Local Account Deletion", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Account Login", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":{"Partially":"Only tracks when user is seen first time per endpoint."}, + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Account Logoff", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"Network Activity", + "Sub-Category":"TCP Connection", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"UDP Connection", + "Carbon Black":"", + 
"Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"URL", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":{"Partially":"Only if activity is generated by a NON-Browser application."}, + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":{"Partially":"Depends on Firewall / IPS settings / policy; if only IPS is enabled URL will just logged malicious connections, but not clean connections"}, + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":{"Partially":"Mainly when the URL is fetched via HTTP/S GET and not from a modern browser."} + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"DNS Query", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"File Downloaded", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":{"Partially":"Only for documents and binaries."}, + "ESET Inspect":{"Partially":"Only for binaries created on disk."}, + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":{"Partially":"Only if the activity is generated via Chrome browser[https://doc.limacharlie.io/docs/documentation/0b189c00533e5-reference-events#http_request]"}, + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend 
Micro":"", + "Uptycs":{"Partially":"Limited to certain processes."}, + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"Hash Algorithms", + "Sub-Category":"MD5", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"SHA", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"IMPHASH", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":{"Partially":"Only available for drivers and DLL files."}, + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"Registry Activity", + "Sub-Category":"Key\/Value Creation", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":{"Partially":"Tracks only only specific keys (ASEP = 'AutoStarting Entry Point')."}, + "Cybereason":{"Partially":"By default, only RUN keys and some registry values that are commonly abused."}, + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Key\/Value Modification", + 
"Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":{"Partially":"Tracks only only specific keys (ASEP = 'AutoStarting Entry Point')."}, + "Cybereason":{"Partially":"By default, only RUN keys and some registry values that are commonly abused."}, + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Key\/Value Deletion", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":{"Partially":"By default, only RUN keys and some registry values that are commonly abused."}, + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"Schedule Task Activity", + "Sub-Category":"Scheduled Task Creation", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Scheduled Task Modification", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Scheduled Task Deletion", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET 
Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"Service Activity", + "Sub-Category":"Service Creation", + "Carbon Black":{"Partially":"Via monitoring the registry changes."}, + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Service Modification", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":{"Partially":"Tracks only modification of service binaries."}, + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":{"Partially":"The dedicated event tracking service activity only tracks parent/child processes related to a service change, no further details."} + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Service Deletion", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"Pending Response", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"Driver\/Module Activity", + "Sub-Category":"Driver Loaded", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + 
"SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Driver Modification", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Driver Unloaded", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":{"Partially":"It only shows a specific driver unload method use by attacker instead of every unloaded drivers"}, + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"Device Operations", + "Sub-Category":"Virtual Disk Mount", + "Carbon Black":"", + "Cortex XDR":{"Partially":"Device Control should be in block mode"}, + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"USB Device Unmount", + "Carbon Black":"", + "Cortex XDR":{"Partially":"Device Control should be in block mode"}, + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":{"Partially":"Only mount/unmount events related to 'Volumes'. 
No other device visibility on this."}, + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"USB Device Mount", + "Carbon Black":{"Partially":"Mounted USBs are recorded in a separate table within the platform for administrative approval."}, + "Cortex XDR":{"Partially":"Device Control should be in block mode"}, + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":{"Partially":"Only mount/unmount events related to 'Volumes'. No other device visibility on this."}, + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"Other Relevant Events", + "Sub-Category":"Group Policy Modification", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"Named Pipe Activity", + "Sub-Category":"Pipe Creation", + "Carbon Black":{"Partially":"Reports only named pipes for file creation events."}, + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Pipe Connection", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + 
"MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"EDR SysOps", + "Sub-Category":"Agent Start", + "Carbon Black":"", + "Cortex XDR":{"Partially":"Only if the start action fails"}, + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"Pending Response", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Agent Stop", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"Pending Response", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Agent Install", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Agent Uninstall", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Agent Keep-Alive", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET 
Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"Pending Response", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"Agent Errors", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"Pending Response", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"WMI Activity", + "Sub-Category":"WmiEventConsumerToFilter", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":{"Partially":"SES has a WMI Response Event and a WMI Instance Object, the WMI Response Event describes: unknown, blocked, allowed, no action, logged, command script, uncorrected, delayed, deleted, quarantined, restored, detected"}, + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + "Sub-Category":"WmiEventConsumer", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":{"Partially":"SES has a WMI Response Event and a WMI Instance Object, the WMI Response Event describes: unknown, blocked, allowed, no action, logged, command script, uncorrected, delayed, deleted, quarantined, restored, detected"}, + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":null, + 
"Sub-Category":"WmiEventFilter", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":{"Partially":"SES has a WMI Response Event and a WMI Instance Object, the WMI Response Event describes: unknown, blocked, allowed, no action, logged, command script, uncorrected, delayed, deleted, quarantined, restored, detected"}, + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"BIT JOBS Activity", + "Sub-Category":"BIT JOBS Activity", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + }, + { + "Telemetry Feature Category":"PowerShell Activity", + "Sub-Category":"Script-Block Activity", + "Carbon Black":"", + "Cortex XDR":"", + "CrowdStrike":"", + "Cybereason":"", + "ESET Inspect":"", + "Elastic":"", + "Harfanglab":"", + "LimaCharlie":"", + "MDE":"", + "Qualys":"", + "SentinelOne":"", + "Symantec SES Complete":"", + "Sysmon":"", + "Trellix":"", + "Trend Micro":"", + "Uptycs":"", + "WatchGuard":"" + } +]
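Review bot: In the "File Opened" row the CrowdStrike cell carries `{"Partially":"Only contains modification from a user added to a group."}`, which is the text used for CrowdStrike under "Local Account Modification" and says nothing about file-open telemetry, so it reads as a copy-paste slip; either replace it with the actual file-open caveat or clear it to `"CrowdStrike":"",` so the rendered table does not attach an account-management note to file activity. Separately, one column mixes three value shapes — `""`, the bare string `"Pending Response"`, and `{"Partially":"..."}` — and `"Telemetry Feature Category"` alternates between `null` and a string; whatever consumes this file (presumably the compare script) must special-case every variant, so settling on one convention (for example `null` for "no note" and an object for everything else) would make both the data and the consumer easier to validate. Minor: the CrowdStrike registry rows repeat a word, `"Tracks only only specific keys (ASEP = 'AutoStarting Entry Point')."` should be `"Tracks only specific keys (ASEP = 'AutoStarting Entry Point')."`.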