add NDR metadata on the endpoint (MDE only!) #93
What's the telemetry option to enable on MDE? What do the data look like? Can you provide some evidence? Also, what are the additional categories proposed to be included?
Hi @tsale, I checked, and here are the results: MDE (sometimes) adds network details collected by Zeek into a JSON field "Additional details". Unfortunately, no public documentation of this is available. I can't share screenshots without my client's approval (who runs MDE). I will run more tests and will contact Microsoft to see if they can provide a demo of this or something, to have final confirmation on this.
Providing additional context around this: The telemetry should be enabled by default AFAIK. The events are part of the DeviceNetworkEvents table. https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/new-network-based-detections-and-improved-device-discovery-using-zeek/3682111 ActionTypes are listed in the 2nd URL. It also has screenshots of how the events (data) look like. FWIW, Carbon Black Cloud now has something similar with their XDR module, which, if you have it, allows you to turn on NDR (through XDR Network Data Collection: https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-57ABB6F2-A48E-4FF3-A4A4-36C29252D7A5.html). Telemetry now includes stuff regarding SSL certs and even JA3 fingerprints and so on. https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-938830FC-A730-42D5-9789-CCA3A65C7264.html Therefore, we can probably expect more EDR products to jump on that bandwagon at some point. I suspect that SentinelOne and CrowdStrike also have that kind of telemetry through their EDR agent, but I can't remember off the top of my head.
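To check whether a tenant actually receives the Zeek-derived events discussed in this thread, here is an added Advanced Hunting (KQL) example; it is not from the issue or the project. It assumes the Zeek-produced ActionTypes end in "ConnectionInspected" and that the Zeek payload arrives in the AdditionalFields column under Zeek's ssl.log field names (server_name, ja3, version), which you should confirm against your own results.

```kql
// Query 1: which Zeek-derived inspection ActionTypes does this tenant receive?
// Assumption: the Zeek integration's ActionTypes share the "ConnectionInspected" suffix.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType endswith "ConnectionInspected"
| summarize Events = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by ActionType
| order by Events desc

// Query 2: look at the JSON payload for TLS sessions.
// Assumption: field names inside AdditionalFields follow Zeek's ssl.log naming
// (server_name, ja3, version); verify them before building detections on them.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "SslConnectionInspected"
| extend Details = parse_json(AdditionalFields)
| project Timestamp, DeviceName, RemoteIP, RemotePort,
          ServerName = tostring(Details.server_name),
          Ja3 = tostring(Details.ja3),
          TlsVersion = tostring(Details.version)
| take 20
```

Run the two queries separately in the Advanced Hunting editor; an empty result from the first one means the Zeek-based telemetry is not reaching your tenant for that time window.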
The good people at Microsoft contributed to Zeek to make it compilable on Windows, and they now include it as an optional log source in MDE.
This is a great move, since EDRs lack this kind of visibility at the network level (most of them just provide NetFlow-like data; some provide more, such as DNS and some HTTP info), but Zeek on the endpoint, in the case of MDE, is super good for visibility, even better than an NDR appliance.
Because an NDR appliance, for example:
1. doesn't give visibility over everything (horizontal traffic in the same subnet crosses over the switch and usually doesn't arrive at the NDR, and most NDRs will drop stuff if traffic is high and are practically deployed only based on average consumption).
All in all, MDE is actually much better than CrowdStrike when it is configured to log the missing logs through native logging, but with Zeek on the endpoint enabled it is much better, and CrowdStrike doesn't have a similar option, even though it is relatively simple to integrate Zeek into any EDR.
I hope vendors will move towards adding Zeek to their EDR by default, and by adding a section for this kind of detailed metadata from Zeek it will show the value this addition brings (currently only to MDE).
Thanks!