Introduction
The following article outlines what types of data are logged by Field Effect MDR for analysis. To see the audit policy settings that will maximize Field Effect MDR's effectiveness, see Audit Policy Requirements for Field Effect MDR.
Data Collected by Field Effect
Endpoint Agents
Field Effect collects all the fundamental telemetry points from an endpoint, including (but not limited to):
- Process execution
- User sessions
- Installed software
- Module and driver loading
- Network activity
- Removable media activity
- System event logs
These fundamental telemetry points apply to all operating systems supported by Field Effect MDR. On Windows specifically, Field Effect MDR can also collect crash dumps.
Log Collection: Windows Advanced Audit Policy
Field Effect MDR collects the following Advanced Audit Policy event logs:
| Event ID | Category | Subcategory | Details |
|---|---|---|---|
| 4624 | Logon/Logoff | Logon | An account was successfully logged on. |
| 4625 | Logon/Logoff | Logon | An account failed to log on. |
| 4663 | Object Access | Kernel Object | An attempt was made to access an object. |
| 4672 | Privilege Use | Non-Sensitive Privilege Use | Special privileges assigned to new logon. |
| 4720 | Account Management | User Account Management | A user account was created. |
| 4722 | Account Management | User Account Management | A user account was enabled. |
| 4725 | Account Management | User Account Management | A user account was disabled. |
| 4728 | Account Management | Security Group Management | A member was added to a security-enabled global group. |
| 4729 | Account Management | Security Group Management | A member was removed from a security-enabled global group. |
| 4732 | Account Management | Security Group Management | A member was added to a security-enabled local group. |
| 4738 | Account Management | Security Group Management | A user account was changed. |
| 4740 | Account Management | User Account Management | A user account was locked out. |
| 4741 | Account Management | Computer Account Management | A computer account was created. |
| 4743 | Account Management | Computer Account Management | A computer account was deleted. |
| 4768 | Account Logon | Kerberos Authentication Service | A Kerberos authentication ticket (TGT) was requested. |
| 4769 | Account Logon | Kerberos Service Ticket Operations | A Kerberos service ticket was requested. |
| 4770 | Account Logon | Kerberos Service Ticket Operations | A Kerberos service ticket was renewed. |
| 4781 | Account Management | User Account Management | The name of an account was changed. |
Additional Event Log Sources
The event IDs listed below are also collected and used in certain analytics, but they are not controlled by the Windows Advanced Audit Policy; they come from other Windows event logs.
| Source (Windows Event Log) | Event IDs |
|---|---|
| System | 5829, 5828, 5827, 7031, 1074, 41 |
| Application | 15, 51 |
| Microsoft-Windows-Windows Defender/Operational | 1015, 1116, 1008, 1007, 1006, 1117, 1118, 1119, 1120 |
| Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | 21, 25 |
| Microsoft-Windows-WLAN-AutoConfig/Operational | 11000 |
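Before onboarding a host it is worth confirming that the events in the two tables above are actually being written locally. The script below is an added example, not Field Effect tooling: it counts occurrences of each listed event ID in its source log over the last 24 hours, so gaps in audit policy or missing log sources stand out. It assumes an elevated PowerShell session and the built-in Get-WinEvent cmdlet.

```powershell
# Added example (not part of Field Effect MDR): report how many of the
# events this article lists were written on the local host in the last 24h.
$since = (Get-Date).AddHours(-24)

# Event IDs from the Advanced Audit Policy table; all land in the Security log.
$auditPolicyIds = 4624,4625,4663,4672,4720,4722,4725,4728,4729,4732,
                  4738,4740,4741,4743,4768,4769,4770,4781

# Additional sources from the second table, keyed by Windows Event Log name.
$extraSources = @{
    'System'      = 5829,5828,5827,7031,1074,41
    'Application' = 15,51
    'Microsoft-Windows-Windows Defender/Operational'                     = 1015,1116,1008,1007,1006,1117,1118,1119,1120
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' = 21,25
    'Microsoft-Windows-WLAN-AutoConfig/Operational'                      = 11000
}

function Get-EventIdCounts {
    param([string]$LogName, [int[]]$Ids)
    # Get-WinEvent throws when nothing matches or the log does not exist
    # (e.g. WLAN-AutoConfig on a server), so suppress that and report zeros.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $counts = @{}
    foreach ($id in $Ids) { $counts[$id] = 0 }
    foreach ($e in $events) { $counts[$e.Id]++ }
    foreach ($id in $Ids) {
        [pscustomobject]@{ Log = $LogName; EventId = $id; Count = $counts[$id]; Seen = ($counts[$id] -gt 0) }
    }
}

$results = @()
$results += Get-EventIdCounts -LogName 'Security' -Ids $auditPolicyIds
foreach ($log in $extraSources.Keys) {
    $results += Get-EventIdCounts -LogName $log -Ids $extraSources[$log]
}

$results | Sort-Object Log, EventId | Format-Table -AutoSize

# Seen = False is a prompt to check, not proof of misconfiguration: some IDs
# are rare by nature (4740 lockouts), and the Kerberos IDs 4768-4770 are only
# written on domain controllers. Compare against the Audit Policy Requirements article.
```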
Network Sensor (traffic)
The network sensor is able to collect the following metrics for analysis:
- Connection information
  - Source IP / port
  - Destination IP / port
  - Bytes in
  - Bytes out
  - Total number of packets
- DNS resolutions
- TLS certificates
- SMB resource usage
- FTP traffic summary
- Traffic fingerprinting: DHCP, mDNS, NetBIOS information
Cloud Integrations
The following data is collected from cloud service providers that are integrated with Field Effect MDR. To learn more about our cloud integrations, see our Help Center chapter on the topic.
| Provider | Event Type | Description |
|---|---|---|
| AWS | AWS CloudTrail Management Events | Provides information about the management operations performed on resources within an AWS account. These are also known as _control plane operations_. |
| AWS | AWS GuardDuty Findings | Must be enabled in AWS. Represents potential security issues detected within the network; GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in an AWS environment. |
| Azure AD | Office 365 Management Activity API | Used to retrieve information about user, admin, system, and policy actions and events from Office 365 and Azure AD activity logs. |
| Google Workspace | Reports API activity data | Lists activities in a specific Google Workspace application or service. Activity reports include the date, time, user, and type of activity. |
| Okta | System log data | Records system events related to your organization, providing an audit trail that can be used to understand platform activity and diagnose problems. |