
[Update] EDR Telemetry for Linux - Elastic Defend#198

Open
Aegrah wants to merge 1 commit into
tsale:mainfrom
Aegrah:elastic-defend-linux-contribution

Conversation


@Aegrah Aegrah commented May 18, 2026

EDR Telemetry Pull Request

Contribution Details

Adding a new PR that provides evidence for the addition of 4 new data sources to Elastic Defend for Linux:

  • DNS Query
  • Driver Load
  • Process Access
  • Process Tampering

Telemetry Validation

Documentation or Evidence:

  • Official documentation (link: )
  • Screenshots attached
  • Sanitized logs provided
  • Private documentation (will share confidentially)

Type of Contribution

  • Adding telemetry information for an existing EDR product
  • Adding a new EDR product that meets eligibility criteria
  • Proposing new event categories/sub-categories
  • Documentation improvement
  • Tool enhancement

Validation Details

EDR Product Information

DNS Query

Since 9.3.0, Elastic Defend adds the option to enable DNS lookups & results. By enabling the toggle in the Elastic Defend settings:

image

There are two new event categories available: lookup_requested and lookup_result.

For the lookup_requested data source, the following information is available:

image

For the lookup_result data source, the following information is available:

image

Driver Load

Since 9.1.4, Elastic Defend captures init_module()/finit_module() LKM (driver) loading. This is available via a process event, with the load_module event.action:

image

The screenshot above showcases several fileless loading techniques via memfd_create(), although not relevant for the data source here.

Ptrace

Since 9.1.4, Elastic Defend captures the ptrace() syscall for process access and tampering. The relevant fields are available here:

image

The key field is:

  • process.Ext.ptrace.request

This field contains the raw Linux ptrace request value. The ptrace() syscall uses this request argument to define the operation being performed, commonly represented as ptrace(PTRACE_<operation>, pid, addr, data). The Linux man page documents these operations and separates read/inspect-style requests, such as PTRACE_PEEK* and PTRACE_GETREGS, from write/modify-style requests, such as PTRACE_POKE* and PTRACE_SETREGS: https://man7.org/linux/man-pages/man2/ptrace.2.html

Observed request values:

| Number | ptrace operation | Classification |
|---|---|---|
| 3 | PTRACE_PEEKUSR / PTRACE_PEEKUSER | Process Access |
| 12 | PTRACE_GETREGS | Process Access |
| 16 | PTRACE_ATTACH | Process Access |
| 16896 / 0x4200 | PTRACE_SETOPTIONS | Process Access / tracing setup |
| 5 | PTRACE_POKEDATA | Process Tampering |
| 13 | PTRACE_SETREGS | Process Tampering |
| 17 | PTRACE_DETACH | Cleanup / detach |

Relevant fields exposed by Elastic Defend:

  • process.executable
  • process.command_line
  • event.action
  • process.Ext.ptrace.child_pid
  • process.Ext.ptrace.request
  • process.Ext.ptrace.addr
  • process.Ext.ptrace.data

Process Access

The screenshot shows /usr/bin/gdb generating ptrace events with request values such as 16, 12, 3, and 16896, mapping to attach/read/inspect behavior.

Example:

process.executable: /usr/bin/gdb
event.action: ptrace
process.command_line: gdb
process.Ext.ptrace.child_pid: 1
process.Ext.ptrace.request: 16
process.Ext.ptrace.addr: 0
process.Ext.ptrace.data: 0

Process Tampering

The screenshot also shows /home/ruben_groenewoud/Infector/infect generating ptrace request value 5 (PTRACE_POKEDATA) and request value 13 (PTRACE_SETREGS), mapping to memory write and register modification behavior.

Example:

process.executable: /home/ruben_groenewoud/Infector/infect
event.action: ptrace
process.command_line: ./infect 58218
process.Ext.ptrace.child_pid: 58218
process.Ext.ptrace.request: 5
process.Ext.ptrace.addr: 96446014459928
process.Ext.ptrace.data: 12708687932510789632

This confirms that Elastic Defend exposes enough ptrace telemetry to distinguish process access from process tampering using process.Ext.ptrace.request, while also exposing the source process, target PID, address, and data arguments.
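As an added illustration of the classification the PR describes (example code, not part of the PR or of Elastic Defend): the request-number table above turned into a small classifier that labels ptrace events as Process Access or Process Tampering from process.Ext.ptrace.request. The sample events are constructed from the two examples quoted in the PR, using flat ECS-style keys, and are not real agent output.

```python
# Classify Elastic Defend ptrace events (Process Access vs Process Tampering)
# from process.Ext.ptrace.request, using the request-number table in the PR.

# Request numbers and labels as listed in the PR's table (Linux ptrace(2) values).
ACCESS = {3: "PTRACE_PEEKUSER", 12: "PTRACE_GETREGS",
          16: "PTRACE_ATTACH", 16896: "PTRACE_SETOPTIONS"}
TAMPER = {5: "PTRACE_POKEDATA", 13: "PTRACE_SETREGS"}
DETACH = {17: "PTRACE_DETACH"}
REQUEST_NAMES = {**ACCESS, **TAMPER, **DETACH}

def classify_request(request: int) -> str:
    """Map a raw ptrace request value to the PR's classification label."""
    if request in TAMPER:
        return "Process Tampering"
    if request in ACCESS:
        return "Process Access"
    if request in DETACH:
        return "Cleanup / detach"
    return "Unclassified"

def summarize_ptrace_events(events):
    """One row per event.action == "ptrace" event: source, target PID, request, class."""
    rows = []
    for ev in events:
        if ev.get("event.action") != "ptrace":
            continue  # only ptrace events carry the process.Ext.ptrace.* fields
        req = int(ev["process.Ext.ptrace.request"])
        rows.append({
            "source": ev.get("process.executable"),
            "target_pid": ev.get("process.Ext.ptrace.child_pid"),
            "request": REQUEST_NAMES.get(req, f"REQUEST_{req}"),
            "classification": classify_request(req),
        })
    return rows

# Constructed sample events (flat ECS keys) from the PR's two examples, plus one
# non-ptrace event to show the filter; not real Elastic Defend output.
SAMPLE_EVENTS = [
    {"event.action": "ptrace", "process.executable": "/usr/bin/gdb",
     "process.command_line": "gdb", "process.Ext.ptrace.child_pid": 1,
     "process.Ext.ptrace.request": 16, "process.Ext.ptrace.addr": 0,
     "process.Ext.ptrace.data": 0},
    {"event.action": "ptrace",
     "process.executable": "/home/ruben_groenewoud/Infector/infect",
     "process.command_line": "./infect 58218", "process.Ext.ptrace.child_pid": 58218,
     "process.Ext.ptrace.request": 5, "process.Ext.ptrace.addr": 96446014459928,
     "process.Ext.ptrace.data": 12708687932510789632},
    {"event.action": "exec", "process.executable": "/usr/bin/ls"},
]
```

Running summarize_ptrace_events(SAMPLE_EVENTS) yields two rows: the gdb event as Process Access (PTRACE_ATTACH) and the infect event as Process Tampering (PTRACE_POKEDATA); the exec event is skipped.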
