SOLVED

MDE for Linux and audit logs

Contributor

Just confirming that MDE for Linux will ingest events from the audit logs based on the following statement from Microsoft's documentation:

System events captured by rules added to /etc/audit/rules.d/ will add to audit.log...

We need to monitor file access, and our Linux admin has configured the audit rules to record that information. With that, I just want to verify that the MDE for Linux agent will ingest those events.


Thx


4 Replies
Hi Jeff. Let me follow up on that for you. Should have an answer soon.
TYVM!
best response confirmed by Jeff Walzer (Contributor)
Solution
You are correct. MDE for Linux leverages and configures auditd rules on the device for the purpose of providing EPP & EDR functionality. Thank you!
TYVM for the reply
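Added example, not from this thread or from Microsoft: a file-access watch rule of the kind the admin described, dropped into /etc/audit/rules.d/ as the quoted documentation says, plus a check that the resulting audit.log records carry the rule's key. The watched path, the rule file name and the audit.log sample are constructed assumptions.

```shell
#!/bin/sh
# Added example: auditd file-access watch rule under /etc/audit/rules.d/
# and a check that matching records reached audit.log.
# WATCH_PATH, RULE_FILE and SAMPLE_LOG are constructed for illustration.

WATCH_PATH="${WATCH_PATH:-/etc/sensitive.conf}"      # assumed path to watch
RULE_KEY="file_access_watch"                         # key tag used for searching
RULE_FILE="/etc/audit/rules.d/50-file-access.rules"  # assumed rule file name

# Build the auditd watch rule: -w <path> -p read/write/attr -k <key>.
file_access_rule() {
    printf '%s %s -p rwa -k %s\n' "-w" "$WATCH_PATH" "$RULE_KEY"
}

# Write the rule into rules.d, load the merged ruleset, confirm it is active
# (run as root on the audited host; not executed here).
install_file_access_rule() {
    file_access_rule > "$RULE_FILE"
    augenrules --load
    auditctl -l | grep -F -- "-k $RULE_KEY"
}

# Count SYSCALL records tagged with our key; audit.log lines arrive on stdin.
# grep -c still prints "0" on no match, so keep going under set -e.
count_key_events() {
    grep -c "type=SYSCALL.*key=\"$RULE_KEY\"" || true
}

# Constructed sample of audit.log: one read of the watched file (tagged with
# the key) followed by an unrelated execve record with no key.
SAMPLE_LOG='type=SYSCALL msg=audit(1633000000.123:456): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=2345 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="file_access_watch"
type=PATH msg=audit(1633000000.123:456): item=0 name="/etc/sensitive.conf" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1633000001.000:457): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=2346 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key=(null)'

# Run the check over the sample; on a real host pipe /var/log/audit/audit.log
# into count_key_events instead.
events_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | count_key_events
}
```

Once the MDE agent is installed, `auditctl -l` lists its own rules next to this one; both write to the same audit.log the agent reads.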