Add MDE monitoring configured via advanced features

[jonade]

Pull Request Template

Description

Please provide the below information so we can validate before merging:

1. Does the proposed EDR feature align with our definition of telemetry?(definition here)
2. Could you please provide documentation to support the telemetry you are proposing?(If it is held privately, please reach out to me or @inodee)
3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

1: Yes
2: Yes, see below:

• Driver loading monitored through eBPF -https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences#configure-monitoring-of-module-load-events-using-ebpf
• Network socket listen - https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences#configure-monitoring-of-raw-socket-events and https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences#configure-scanning-of-raw-socket-events
• Driver Load - https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences#module-load-feature

3: Not Applicable

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my corrections or additions are accurate
• I have checked my code and corrected any misspellings

[tsale]

This information is not available to the customers through the portal. Please read the eligibility criteria on the website.

If you disagree, please provide evidence with screenshots after running the telemetry generator script available in this repository.

[jonade]

Yes, Kernel load events show up in the Timeline view:

Network Sockets however doesn't appear, so I guess it should be removed

[jonade]

@tsale Retested it again today and these show up.

The NetworkRawSocket test shows up in the Timeline view for the device:

As well as the NetworkListen test:

[jonade]

There was also an issue with the testing script and dependencies on my Debian machine which meant the Cron test had previously been failing. Once I resolved that, the telemetry shows up in the Timeline view:

I'll push an update to also mark Service Creation as a Yes.

@tsale Should I also revert back the change for the Network Socket checks back to their original state? (Enabled via Telemetry)

[tsale]

Can you please show us a screenshot from the hunting page to make sure those attributes are searchable and can show the whole event?

[jonade]

@tsale NetworkListen is in the DeviceNetworkEvents table:

NetworkRawSocket and Cron I can't see which table it would be.

[tsale]

Thank you @jonade! We do not keep track of NetworkRawSocket anymore. I changed the service creation to Partially with the explanation that it is not searchable and it's only available in the timeline platform.

[jonade]

Thanks @tsale. What about Network Listen? That one I provided the evidence for, but it never got updated in the result table.

[tsale]

I might have missed it. Will make the change directly shortly.