Elastic Defend Missing File Change Record or Wrong Event Action Record

[jasoncyp]

When Elastic Defend Full EDR activated, it should collect the file change events by which users, but when I try to collect event. file creation and deletion are normal and can be recorded correctly. But when file change using below command, it got problem.

1. using nano to modify existing file, no event collected.
2. using vi/vim to modify existing file, event.action shows "creation", which is wrong description.

For confirmed bugs, please report:

• Version: 8.10
• Operating System: ubuntu 20.04
• Discuss Forum URL:
• Steps to Reproduce:

1. when use "nano" command to make change of existing linux file, it does not record the event, only when nano command to create new file, the event.action with "creation" will be recorded.
2. when use "vi/vim" command, the event will be recorded, but the event.action shows "creation", which is wrong category, this will affect the security analysis.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

If this is for Elastic Defend then I think the issue is best logged in https://github.com/elastic/endpoint.

[efd6]

Also note that some editors work in a temporary file and then create the final on write-out, so vim is very probably writing a new file when you make a change.