My team is trying to build a simple detection rule to alert on non-standard processes loading C:\Windows\System32\CldApi.dll.
Example detection in KQL:
event.dataset : "endpoint.events.library" and
host.os.family : "windows" and
dll.name : *CldApi.dll and not
( process.name.caseless : (
"onedrive.exe" or
"onedrivesetup.exe" or
"filecoauth.exe" or
"explorer.exe" ) and
process.code_signature.subject_name : "Microsoft Corporation" and
process.code_signature.status : "trusted"
)
Unfortunately, during testing of our rule we figured out that Elastic Defend is not forwarding library events related to the loading of this DLL. We were able to test this using PowerShell:
PS C:\Users\user> Add-Type -TypeDefinition @"
>> using System;
>> using System.Runtime.InteropServices;
>> public class NativeLoader {
>> [DllImport("kernel32.dll", SetLastError = true)]
>> public static extern IntPtr LoadLibrary(string lpFileName);
>> }
>> "@
PS C:\Users\user> $cldapi = [NativeLoader]::LoadLibrary("CldApi.dll")
PS C:\Users\user> Get-Process -Id $PID | Select -ExpandProperty Modules | ? { $_.ModuleName -like "*CldApi*" }
This shows that we are loading the cloud API library, but this event never appears in Elasticsearch/Kibana. We have already tried disabling [linux,mac,windows].advanced.event_filter.default (setting the value to false) in the Elastic Defend policy advanced settings. We also validated that we have no custom event filters that would be removing these events.
Is there another setting we are missing? Or is this expected of Defend?
Environment
- OS: Windows 11 25H2 (build 26200.8246)
- Elastic Agent: 9.3.3
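An added example (not from the original post or from Elastic) that turns the manual test above into a repeatable check: it loads CldApi.dll with the same P/Invoke, confirms the module locally, then polls Elasticsearch for a Defend library event matching this PID and DLL. The Elasticsearch URL, API key and the logs-endpoint.events.library-* data stream pattern are assumptions you must adjust for your cluster.

```powershell
# Added example: verify end to end whether Elastic Defend emits a library event
# for CldApi.dll loaded by an arbitrary process (here, this PowerShell session).
param(
    [string]$EsUrl       = "https://elasticsearch.example:9200",  # placeholder
    [string]$ApiKey      = "<base64-api-key>",                    # placeholder
    [int]$WaitSeconds    = 120
)

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class NativeLoader {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr LoadLibrary(string lpFileName);
}
"@

# Record the start time (UTC, ISO 8601) so the query only matches this run.
$start  = (Get-Date).ToUniversalTime().ToString("o")
$handle = [NativeLoader]::LoadLibrary("CldApi.dll")
if ($handle -eq [IntPtr]::Zero) {
    throw "LoadLibrary failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# Local ground truth: the module really is mapped into this process.
$loaded = Get-Process -Id $PID | Select-Object -ExpandProperty Modules |
          Where-Object { $_.ModuleName -ieq "CldApi.dll" }
"Loaded locally: $($null -ne $loaded) (pid $PID)"

# Search for the corresponding Defend library event: same dataset, same PID,
# DLL name matching case-insensitively, timestamp after we loaded it.
$query = @{
    query = @{ bool = @{ filter = @(
        @{ term     = @{ "event.dataset" = "endpoint.events.library" } }
        @{ term     = @{ "process.pid"   = $PID } }
        @{ wildcard = @{ "dll.name" = @{ value = "*CldApi.dll"; case_insensitive = $true } } }
        @{ range    = @{ "@timestamp" = @{ gte = $start } } }
    ) } }
    size    = 5
    _source = @("@timestamp", "process.name", "dll.path", "process.code_signature.subject_name")
} | ConvertTo-Json -Depth 10

$headers  = @{ Authorization = "ApiKey $ApiKey"; "Content-Type" = "application/json" }
$deadline = (Get-Date).AddSeconds($WaitSeconds)
do {
    Start-Sleep -Seconds 10   # allow the agent to ship the event
    $resp = Invoke-RestMethod -Method Post -Uri "$EsUrl/logs-endpoint.events.library-*/_search" `
                              -Headers $headers -Body $query
    $hits = $resp.hits.hits
} while (-not $hits -and (Get-Date) -lt $deadline)

if ($hits) { $hits | ForEach-Object { $_._source } | Format-List }
else       { "No library event for CldApi.dll from pid $PID within $WaitSeconds s" }
```

If the local check prints True but no hit appears after the wait, the gap is between the endpoint sensor and the index, not in the KQL rule itself.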