SlideShare a Scribd company logo

Automate threat detections and avoid false positives

Elasticsearch, profile picture
Elasticsearch

The document discusses automated threat detection using Elastic's solutions, highlighting the data dilemma organizations face with the analysis of over a billion events daily. It emphasizes a detection philosophy focused on behaviors rather than tools, promoting the use of prebuilt protections and open repositories for effective threat detection. Additionally, it details the principles of creating rules to enhance detection while minimizing false positives, and encourages community collaboration through public resources.

Technology
1 of 32
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
1 ElasticON Security Samir Bennacer Principal Solutions Architect, EMEA Security Specialist Automate Threat Detection
Agenda Automated Threat Detection Recapping the Data Dilemma 1 Elastic Prebuilt Protections 3 Detection Philosophy 4 An Open Detection Repo 5 The Detection Engine 2
5 1B 5 Data Domains Practitioners analyze hosts, cloud, network devices, application performance, user, and more! Events Per Day Most organizations average 1 billion events per day SOC Analysts Security Operation Centers vary in size, but most have less than 5 analysts THE DATA DILEMMA
The Elastic Agent Of Course!
5 Get Data Protect My Org
Agenda Automated Threat Detection Recapping the Data Dilemma Using Elastic Prebuilt Protections 3 Detection Philosophy 4 An Open Detection Repo 5 The Detection Engine 1 2
Detection Engine It’s as simple as search. • Speed and scale of Elasticsearch to detect known and unknown threats • Easily automate threat detection using queries (KQL/DSL, machine learning, thresholds, and more! • 200 free protections; built in the open
8 DEMO #1 Detection Engine
Agenda Automated Threat Detection Recapping the Data Dilemma Elastic Prebuilt Protections 3 Detection Philosophy 4 An Open Detection Repo 5 The Detection Engine 1 2
200 Free Rules. Built in the Open attack.mitre.org
Prebuilt Protections By Data Domain 55% Windows, Linux, MacOS
MITRE ATT&CK™ Knowledge Base attack.mitre.org
Prebuilt Protections Threat Detection and SecOps 27% Defense Evasion
14 DEMO #2 Rule Metadata
...but my data is special... <random security professional>
16 DEMO #3 Rule Editing and Exceptions
17 Get Data Protect My Org
Agenda Automated Threat Detection Data Dilemma Elastic Prebuilt Protections 3 Detection Philosophy 4 An Open Detection Repo 5 The Detection Engine 1 2
Our Approach to Detection Engineering github.com/elastic/detection-rules/.../PHILOSOPHY.md ● Shaped by our collective real-world experience ● Focus on behaviors more than custom tools ● Write logic independent from the data source ● Detect true positives while avoiding false positives
Behaviors vs Indicators ● Emphasize technique, not indicators ○ Forces you to write generic detections ○ Avoids the risk of overfitting ○ Similar philosophy to MITRE ATT&CK® ● Make exceptions where it makes sense ○ When a high-fidelity behavioral detection is nontrivial https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf github.com/elastic/detection-rules/.../PHILOSOPHY.md
Detect Behaviors, not the Tool ✖ Indicator ✔ Behavior process.name:mimikatz.exe or process.command_line:*sekurlsa* event.module:sysmon and event.code:10 and winlog.event_data.TargetImage: lsass.exe github.com/elastic/detection-rules/.../PHILOSOPHY.md
Using Elastic Common Schema (ECS github.com/elastic/ecs ● Defines a common set of field names and types ● Enumerates categorization fields and values to bin similar events together ● Designed to be extensible and grow with our needs ● ECS is adopted throughout the Elastic Stack
Write Logic Independent of Data Sources ✖ Specific to each source ✔ With standard ECS field src:10.42.42.42 or client_ip:10.42.42.42 or apache2.access.remote_ip: 10.42.42.42 or context.user.ip:10.42.42.42 source.ip:10.42.42.42 github.com/elastic/detection-rules/.../PHILOSOPHY.md
Detect True Positives and avoid False Positives ● Create or Modify System Process: Windows Service ○ ATT&CK technique T1543 subtechnique 003 ● System Services: Service Execution ○ ATT&CK technique T1569, subtechnique 002 github.com/elastic/detection-rules/.../PHILOSOPHY.md
✖ Too vague ✖ Too many false positives process.name:sc.exe process.name:sc.exe and process.args:(create or config) Detect True Positives and avoid False Positives github.com/elastic/detection-rules/.../PHILOSOPHY.md
✖ Too easy to evade ✖ Too easy to evade process.command_line: "sc *create * binPath*" process.name:sc.exe and process.command_line: "* create * binPath*" Detect True Positives and avoid False Positives github.com/elastic/detection-rules/.../PHILOSOPHY.md
✖ Too overfitted ✔ Good FP and TP balance process.name:sc.exe and process.args:(create or config) and process.parent.name:cmd.exe process.name:sc.exe and process.args:(create or config) and (process.args:* or not user.name:SYSTEM) https://github.com/elastic/detection-rules/issues/47 Detect True Positives and avoid False Positives github.com/elastic/detection-rules/.../PHILOSOPHY.md
✔ Good FP and TP balance process.name:sc.exe and process.args:(create or config) and (process.args:* or not user.name:SYSTEM) Use command line arguments to infer adversary intent Lateral movement Privilege escalation Detect True Positives and avoid False Positives github.com/elastic/detection-rules/.../PHILOSOPHY.md
Agenda Automated Threat Detection Data Dilemma Elastic Prebuilt Protections 3 Detection Philosophy 4 An Open Detection Repo 5 The Detection Engine 1 2
A Public Repo! github.com/elastic/detection-rules Community & Collaboration • A dev-first mentality for malicious behavior detection The Rules • A place to engage on rules for all users of Elastic Security Contribution Guides • Creating issues, submitting PRs, our philosophy, and more! Developer Tools • Interactive CLI to create rules • Syntax validation, ECS schemas, metadata checker, etc.
Try free on Cloud: ela.st/security-trial Take a quick spin: demo.elastic.co Connect on Slack: ela.st/slack Join the Elastic Security community
Thank You Search. Observe. Protect.

More Related Content

PDF
Keynote: Elastic Security evolution and vision
Elasticsearch
 
PDF
Keynote: Elastic Security evolution and vision
Elasticsearch
 
PDF
Palestra de abertura: Evolução e visão do Elastic Security
Elasticsearch
 
PDF
Full time PII data protection: How Randstad uses Elastic Security to keep cli...
Elasticsearch
 
PDF
Automatisez la détection des menaces et évitez les faux positifs
Elasticsearch
 
PDF
Opérez vos processus avec l'alerting, les tableaux de bord personnalisés et l...
Elasticsearch
 
PDF
Obtén visibilidad completa y encuentra problemas de seguridad ocultos
Elasticsearch
 
PDF
Oscar Cabanillas - Elastic - OSL19
marketingsyone
 
Keynote: Elastic Security evolution and vision
Elasticsearch
 
Keynote: Elastic Security evolution and vision
Elasticsearch
 
Palestra de abertura: Evolução e visão do Elastic Security
Elasticsearch
 
Full time PII data protection: How Randstad uses Elastic Security to keep cli...
Elasticsearch
 
Automatisez la détection des menaces et évitez les faux positifs
Elasticsearch
 
Opérez vos processus avec l'alerting, les tableaux de bord personnalisés et l...
Elasticsearch
 
Obtén visibilidad completa y encuentra problemas de seguridad ocultos
Elasticsearch
 
Oscar Cabanillas - Elastic - OSL19
marketingsyone
 

What's hot (20)

PDF
Automate threat detections and avoid false positives
Elasticsearch
 
PDF
Elastic SIEM (Endpoint Security)
Kangaroot
 
PDF
Elastic Security: Proteção Empresarial construída sobre o Elastic Stack
Elasticsearch
 
PDF
Poner en funcionamiento con alertas, dashboards customizados y líneas de tiempo
Elasticsearch
 
PDF
Operacionalize com alerta, dashboards customizados e linhas do tempo
Elasticsearch
 
PDF
Conferencia principal: Evolución y visión de Elastic Security
Elasticsearch
 
PDF
Operationalize with alerting, custom dashboards, and timelines
Elasticsearch
 
PDF
Operar con alertas, dashboards customizados y cronología
Elasticsearch
 
PDF
Elastic Security: Enterprise Protection Built on the Elastic Stack
Elasticsearch
 
PDF
October 2020 meetup
Daliya Spasova
 
PDF
End-to-End Security Analytics with the Elastic Stack
Elasticsearch
 
PDF
What is the Future of SIEM?
Elasticsearch
 
PDF
Elastic Security: Your one-stop OODA loop shop
Elasticsearch
 
PDF
Get full visibility and find hidden security issues
Elasticsearch
 
PPTX
Getting Started with Azure Sentinel
Samik Roy
 
PDF
Limitless xdr meetup
Daliya Spasova
 
PDF
7 Experts on Implementing Azure Sentinel
Mighty Guides, Inc.
 
PPTX
Journey to Azure Sentinel
Cheah Eng Soon
 
PDF
Elastic Security Brochure
Joseph DeFever
 
PDF
Elastic Security: Enterprise Protection Built on the Elastic Stack
Elasticsearch
 
Automate threat detections and avoid false positives
Elasticsearch
 
Elastic SIEM (Endpoint Security)
Kangaroot
 
Elastic Security: Proteção Empresarial construída sobre o Elastic Stack
Elasticsearch
 
Poner en funcionamiento con alertas, dashboards customizados y líneas de tiempo
Elasticsearch
 
Operacionalize com alerta, dashboards customizados e linhas do tempo
Elasticsearch
 
Conferencia principal: Evolución y visión de Elastic Security
Elasticsearch
 
Operationalize with alerting, custom dashboards, and timelines
Elasticsearch
 
Operar con alertas, dashboards customizados y cronología
Elasticsearch
 
Elastic Security: Enterprise Protection Built on the Elastic Stack
Elasticsearch
 
October 2020 meetup
Daliya Spasova
 
End-to-End Security Analytics with the Elastic Stack
Elasticsearch
 
What is the Future of SIEM?
Elasticsearch
 
Elastic Security: Your one-stop OODA loop shop
Elasticsearch
 
Get full visibility and find hidden security issues
Elasticsearch
 
Getting Started with Azure Sentinel
Samik Roy
 
Limitless xdr meetup
Daliya Spasova
 
7 Experts on Implementing Azure Sentinel
Mighty Guides, Inc.
 
Journey to Azure Sentinel
Cheah Eng Soon
 
Elastic Security Brochure
Joseph DeFever
 
Elastic Security: Enterprise Protection Built on the Elastic Stack
Elasticsearch
 
Ad

Similar to Automate threat detections and avoid false positives (20)

PDF
Automatize a detecção de ameaças e evite falsos positivos
Elasticsearch
 
PDF
Automatiza las detecciones de amenazas y evita los falsos positivos
Elasticsearch
 
PDF
Automatiza las detecciones de amenazas y evita falsos positivos
Imma Valls Bernaus
 
PDF
Automatiza las detecciones de amenazas y evita falsos positivos
Imma Valls Bernaus
 
PPTX
c0c0n Elastic Security Workshop - 7.7 [Elastic SIEM].pptx
cemybone
 
PDF
Elastic Security : Protéger son entreprise avec la Suite Elastic
Elasticsearch
 
PDF
ECS: Delivering Better Cyber Intelligence and Compliance
Elasticsearch
 
PDF
Empower your security practitioners with the Elastic Stack
Elasticsearch
 
PDF
The importance of normalizing your security data to ECS
Elasticsearch
 
PPTX
How Elastic Security Meets SOC Needs
Anna Ossowski
 
PDF
SIEM, malware protection, deep data visibility — for free
Elasticsearch
 
PDF
Reinventing enterprise defense with the Elastic Stack
Elasticsearch
 
PDF
Advanced correlations for threat detection and more
Elasticsearch
 
PDF
Reinventing enterprise defense with the Elastic Stack
Elasticsearch
 
PDF
Breaking silos between DevOps and SecOps with Elastic
Elasticsearch
 
PDF
Elastic Security under the hood
Elasticsearch
 
PDF
Log Monitoring and Anomaly Detection at Scale at ORNL
Elasticsearch
 
PDF
BSides Lisbon - Data science, machine learning and cybersecurity
Tiago Henriques
 
PDF
Scaling Security Threat Detection with Apache Spark and Databricks
Databricks
 
PDF
Monitoring modern applications using Elastic
Elasticsearch
 
Automatize a detecção de ameaças e evite falsos positivos
Elasticsearch
 
Automatiza las detecciones de amenazas y evita los falsos positivos
Elasticsearch
 
Automatiza las detecciones de amenazas y evita falsos positivos
Imma Valls Bernaus
 
Automatiza las detecciones de amenazas y evita falsos positivos
Imma Valls Bernaus
 
c0c0n Elastic Security Workshop - 7.7 [Elastic SIEM].pptx
cemybone
 
Elastic Security : Protéger son entreprise avec la Suite Elastic
Elasticsearch
 
ECS: Delivering Better Cyber Intelligence and Compliance
Elasticsearch
 
Empower your security practitioners with the Elastic Stack
Elasticsearch
 
The importance of normalizing your security data to ECS
Elasticsearch
 
How Elastic Security Meets SOC Needs
Anna Ossowski
 
SIEM, malware protection, deep data visibility — for free
Elasticsearch
 
Reinventing enterprise defense with the Elastic Stack
Elasticsearch
 
Advanced correlations for threat detection and more
Elasticsearch
 
Reinventing enterprise defense with the Elastic Stack
Elasticsearch
 
Breaking silos between DevOps and SecOps with Elastic
Elasticsearch
 
Elastic Security under the hood
Elasticsearch
 
Log Monitoring and Anomaly Detection at Scale at ORNL
Elasticsearch
 
BSides Lisbon - Data science, machine learning and cybersecurity
Tiago Henriques
 
Scaling Security Threat Detection with Apache Spark and Databricks
Databricks
 
Monitoring modern applications using Elastic
Elasticsearch
 
Ad

More from Elasticsearch (20)

PDF
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
PDF
From MSP to MSSP using Elastic
Elasticsearch
 
PDF
Cómo crear excelentes experiencias de búsqueda en sitios web
Elasticsearch
 
PDF
Te damos la bienvenida a una nueva forma de realizar búsquedas
Elasticsearch
 
PDF
Tirez pleinement parti d'Elastic grâce à Elastic Cloud
Elasticsearch
 
PDF
Comment transformer vos données en informations exploitables
Elasticsearch
 
PDF
Plongez au cœur de la recherche dans tous ses états.
Elasticsearch
 
PDF
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
Elasticsearch
 
PDF
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
PDF
Welcome to a new state of find
Elasticsearch
 
PDF
Building great website search experiences
Elasticsearch
 
PDF
Keynote: Harnessing the power of Elasticsearch for simplified search
Elasticsearch
 
PDF
Cómo transformar los datos en análisis con los que tomar decisiones
Elasticsearch
 
PDF
Explore relève les défis Big Data avec Elastic Cloud
Elasticsearch
 
PDF
Comment transformer vos données en informations exploitables
Elasticsearch
 
PDF
Transforming data into actionable insights
Elasticsearch
 
PDF
Opening Keynote: Why Elastic?
Elasticsearch
 
PDF
Empowering agencies using Elastic as a Service inside Government
Elasticsearch
 
PDF
The opportunities and challenges of data for public good
Elasticsearch
 
PDF
Enterprise search and unstructured data with CGI and Elastic
Elasticsearch
 
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
From MSP to MSSP using Elastic
Elasticsearch
 
Cómo crear excelentes experiencias de búsqueda en sitios web
Elasticsearch
 
Te damos la bienvenida a una nueva forma de realizar búsquedas
Elasticsearch
 
Tirez pleinement parti d'Elastic grâce à Elastic Cloud
Elasticsearch
 
Comment transformer vos données en informations exploitables
Elasticsearch
 
Plongez au cœur de la recherche dans tous ses états.
Elasticsearch
 
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]
Elasticsearch
 
An introduction to Elasticsearch's advanced relevance ranking toolbox
Elasticsearch
 
Welcome to a new state of find
Elasticsearch
 
Building great website search experiences
Elasticsearch
 
Keynote: Harnessing the power of Elasticsearch for simplified search
Elasticsearch
 
Cómo transformar los datos en análisis con los que tomar decisiones
Elasticsearch
 
Explore relève les défis Big Data avec Elastic Cloud
Elasticsearch
 
Comment transformer vos données en informations exploitables
Elasticsearch
 
Transforming data into actionable insights
Elasticsearch
 
Opening Keynote: Why Elastic?
Elasticsearch
 
Empowering agencies using Elastic as a Service inside Government
Elasticsearch
 
The opportunities and challenges of data for public good
Elasticsearch
 
Enterprise search and unstructured data with CGI and Elastic
Elasticsearch
 

Recently uploaded (20)

PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Cloud computing and distributed systems.
kkkkkhan
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Encapsulation theory and applications.pdf
gurumoop
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Approach and Philosophy of On baking technology
30anthuong17
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Teaching material agriculture food technology
LiaRayya
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 

Automate threat detections and avoid false positives

  • 1. 1 ElasticON Security Samir Bennacer Principal Solutions Architect, EMEA Security Specialist Automate Threat Detection
  • 2. Agenda Automated Threat Detection Recapping the Data Dilemma 1 Elastic Prebuilt Protections 3 Detection Philosophy 4 An Open Detection Repo 5 The Detection Engine 2
  • 3. 5 1B 5 Data Domains Practitioners analyze hosts, cloud, network devices, application performance, user, and more! Events Per Day Most organizations average 1 billion events per day SOC Analysts Security Operation Centers vary in size, but most have less than 5 analysts THE DATA DILEMMA
  • 4. The Elastic Agent Of Course!
  • 6. Agenda Automated Threat Detection Recapping the Data Dilemma Using Elastic Prebuilt Protections 3 Detection Philosophy 4 An Open Detection Repo 5 The Detection Engine 1 2
  • 7. Detection Engine It’s as simple as search. • Speed and scale of Elasticsearch to detect known and unknown threats • Easily automate threat detection using queries (KQL/DSL, machine learning, thresholds, and more! • 200 free protections; built in the open
  • 9. Agenda Automated Threat Detection Recapping the Data Dilemma Elastic Prebuilt Protections 3 Detection Philosophy 4 An Open Detection Repo 5 The Detection Engine 1 2
  • 10. 200 Free Rules. Built in the Open attack.mitre.org
  • 11. Prebuilt Protections By Data Domain 55% Windows, Linux, MacOS
  • 12. MITRE ATT&CK™ Knowledge Base attack.mitre.org
  • 13. Prebuilt Protections Threat Detection and SecOps 27% Defense Evasion
  • 15. ...but my data is special... <random security professional>
  • 16. 16 DEMO #3 Rule Editing and Exceptions
  • 18. Agenda Automated Threat Detection Data Dilemma Elastic Prebuilt Protections 3 Detection Philosophy 4 An Open Detection Repo 5 The Detection Engine 1 2
  • 19. Our Approach to Detection Engineering github.com/elastic/detection-rules/.../PHILOSOPHY.md ● Shaped by our collective real-world experience ● Focus on behaviors more than custom tools ● Write logic independent from the data source ● Detect true positives while avoiding false positives
  • 20. Behaviors vs Indicators ● Emphasize technique, not indicators ○ Forces you to write generic detections ○ Avoids the risk of overfitting ○ Similar philosophy to MITRE ATT&CK® ● Make exceptions where it makes sense ○ When a high-fidelity behavioral detection is nontrivial https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf github.com/elastic/detection-rules/.../PHILOSOPHY.md
  • 21. Detect Behaviors, not the Tool ✖ Indicator ✔ Behavior process.name:mimikatz.exe or process.command_line:*sekurlsa* event.module:sysmon and event.code:10 and winlog.event_data.TargetImage: lsass.exe github.com/elastic/detection-rules/.../PHILOSOPHY.md
  • 22. Using Elastic Common Schema (ECS github.com/elastic/ecs ● Defines a common set of field names and types ● Enumerates categorization fields and values to bin similar events together ● Designed to be extensible and grow with our needs ● ECS is adopted throughout the Elastic Stack
  • 23. Write Logic Independent of Data Sources ✖ Specific to each source ✔ With standard ECS field src:10.42.42.42 or client_ip:10.42.42.42 or apache2.access.remote_ip: 10.42.42.42 or context.user.ip:10.42.42.42 source.ip:10.42.42.42 github.com/elastic/detection-rules/.../PHILOSOPHY.md
  • 24. Detect True Positives and avoid False Positives ● Create or Modify System Process: Windows Service ○ ATT&CK technique T1543 subtechnique 003 ● System Services: Service Execution ○ ATT&CK technique T1569, subtechnique 002 github.com/elastic/detection-rules/.../PHILOSOPHY.md
  • 25. ✖ Too vague ✖ Too many false positives process.name:sc.exe process.name:sc.exe and process.args:(create or config) Detect True Positives and avoid False Positives github.com/elastic/detection-rules/.../PHILOSOPHY.md
  • 26. ✖ Too easy to evade ✖ Too easy to evade process.command_line: "sc *create * binPath*" process.name:sc.exe and process.command_line: "* create * binPath*" Detect True Positives and avoid False Positives github.com/elastic/detection-rules/.../PHILOSOPHY.md
  • 27. ✖ Too overfitted ✔ Good FP and TP balance process.name:sc.exe and process.args:(create or config) and process.parent.name:cmd.exe process.name:sc.exe and process.args:(create or config) and (process.args:* or not user.name:SYSTEM) https://github.com/elastic/detection-rules/issues/47 Detect True Positives and avoid False Positives github.com/elastic/detection-rules/.../PHILOSOPHY.md
  • 28. ✔ Good FP and TP balance process.name:sc.exe and process.args:(create or config) and (process.args:* or not user.name:SYSTEM) Use command line arguments to infer adversary intent Lateral movement Privilege escalation Detect True Positives and avoid False Positives github.com/elastic/detection-rules/.../PHILOSOPHY.md
  • 29. Agenda Automated Threat Detection Data Dilemma Elastic Prebuilt Protections 3 Detection Philosophy 4 An Open Detection Repo 5 The Detection Engine 1 2
  • 30. A Public Repo! github.com/elastic/detection-rules Community & Collaboration • A dev-first mentality for malicious behavior detection The Rules • A place to engage on rules for all users of Elastic Security Contribution Guides • Creating issues, submitting PRs, our philosophy, and more! Developer Tools • Interactive CLI to create rules • Syntax validation, ECS schemas, metadata checker, etc.
  • 31. Try free on Cloud: ela.st/security-trial Take a quick spin: demo.elastic.co Connect on Slack: ela.st/slack Join the Elastic Security community