elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Enable Response Actions for Endpoint Alerts in Elastic Defend (OSquery Integration) #197933

Open teamthanos opened 2 weeks ago

teamthanos commented 2 weeks ago

Description:

Currently, in Elastic Security, response actions can be configured for custom detection rules using KQL, allowing users to execute actions such as running OSquery queries or Elastic Defend actions on endpoints immediately after an alert is triggered. However, this capability is limited to alerts generated from SIEM detection rules and does not extend to endpoint alerts generated by Elastic Defend itself.

Problem Statement:

Elastic Defend triggers alerts for various unusual or malicious activities detected on endpoints. While these alerts provide valuable insights, the current system lacks an automated way to gather additional context or perform further investigation on the affected endpoint immediately after the alert is generated. This leaves security teams with a manual follow-up process to collect further endpoint data.

Feature Request:

Extend the response actions capability, particularly OSquery integration, to endpoint alerts generated by Elastic Defend. This feature would allow customers to:

- Run a predefined set of OSqueries automatically on the affected endpoint right after an alert is triggered by Elastic Defend, regardless of the specific alert type.
- Configure custom OSqueries based on the type of endpoint alert, allowing for more tailored response actions. For example, if a process injection alert is triggered, a specific OSquery related to process details could be executed.
- Combine multiple OSqueries to be run sequentially or in parallel, based on customer-defined configurations.

Benefits:

- Provides immediate, automated context gathering on affected endpoints, enhancing investigation speed and accuracy.
- Reduces manual work for security teams by automating the collection of endpoint data following alerts.
- Offers a flexible configuration that enables both generic and specific responses to different types of endpoint alerts.
- Helps identify additional indicators of compromise (IoCs) or affected processes on endpoints.

Potential Challenges:

- There could be a significant number of different endpoint alerts, which may complicate configuring specific OSquery responses for each type.
- Running automated queries may introduce additional load on endpoints, so there should be safeguards to prevent performance impacts, especially on resource-constrained devices.

Conclusion:

By enabling OSquery-based response actions for Elastic Defend's endpoint alerts, Elastic Security can offer a more integrated and proactive approach to threat detection and response. This feature would help security teams quickly gather necessary data and take appropriate actions, making the endpoint protection process more comprehensive.
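
As an added example (not code from the issue author or from the Kibana project), here is how a custom KQL detection rule carries an OSquery response action today, built as a payload for Kibana's `POST /api/detection_engine/rules` API, together with a local check for the endpoint-load concern raised under Potential Challenges. The field layout of `response_actions` is my reading of the Detection Engine rule API and should be verified against the docs for the Kibana version in use; the rule name, index pattern, KQL query and OSquery text are constructed values.

```python
import json


def build_rule(rule_id: str, osquery: str, timeout_s: int = 60) -> dict:
    """Rule payload for POST /api/detection_engine/rules with one OSquery
    response action. Field layout is my reading of the Kibana rule API
    (assumption); name, query and index pattern are constructed values."""
    return {
        "rule_id": rule_id,
        "name": "Example: collect process context after an endpoint alert",
        "description": "Constructed example rule with an OSquery response action.",
        "type": "query",
        "language": "kuery",
        "index": ["logs-endpoint.alerts-*"],
        "query": 'event.kind: "alert" and event.module: "endpoint"',
        "risk_score": 47,
        "severity": "medium",
        "from": "now-6m",
        "interval": "5m",
        "enabled": False,  # review validate_rule() output before enabling
        "response_actions": [
            {"action_type_id": ".osquery",
             "params": {"query": osquery, "timeout": timeout_s}},
        ],
    }


def validate_rule(rule: dict) -> list[str]:
    """Local safeguards for the endpoint-load concern raised in the issue:
    every OSquery action must be a bounded, read-only SELECT with a timeout."""
    problems = []
    for i, action in enumerate(rule.get("response_actions", [])):
        if action.get("action_type_id") != ".osquery":
            continue
        params = action.get("params", {})
        q = params.get("query", "").strip().lower()
        if not q.startswith("select"):
            problems.append(f"action {i}: query must be a read-only SELECT")
        if " limit " not in q:
            problems.append(f"action {i}: add a LIMIT to bound the result size")
        if not 0 < params.get("timeout", 0) <= 300:
            problems.append(f"action {i}: timeout must be 1..300 seconds")
    return problems


if __name__ == "__main__":
    rule = build_rule("example-endpoint-osquery-1",
                      "select pid, name, path, cmdline from processes limit 200;")
    print(validate_rule(rule) or "ok")
    print(json.dumps(rule, indent=2))  # body for curl -X POST .../api/detection_engine/rules
```

The printed JSON is the request body; send it with the `kbn-xsrf` header and an API key, and only set `enabled` to true once the validation output is empty.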

elasticmachine commented 2 weeks ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)