Learn how the Elastic Infosec team created a full inventory of all browser extensions using osquery and Elastic Security with examples on building detections to alert the security team when a known bad browser extension is installed on a workstation.

Threat actors targeting browser extensions

Enterprise challenges

Deploy and manage osquery within Kibana

Advantages of using osquery with Elastic

Using osquery in Elastic

Live query

Query pack

Creating an inventory of all extensions with osquery

image1.png

image4.png

image2.png

Creating detection rules for bad extensions

Example indicator match rule configuration 

image3.png

Try it out

blog-3-puzzle-pieces.webp

How to detect malicious browser extensions using Elastic

See how Elastic’s asset inventory has evolved into a critical tool for InfoSec, transforming from a basic inventory to a powerful solution that addresses real-world cybersecurity challenges.

Adopting naming conventions

Standardizing metadata and fields

Enriching indices and creating relationships between assets

Logical view of the user relationships with other assets

Visualizing the workflow

High-level architecture of the asset inventory

Real-world use cases for an asset inventory

SIEM alert enrichment 

Example use case of SIEM alert enrichment

Using the asset inventory to create alerts

Example use case of using the asset inventory to create alerts

image5.png

Wrapping up

universal-profiling-blog-720x420.jpg

Inventory to insight: How Elastic’s asset inventory powers InfoSec use cases

Discover how Elastic's InfoSec team saves thousands of hours per month by using Tines to automate SIEM alert investigations while reducing false positives and detect compromised accounts.

Automating SIEM alert initial investigation

1.png

Sending the alerts to any SOAR

2.png

3.png

4.png

Using tags to route the automation

5.png

Building blocks for the automation

6-2.png

7.png

Managed workstation triage example

8.png

The close alert Send to Story

9.png

Escalating open alerts to Slack

6.png

10.png

Challenges we’ve encountered

Example detections

Achieving new levels of protection

stratus clouds.jpg

Reducing false positives with automated SIEM investigations from Elastic and Tines

Detecting a compromised account is one of the most challenging detections to build. This blog shows one approach we are using internally at Elastic to create detections that alert when multiple new events are seen for a user.

Threat detection at Elastic 

The problem: Detecting a compromised account

The solution: UEBA detection packages

How to create a UEBA detection package in Elastic Security

elastic-blog-1-create-new-rule.png

elastic-blog-2-tags.png

elastic-blog-3-building-block.png

elastic-blog-4-and-10-threshold-dataview-open.png

Example UEBA package for GitHub

GitHub UEBA building block rules

elastic-blog-5-githubrepo.png

elastic-blog-6-username.png

elastic-blog-7-event-action.png

elastic-blog-8-jsontoken.png

elastic-blog-9-false.png

GitHub UEBA threshold alerts

Example: UEBA package for Slack

Slack UEBA building block rules

elastic-blog-11-logs-slack.png

elastic-blog-12-slack-audit.png

elastic-blog-13-sourceip.png

elastic-blog-14-downloaded.png

elastic-blog-15-preview.png

elastic-blog-16-threshold-dataview-closed.png

Keep critical assets safe with faster detection and response

alert-management.jpg

Detecting account compromise with UEBA detection packages

Using Threshold rules to create alerts on your alerts is a great way to maximize your analyst effectiveness without sacrificing visibility. By using these rules, security analysts spend less time investigating false positives.

blog-open-security-720x420-A.png

Detection engineering — Maximizing analyst efficiency using Cardinality Threshold rules on your alerts

在这篇博文中，我们将演示 Elastic Infosec 团队如何借助整合了 Elastic Endpoint Security 的 Elastic Stack，使用免费软件来构建一个功能齐备的恶意软件分析沙箱。

blog-banner-security-endpoint.png

blog-thumb-security-endpoint.png

How to build a malware analysis sandbox with Elastic Security

如何使用 Elastic 安全构建一个恶意软件分析沙箱

Start free trial

Blog Footer CTA

Sign up for Elastic Cloud free trial

AaronJewitt.jpg

Principal Security Analyst

Aaron Jewitt

By submitting you acknowledge that you've read and agree to our <a href="/legal/elastic-cloud-account-terms" target="_self">Terms of Service</a>, and you agree to receive the <a href="/legal/privacy-statement#how-we-use-the-information" target="_self">selected communications</a> at the contact details you provided above. See <a href="/legal/privacy-statement/" target="_self">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.

Communication Preferences - ONLY for /communication-preferences

提交即表示您确认您已阅读并同意我们的<a href="/cn/legal/elastic-cloud-account-terms" target="_self">服务条款</a>，并且您同意通过您提供的上述联系方式接收<a href="/cn/legal/privacy-statement#how-we-use-the-information" target="_self">所选的通信</a>。如需了解更多信息，或想随时取消订阅，请参阅 <a href="/cn/legal/privacy-statement/" target="_self">Elastic 的隐私声明</a>。

By submitting you acknowledge that you've read and agree to our <a href="/legal/serverless-preview-terms" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.

Serverless GDPR Text

提交即表示您确认您已阅读并同意我们的<a href="/cn/legal/serverless-preview-terms" target="_self">服务条款</a>，并且 Elastic 可以使用您提供的上述详细信息与您联系，以向您介绍我们相关的<a href="/cn/legal/privacy-statement#how-we-use-the-information" target="_self">产品和服务</a>。如需了解更多信息，或想随时取消订阅，请参阅 <a href="/cn/legal/privacy-statement/" target="_self">Elastic 的隐私声明</a>。

By submitting you agree to <a href="/agreements/global/cloud-services-monthly" rel="nofollow">Elastic Cloud Terms of Service</a>. Your personal data will be processed in accordance with <a href="/legal/privacy-statement">Elastic's Privacy Statement</a>.

Cloud Trial GDPR Text

提交即表示您同意 <a href="/cn/agreements/global/cloud-services-monthly" rel="nofollow">Elastic Cloud 服务条款</a>。我们将会按照 <a href="/cn/legal/privacy-statement">Elastic 的隐私声明</a>处理您的个人数据。

By submitting you acknowledge that you've read and agree to our <a href="/legal/terms-of-use" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.

Newsletter GDPR Text

提交即表示您确认您已阅读并同意我们的<a href="/cn/legal/terms-of-use" target="_self">服务条款</a>，并且 Elastic 可以使用您提供的上述详细信息与您联系，以向您介绍我们相关的<a href="/cn/legal/privacy-statement#how-we-use-the-information" target="_self">产品和服务</a>。如需了解更多信息，或想随时取消订阅，请参阅 <a href="/cn/legal/privacy-statement/" target="_self">Elastic 的隐私声明</a>。

Explore similar demos

Overview

Speakers

Close

See more insights

The content on this page is not available in the selected language. As Elastic grows globally, we continue to support content in multiple languages.

The content on this page is not available in the selected language.

本页内容尚不支持所选语言。Elastic 正在不断努力，以实现对多种语言内容的支持。感谢您在此期间给予的耐心与陪伴！

Author

Articles by

Learn more

Watch now (no PT)

Watch now

See all top stories

All (no PT translation)

Contact information

Press Release

Share on Reddit

Share this story

Share by Email

Thank you for your interest!

Contact Info

Follow us on Youtube

Load More

Share on LinkedIn

Follow us on LinkedIn

Search Integrations

All Solutions

Video for

Follow us on Twitter

See when this webinar starts in my time zone

查看本次网络研讨会在我的时区的开始时间

Register to Watch

Register now

See All Posts

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content

无法实时参加？注册后我们会给您发送录像。您还将收到相关内容的电子邮件。

Author

Articles by Aaron Jewitt

Principal Security Analyst, Elastic

How to detect malicious browser extensions using Elastic

Inventory to insight: How Elastic’s asset inventory powers InfoSec use cases

Reducing false positives with automated SIEM investigations from Elastic and Tines

Detecting account compromise with UEBA detection packages

Detection engineering — Maximizing analyst efficiency using Cardinality Threshold rules on your alerts

如何使用 Elastic 安全构建一个恶意软件分析沙箱