Elastic Security combines SIEM threat detection features with endpoint prevention and response capabilities in one solution. These analytical and protection capabilities, leveraged by the speed and extensibility of Elasticsearch, enable analysts to defend their organization from threats before damage and loss occur.
Elastic Security provides the following security benefits and capabilities:
- A detection engine to identify attacks and system misconfigurations
- A workspace for event triage and investigations
- Interactive visualizations to investigate process relationships
- Inbuilt case management with automated actions
- Detection of signatureless attacks with prebuilt machine learning anomaly jobs and detection rules
Elastic Security components and workflowedit
The following diagram provides a comprehensive illustration of the Elastic Security workflow.
Here’s an overview of the flow and its components:
Data is shipped from your hosts to Elasticsearch via beat modules and the Elastic Endpoint Security agent integration:
- Windows: Process, network, file, DNS, registry, DLL and driver loads, malware security detections
- Linux/macOS: Process, network, file
- Beat modules: Beats are lightweight data shippers. Beat modules provide a way of collecting and parsing specific data sets from common sources, such as cloud and OS events, logs, and metrics. Common security-related modules are listed here.
The Elastic Security app in Kibana is used to manage the Detection engine, Cases, and Timeline, as well as administer hosts running Endpoint Security:
Detection engine - Automatically searches for suspicious host and network activity via:
- Detection rules: Periodically search the data (Elasticsearch indices) sent from your hosts for suspicious events. When a suspicious event is discovered, a detection alert is generated. External systems, such as Slack and email, can be used to send notifications when alerts are generated. You can create your own rules and make use of our prebuilt ones.
- Exceptions: Reduce noise and the number of false positives. Exceptions are associated with rules and prevent alerts when an exception’s conditions are met. Value lists contain source event values that can be used as part of an exception’s conditions. When Elastic Endpoint Security is installed on your hosts, you can add malware exceptions directly to the endpoint from the Security app.
- Machine learning jobs: Automatic anomaly detection of host and network events. Anomaly scores are provided per host, and can be used with detection rules.
- Timeline: Workspace for investigating alerts and events. Timelines use queries and filters to drill down into events related to a specific incident. Timeline templates are attached to rules and use predefined queries when alerts are investigated. Timelines can be saved and shared with others, as well as attached to Cases.
- Cases: Internal system for opening, tracking, and sharing security issues directly in the Security app. Cases can be integrated with external ticketing systems.
- Administration: View and manage hosts running Elastic Endpoint Security.
Ingest data to Elastic Security and Configure and install Elastic Endpoint Integration (beta) describe how to ship security-related data to Elasticsearch.
For more background information, see:
- Elasticsearch: A real-time, distributed storage, search, and analytics engine. Elasticsearch excels at indexing streams of semi-structured data, such as logs or metrics.
- Kibana: An open source analytics and visualization platform designed to work with Elasticsearch. You use Kibana to search, view, and interact with data stored in Elasticsearch indices. You can easily perform advanced data analysis and visualize your data in a variety of charts, tables, and maps.
Additional Elastic Endpoint Security informationedit
The Elastic Endpoint Security agent integration provides capabilities such as collecting events, detecting and preventing malicious activity, exceptions, and artifact delivery. The Ingest Manager is used to install and manage Elastic agents and integrations on your hosts.
Integration with other Elastic productsedit
You can use Elastic Security with other Elastic products and features to help you identify and investigate suspicious activity:
APM transaction data sourcesedit
By default, Elastic Security monitors APM
apm-*-transaction* indices. To add additional APM indices, update the
index patterns in the
securitySolution:defaultIndex setting (Kibana → Stack Management → Advanced Settings →
Third-party collectors mapped to ECSedit
The Elastic Common Schema (ECS) defines a common set of fields to be used for storing event data in Elasticsearch. ECS helps users normalize their event data to better analyze, visualize, and correlate the data represented in their events.
Elastic Security can ingest and normalize events from any ECS-compliant data source.