Elastic modernizes SecOps with advanced entity analytics

Combines machine learning-based behavioral analytics, risk-based context, and generative AI to accelerate security analyst workflows


You may have read about our recent introduction of Elastic AI Assistant, but this isn’t just a new feature — it’s a key component of a unified approach to security operations workflows that we call advanced entity analytics.

Advanced entity analytics combines Elastic’s highly operationalized machine learning capabilities for the detection of unusual behaviors, our entity-centric presentation of risk context to guide investigation and response, and our new generative AI sidekick. Together, these capabilities offer analysts the information they need to make fast and accurate decisions about potential threats encountered in their ecosystem.

The future of SIEM

Elastic Security unifies the capabilities of SIEM, endpoint security, and cloud security in a single product. Organizations can harness this power at cloud scale, on their infrastructure of choice. As a result, Elastic® has grown into one of the fastest-growing SIEM vendors (according to IDC) and a Leader in Security Analytics Platforms (per Forrester).

We’re just getting started.

Today’s announcement may remind you of “user and entity behavior analytics,” or UEBA. These tools were devised as an “add-on brain for SIEM” to help the SOC spot attacks targeting entities like users, devices, and applications. In retrospect, augmenting the SIEM with advanced analytics was a clumsy architecture for a terrific technology because practitioners rightfully expect the SIEM to solve these use cases. Consequently, as the person who coined the concept predicted, the UEBA market has been almost entirely subsumed by SIEM.

Industry analysts have proposed that the SIEM must evolve into a holistic platform for “threat detection, investigation and response,” or TDIR, that equips the SOC to take a risk-based approach to threat management. Consistent with this view, we envision a TDIR platform that offers:

  • Entity behavior analytics
  • Threat intelligence management
  • SOAR-like functionality
  • Deep detection engineering expertise

“TDIR” is a good moniker, but we call these capabilities something else: the future of SIEM.

Advanced entity analytics

“Advanced entity analytics” is our term for the UEBA-like analytics of Elastic Security. These capabilities are differentiated by the following attributes:

  1. Our advanced entity analytics are a native component of Elastic Security, in contrast to the clunky partial integrations of certain SIEMs with UEBA-like features.

  2. We’ve tightly integrated our entity-centric risk scoring into analyst triage, investigation, and escalation workflows.

  3. Our behavioral detections apply the most sophisticated machine learning of any SIEM/TDIR platform. With both unsupervised and supervised capabilities, practitioners can hone analytics for their environment.

  4. The researchers and engineers of Elastic Security Labs create, validate, and maintain prebuilt analytics ready for immediate use.

  5. We integrated a fully operational Elastic AI Assistant leveraging generative AI into those same workflows, arming analysts with context and guidance.

And yes, we do address traditional UEBA use cases with our open entity behavioral analytics.

Democratizing security

Elastic users have long benefited from an analytics platform that dramatically reduces the cost and complexity of data collection, storage, and analysis. With advanced entity analytics and built-in generative AI, practitioners now have access to state-of-the-art security analytics from within the SIEM.

Please, give it a try and share your thoughts. Existing Elastic Cloud customers can access these capabilities directly from the Elastic Cloud console. Get started with a free 14-day trial of Elastic Cloud or download and deploy the Elastic Stack for free.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.