Topic
Detection science
We explore the concept of Execution Modality and how modality-focused detections can complement behaviour-focused ones.
Bit ByBit - emulation of the DPRK's largest cryptocurrency heist
A high-fidelity emulation of the DPRK's largest cryptocurrency heist via a compromised macOS developer and AWS pivots.
Now available: the 2025 State of Detection Engineering at Elastic
The 2025 State of Detection Engineering at Elastic explores how we create, maintain, and assess our SIEM and EDR rulesets.
Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure
In this article, we explore what hotkey-based keyloggers are and how to detect them. Specifically, we explain how these keyloggers intercept keystrokes, then present a detection technique that leverages an undocumented hotkey table in kernel space.
未公開のカーネルデータ構造を使ったホットキー型キーロガーの検知
本記事では、ホットキー型キーロガーとは何かについてと、その検知方法について紹介します。具体的には、ホットキー型キーロガーがどのようにしてキー入力を盗み取るのかを解説した後、カーネルレベルに存在する未公開(Undocumented)のホットキーテーブルを活用した検知手法について説明します。
Linux Detection Engineering - A Continuation on Persistence Mechanisms
This document continues the exploration of Linux detection engineering, emphasizing advancements in monitoring persistence mechanisms. By building on past practices and insights, it provides a roadmap for improving detection strategies in complex environments.
Elastic releases the Detection Engineering Behavior Maturity Model
Using this maturity model, security teams can make structured, measurable, and iteritive improvements to their detection engineering teams..
Linux Detection Engineering - A Sequel on Persistence Mechanisms
In this final part of this Linux persistence series, we'll continue exploring persistence mechanisms on Linux systems, focusing on more advanced techniques and how to detect them.
Linux Detection Engineering - A primer on persistence mechanisms
In this second part of the Linux Detection Engineering series, we map multiple Linux persistence mechanisms to the MITRE ATT&CK framework, explain how they work, and how to detect them.
Now in beta: New Detection as Code capabilities
情報窃取から端末を守る
本記事ではElastic Securityにおいて、エンドポイント保護を担っているElastic Defendに今年(バージョン8.12より)新たに追加された、キーロガーおよびキーロギング検出機能について紹介します。
Protecting your devices from information theft
In this article, we will introduce the keylogger and keylogging detection features added this year to Elastic Defend (starting from version 8.12), which is responsible for endpoint protection in Elastic Security.
Elastic Advances LLM Security with Standardized Fields and Integrations
Discover Elastic’s latest advancements in LLM security, focusing on standardized field integrations and enhanced detection capabilities. Learn how adopting these standards can safeguard your systems.
Embedding Security in LLM Workflows: Elastic's Proactive Approach
Dive into Elastic's exploration of embedding security directly within Large Language Models (LLMs). Discover our strategies for detecting and mitigating several of the top OWASP vulnerabilities in LLM applications, ensuring safer and more secure AI-driven applications.
Linux detection engineering with Auditd
In this article, learn more about using Auditd and Auditd Manager for detection engineering.
Accelerating Elastic detection tradecraft with LLMs
Learn more about how Elastic Security Labs has been focused on accelerating our detection engineering workflows by tapping into more generative AI capabilities.
Using LLMs and ESRE to find similar user sessions
In our previous article, we explored using the GPT-4 Large Language Model (LLM) to condense Linux user sessions. In the context of the same experiment, we dedicated some time to examine sessions that shared similarities. These similar sessions can subsequently aid the analysts in identifying related suspicious activities.
Peeling back the curtain with call stacks
In this article, we'll show you how we contextualize rules and events, and how you can leverage call stacks to better understand any alerts you encounter in your environment.
Using LLMs to summarize user sessions
In this publication, we will talk about lessons learned and key takeaways from our experiments using GPT-4 to summarize user sessions.
Into The Weeds: How We Run Detonate
Explore the technical implementation of the Detonate system, including sandbox creation, the supporting technology, telemetry collection, and how to blow stuff up.
Detect domain generation algorithm (DGA) activity with new Kibana integration
We have added a DGA detection package to the Integrations app in Kibana. In a single click, you can install and start using the DGA model and associated assets, including ingest pipeline configurations, anomaly detection jobs, and detection rules.
Exploring Windows UAC Bypasses: Techniques and Detection Strategies
In this research article, we will take a look at a collection of UAC bypasses, investigate some of the key primitives they depend on, and explore detection opportunities.
Click, Click… Boom! Automating Protections Testing with Detonate
To automate this process and test our protections at scale, we built Detonate, a system that is used by security research engineers to measure the efficacy of our Elastic Security solution in an automated fashion.
Exploring the Future of Security with ChatGPT
Recently, OpenAI announced APIs for engineers to integrate ChatGPT and Whisper models into their apps and products. For some time, engineers could use the REST API calls for older models and otherwise use the ChatGPT interface through their website.
Hunting for Suspicious Windows Libraries for Execution and Defense Evasion
Learn more about discovering threats by hunting through DLL load events, one way to reveal the presence of known and unknown malware in noisy process event data.
Automating the Security Protections rapid response to malware
See how we’ve been improving the processes that allow us to make updates quickly in response to new information and propagate those protections to our users, with the help of machine learning models.
Detect Credential Access with Elastic Security
Elastic Endpoint Security provides events that enable defenders with visibility on techniques and procedures which are commonly leveraged to access sensitive files and registry objects.
Detecting Living-off-the-land attacks with new Elastic Integration
We added a Living off the land (LotL) detection package to the Integrations app in Kibana. In a single click, you can install and start using the ProblemChild model and associated assets including anomaly detection configurations and detection rules.
Hunting for Lateral Movement using Event Query Language
Elastic Event Query Language (EQL) correlation capabilities enable practitioners to capture complex behavior for adversary Lateral Movement techniques. Learn how to detect a variety of such techniques in this blog post.
Identifying beaconing malware using Elastic
In this blog, we walk users through identifying beaconing malware in their environment using our beaconing identification framework.
Ingesting threat data with the Threat Intel Filebeat module
Tutorial that walks through setting up Filebeat to push threat intelligence feeds into your Elastic Stack.
Stopping Vulnerable Driver Attacks
This post includes a primer on kernel mode attacks, along with Elastic’s recommendations for securing users from kernel attacks leveraging vulnerable drivers.
The Elastic Container Project for Security Research
The Elastic Container Project provides a single shell script that will allow you to stand up and manage an entire Elastic Stack using Docker. This open source project enables rapid deployment for testing use cases.