Elastic released 1000+ YARA rules and 200+ endpoint behavior rules as a commitment to open security and transparency

Published by Reza Rafati on

Elastic has released 1000+ YARA rules and 200+ endpoint behavior rules as a commitment to open security and transparency. The signatures can be found on their GitHub page.

Elastic YARA rules screenshot

Elastic Security provides signature-based YARA rules within the Elastic Endpoint product. These rules are used to detect and prevent emerging threats within Linux, Windows, and macOS systems.

The Elastic repository holds over 1,000 YARA rules that are used every day to stop a wide range of threats including Trojans, ransomware, cryptominers, penetration-testing and attack frameworks, and more.

These YARA rules can be leveraged by the community and for different use cases such as:

  • Network Defending
  • Threat Hunting
  • Incident Response/Forensics
  • Alert Triage / Enrichment
  • Malware Analysis
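To show what a signature-based YARA rule actually does when it is applied to a file, here is an added example (not code from Elastic's repository) of a minimal YARA-style matcher: a rule with text strings, hex byte patterns with wildcards and jumps, and an "N of them" condition, evaluated against two constructed byte buffers. The rule name, its strings and the sample buffers are all illustrative; a real deployment would use the YARA engine itself.

```python
"""
Added example (not Elastic's code): a minimal YARA-style matcher showing how a
signature rule with text strings, hex byte patterns and a boolean condition is
evaluated against a buffer.  Production scanning uses the YARA engine
(e.g. yara-python); this re-implements a tiny subset purely for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    meta: dict
    strings: dict        # identifier -> compiled bytes regex
    condition: str       # "all of them", "any of them" or "N of them"


def text_pattern(s: str, nocase: bool = False) -> re.Pattern:
    """A YARA text string, optionally case-insensitive (the 'nocase' modifier)."""
    flags = re.IGNORECASE if nocase else 0
    return re.compile(re.escape(s.encode()), flags)


def hex_pattern(hex_str: str) -> re.Pattern:
    """Translate a YARA hex string such as "4D 5A ?? 00 [2-4] 50 45" into a bytes regex.
    '??' is a single wildcard byte and '[a-b]' is a jump of a..b arbitrary bytes."""
    parts = []
    for tok in hex_str.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo, hi = tok.strip("[]").split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(rule: Rule, data: bytes) -> dict:
    """Return identifier -> list of match offsets for every rule string that hits."""
    hits = {}
    for ident, pat in rule.strings.items():
        offsets = [m.start() for m in pat.finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


def evaluate(rule: Rule, data: bytes) -> bool:
    """Apply the rule condition to the set of matched strings."""
    hits = scan(rule, data)
    cond = rule.condition.strip()
    if cond == "all of them":
        return len(hits) == len(rule.strings)
    if cond == "any of them":
        return len(hits) >= 1
    m = re.fullmatch(r"(\d+) of them", cond)
    if m:
        return len(hits) >= int(m.group(1))
    raise ValueError(f"unsupported condition: {cond}")


# Constructed rule modelled on the YARA format; the strings are illustrative
# and are not taken from Elastic's repository.
EXAMPLE_RULE = Rule(
    name="Example_Suspicious_Downloader",
    meta={"description": "Illustrative rule: PE header plus two suspicious strings"},
    strings={
        "$mz": hex_pattern("4D 5A"),              # 'MZ' DOS header
        "$pe": hex_pattern("50 45 00 00"),        # 'PE\0\0' signature
        "$s1": text_pattern("URLDownloadToFile"),
        "$s2": text_pattern("cmd.exe /c", nocase=True),
    },
    condition="3 of them",
)

# Constructed sample buffers (not real malware): a fake PE-like blob and a benign text file.
SAMPLE_SUSPICIOUS = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
                     + b"...URLDownloadToFile..." + b"CMD.EXE /C whoami")
SAMPLE_BENIGN = b"Just a readme mentioning cmd.exe /c for documentation purposes."


def triage(data: bytes) -> dict:
    """Alert-triage view: which rule strings hit and whether the rule fires."""
    hits = scan(EXAMPLE_RULE, data)
    return {"rule": EXAMPLE_RULE.name,
            "matched": evaluate(EXAMPLE_RULE, data),
            "strings": sorted(hits)}


if __name__ == "__main__":
    for label, blob in [("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)]:
        print(label, triage(blob))
```

The benign buffer hits only `$s2`, so the "3 of them" condition keeps it from firing; this is the same precision trade-off a rule author makes when choosing between "any of them" and a higher threshold.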

Elastic Security Malicious Behavior Protection Rules

Prebuilt, high-signal EQL rules that run on the endpoint to disrupt malicious behavior. This layer of prevention equips Elastic Agent to protect Linux, Windows, and macOS hosts from a broad range of attack techniques, with a major focus on the following tactics:

Prevention is achieved by pairing post-execution analytics with response actions to kill a specific process or a full process tree tailored to stop the adversary at the initial stages of the attack. Each protection rule is mapped to the most relevant MITRE ATT&CK tactic, technique and subtechnique.
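The shape of such a behavior rule, as an added example that is not Elastic's code or EQL engine: an EQL-style process query, an ATT&CK mapping and a response action, evaluated over constructed process events. The query grammar supported here is a small hand-written subset (`process where <field> in (...) and ...`), the rule itself is illustrative, and the "kill process tree" action only computes the set of PIDs that would be terminated.

```python
"""
Added example (not Elastic's code): a tiny evaluator modelled on the shape of an
endpoint behavior rule - an EQL-style process query, a MITRE ATT&CK mapping and a
response action - run over constructed process events.  The query syntax is a
small hand-written subset of EQL, not the real engine.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    name: str
    parent_name: str
    args: str


# Constructed behavior rule (illustrative): an Office application spawning a
# script interpreter, the kind of post-execution pattern a prevention rule targets.
RULE = {
    "name": "Example: Office application spawning a script interpreter",
    "query": 'process where process.parent.name in ("winword.exe", "excel.exe") '
             'and process.name in ("powershell.exe", "wscript.exe")',
    "attack": {"tactic": "Execution", "technique": "T1059 Command and Scripting Interpreter"},
    "response": "kill_process_tree",
}

# EQL field names supported by this subset, mapped onto ProcessEvent attributes.
FIELDS = {"process.name": "name", "process.parent.name": "parent_name", "process.args": "args"}


def parse_query(query: str) -> list:
    """Parse 'process where <clause> and <clause> ...' into (attribute, allowed values) pairs.
    Each clause is either 'field == "x"' or 'field in ("x", "y")'; values compare case-insensitively."""
    m = re.fullmatch(r"process where (.+)", query.strip())
    if not m:
        raise ValueError("only 'process where ...' queries are supported in this subset")
    clauses = []
    for clause in re.split(r"\s+and\s+", m.group(1)):
        cm = re.fullmatch(r"([\w.]+)\s+(==|in)\s+(.+)", clause.strip())
        if not cm:
            raise ValueError(f"cannot parse clause: {clause}")
        fld, _op, rhs = cm.groups()
        values = {v.lower() for v in re.findall(r'"([^"]*)"', rhs)}
        clauses.append((FIELDS[fld], values))
    return clauses


def matches(clauses: list, ev: ProcessEvent) -> bool:
    return all(getattr(ev, fld).lower() in values for fld, values in clauses)


def process_tree(root_pid: int, events: list) -> list:
    """Root pid plus all descendants via ppid links: the 'full process tree' response scope."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    out, stack = [], [root_pid]
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children.get(p, []))
    return out


def evaluate(rule: dict, events: list) -> list:
    """Run the rule over the event list; each alert carries the ATT&CK mapping and
    the PIDs the response action would terminate (computed only, nothing is killed)."""
    clauses = parse_query(rule["query"])
    alerts = []
    for ev in events:
        if matches(clauses, ev):
            alerts.append({"rule": rule["name"], "attack": rule["attack"], "pid": ev.pid,
                           "action": rule["response"], "kill": process_tree(ev.pid, events)})
    return alerts


# Constructed process events; pid 500 is a user-launched shell and must not alert.
EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "init", ""),
    ProcessEvent(200, 100, "winword.exe", "explorer.exe", "report.docx"),
    ProcessEvent(300, 200, "powershell.exe", "winword.exe", "-NoProfile"),
    ProcessEvent(400, 300, "cmd.exe", "powershell.exe", "/c whoami"),
    ProcessEvent(500, 100, "powershell.exe", "explorer.exe", "-NoProfile"),
]

if __name__ == "__main__":
    for alert in evaluate(RULE, EVENTS):
        print(alert)
```

Only pid 300 alerts, because the parent constraint excludes the shell launched directly from explorer.exe; the response scope is [300, 400], i.e. the matching process and its child, which is what "kill a full process tree" means in practice.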

Elastic aims to maintain a true positive rate of at least 70%, so they prioritize precision in the analytics logic, which narrows the detection scope of the prevention layer.

Another example of their commitment to openness in security is their existing public Detection Rules repository, where they share EQL rules that run on the SIEM side and have broader detection logic, which makes them more suitable for detection and hunting.

Categories: Downloads

Reza Rafati

Founder of Cyberwarzone.com.