Elastic released 1000+ YARA rules and 200+ endpoint behavior rules as a commitment to open security and transparency
Elastic has released 1000+ YARA rules and 200+ endpoint behavior rules as a commitment to open security and transparency. The signatures can be found on their GitHub page.
Elastic Security provides signature-based YARA rules within the Elastic Endpoint product. These rules are used to detect and prevent emerging threats within Linux, Windows, and macOS systems.
These YARA rules can be used by the community for different use cases, such as:
- Network Defense
- Threat Hunting
- Incident Response/Forensics
- Alert Triage / Enrichment
- Malware Analysis
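To make concrete what "signature-based" matching means for the use cases above, here is an added example (not Elastic's code and not one of their published rules) of a minimal matcher for a small subset of YARA syntax: text strings, hex strings, and the conditions `any of them`, `all of them` and `N of them`. The rules and the sample buffer are constructed for illustration; in practice you would run the published rule set with the `yara` CLI or `yara-python`, but the matching model is the same.

```python
"""Minimal YARA-style matcher (added example; not Elastic's code or rule set).

Supports a subset of YARA: text strings, hex strings, and the conditions
`any of them`, `all of them` and `N of them`.
"""
import re

RULE_HEADER = re.compile(r"rule\s+(\w+)\s*\{")
# $id = "text"  or  $id = { DE AD BE EF }
STRING_DEF = re.compile(r'(\$\w*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|\{([0-9A-Fa-f\s]+)\})')
COUNT_COND = re.compile(r"^(any|all|\d+)\s+of\s+them$")


def split_rules(text):
    """Yield (name, body) pairs, matching braces so hex strings don't end a rule early."""
    pos = 0
    while (m := RULE_HEADER.search(text, pos)):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]
        pos = i


def parse_rules(text):
    """Return a list of (name, {identifier: bytes}, condition) tuples."""
    rules = []
    for name, body in split_rules(text):
        strings_part = body.split("strings:", 1)[1].split("condition:", 1)[0]
        condition = body.split("condition:", 1)[1].strip()
        patterns = {}
        for ident, txt, hexs in STRING_DEF.findall(strings_part):
            if hexs:
                patterns[ident] = bytes.fromhex(hexs)
            else:
                # Resolve \\ and \" escapes; YARA text strings are byte strings.
                patterns[ident] = txt.encode("latin-1").decode("unicode_escape").encode("latin-1")
        rules.append((name, patterns, condition))
    return rules


def find_all(data, needle):
    """Offsets of every (possibly overlapping) occurrence of needle in data."""
    offsets, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def evaluate(condition, hits):
    """Evaluate `any/all/N of them` against per-identifier offset lists."""
    m = COUNT_COND.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    matched = sum(1 for offs in hits.values() if offs)
    want = m.group(1)
    if want == "any":
        return matched >= 1
    if want == "all":
        return matched == len(hits)
    return matched >= int(want)


def scan(data, rules_text):
    """Return {rule_name: {identifier: [offsets]}} for rules whose condition holds."""
    results = {}
    for name, patterns, condition in parse_rules(rules_text):
        hits = {ident: find_all(data, pat) for ident, pat in patterns.items()}
        if evaluate(condition, hits):
            results[name] = {k: v for k, v in hits.items() if v}
    return results


# Constructed sample rules and buffer (not real malware signatures).
SAMPLE_RULES = r'''
rule Example_Dropper_Marker
{
    strings:
        $s1 = "DemoDropperMarker"
        $s2 = { 4D 5A 90 00 }
    condition:
        all of them
}

rule Example_Loose
{
    strings:
        $a = "benign-config"
        $b = "DemoDropperMarker"
    condition:
        any of them
}
'''

SAMPLE_FILE = b"MZ\x90\x00" + b"\x00" * 16 + b"...DemoDropperMarker..."

if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_FILE, SAMPLE_RULES).items():
        print(rule, hits)
```

The offsets returned per identifier are what make a hit useful for triage and enrichment: they tell an analyst which bytes fired the rule, which is the first thing to check when deciding whether a match is a true positive.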
Elastic Security Malicious Behavior Protection Rules
Prebuilt, high-signal EQL rules that run on the endpoint to disrupt malicious behavior. This layer of prevention equips Elastic Agent to protect Linux, Windows, and macOS hosts from a broad range of attack techniques, with a major focus on the following tactics:
Prevention is achieved by pairing post-execution analytics with response actions that kill a specific process or a full process tree, tailored to stop the adversary at the initial stages of the attack. Each protection rule is mapped to the most relevant MITRE ATT&CK tactic, technique and sub-technique.
The true positive rate that Elastic aims to maintain is at least 70%, so the analytic logic prioritizes precision, narrowing the detection scope of the rules used for prevention.
Another example of their commitment to openness in security is their existing public Detection Rules repository, where they share EQL rules that run on the SIEM side and have broader detection logic, which makes them more suitable for detection and hunting.
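The pairing of a post-execution analytic with a response action is easiest to see in code. The following is an added example, not Elastic Endpoint's engine or one of its rules: a toy evaluator for a single behavior rule ("script interpreter started under an office application") over constructed process-start telemetry, followed by the computation of which processes a `kill_process` or `kill_tree` response would terminate. The event fields, the rule structure and the process names are assumptions for the illustration; the ATT&CK mapping fields use real identifiers (tactic Execution, technique T1059).

```python
"""Toy endpoint behavior rule + response action (added example; not Elastic's code)."""
from collections import defaultdict

# Constructed process-start telemetry (not real endpoint data). Fields are
# simplified stand-ins for process.pid / process.parent.pid / process.name.
EVENTS = [
    {"pid": 100, "ppid": 1,   "name": "explorer.exe",   "action": "start"},
    {"pid": 200, "ppid": 100, "name": "winword.exe",    "action": "start"},
    {"pid": 300, "ppid": 200, "name": "cmd.exe",        "action": "start"},
    {"pid": 400, "ppid": 300, "name": "powershell.exe", "action": "start"},
    {"pid": 500, "ppid": 100, "name": "notepad.exe",    "action": "start"},
]

# Constructed rule, in the spirit of an endpoint behavior rule: a script
# interpreter started (within a few hops) under an office application.
# ATT&CK mapping: Execution / T1059 Command and Scripting Interpreter.
RULE = {
    "name": "Script interpreter spawned by office application (example)",
    "tactic": "Execution",
    "technique": "T1059",
    "ancestor_names": {"winword.exe", "excel.exe"},
    "child_names": {"cmd.exe", "powershell.exe"},
    "max_depth": 3,
    "response": "kill_tree",  # or "kill_process"
}


def build_tree(events):
    """Index parent links, child lists and names from process-start events."""
    parents, children, names = {}, defaultdict(list), {}
    for e in events:
        if e["action"] == "start":
            parents[e["pid"]] = e["ppid"]
            children[e["ppid"]].append(e["pid"])
            names[e["pid"]] = e["name"]
    return parents, children, names


def ancestors(pid, parents, max_depth):
    """Yield ancestor pids, nearest first, up to max_depth hops."""
    depth = 0
    while pid in parents and depth < max_depth:
        pid = parents[pid]
        yield pid
        depth += 1


def descendants(pid, children):
    """All pids in the subtree rooted at pid (excluding pid itself)."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children.get(p, []))
    return out


def evaluate(rule, events):
    """Post-execution analytic: return (triggering pid, matched ancestor pid) pairs."""
    parents, children, names = build_tree(events)
    matches = []
    for e in events:
        if e["action"] != "start" or e["name"] not in rule["child_names"]:
            continue
        for anc in ancestors(e["pid"], parents, rule["max_depth"]):
            if names.get(anc) in rule["ancestor_names"]:
                matches.append((e["pid"], anc))
                break
    return matches


def respond(rule, match, events):
    """Response action: the pids a prevention would terminate for one match."""
    child_pid, ancestor_pid = match
    _, children, _ = build_tree(events)
    if rule["response"] == "kill_process":
        return [child_pid]
    # kill_tree: the matched ancestor and everything under it, so the
    # initial foothold is removed rather than just the last spawned child.
    return [ancestor_pid] + descendants(ancestor_pid, children)


if __name__ == "__main__":
    for match in evaluate(RULE, EVENTS):
        print(RULE["tactic"], RULE["technique"], match, "->", respond(RULE, match, EVENTS))
```

Note the trade-off the page describes: requiring a specific ancestor within a bounded depth keeps the rule precise (the unrelated `notepad.exe` under `explorer.exe` is untouched), at the cost of missing chains that exceed `max_depth` or use a parent not in the list. That narrower scope is acceptable for a prevention rule, where a false positive kills a legitimate process.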