Elastic SIEM v7.4
Elastic Endpoint Security v3.14
Elastic Endpoint Security (formerly Endgame) is a centrally managed solution that unifies prevention, detection, response, and threat hunting to stop attacks. It delivers layered, signatureless preventions; deep, contextualized visibility into endpoint events; and a rich set of response capabilities – all within a single, lightweight agent. It is driven by a scalable and easy-to-use SaaS or on-prem management platform and supports easy integration with other tools through a fully documented API. The technology can ship, scale, and store security data efficiently in Elasticsearch via Elastic SIEM to identify attacks across your organization.
Elastic Endpoint Security has layered, high-confidence, signatureless protections mapped to MITRE ATT&CK™ to cover the entire attack lifecycle. Kernel behavioral preventions operate in-line at the lowest level, blocking techniques like exploits, process injection, credential dumping, token theft, and more. Lightweight static and dynamic machine learning malware prevention models are third-party validated to block 99%+ of malware, malicious macro-enabled documents, and ransomware before damage can occur.
The technology also provides tradecraft protections to monitor system activity in real time, alerting on techniques across all tactics in ATT&CK with very high confidence. These behavioral protections operate in unison to provide high confidence breach prevention and early detection. Users can view security data structured by the Elastic Common Schema and made accessible by the Event Query Language (EQL), an elegant, powerful, and extensible language that drives Elastic Endpoint Security. Using EQL, practitioners can hunt for attacker behaviors and turn those queries into preventions via Reflex™.
Elastic Endpoint Security users can easily interact with alerts and query results through Resolver™, a graphical, interactive UI that visualizes the full extent of an attack and allows for rapid, single-click response. Endpoint Security provides a rich set of response actions such as file quarantine, host isolation, file retrieval or deletion, process memory dumps, and more — in most cases eliminating the need for responders to bring in other tools.
Default Policy (detect-only, per test criteria)