Home  >  APT29  >  Results  >  Elastic  >  Configuration

Product Versions

Elastic SIEM v7.4

Elastic Endpoint Security v3.14

Description

Elastic Endpoint Security​ (formerly Endgame) is a centrally managed solution that unifies prevention, detection, response, and threat hunting to stop attacks. It delivers layered, signatureless preventions; deep, contextualized visibility into endpoint events; and a rich set of response capabilities – all within a single, lightweight agent. It is driven by a scalable and easy-to-use SaaS or on-prem management platform and supports easy integration with other tools through a fully documented API. The technology can ship, scale, and store security data efficiently in ​ Elasticsearch​ via ​ Elastic SIEM​ to identify attacks across your organization.

Elastic Endpoint Security has layered, high-confidence, signatureless protections mapped to MITRE ATT&CK™ to cover the entire attack lifecycle. Kernel behavioral preventions operate in-line at the lowest level, blocking techniques like exploits, process injection, credential dumping, token theft, and more. Lightweight static and dynamic machine learning malware prevention models are third-party validated to block 99%+ of malware, malicious macro-enabled documents, and ransomware before damage can occur.

The technology also provides tradecraft protections to monitor system activity in real time, alerting on techniques across all tactics in ATT&CK with very high confidence. These behavioral protections operate in unison to provide high confidence breach prevention and early detection. Users can view security data structured by the ​ Elastic Common Schema​ and made accessible by the ​ Event Query Language (EQL),​ ​an elegant, powerful, and extensible language that drives Elastic Endpoint Security. Using EQL, practitioners can hunt for attacker behaviors and turn those queries into preventions via ​Reflex™​.

Elastic Endpoint Security users can easily interact with alerts and query results through Resolver™, a graphical, interactive UI that visualizes the full extent of an attack and allows for rapid, single-click response. Endpoint Security provides a rich set of response actions such as file quarantine, host isolation, file retrieval or deletion, process memory dumps, and more — in most cases eliminating the need for responders to bring in other tools.

Product Configuration

Default Policy (detect-only, per test criteria)