With each new Elastic Stack version over the last year has come a generous package of Elastic Security detection rules. This demonstrates Elastic's commitment to continually adding new protections to its Security platform, expanding its coverage of possible security compromises and threat behaviour. Elastic organises this coverage by categorising its rules according to the MITRE ATT&CK framework.
Even though the current Elastic release is 7.10, we can take a sneak peek at the new detection rules we might expect to see in the coming 7.11 and even 7.12 versions by looking at Elastic's Detection Rules GitHub repository. The repository is public, allowing security experts from around the world to contribute alongside Elastic's own experts.
Firstly, what are detection rules?
Elastic Security, like most SIEM platforms, detects threats by running queries against the ingested log data. These queries can be static, or somewhat dynamic by making use of blacklists/whitelists or machine learning capabilities. Each platform tends to have its own syntax. Elastic offers a choice of two easy-to-learn query languages: Kibana Query Language (KQL), or Event Query Language (EQL) for more complex needs such as correlating sequences of events.
What can we expect to see next?
A strong focus on new Endpoint detection rules is clear. This shows Elastic's commitment to rolling out its new EDR (Endpoint Detection and Response) firepower over the coming releases. It is also easy to see that many OSX rules are scheduled for the next release, so Mac protections are being substantially beefed up as a result.
The second observation is the large number of cloud-based detection rules on the way. These rules make use of Filebeat modules that connect to cloud providers to ingest security logs. Many of the rules relate to Microsoft 365 and Microsoft Azure security issues, but there are also many Google Cloud and AWS rules coming.
The coming 7.11 release also appears to include rules relating to the SolarWinds security breach that occurred late last year. These rules focus on, amongst other things, analysing the behaviour of outgoing network connections made by SolarWinds executables, which has been identified as an indicator of a compromised binary.
We don't yet have any concrete details of when Elastic will release version 7.11, but stay tuned and we will let you know the full details of the new release as soon as it drops.