
elastic/protections-artifacts

Elastic Security detection content for Endpoint



Quick Overview

The elastic/protections-artifacts repository is a collection of detection rules, machine learning jobs, and other security content for Elastic Security. It provides a centralized location for security analysts and researchers to access and contribute to Elastic's security detection capabilities, enhancing threat detection and response across Elastic deployments.

Pros

  • Comprehensive set of detection rules and machine learning jobs
  • Community-driven contributions and updates
  • Regularly maintained and updated by Elastic and the community
  • Integrates seamlessly with Elastic Security products

Cons

  • Requires an Elastic Stack deployment to utilize effectively
  • Some advanced features may require paid Elastic subscriptions
  • Learning curve for users unfamiliar with Elastic Security ecosystem
  • Limited standalone functionality outside of Elastic environment

Code Examples

This repository primarily contains YAML configuration files for detection rules and machine learning jobs, rather than executable code. However, here are a few examples of how the content might be used:

  1. Importing a detection rule:

name: Potential DLL Side-Loading via Microsoft Antimalware Service Executable
type: eql
risk_score: 47
description: Detects potential DLL side-loading attempts using the Microsoft Antimalware Service Executable
# Fires when MsMpEng.exe is started from outside the Defender install directories
query: |
  process where event.type == "start" and
    process.name : "MsMpEng.exe" and
    not process.executable : ("C:\\Program Files\\Windows Defender\\*", "C:\\ProgramData\\Microsoft\\Windows Defender\\*")

  2. Configuring a machine learning job:

job_type: anomaly_detector
description: "Detect unusual process relationships"
groups: ["process"]
analysis_config:
  bucket_span: 15m
  # Flags process names that are rare for a given parent process
  detectors:
    - function: rare
      by_field_name: "process.parent.name"
      over_field_name: "process.name"

  3. Using a threat intelligence indicator:

name: Known Malicious IP
type: threat_match
threat:
  framework: MITRE ATT&CK
  tactic:
    name: Command and Control
    id: TA0011
  technique:
    name: Application Layer Protocol
    id: T1071
# 192.0.2.1 is a documentation address used here as a placeholder indicator
indicator:
  type: ip
  ip: 192.0.2.1
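To show what the DLL side-loading rule in the first example actually matches, here is an added Python re-implementation of its query (not code from the protections-artifacts repository) run over constructed process events. It assumes EQL's `:` operator is case-insensitive and accepts `*` wildcards while `==` is an exact comparison, which is how Elastic documents those operators.

```python
# Added example (not from the protections-artifacts repository): the DLL
# side-loading rule above re-implemented in Python and run over constructed
# process events, to show which ones it flags and why.
from fnmatch import fnmatchcase

# Values taken from the rule above.
TARGET_NAME = "MsMpEng.exe"
TRUSTED_EXECUTABLES = (
    "C:\\Program Files\\Windows Defender\\*",
    "C:\\ProgramData\\Microsoft\\Windows Defender\\*",
)

def eql_match(value, patterns):
    # Models EQL ':' as Elastic documents it: case-insensitive, '*' wildcards,
    # true if any pattern in the list matches.
    value = value.lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)

def is_suspicious(event):
    """True when the event satisfies the rule's EQL query."""
    return (
        event["event.type"] == "start"  # '==' is exact; "Start" would not match
        and eql_match(event["process.name"], [TARGET_NAME])
        and not eql_match(event["process.executable"], TRUSTED_EXECUTABLES)
    )

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # legitimate Defender engine: excluded by the trusted-path list
    {"event.type": "start", "process.name": "MsMpEng.exe",
     "process.executable": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    # same binary name launched from a user-writable folder: alert
    {"event.type": "start", "process.name": "msmpeng.exe",
     "process.executable": "C:\\Users\\Public\\Downloads\\msmpeng.exe"},
    # mixed-case path under ProgramData: still trusted because ':' ignores case
    {"event.type": "start", "process.name": "MsMpEng.exe",
     "process.executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18\\MsMpEng.exe"},
    # process end rather than start: the rule does not fire
    {"event.type": "end", "process.name": "MsMpEng.exe",
     "process.executable": "C:\\Temp\\MsMpEng.exe"},
]

def flagged_executables(events=SAMPLE_EVENTS):
    """Return the executables of the events the rule would alert on."""
    return [e["process.executable"] for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for path in flagged_executables():
        print("ALERT:", path)
```

The third sample event is the one to notice when tuning: a lowercase path still counts as trusted under `:`, so an exclusion written with `==` instead would silently produce false positives.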

Getting Started

To use the protections-artifacts:

  1. Clone the repository:

    git clone https://github.com/elastic/protections-artifacts.git

  2. Navigate to the desired content (e.g., detection rules, machine learning jobs).

  3. Import the YAML files into your Elastic Security deployment using Elastic's documentation and tools.

  4. Monitor and tune the imported content as needed for your environment.

Competitor Comparisons

Azure-Sentinel: Cloud-native SIEM for intelligent security analytics for your entire enterprise.

Pros of Azure-Sentinel

  • More comprehensive security solution, integrating with broader Azure ecosystem
  • Larger community and more frequent updates
  • Advanced analytics and machine learning capabilities for threat detection

Cons of Azure-Sentinel

  • Steeper learning curve due to complexity
  • Higher cost, especially for large-scale deployments
  • Tighter integration with Microsoft products may limit flexibility

Code Comparison

Azure-Sentinel (KQL query):

SecurityEvent
| where EventID == 4624
| where AccountType == "User"
| summarize count() by Account

Protections-artifacts (YAML rule):

rule:
  name: Suspicious User Login Activity
  type: threshold
  index: winlogbeat-*
  threshold:
    field: user.name
    value: 10

Both repositories provide security-related artifacts, but Azure-Sentinel offers a more comprehensive SIEM solution, while Protections-artifacts focuses on detection rules for Elastic Security. Azure-Sentinel uses KQL for queries and analytics, whereas Protections-artifacts primarily uses YAML for rule definitions. Azure-Sentinel is better suited for large enterprises deeply invested in the Microsoft ecosystem, while Protections-artifacts may be more appropriate for organizations using Elastic Stack for security monitoring.

Splunk Security Content

Pros of security_content

  • More comprehensive content, covering a wider range of security use cases
  • Better documentation and examples for each detection rule
  • Active community contributions and regular updates

Cons of security_content

  • Primarily focused on Splunk-specific implementations
  • May require more customization for non-Splunk environments
  • Larger repository size, potentially making it harder to navigate

Code Comparison

security_content (YAML format):

name: Suspicious PowerShell Script with Encoding
id: 3d6d3ff3-871c-4c6d-8bda-2d7c89b62b04
description: Detects suspicious PowerShell scripts using encoding techniques
search: |
  index=windows sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104
  (EncodedCommand=* OR Base64Encoded=*)

protections-artifacts (TOML format):

[rule.suspicious_powershell_encoding]
name = "Suspicious PowerShell Encoding"
type = "query"
index = "winlogbeat-*"
language = "kuery"
risk_score = 50
query = '''
process.name:powershell.exe AND process.args:(*encodedcommand* OR *enc*)
'''

Both repositories provide valuable security content, with security_content offering a broader scope and more detailed documentation, while protections-artifacts focuses on Elastic-specific implementations with a more concise structure.

cti: Cyber Threat Intelligence Repository expressed in STIX 2.0

Pros of cti

  • Comprehensive MITRE ATT&CK framework data in STIX format
  • Regular updates with new threat intelligence
  • Widely adopted and used in the cybersecurity community

Cons of cti

  • Requires STIX/TAXII knowledge for effective use
  • May contain more general threat data, less focused on specific detections

Code Comparison

cti (STIX 2.1 JSON):

{
  "type": "attack-pattern",
  "id": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
  "created": "2020-05-12T18:33:51.152Z",
  "modified": "2020-05-12T18:33:51.152Z",
  "name": "Exploitation for Privilege Escalation"
}

protections-artifacts (YAML):

- rule:
    name: Potential Privilege Escalation via Vulnerable Service
    type: eql
    risk_score: 73
    severity: high
    query: >
      process where event.type == "start" and
        process.name : ("sc.exe", "net.exe", "net1.exe") and
        process.args : ("config", "start") and
        process.args : ("binPath", "binpath", "bin_path")

The cti repository focuses on providing structured threat intelligence data, while protections-artifacts offers specific detection rules and logic for security products.

ThreatHunter-Playbook: A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

Pros of ThreatHunter-Playbook

  • Comprehensive threat hunting methodology with detailed playbooks
  • Community-driven project with regular contributions and updates
  • Includes analytics for multiple data sources and platforms

Cons of ThreatHunter-Playbook

  • Less focused on specific product integration compared to protections-artifacts
  • May require more manual effort to implement and customize

Code Comparison

ThreatHunter-Playbook (YAML):

title: Suspicious PowerShell Download Cradle
id: 1
description: Detects suspicious PowerShell download cradles
author: Open Threat Research
detection:
    selection:
        EventID: 4104
        ScriptBlockText|contains:
            - 'Net.WebClient'
            - 'DownloadString'
    condition: selection

protections-artifacts (YAML):

name: Suspicious PowerShell Download
rule_id: 7f8c6d3e-6f6d-41f1-9c9d-8e5b3e8c8c8c
type: eql
risk_score: 73
description: Detects suspicious PowerShell download activity
query: |
  process where process.name : "powershell.exe" and
    process.args : ("*Net.WebClient*", "*DownloadString*")

Both repositories provide valuable resources for threat detection and hunting. ThreatHunter-Playbook offers a more comprehensive approach with detailed playbooks, while protections-artifacts is more focused on Elastic-specific implementations. The code comparison shows similar detection logic for suspicious PowerShell downloads, but with different syntax and structure tailored to their respective purposes.

Sigma: Main Sigma Rule Repository

Pros of Sigma

  • Broader community support and contributions
  • Platform-agnostic rule format, allowing for wider compatibility
  • Extensive documentation and examples for rule creation

Cons of Sigma

  • May require additional conversion tools for specific platforms
  • Less tightly integrated with a specific product ecosystem
  • Potentially slower update cycle for emerging threats

Code Comparison

Sigma rule example:

title: Suspicious Process Creation
detection:
    selection:
        EventID: 1
        Image|endswith: '\cmd.exe'
    condition: selection

Elastic rule example:

rule:
  name: Suspicious Command Execution
  type: eql
  query: |
    process where process.name : "cmd.exe"

Both repositories focus on providing detection rules for security threats, but Sigma offers a more generic approach, while Protections-artifacts is tailored specifically for Elastic products. Sigma's platform-agnostic nature allows for greater flexibility, but may require additional steps for implementation. Protections-artifacts provides a more streamlined experience for Elastic users, with rules that can be directly applied to their security solutions.


README

ATT&CK navigator coverage

Protections Artifacts

Elastic Security prevents ransomware and malware, detects advanced threats, and arms responders with vital context. It’s free and open, ready for every endpoint.

Protections-Artifacts is the home of our detection logic (rules, YARA, etc.) for Elastic Security for endpoint. At Elastic, we believe that being open and transparent is critical for the success of us and our users. Check out our blog post if you are interested in additional background.

Directory

Below you will find the artifacts we have opened in this repository:

Folder        Description
behavior/     EQL based malicious behavior rules
yara/         YARA rules for malware protection
ransomware/   Elastic ransomware protection artifact

Questions? Problems? Suggestions?

If you would like to provide feedback or contribute to this repository, please familiarize yourself with the applicable artifact's readme and open an issue using one of the provided templates. We cannot accept pull requests at this time because this repository is automatically generated.

You can also reach us in our Slack Workspace or in the Security Discuss forum.

License

Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use these artifacts except in compliance with the Elastic License 2.0.

Contributors must sign a Contributor License Agreement before contributing code to any Elastic repositories.