Learn how the Elastic Infosec team created a full inventory of all browser extensions using osquery and Elastic Security with examples on building detections to alert the security team when a known bad browser extension is installed on a workstation.

Threat actors targeting browser extensions

Enterprise challenges

Deploy and manage osquery within Kibana

Advantages of using osquery with Elastic

Using osquery in Elastic

Live query

Query pack

Creating an inventory of all extensions with osquery

image1.png

image4.png

image2.png

Creating detection rules for bad extensions

Example indicator match rule configuration 

image3.png

Try it out

Elastic Banner_11 (2).jpg

How to detect malicious browser extensions using Elastic

See how Elastic’s asset inventory has evolved into a critical tool for InfoSec, transforming from a basic inventory to a powerful solution that addresses real-world cybersecurity challenges.

Adopting naming conventions

Standardizing metadata and fields

Enriching indices and creating relationships between assets

Logical view of the user relationships with other assets

Visualizing the workflow

High-level architecture of the asset inventory

Real-world use cases for an asset inventory

SIEM alert enrichment 

Example use case of SIEM alert enrichment

Using the asset inventory to create alerts

Example use case of using the asset inventory to create alerts

image5.png

Wrapping up

universal-profiling-blog-720x420.jpg

Inventory to insight: How Elastic’s asset inventory powers InfoSec use cases

Discover how Elastic's InfoSec team saves thousands of hours per month by using Tines to automate SIEM alert investigations while reducing false positives and detect compromised accounts.

Automating SIEM alert initial investigation

1.png

Sending the alerts to any SOAR

2.png

3.png

4.png

Using tags to route the automation

5.png

Building blocks for the automation

6-2.png

7.png

Managed workstation triage example

8.png

The close alert Send to Story

9.png

Escalating open alerts to Slack

6.png

10.png

Challenges we’ve encountered

Example detections

Achieving new levels of protection

stratus clouds.jpg

Reducing false positives with automated SIEM investigations from Elastic and Tines

Detecting a compromised account is one of the most challenging detections to build. This blog shows one approach we are using internally at Elastic to create detections that alert when multiple new events are seen for a user.

Threat detection at Elastic 

The problem: Detecting a compromised account

The solution: UEBA detection packages

How to create a UEBA detection package in Elastic Security

elastic-blog-1-create-new-rule.png

elastic-blog-2-tags.png

elastic-blog-3-building-block.png

Compute 👋 storage: A new Elastic architecture for what’s next

elastic-blog-4-and-10-threshold-dataview-open.png

Example UEBA package for GitHub

GitHub UEBA building block rules

elastic-blog-5-githubrepo.png

elastic-blog-6-username.png

elastic-blog-7-event-action.png

elastic-blog-8-jsontoken.png

elastic-blog-9-false.png

GitHub UEBA threshold alerts

Example: UEBA package for Slack

Slack UEBA building block rules

elastic-blog-11-logs-slack.png

elastic-blog-12-slack-audit.png

elastic-blog-13-sourceip.png

elastic-blog-14-downloaded.png

elastic-blog-15-preview.png

elastic-blog-16-threshold-dataview-closed.png

Keep critical assets safe with faster detection and response

alert-management.jpg

Detecting account compromise with UEBA detection packages

Using Threshold rules to create alerts on your alerts is a great way to maximize your analyst effectiveness without sacrificing visibility. By using these rules, security analysts spend less time investigating false positives.

blog-open-security-720x420-A.png

Detection engineering — Maximizing analyst efficiency using Cardinality Threshold rules on your alerts

Start free trial

Blog Footer CTA

Sign up for Elastic Cloud free trial

AaronJewitt.jpg

Principal Security Analyst

Aaron Jewitt

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/terms-of-use" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Newsletter GDPR Text

Load more

Overview

View next

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content.

You'll also receive an email with related content.

You'll also receive an email with related content

Speakers

Close

See more insights

Learn more

Author

Watch now (no PT)

Watch now

See all top stories

All (no PT translation)

Contact information

Press Release

Share on Reddit

Articles by

Share this story

Share by Email

Read less

Search Integrations

All Solutions

Thank you for registering. We will send you a confirmation email soon.

Thank you for your interest!

Follow us on Youtube

Follow us on Twitter

Follow us on LinkedIn

Follow us on Facebook

Headshot of

Reset all

Filters

Global Virtual Event

View more posts

Print

Continue reading

Share on Facebook

Share on LinkedIn

Share on Twitter

Share

Small image for

Video for

Explore similar demos

Register now

Upcoming webinar

On-demand webinar

Featured webinar

Highlights

See when this webinar starts in my time zone

Related workshops

Hosted by

Agenda

Location

Date

More

View more learning opportunities

Load more press releases

Load more news

What to explore next...

See All Posts

Contact Info

Register to Watch

Sign In to Attend

Register to Attend

Author

Articles by Aaron Jewitt

Principal Security Analyst, Elastic

How to detect malicious browser extensions using Elastic

Inventory to insight: How Elastic’s asset inventory powers InfoSec use cases

Reducing false positives with automated SIEM investigations from Elastic and Tines

Detecting account compromise with UEBA detection packages

Detection engineering — Maximizing analyst efficiency using Cardinality Threshold rules on your alerts

Follow us

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards