This article details the internal Elastic Infosec team's process to optimize our endpoint data collection using Event Filtering and Advanced Policy Settings in Elastic Defend.

The environment: Worldwide Distributed Workforce

Step 1: Identifying the Noise

Step 2: Precise Event Filtering

Filter example 1: Elasticsearch file noise

Filter example 2: Linux Logfile modifications

Step 3: Optimizing Performance at the Source

Event Aggregation

Results

Conclusion

How Elastic Infosec Optimizes Defend for Cost and Performance

Learn how to automate detection rule tuning requests in Elastic Security. This guide shows how to add custom fields to Cases, create a rule to detect tuning needs, and use a webhook to create a frictionless feedback loop between analysts and detection engineers.

Automating Detection Tuning Requests with Elastic Security

Custom Fields in Kibana Cases

Creating Custom fields

Using Runtime fields to map the custom fields

Creating the Runtime Fields

Automating the tuning request creation

Step 1: Find any cases recently tagged as `TuningRequired`

Step 2: Parsing each case

Step 3: Retrieving the alerts attached to the case

Step 4: Opening a tuning request.

Automating detection tuning requests with Kibana cases

Author

Aaron Jewitt

Articles

How Elastic Infosec Optimizes Defend for Cost and Performance

Automating detection tuning requests with Kibana cases