Advice needed for Elastic Agent Alerting

[innovate-support]

I've recently set up an SO server specifically intended to gather Elastic Agent data from remote employee Windows laptops. It's functionally working and remote laptops are sending their data to the server just fine. I'm currently testing simulated malicious software on those laptops to see what gets flagged in the SO Alerts sections. Thus far nothing has flagged an Alert even though I've ran the KnowBe4 RanSim software on the remote laptop, it was flagged by Windows as malicious, and I can Hunt and find the logs on the SO Server to confirm the Elastic Agent is sending it's data to the SO Server. I also tried adjusting the default 'elastic-defend-integration' Elastic Fleet policies to enable Malware detection. But nothing is being flagged as an Alert in SO. Are the tollerances set too low? Is there some settings I'm missing? It seems very odd that I could possibly run malicious software on an endpoint and SO wouldn't flag it. Please advise.

[innovate-support]

Do I need to purchase Elastic Platinum to get the functionality I want?

I'm willing to buy a license since this is of value to our company, but only if it works.

If I do purchase a Platinum license, how do I apply it in my SO installation?

[defensivedepth]

hey there - for clarification:

Are you wanting to use Elastic Agent as the primary anti-malware for your endpoints? Or are you just looking for alerting off the data that Elastic Agent is generating?

[innovate-support]

Alerting only.

[innovate-support]

I need to know if it's possible to apply an Elastic Platinum license to a Security Onion installation, how to apply it, and confirmation that it will give the extra functionality that I'm seeking?

[defensivedepth]

Our default settings for Elastic Agent generates/ships alot of logs:

• Ships local system logs (syslog, Windows Eventlogs etc)
• Generates logs for: process creation, network connections, registry changes, drivers loaded, etc

The detections that focus on these logsources are from Sigma rules loaded in Playbook. The vast majority of these are disabled by default, as they require a bit of tuning, field mapping changes and can cause performance issues if care is not taken to work through them.

The good news is that in our next release, we are debuting a brand new Detections module. It will replace Playbook. We will have a certain set of Sigma rules enabled and tuned by default. You can find out more information about it here: https://www.youtube.com/watch?v=oxR4q53N6OI

[innovate-support]

Thanks for the info. Is there an ETA for 2.4.70 ?

[dougburks]

2.4.70 is currently scheduled to be released in the next few weeks.