The 2025 State of Detection Engineering at Elastic summarizes detection engineering work from October 2023 to October 2024, covering real-world incident responses, rule development lifecycles, CI/Detections-as-Code practices, and extensive telemetry and integration enhancements across endpoint, cloud, and SaaS platforms. Key highlights include rapid coverage for the CUPS RCE disclosures, detection and analysis of activity group REF6138 and a DPRK malicious NPM campaign, expansion of kernel and macOS telemetry, an AWS CloudTrail/Okta rule audit (50+ tunings, 40+ new rules, 17 hunting queries), and operational metrics such as processing 500+ malware samples/day with a 99% detection goal. #CUPS #CVE-2024-47076 #REF6138 #ElasticDefend #AWSCloudTrail #Okta #ScatteredSpider #Panix #SWAT #DEBMM #ElasticSecurityLabs #NPM #DPRK
Key points
- Typical report structure: Introduction, practical detection engineering (real-world analysis and rule development), platform and telemetry enhancements, internal metrics and evaluation, partnership with threat reporting and forward-looking guidance, followed by a conclusion.
- Part 1 (Detection engineering in practice): explains how retrospective threat analysis (telemetry, detonations, PoCs) informs rules, with detailed case studies (CUPS RCE response; Windows CLFS/DWM local privilege escalation) and emphasis on behavior-driven detections beyond single-vulnerability signatures.
- Part 1 subsections: 1.1 Real-world threat analysis (vulnerability triage, PoC testing, telemetry-driven detection design) and 1.2 Robust rule development (automation, validations, DaC, DEBMM maturity model, and proactive hunting).
- DEBMM (Detection Engineering Behavioral Maturity Model): five maturity tiers (Foundation → Expert) used to benchmark telemetry integration, rule management, documentation, and threat modeling; applied initially to Azure ruleset to prioritize improvements.
- Detections-as-Code and CI: automated query/rule validation across stack versions, ES|QL support, unit/test datasets, peer review and version control to reduce noisy or inaccurate rules and accelerate safe releases.
- Proactive threat hunting: curated hunting query library, telemetry-driven alert channels, and public hunting queries that complement rules and help discover novel threats (example: discovery and remediation of REF6138 on Linux).
- Part 2 (Enhancing Elastic Security): focuses on integration enrichment (450+ integrations available) and endpoint visibility improvements that expanded detection surface across cloud, SaaS, Windows, macOS, and Linux.
- Cloud and SaaS focus: 15% of new/tuned rules related to cloud/SaaS; AWS CloudTrail and Okta account for ~70% of that subset; AWS audit produced 50+ tunings, 40+ new rules, and 17 threat-hunting queries by Oct 2024.
- Identity/SSO emphasis: Okta enhancements (System Log + Entity Analytics enrichment) enable anomaly detection using contextual user metadata (roles, MFA status, group memberships) and support detections for adversaries like Scattered Spider.
- LLM/GenAI telemetry: development of an AWS Bedrock model-invocation logging integration and standardized LLM field mappings (ECS/OTel) to enable security monitoring of LLM workflows and vendor-agnostic detections.
- Endpoint visibility — Windows: major kernel/ETW telemetry additions across Elastic releases (call stacks, VirtualAlloc/VirtualProtect/WriteProcessMemory coverage, AMSI events, TCP connect call stacks, DeviceIoControl, WMI visibility) to detect in-memory threats, hollowing, and privilege escalation.
- Endpoint visibility — macOS: engineered a first-of-its-kind dylib-load event (via filtered mmap + code-sign/hash enrichment) and a custom DNS event; enabled reliable in-memory JXA execution detection and surfaced a DPRK malicious NPM campaign via DNS correlations.
- Endpoint visibility — Linux: expanded coverage via Elastic Defend, Auditd Manager, and FIM integrations; Auditd Manager provides syscall-level detection (e.g., init_module/finit_module to detect LKM/rootkit loads) while FIM handles real-time file-change detection for persistence vectors.
- Elastic Defend enhancements: added Linux effective/permitted capabilities fields to detect capability-based privilege escalation (e.g., CAP_SETUID/CAP_SETGID → root escalation) and improved cross-platform telemetry for endpoint rules.
- Part 3 (Internal metrics and evaluation): two measurement layers — operational (detection efficacy, false positives, query performance) and strategic (OKRs, long-term impact); Endpoint Behavior rules are prioritized for high confidence and noise reduction, while some SIEM rules are intentionally left noisier to preserve signal fidelity.
- Protections malware feed efficacy: Detonate sandbox ingests 500+ samples/day; the protection metric tracks ability to detect/block ~99% of malicious samples using layered protections (behavioral rules, ransomware prevention, memory detection, YARA, etc.).
- Rule tuning and false negatives: continuous telemetry monitoring for unexpected alert spikes, selective tuning policies depending on agent population size, and triage workflows to address underperforming rules and add coverage where gaps appear.
- Notable detections and incidents: rapid rule deployment and public guidance for CUPS RCE variants (multiple CVEs), behavior+YARA detections for Windows CLFS/DWM LPE chains, discovery and reverse engineering of REF6138 Linux malware with YARA signatures, and detection of DPRK-sourced malicious NPM packages via macOS DNS telemetry.
- Key trends and findings: adversaries increasingly reuse core exploitation techniques (KASLR bypass, token swapping, PreviousMode abuse), in-memory and fileless techniques are rising, identity/cloud-targeting (compromised keys, IAM misconfigurations, Okta compromises) remain critical, and telemetry-first engineering yields higher-fidelity detections.
- Operational takeaways: invest in fine-grained telemetry (kernel call stacks, dylib loads, DNS events), adopt DaC/CI validation to scale rule quality, mature detection programs with structured models (DEBMM), pair hunting with rule development, and prioritize cross-integration correlation for high-confidence detections.
- Forward-looking priorities: extend cloud audits to Azure/GCP, standardize LLM telemetry across vendors, continue kernel-level telemetry enhancements (token impersonation, OpenProcess, ResumeThread heuristics), and progress rulesets toward higher DEBMM maturity tiers.
- Impactful recommendations for teams: treat detections as software (testable, versioned), focus on behavior-driven detections for broad coverage, enrich identity and LLM telemetry, run continuous detonation and coverage metrics, and use maturity frameworks to prioritize limited detection engineering resources.
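As an added illustration (not code from the report or from Elastic), the two Linux endpoint detections summarized above, capability-based privilege escalation via the effective-capabilities field and LKM loads via the init_module/finit_module syscalls, expressed as simple detection logic over constructed events. The document shapes and field names (process.thread.capabilities.effective, auditd.data.syscall) are assumptions modelled on ECS-style Elastic Defend and Auditd Manager output, not taken from the page.

```python
"""Constructed Linux endpoint/audit events in an ECS-like shape (field names are an
assumption, not copied from the report) with two small detection functions."""

ESCALATION_CAPS = {"CAP_SETUID", "CAP_SETGID"}
MODULE_SYSCALLS = {"init_module", "finit_module"}
# Binaries expected to hold setuid/setgid capabilities when started by a normal user.
KNOWN_SETUID_BINARIES = {"sudo", "su", "passwd", "newgrp"}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"process": {"name": "sudo", "executable": "/usr/bin/sudo",
                 "thread": {"capabilities": {"effective": ["CAP_SETUID", "CAP_SETGID"]}}},
     "user": {"id": "1000"}},
    {"process": {"name": "helper", "executable": "/tmp/helper",
                 "thread": {"capabilities": {"effective": ["CAP_SETUID"]}}},
     "user": {"id": "1000"}},
    {"process": {"name": "bash", "executable": "/bin/bash",
                 "thread": {"capabilities": {"effective": []}}},
     "user": {"id": "1000"}},
    {"process": {"name": "insmod", "executable": "/usr/sbin/insmod",
                 "args": ["insmod", "/tmp/rk.ko"]},
     "auditd": {"data": {"syscall": "finit_module"}}, "user": {"id": "0"}},
    {"process": {"name": "modprobe", "executable": "/usr/sbin/modprobe",
                 "args": ["modprobe", "nf_conntrack"]},
     "auditd": {"data": {"syscall": "init_module"}}, "user": {"id": "0"}},
]


def capability_escalation_hits(events):
    """Non-root processes whose effective capability set includes CAP_SETUID or
    CAP_SETGID, excluding allowlisted setuid helpers. Returns executables to triage."""
    hits = []
    for ev in events:
        proc = ev.get("process", {})
        caps = set(proc.get("thread", {}).get("capabilities", {}).get("effective", []))
        if ev.get("user", {}).get("id") == "0" or not caps & ESCALATION_CAPS:
            continue  # already root, or no escalation-relevant capability held
        if proc.get("name") in KNOWN_SETUID_BINARIES:
            continue  # expected behaviour of a known setuid binary
        hits.append(proc.get("executable"))
    return hits


def module_load_hits(events):
    """Kernel module loads seen at syscall level. Each hit records the loader and
    whether any module path on the command line lies outside /lib/modules."""
    hits = []
    for ev in events:
        if ev.get("auditd", {}).get("data", {}).get("syscall") not in MODULE_SYSCALLS:
            continue
        args = ev["process"].get("args", [])[1:]
        outside_tree = any(a.startswith("/") and not a.startswith("/lib/modules") for a in args)
        hits.append({"executable": ev["process"]["executable"], "outside_tree": outside_tree})
    return hits
```

In production both checks would be rule queries over the indexed fields; the allowlist and the module-path heuristic are the kind of tuning the report describes rather than fixed logic.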
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)