Elastic's Infosec team reduced endpoint event volume and costs by using Event Filtering and Advanced Policy Settings in Elastic Defend across their worldwide distributed workforce. By identifying noisy processes and hosts with ES|QL queries, applying event filters, disabling unnecessary hash calculations, and enabling event aggregation, they cut event volume per host by ~75% and saved terabytes of storage per month. #ElasticDefend #Elastic
Keypoints
- Elastic Defend default and custom Event Filtering was used to prevent benign but noisy events from being sent to Elasticsearch, reducing data ingestion at the endpoint.
- Initial deployment showed ~48k events/hour per workstation; after tuning this dropped to ~12k events/hour, a ~75% reduction.
- Noise sources included widely deployed management agents (Qualys, Jamf, Intune), developer workloads (local Elasticsearch, Docker), and misconfigured hosts.
- ES|QL queries (logs-endpoint.events* index) were leveraged to identify noisiest event categories, hosts, processes, file paths, and network-generating processes.
- Advanced policy settings (disable MD5/SHA-1, enable event aggregation) reduced CPU usage, event size, and overall storage without impacting protection.
- Resulting benefits included significant storage and cost savings (estimated ~100TB/month for 4,000 hosts), improved analyst signal-to-noise, and faster hunting/search performance.
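The hunting step above is the one most readers will want to reproduce. The following ES|QL queries are an added example (not taken from the Elastic article) that walk the logs-endpoint.events* data the same way: noisiest event categories, noisiest hosts, the processes and file extensions behind file modifications, and the processes generating network events. The 24-hour window and the event.action value "modification" are assumptions; adjust them to your environment.

```esql
// 1. Which event categories dominate ingest? Baseline before tuning.
FROM logs-endpoint.events*
| WHERE @timestamp > NOW() - 24 hours
| STATS events = COUNT(*), hosts = COUNT_DISTINCT(host.id) BY event.category
| EVAL events_per_host_per_hour = events / hosts / 24
| SORT events DESC

// 2. Which hosts are outliers? High per-host counts usually point at
//    a misconfigured host or a developer workload (local Elasticsearch, Docker).
FROM logs-endpoint.events*
| WHERE @timestamp > NOW() - 24 hours
| STATS events = COUNT(*) BY host.id, host.name
| EVAL events_per_hour = events / 24
| SORT events DESC
| LIMIT 20

// 3. Which process + file extension pairs drive file modification noise?
//    Candidates for an event filter that drops modifications only, keeping
//    creation and deletion events (e.g. .log written by management agents).
//    "modification" as the event.action value is an assumption here.
FROM logs-endpoint.events*
| WHERE @timestamp > NOW() - 24 hours
    AND event.category == "file"
    AND event.action == "modification"
| STATS events = COUNT(*), hosts = COUNT_DISTINCT(host.id)
    BY process.executable, file.extension
| SORT events DESC
| LIMIT 20

// 4. Which processes generate the most network events, and on how many hosts?
//    A process seen on nearly every host (an agent) is a filter candidate;
//    a process seen on one host is an investigation candidate, not a filter.
FROM logs-endpoint.events*
| WHERE @timestamp > NOW() - 24 hours AND event.category == "network"
| STATS events = COUNT(*), hosts = COUNT_DISTINCT(host.id) BY process.executable
| SORT events DESC
| LIMIT 20
```

Run query 1 again after applying filters and the advanced policy settings to measure the reduction per host; the hosts column in queries 3 and 4 is what separates fleet-wide benign noise (safe to filter) from single-host anomalies (worth a look before filtering).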
MITRE Techniques
Indicators of Compromise
- [Process Names] noisy or benign agents identified for filtering: Qualys, Jamf, Intune (and the Docker backend process)
- [File Paths / Files] frequent file activity and developer Elasticsearch file noise: Elasticsearch data files, log files (e.g., files written by local Elasticsearch instances)
- [File Extension] used to suppress noisy modifications: .log (filtering modifications while still allowing create/delete events)
- [Host Identifiers] used to find and drill into noisy hosts: host.id, host.name (used in ES|QL queries to identify the top noisy hosts)
- [File Hash Types] hashing settings discussed for file events (not specific hash values): MD5, SHA-1, SHA-256 (MD5 and SHA-1 disablement noted)
Read more: https://www.elastic.co/security-labs/how-elastic-infosec-optimizes-defend