Elastic Security v9.4 introduces Entity Analytics Watchlists, enabling teams to create named, weighted lists of users, hosts, and services and inject that context directly into the platform's entity risk scoring pipeline. Watchlists remove the need for ES|QL, pipeline configuration, or detection engineering tickets by letting analysts codify departing employees, privileged accounts, critical assets, and acquisition cohorts as weighted signals that dynamically influence prioritized risk scores.
Key points
- Entity Analytics Watchlists in v9.4 let teams create named, described, rule-driven or manually curated lists of users, hosts, services, or other entities with configurable risk weightings.
- Watchlist membership is injected as a weighted signal into the entity risk scoring pipeline, compounding with alert activity, asset criticality, and behavioral anomalies to produce a single prioritized risk score.
- The feature closes the gap between organizational knowledge (e.g., departing employees, privileged admins, M&A cohorts) and SIEM risk models without requiring ES|QL, pipeline changes, or detection engineering tickets.
- Use cases include monitoring departing employees, privileged access holders, crown-jewel hosts, newly acquired infrastructure, high-risk business initiatives, and known-safe allow lists.
- Watchlists can be manually managed or automatically populated via integrations or APIs (for example, HR systems that mark offboarding status), keeping signals fresh without manual upkeep.
- Entity Analytics Watchlists are available to customers running Elastic Security with Entity analytics enabled and are designed to make organizational context a first-class input to UEBA-style risk scoring.
Read more: https://www.elastic.co/security-labs/entity-analytics-watchlists