This document discusses how application performance monitoring (APM) data from the Elastic Stack can be used for threat hunting. It describes how APM data can be combined with machine learning and security information and event management (SIEM) to more easily detect anomalies, pinpoint potential security threats, and reduce mean time to resolution for issues. The document provides examples of how APM metadata can be applied as filters across different Elastic solutions to focus analysis and identifies specific attack models and techniques that can be applied in APM-driven threat hunting rules.
3. Application Performance Monitoring
- Monitor software services and applications in real time, making it easier to pinpoint and remedy performance problems quickly.
- Automatically collect unhandled errors and exceptions.
- Automatically retrieve basic host-level and agent-specific metrics.
7. Event Detection: combine autonomous monitoring with alerts on unknown and defined events
- Correlate ML and Watcher with the APM view from the same screen. This reduces the need to toggle between tabs to create ML jobs or Watcher alerts on events from APM-monitored services.
- Apply APM metadata as filters in the different solution views. Each Elastic solution presents its own view of the dataset, but they can all share APM metadata (service name, environment, labels) as filters to narrow that view.
8. ML + APM Analysis: decrease MTTR by sequencing ML and APM analysis
- Identify the APM service(s) driving anomalous event(s): observe how ML-triggered events are influenced by APM services.
- Analyze in the ML and APM views: an ML anomaly can carry a hyperlink straight to the APM analysis view of the service(s) that influenced the event, so the hand-off from "something is anomalous" to "here is the service and transaction" is one click.
9. Threat Hunting with APM: server and service information can assist in securing the network
- APM Server information can be shared with SIEM. Because SIEM reads the same indices that APM writes, it can be used to track and identify potential threats to the business without a second ingestion pipeline.
- Tagging can help reduce MTTR. APM data can be tagged (for example with agent labels) for use in the various Elastic solutions, especially SIEM, as a filtering mechanism.
- Highlight unexpected processes. Rogue processes, services that were never deployed, or unauthorized access requests can be identified quickly with combined APM and SIEM monitoring.
10. APM Driven Threat Hunting: APM data can be used by SIEM to perform signal detections
- Customize signal detection rules for APM data: target the influencer(s) of the signal detection using APM metadata (service.name, service.environment, labels).
- Select any MITRE ATT&CK tactic to apply to the signal rule; each tactic lists the techniques that can be attached to the rule.
- Schedule the signal for continued threat hunting, with the flexibility to choose the detection frequency. Keep the look-back window at least as long as the schedule interval so events are not missed between runs.
https://www.elastic.co/campaigns/mitre-attack
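The two hunts the slides describe (flagging unauthorized access requests and highlighting services nobody deployed) plus the scheduled SIEM rule that would run the first of them, as an added example; this is not code from the Elastic deck. The transaction documents are constructed here in the ECS layout APM Server indexes, the service inventory and the `apm-401-burst-example` rule id are made up for the example, the rule body follows the Kibana detection-rules API of the 7.x line (an assumption; check your Kibana version for field changes), and the MITRE mapping to Credential Access / Brute Force is one reasonable choice, not the only one.

```python
"""Hunting over APM transaction documents and the matching SIEM rule.

Added example, not code from the Elastic deck.  Documents are constructed
to look like ECS events indexed by APM Server; the rule body follows the
Kibana detection-rules API as of the 7.x line (version is an assumption).
"""
from collections import defaultdict
import json

# Constructed sample data: a burst of 401s from one client against the
# production "auth" service, some benign traffic, and a service nobody deployed.
SAMPLE_TRANSACTIONS = [
    {"@timestamp": f"2020-09-01T10:00:{i:02d}Z", "processor": {"event": "transaction"},
     "service": {"name": "auth", "environment": "production"},
     "host": {"name": "web-01"}, "client": {"ip": "203.0.113.10"},
     "http": {"request": {"method": "POST"}, "response": {"status_code": 401}},
     "url": {"path": "/api/login"}, "labels": {"tier": "edge"}}
    for i in range(6)
] + [
    {"@timestamp": "2020-09-01T10:00:07Z", "processor": {"event": "transaction"},
     "service": {"name": "auth", "environment": "production"},
     "host": {"name": "web-01"}, "client": {"ip": "198.51.100.7"},
     "http": {"request": {"method": "POST"}, "response": {"status_code": 401}},
     "url": {"path": "/api/login"}, "labels": {"tier": "edge"}},
    {"@timestamp": "2020-09-01T10:00:09Z", "processor": {"event": "transaction"},
     "service": {"name": "auth", "environment": "production"},
     "host": {"name": "web-01"}, "client": {"ip": "198.51.100.7"},
     "http": {"request": {"method": "POST"}, "response": {"status_code": 200}},
     "url": {"path": "/api/login"}, "labels": {"tier": "edge"}},
    # Same attacker IP, but in staging: the environment filter drops it.
    {"@timestamp": "2020-09-01T10:00:10Z", "processor": {"event": "transaction"},
     "service": {"name": "auth", "environment": "staging"},
     "host": {"name": "stg-01"}, "client": {"ip": "203.0.113.10"},
     "http": {"request": {"method": "POST"}, "response": {"status_code": 401}},
     "url": {"path": "/api/login"}, "labels": {"tier": "edge"}},
    # An APM agent reporting under a service name absent from the inventory.
    {"@timestamp": "2020-09-01T10:00:12Z", "processor": {"event": "transaction"},
     "service": {"name": "debug-shell", "environment": "production"},
     "host": {"name": "web-03"}, "client": {"ip": "10.0.0.5"},
     "http": {"request": {"method": "GET"}, "response": {"status_code": 200}},
     "url": {"path": "/exec"}, "labels": {"tier": "internal"}},
]

# Known (service, host) pairs (constructed); in practice derive this from the
# APM service inventory or your CMDB.
SERVICE_INVENTORY = {("auth", "web-01"), ("checkout", "web-02"), ("auth", "stg-01")}


def field(doc, dotted):
    """Resolve an ECS dotted path such as "http.response.status_code" in a nested doc."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def find_auth_bursts(docs, environment="production", threshold=5):
    """Clients with at least `threshold` HTTP 401 transactions in one environment.

    Offline mirror of the KQL in build_threshold_rule(); returns a sorted
    list of (client.ip, service.name, count).
    """
    counts = defaultdict(int)
    for d in docs:
        if (field(d, "processor.event") == "transaction"
                and field(d, "service.environment") == environment
                and field(d, "http.response.status_code") == 401):
            counts[(field(d, "client.ip"), field(d, "service.name"))] += 1
    return sorted((ip, svc, n) for (ip, svc), n in counts.items() if n >= threshold)


def find_unknown_services(docs, inventory):
    """(service.name, host.name) pairs reporting to APM that are not in the inventory."""
    seen = {(field(d, "service.name"), field(d, "host.name")) for d in docs}
    return sorted(seen - inventory)


def build_threshold_rule(environment="production", threshold=5, interval="5m"):
    """Body for POST /api/detection_engine/rules that schedules the 401-burst hunt."""
    return {
        "rule_id": "apm-401-burst-example",  # example identifier, not a real rule
        "name": "APM: repeated 401s from one client",
        "description": "Threshold on HTTP 401 transactions per client.ip seen by APM agents.",
        "type": "threshold",
        "index": ["apm-*-transaction*"],
        "language": "kuery",
        "query": ('processor.event:"transaction" and '
                  f'service.environment:"{environment}" and '
                  'http.response.status_code:401'),
        "threshold": {"field": "client.ip", "value": threshold},
        "interval": interval,       # how often the signal runs
        "from": f"now-{interval}",  # look-back at least as long as the interval
        "risk_score": 47,
        "severity": "medium",
        "threat": [{  # MITRE ATT&CK mapping chosen for this example
            "framework": "MITRE ATT&CK",
            "tactic": {"id": "TA0006", "name": "Credential Access",
                       "reference": "https://attack.mitre.org/tactics/TA0006/"},
            "technique": [{"id": "T1110", "name": "Brute Force",
                           "reference": "https://attack.mitre.org/techniques/T1110/"}],
        }],
        "enabled": True,
    }


if __name__ == "__main__":
    print(find_auth_bursts(SAMPLE_TRANSACTIONS))
    print(find_unknown_services(SAMPLE_TRANSACTIONS, SERVICE_INVENTORY))
    print(json.dumps(build_threshold_rule(), indent=2))
```

The Python functions exist only to check the logic offline against constructed data; in a live stack the `query`, `threshold` and `threat` fields of the returned body do the same work on a schedule, and the `service.environment` filter is the "APM metadata as influencer" idea from the slide. If ingest lags behind the rule schedule, widen `from` beyond `interval` (for example `now-6m` for a 5-minute interval) so a burst straddling two runs is not missed.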
12. SLED Virtual Group
● Are you interested in learning more about Elastic?
● Do you want to represent your community at the next Elastic Virtual Group?
● Come check out your opportunity to be a leader and have your voice heard:
○ https://community.elastic.co/state-and-local-government-and-education-sled-virtual/
At our next Virtual Group, led by Jenny Morris, we will be learning more about how to leverage Elastic machine learning features to enhance your security posture.
13. Training Subscriptions
- Annual pass: year-round learning solution for a named user.
- Training on the go: flexible options include live, virtual and On-Demand training.
- Immersive learning: hands-on, solution-based training.
- Extensive curriculum: classes span the Elastic Stack, with new content added regularly.
Explore all benefits