we are currently evaluating the Elastic Agent to be used as endpoint security solution within our company. We are especially interested in the features provided by Endgame.
To get a feeling for the system I have setup a test environment using my computer running a Elasticsearch (version 7.15.1) and a Kibana instance. Further I'm using VirtualBox running a Ubuntu 20.04.2 VM to simulate a client for the Elastic Agent. This setup seems to work so far, since I'm receiving alerts for a few test cases.
To test Endgame I have downloaded several GB of malicious PE and ELF files and enabled all Endgame rules. However I have not received an alert from any of these rules and all rules show the following warning message:
This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["endgame-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated.
The only alert related to these files came from the Endpoint Security rule while pulling a git repository with malicious ELF files.
I have used this guide for the setup.
Am I misunderstanding something about the functionality of Endgame? I have not found any additional resources that seem to be up to date.
Yes, there's some confusion here. Endgame is the legacy product and there are prebuilt rules in place as an integration. What you are looking to work with is Endpoint Security and our Security Solution - see here as a guide to get started. When you enable the rules that work with our Endpoint, you'll see indices such as logs-endpoint.events., anytime you see endgame, it is the wrong rule.
Also, if you would like help evaluating our Security Solution, let me know where you are located and I can have an account owner and corresponding Solutions Architect reach out to you and assist.
thanks for the reply! I will go through the documentation.
However I still think it's odd that the detection rate for malware is that low (18/475). Since the alerts only appeared while cloning the repository containing the malware, it also seems like the agent does not perform a static analysis on the filesystem.
Is there any experience with this behavior?
It appears you are trying to enable rules specifically for Endgame but are using Elastic Agent with the endpoint security integration. If I have that correct, then the behavior is as expected, but obviously confusing.
As far as the malware detection. We perform analysis of the files PE/ELF upon create, modification, or execution. We will not typically analyze PE files on a Linux system. Do you know the breakdown of PE and ELF files in the samples you downloaded?
thanks for the insights, they help a lot.
Only ELF files were considered in my upper post. After multiple attempts to reproduce this result the detection rate always jumped to 283/475 but still underperforms most signature based classifiers. So I think there is still something not working correctly, as I have much better experiences with ML based classifiers.
Thanks for sharing some of your testing/evaluation feedback for the Linux Malware Protection feature. For confirmation, were you using this repo for the testing criteria? It looked to match based on the number of files you mentioned (475).
When reviewing these kinds of datasets, some of the samples that don't generate detections end up coming down to specific details around the individual files. For example, within that dataset it includes Android malware, we currently don't support Android on the Elastic Endpoint Security product so we have not put any focus in this area yet. Also, there is a big prevalence of packed files (UPX) within the dataset, which we are looking to release new improved endpoint capabilities in near future to specifically address packed samples like these. I didn't personally analyze these files, but a few look to be potentially non-malicious/benign as well (fd10b45ac68f4bdc804fb99eaf0124aa16e1b3a7a0672be4d4114d0e3d74d26c, 7c5c84eb86a72395bf75510d5a1a51553a025668d6477dbef86ad12da7bc6b8a). With that said, thanks for bringing these up as there is a good amount of samples that we will action and seek to further improve coverage around this feature.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.