
Overview

The Elastic Agent is a host service that enables groups to send data to our Elastic stack, our Security Information and Event Management (SIEM), and enables the Security Operations team to secure and protect those hosts with the “Defend” integration. Defend enables Elastic to function as an EDR (Endpoint Detection and Response) for hosts. System and Information Integrity (SI-3) requires the use of software to safeguard devices; Elastic Defend is that software.

You can find the installation instructions here.

Supported Operating Systems and Processor Architectures

Elastic publishes a table that details supported operating systems. You can find that information here. The most relevant sections are the Elastic Agent and Elastic Defend tables. There are some limitations with supported devices.

Chief among those (at the time of this publication):

  • Elastic Agent is not supported on 32-bit operating systems.
  • Elastic Agent is not supported for Windows operating systems running on ARM processors.

Process Termination

Most of the time, Elastic will only create alerts, but sometimes there is enough reason for a process to be outright killed. The killing of a process should be extremely rare. Neither machines nor detection rules are perfect in their understanding of activity. If there is reason to believe that a killed process was actually benign/allowed activity and not malicious, exclusions and tuning can be done to prevent Elastic from impeding normal work practices.

Reaching out to security@tamu.edu will allow the security team to evaluate and tune/exclude activity. Please include information like the hostname, timeframe, process being killed, and alert name (if you see it from the notification).

Expected Binaries

A successful install of the Elastic Agent should end up (note: not right away) with several different binaries running on the host. Those binaries are:

  • elastic-agent.exe
  • elastic-endpoint.exe
  • agentbeat.exe (x4)
  • osquery-extension.exe
  • osqueryd.exe
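As an added check (not part of this page or of Elastic's own tooling), the following PowerShell script confirms that each binary listed above is running on a Windows host, using the instance counts from the list; the Windows service name 'Elastic Agent' is an assumption and should be confirmed on the host.

```powershell
# Added example: verify the expected Elastic Agent binaries are running.
# Process names are the binaries listed above without the .exe suffix;
# the counts are the minimum number of instances expected (agentbeat x4).
$ExpectedProcesses = @{
    'elastic-agent'     = 1
    'elastic-endpoint'  = 1
    'agentbeat'         = 4
    'osquery-extension' = 1
    'osqueryd'          = 1
}

function Test-ElasticAgentProcesses {
    param([hashtable]$Expected = $ExpectedProcesses)

    $problems = @()

    foreach ($name in $Expected.Keys) {
        # Get-Process matches on the image name without the .exe extension.
        $count = @(Get-Process -Name $name -ErrorAction SilentlyContinue).Count
        if ($count -lt $Expected[$name]) {
            $problems += ("{0}.exe: expected at least {1} instance(s), found {2}" -f
                          $name, $Expected[$name], $count)
        }
    }

    # Service name 'Elastic Agent' is an assumption; adjust if the host differs.
    $svc = Get-Service -Name 'Elastic Agent' -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $problems += "Service 'Elastic Agent' is not running"
    }

    if ($problems.Count -eq 0) {
        Write-Output "All expected Elastic Agent binaries are running."
    }
    else {
        Write-Output "Elastic Agent health check found issues:"
        $problems | ForEach-Object { Write-Output " - $_" }
    }

    # Return the list of problems so the caller can act on it (empty = healthy).
    return $problems
}

Test-ElasticAgentProcesses | Out-Null
```

Run it shortly after enrollment rather than immediately, since the page notes the binaries do not all appear right away.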

Appropriate Use

A host that has the Elastic Agent installed and is enrolled in a Defend-enabled agent policy will end up with Elastic Defend running on it. The agent policy determines which ‘namespace’ a host’s data goes to, which in turn dictates which space in Elastic can see the alerts and data. Elastic Defend will be universally installed on hosts that can accommodate it unless there is a CISO-approved exception.

Usage Model

Data Ingestion

Elastic includes many different integrations to collect, format, and send data to our SIEM. Ideally, a device whose data one wants to send to our SIEM will have the Elastic Agent installed. That device will have an agent policy with the specific desired data integrations. A particular integration can take in data, format it as Elastic Common Schema (ECS), and pass it along. You may review the list of integrations here: https://www.elastic.co/integrations/data-integrations

For more primitive data ingestion (or data sources that do not have a specific data integration), we can ingest that data by way of a TCP or UDP port on a Security Operations data collector. Data that is sent this way may not be formatted as ECS. This means that the data may not be parsed (may not be readily searchable with fields for particular pieces of data). It is possible to create a custom ingestion pipeline to parse the data, but without a consistent pattern in the data it may not be readily feasible to parse that data.

Security

Business Units at Texas A&M will be allocated their own space. This space will be configured such that it may only view data that is in a specific namespace. That includes Alerts, which are the results of Elastic Defend finding something it considers suspicious activity. Some alerts may include the fact that a program was killed, ideally to stop malware from continuing to execute.

Glossary

Words that are underlined (not links) refer to Elastic specific terminology. You can review the Elastic glossary and what the word may mean here:

Additional Information

Information technology professionals on campus may contact endpoint-security@tamu.edu to ask any questions, request additional information, or request access to the agent installers.