100+ Servers | 3 Platforms | EDR: Elastic Defend | Real-time Monitoring

Overview

Deployed Elastic Fleet with Elastic Defend agents across 100+ cross-platform servers at PostEx. This layer provides EDR capabilities (Endpoint Detection and Response), centralized endpoint security policy management, and Elastic SIEM detection rules — complementing the Splunk Enterprise SIEM and Wazuh deployments with deep endpoint telemetry.

Architecture

Elastic Fleet Server (Management Plane)
    |
    v
Elastic Agent + Elastic Defend (100+ servers)
    Windows Server (Windows Workstations, DCs)
    Linux (Ubuntu, CentOS, RHEL servers)
    macOS (Admin workstations)
    |
    v
Elasticsearch Cluster (3-node, hot-warm-cold)
    |
    v
Kibana (Elastic SIEM + Fleet UI)
    |- Security > Alerts (detection rules)
    |- Security > Timelines (investigation)
    |- Fleet > Agents (policy management)
    |- Dashboards (custom security views)

Elastic Fleet: Deployment Details

Agent Policy Configuration

# Elastic Defend policy settings
protection_level: prevent  # Block malicious activity
malware_detection: enabled  # On-access + on-write scan
memory_protection: enabled  # Prevent process injection
behavioral_protection: enabled  # Anomaly-based detection
ransomware_protection: enabled  # Canary file approach

# Integration: Windows Event Logs
# 4624/4625 logon success/failure, 4648 explicit-credential logon, 4672 special privileges,
# 4688 process creation, 4698/4702 scheduled task created/updated
channel: Security
event_ids: [4624, 4625, 4648, 4672, 4688, 4698, 4702]
# 7045 (new service installed) is written by the Service Control Manager to the System log
channel: System
event_ids: [7045]

# Integration: Linux auditd
audit_rules:
  - "-w /etc/passwd -p wa -k user-modify"
  - "-w /etc/sudoers -p wa -k sudoers-modify"
  - "-a always,exit -F arch=b64 -S execve"

Endpoint Security Coverage

  • Malware Prevention: On-access + on-write scanning with machine learning-based detection. Blocks known malware and suspicious file writes in real time.
  • Memory Protection: Detects process injection, reflective DLL loading, and shellcode execution via memory anomaly analysis.
  • Ransomware Protection: Canary file-based detection triggers immediate blocking of encryption processes before significant data loss.
  • Behavioral Detection: Elastic's ML-based anomaly detection flags behavioral outliers without relying solely on signatures.
  • Credential Protection: EQL rule blocks LSASS memory access from non-system processes (T1003.001).

Elastic EQL Detection Rules

LSASS Access Detection (T1003.001)

/* Elastic EQL - Credential Dumping via LSASS (T1003.001) */
/* Fires on a process-start event for lsass.exe whose parent is not one of the
   expected system processes. Severity and ATT&CK technique belong in the
   detection rule's metadata (severity: critical, threat: T1003.001); EQL has
   no "eval" pipe, so they are not set inside the query. */
process where event.action == "start" and
  process.name : "lsass.exe" and
  not process.parent.name in ("wininit.exe", "svchost.exe", "services.exe")

Lateral Movement via RDP (T1021.001)

/* Elastic EQL - RDP Lateral Movement (T1021.001) */
/* Same host (winlog.computer_name): an explicit-credential logon (4648) against a
   remote target, followed within 5 minutes by an mstsc.exe process start. */
sequence by winlog.computer_name with maxspan=5m
  [authentication where event.code == "4648" and
   winlog.event_data.TargetServerName != "localhost"]
  [process where event.type == "start" and process.name : "mstsc.exe"]
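To show what the sequence rule above actually correlates, here is an added example (not code from the PostEx deployment or from Elastic) that replays a simplified model of EQL "sequence by ... with maxspan" in Python over constructed ECS-style events. The event field names follow the rule; the stricter EQL semantics for overlapping partial sequences are not modelled.

```python
from datetime import datetime, timedelta

def eql_sequence(events, stages, by, maxspan):
    """Simplified replay of EQL 'sequence by <by> with maxspan=<maxspan>'.
    stages: ordered predicates, one per [ ... ] block of the rule. A match is
    reported when every stage fires in order for the same `by` value, all within
    maxspan of the first event. A fresh first-stage event restarts the chain for
    that key; a chain older than maxspan is dropped (simplification of real EQL)."""
    pending, matches = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key, ts = ev.get(by), ev["@timestamp"]
        chain = pending.get(key, [])
        if chain and ts - chain[0]["@timestamp"] > maxspan:
            chain = []                        # partial sequence expired
        if stages[len(chain)](ev):
            chain = chain + [ev]              # advance to the next stage
        elif stages[0](ev):
            chain = [ev]                      # restart from a new first-stage event
        if len(chain) == len(stages):
            matches.append(chain)
            pending.pop(key, None)
        else:
            pending[key] = chain
    return matches

def explicit_logon_remote(ev):                # [authentication where event.code == "4648" ...]
    return (ev.get("event.category") == "authentication" and ev.get("event.code") == "4648"
            and ev.get("winlog.event_data.TargetServerName", "").lower() != "localhost")

def mstsc_start(ev):                          # [process where ... process.name : "mstsc.exe"]
    return (ev.get("event.category") == "process" and ev.get("event.type") == "start"
            and ev.get("process.name", "").lower() == "mstsc.exe")

def rdp_lateral_movement(events):
    return eql_sequence(events, [explicit_logon_remote, mstsc_start],
                        by="winlog.computer_name", maxspan=timedelta(minutes=5))

# Constructed sample telemetry: WS01 matches; WS02's logon targets localhost so stage 1
# never fires; WS03's mstsc.exe starts 10 minutes later, outside the 5-minute maxspan.
T0 = datetime(2024, 1, 1, 9, 0, 0)
def _auth(host, t, target):
    return {"@timestamp": t, "winlog.computer_name": host, "event.category": "authentication",
            "event.code": "4648", "winlog.event_data.TargetServerName": target}
def _proc(host, t, name):
    return {"@timestamp": t, "winlog.computer_name": host, "event.category": "process",
            "event.type": "start", "process.name": name}
SAMPLE_EVENTS = [
    _auth("WS01", T0, "FS01"),      _proc("WS01", T0 + timedelta(minutes=2), "mstsc.exe"),
    _auth("WS02", T0, "localhost"), _proc("WS02", T0 + timedelta(minutes=1), "mstsc.exe"),
    _auth("WS03", T0, "DC01"),      _proc("WS03", T0 + timedelta(minutes=10), "mstsc.exe"),
]
```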

Centralized Monitoring Results

  • 100+ cross-platform servers (Windows Server, Linux, macOS) under unified Elastic Fleet policy management
  • Single Kibana console for all agent status, policy deployment, and alert investigation
  • Full EDR telemetry: process tree, network connections, file system events, registry changes
  • Elastic ML anomaly detection running continuously against endpoint behavioral baselines
  • Custom Elastic SIEM detection rules covering 8 MITRE ATT&CK tactics

MITRE ATT&CK Coverage

Tactic            | Technique                    | Detection Method
Execution         | T1059.001 PowerShell         | Script block logging via Elastic Agent
Defense Evasion   | T1055 Process Injection      | Elastic Defend memory protection
Credential Access | T1003.001 LSASS Dump         | EQL rule + Elastic Defend block
Persistence       | T1547 Boot Autostart         | Registry monitoring via auditd/Winlogbeat
Lateral Movement  | T1021.001 RDP                | EQL sequence correlation
Exfiltration      | T1048 Alt Protocol           | Network anomaly detection (ML)