
Elastic Security v9.4: Implementing Entity Analytics Watchlists for Proactive Defense

Security Arsenal Team
May 5, 2026
5 min read

In high-stakes SOC environments, the gap between "knowing" a threat and "detecting" it is often where breaches occur. Security analysts frequently maintain mental or ad-hoc lists of high-risk indicators—suspicious IPs, specific process names observed in previous incidents, or domains associated with active threat actors. The operational friction of converting this intelligence into reliable detection rules often leaves this critical context unused.

Elastic Security v9.4 addresses this defensive gap with Entity Analytics Watchlists. This feature allows your team to codify what you already know about high-risk entities and feed that context directly into the risk scoring engine. This is not just a list management tool; it is a force multiplier for risk-based alerting, allowing defenders to prioritize responses based on aggregated intelligence without the overhead of writing custom detection pipelines for every single observable.

Technical Analysis

Affected Products and Versions

  • Product: Elastic Security (Endpoint and Cloud)
  • Version: 9.4 and later
  • Platform: Supports cross-platform telemetry ingestion (Windows, Linux, macOS, Network)

Feature Mechanics: How It Works

The Entity Analytics engine in Elastic functions by assigning a dynamic "Risk Score" to entities (specifically Users and Hosts) based on observed behaviors. Prior to v9.4, increasing this risk score required writing specific detection rules or queries.

With the introduction of Watchlists:

  1. Ingestion: Defenders can import static lists of values (CSV, NDJSON, or inline text) corresponding to specific entity types.
  2. Entity Types Supported:
    • IP: IPv4 and IPv6 addresses (network connections).
    • Domain: DNS domains and hostnames.
    • Email: Email addresses (user context).
    • Process: Process names, hashes, or arguments.
    • Windows Registry: Registry key paths and values.
  3. Risk Scoring Logic: When the Security solution observes an event involving an entity that exists in a Watchlist, the engine automatically increments the risk score of the associated Host or User.
  4. Alerting: If the aggregated risk score exceeds a defined threshold, the Elastic Security UI generates a "Risk Alert." This consolidates multiple low-fidelity observations (e.g., a host hits 5 different IPs on a blocklist) into a single, high-priority investigative lead.

Defensive Value

This shifts the defensive posture from signature-based alerting to context-based risk aggregation. Instead of an alert for every single connection to a malicious IP, a host accumulates "risk points," alerting the analyst only when the cumulative activity warrants investigation. This significantly reduces alert fatigue while improving the signal-to-noise ratio for active compromise hunting.

Detection & Response

Executive Takeaways

As this release is a defensive capability enhancement rather than a specific CVE or malware threat, the following are strategic recommendations for integrating Entity Analytics Watchlists into your SOC operations:

  1. Codify Institutional Knowledge Immediately: Conduct an audit of your recent Incident Response (IR) cases. Extract the indicators unique to those breaches (process hashes, C2 domains, distinctive user agents) and create persistent Watchlists from them. This prevents "repeat" compromises by ensuring that artifacts from a resolved incident automatically flag future risk.

  2. Implement Threat Intelligence Feeds: Move beyond manual entry. Automate the ingestion of your Threat Intelligence Platform (TIP) feeds into Elastic Watchlists. High-confidence indicators (e.g., C2 infrastructure from active ransomware operations) should be populated into watchlists daily, ensuring your risk engine is automatically aware of the shifting threat landscape without manual rule authoring.

  3. Distinguish Between "Block" and "Watch": Not all Watchlist entries require immediate prevention. Use Watchlists for "detection-only" scenarios, such as monitoring specific Tor exit nodes or legitimate binaries commonly abused in post-exploitation, to track potential risk without disrupting endpoint operations.

  4. Tune Risk Thresholds Aggressively: The introduction of Watchlists will inflate risk scores across your environment. Review your alerting thresholds in the Entity Analytics rules. You may need to raise the threshold for a "Critical" alert to avoid being overwhelmed by hosts that simply match a broad Watchlist (e.g., a generic GeoIP blocklist).

  5. Leverage for Retroactive Hunting: When a new threat actor TTP is identified, create a Watchlist and immediately query the Elastic Timeline. Use the "Risk" facet to filter for Hosts or Users that would have triggered a risk score had that Watchlist been active. This turns Watchlists into a powerful back-testing tool for compromise assessment.
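The following is an added example, not Elastic's code and not a use of any Elastic API. It is a simplified model of the scoring behaviour described under "Feature Mechanics" (a watchlist match adds risk points to the observing host; one consolidated alert fires when the cumulative score crosses a threshold) and of takeaways 4 and 5 (the same aggregation run with different thresholds, or run over historical events against a newly created watchlist as a back-test). The point values, event field names, watchlist contents and sample telemetry are all constructed for illustration.

```python
"""
Simplified model of watchlist-driven risk aggregation (added example;
not Elastic's implementation). Point weights, field names and sample
events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed watchlists keyed by entity type. TEST-NET IP ranges and
# RFC 2606 example domains; the hash is a placeholder SHA-256.
WATCHLISTS = {
    "ip": {"203.0.113.10", "203.0.113.11", "203.0.113.12",
           "198.51.100.7", "198.51.100.8"},
    "domain": {"bad.example", "c2.example"},
    "process_hash": {"a" * 64},
}

# Assumed risk points per entity type (not Elastic's default weighting).
POINTS = {"ip": 10, "domain": 25, "process_hash": 60}

# Constructed mapping from entity type to the event field that carries it
# (names loosely follow ECS conventions).
FIELDS = {
    "ip": "destination.ip",
    "domain": "dns.question.name",
    "process_hash": "process.hash.sha256",
}


@dataclass
class HostRisk:
    score: int = 0
    observations: list = field(default_factory=list)


def score_events(events, watchlists=WATCHLISTS, points=POINTS):
    """Aggregate every watchlist match into {host: HostRisk}."""
    risk = defaultdict(HostRisk)
    for ev in events:
        host = ev["host.name"]
        for etype, fld in FIELDS.items():
            value = ev.get(fld)
            if value is not None and value.lower() in watchlists.get(etype, set()):
                risk[host].score += points[etype]
                risk[host].observations.append((etype, value))
    return dict(risk)


def risk_alerts(risk, threshold):
    """One consolidated alert per host whose cumulative score meets the threshold."""
    return {
        host: {"score": hr.score, "matches": len(hr.observations)}
        for host, hr in risk.items()
        if hr.score >= threshold
    }


def backtest(events, new_watchlist, threshold):
    """Hosts that would have alerted had `new_watchlist` been active (takeaway 5)."""
    return sorted(risk_alerts(score_events(events, new_watchlist), threshold))


# Constructed telemetry: ws-17 touches five blocklisted IPs and one C2 domain
# (each low-fidelity alone), ws-42 runs one watchlisted binary, ws-09 is clean.
SAMPLE_EVENTS = [
    {"host.name": "ws-17", "destination.ip": "203.0.113.10"},
    {"host.name": "ws-17", "destination.ip": "203.0.113.11"},
    {"host.name": "ws-17", "destination.ip": "203.0.113.12"},
    {"host.name": "ws-17", "destination.ip": "198.51.100.7"},
    {"host.name": "ws-17", "destination.ip": "198.51.100.8"},
    {"host.name": "ws-17", "dns.question.name": "c2.example"},
    {"host.name": "ws-42", "process.hash.sha256": "a" * 64},
    {"host.name": "ws-09", "destination.ip": "192.0.2.5"},
]

if __name__ == "__main__":
    risk = score_events(SAMPLE_EVENTS)
    for threshold in (50, 70):
        print(f"threshold={threshold}: {risk_alerts(risk, threshold)}")
    print("back-test, hash list only:", backtest(SAMPLE_EVENTS, {"process_hash": {"a" * 64}}, 50))
```

With the constructed weights, ws-17 accumulates 75 points from six observations that would each be noise on their own, and ws-42 reaches 60 from a single high-weight match. At a threshold of 50 both hosts produce one alert each; raising it to 70, as takeaway 4 suggests for environments with broad IP lists, leaves only ws-17. The `backtest` call shows the retroactive use: the same events scored against a hash-only list surface ws-42 alone.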

Remediation

Implementation and Configuration Steps:

  1. Upgrade: Ensure your Elastic Stack (Elasticsearch and Kibana) and Elastic Agent fleet are upgraded to version 9.4.0 or higher.
  2. Navigate: In Kibana, go to Security > Entity Analytics > Watchlists.
  3. Create Watchlist:
    • Click "Create watchlist".
    • Define the Name (e.g., C2_Infrastructure_May2024).
    • Select the Entity Type (e.g., ip, domain, process_hash).
  4. Import Data:
    • Paste your values directly or upload a file (CSV/NDJSON).
    • Ensure values match the selected entity type strictly (e.g., IPs must be in dot-decimal notation).
  5. Define Risk Rules:
    • Go to Rules > Host Risk Rules (or User Risk Rules).
    • Ensure the rule "Host risk score increased" is active. This rule triggers the alert when the Watchlist match contributes to the score.
  6. Validation:
    • Simulate an observation (e.g., curl to an IP in your watchlist) from an endpoint.
    • Verify that the Risk Score for that Host increases in the Hosts view and an alert is generated if the threshold is met.
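Step 4 above requires that every value strictly matches the selected entity type, and takeaway 2 recommends feeding threat-intelligence exports in automatically. The script below is an added example of a pre-import validator for that purpose; it is not Elastic's tooling. It normalises common feed quirks (defanged dots, mixed case, trailing dots), rejects anything that is not a bare value of the chosen type (CIDR ranges, host:port pairs, malformed hashes), deduplicates, and emits NDJSON. The one-object-per-line `{"value": ...}` schema is an assumption for illustration; confirm the schema your import dialog expects before using the output. The sample feed is constructed from TEST-NET and documentation addresses.

```python
"""
Pre-import validator for watchlist values (added example, not Elastic's
tooling). Output schema {"value": ...} per NDJSON line is an assumption.
"""
import ipaddress
import json
import re

# Dotted names with an alphabetic top-level label; single-label hostnames
# are rejected on purpose and would need a relaxed pattern.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize(entity_type, raw):
    """Return the canonical form of `raw` for `entity_type`, or None if invalid."""
    value = raw.strip()
    if entity_type == "ip":
        # Undo defanging often used in TI feeds ("203[.]0[.]113[.]9").
        value = value.replace("[.]", ".").replace("[:]", ":")
        try:
            # ip_address() accepts IPv4/IPv6 only; CIDR, ports and junk raise.
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if entity_type == "domain":
        value = value.replace("[.]", ".").lower().rstrip(".")
        return value if _DOMAIN_RE.match(value) else None
    if entity_type == "email":
        value = value.lower()
        return value if _EMAIL_RE.match(value) else None
    if entity_type == "process_hash":
        value = value.lower()
        if re.fullmatch(r"[0-9a-f]+", value) and len(value) in _HASH_LENGTHS:
            return value
        return None
    raise ValueError(f"unsupported entity type: {entity_type}")


def build_watchlist(entity_type, lines):
    """Split feed lines into (accepted NDJSON lines, rejected raw values), deduplicated."""
    accepted, rejected, seen = [], [], set()
    for raw in lines:
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or feed comment
        value = normalize(entity_type, stripped)
        if value is None:
            rejected.append(stripped)
        elif value not in seen:
            seen.add(value)
            accepted.append(json.dumps({"value": value}))
    return accepted, rejected


# Constructed feed: valid entries, a defanged entry, a duplicate, and three
# rows that must be rejected because they are not bare IP addresses.
SAMPLE_IP_FEED = """\
# constructed feed, TEST-NET addresses
203.0.113.9
203[.]0[.]113[.]10
2001:db8::1
203.0.113.9
203.0.113.0/24
198.51.100.7:443
not-an-ip
""".splitlines()

if __name__ == "__main__":
    accepted, rejected = build_watchlist("ip", SAMPLE_IP_FEED)
    print("\n".join(accepted))            # paste or upload this as NDJSON
    print("rejected for review:", rejected)
```

Run it against each feed before the upload in step 4; review the rejected list rather than silently dropping it, since a CIDR range or a host:port pair usually signals that the indicator belongs in a different entity type or needs expanding, and an empty accepted list is a sign the wrong entity type was selected.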

