This article details how the Elastic InfoSec team, acting as "Customer Zero," optimized their endpoint data collection by leveraging Elastic Defend's event filtering and advanced policy settings. Operating in a remote-first, globally distributed environment with high developer activity, the team initially faced a massive volume of benign telemetry from management software and development tools. By implementing a systematic approach to identify noise, they were able to suppress non-essential events directly at the endpoint source.
Through the use of ES|QL queries to pinpoint high-volume processes and file paths, the team applied OS-specific filters and adjusted advanced settings, such as disabling legacy hash collection and enabling event aggregation. These optimizations resulted in a 75% reduction in event noise and an estimated storage saving of 100TB per month. This approach demonstrates how organizations can maintain a robust security posture while significantly reducing EDR costs and improving analyst efficiency by focusing on high-fidelity signals.
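The kind of ES|QL triage query the summary describes, as an added example (not code from the Elastic article): it ranks the busiest process executables and file-event sources per operating system, so that candidate endpoint event filters can be scoped to a specific OS, executable and file type rather than suppressed broadly. The `logs-endpoint.events.*` index pattern, the seven-day window and the ECS field names are assumptions about a standard Elastic Defend deployment.

```esql
// Added example, not from the original article. Run each query separately.
// Query 1: which executables generate the most endpoint events, per OS and
// per data stream (process, file, network, ...). The top rows are the
// usual suspects: management agents, build tools, IDE indexers.
FROM logs-endpoint.events.*
| WHERE @timestamp > NOW() - 7 days
| STATS events = COUNT(*) BY host.os.type, data_stream.dataset, process.executable
| SORT events DESC
| LIMIT 25

// Query 2: narrow the file stream to (OS, executable, file extension) so a
// filter can be written for exactly the benign churn (e.g. a package cache
// written by one tool) instead of dropping all file events for that process.
// Note: a filter candidate should be reviewed against the remaining rows for
// the same executable to confirm nothing security-relevant shares the pattern.
FROM logs-endpoint.events.file-*
| WHERE @timestamp > NOW() - 7 days
| STATS events = COUNT(*), hosts = COUNT_DISTINCT(host.id)
    BY host.os.type, process.executable, file.extension
| SORT events DESC
| LIMIT 25
```

Re-running the first query after a filter is deployed gives a direct before/after measure of the noise reduction the article reports, and the `hosts` column in the second query separates fleet-wide noise (worth an endpoint filter) from a single loud machine (worth a closer look).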