DEV Community

Mark0
Know who to watch before the incident finds you

Elastic Security v9.4 introduces Entity Analytics Watchlists, a feature designed to bridge the gap between organizational knowledge and SIEM risk scoring. By allowing security teams to create weighted lists of users, hosts, and services, the platform can prioritize entities based on specific context—such as departing employees or privileged admins—without requiring complex ES|QL or pipeline configurations.

This capability enhances traditional UEBA by injecting custom correlation factors directly into the risk engine. When a watchlisted entity triggers an alert, its risk score is automatically compounded with factors like asset criticality and behavioral anomalies. This streamlines the investigation process, surfacing high-risk threats more accurately and reducing the engineering overhead typically associated with custom risk modeling.
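The scoring described above can be illustrated with a small model. The code below is an added example, not Elastic's risk engine or any part of the v9.4 feature; the formula (base severity times watchlist weight times asset criticality, with a bonus for anomalous behaviour, capped at 100) and the CSV watchlist shape are assumptions chosen to show how a weighted list of entities changes which alerts surface first. All entity names, weights and alerts are constructed.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed watchlist in the shape a security team might maintain:
# one entity per row with a weight and the organizational reason for it.
WATCHLIST_CSV = """entity,weight,reason
user:jdoe,2.0,departing employee
host:db-prod-01,1.5,privileged admin jump host
"""

# Constructed asset-criticality table (hypothetical multipliers).
ASSET_CRITICALITY = {"host:db-prod-01": 1.5, "host:laptop-42": 1.0}

# Hypothetical multiplier applied when the alert was flagged as a behavioral anomaly.
ANOMALY_BONUS = 1.25


def load_watchlist(text):
    """Parse watchlist CSV into {entity: weight}, rejecting malformed or non-positive weights."""
    watchlist = {}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            weight = float(row["weight"])
        except (KeyError, TypeError, ValueError):
            raise ValueError(f"bad weight for entity {row.get('entity')!r}")
        if weight <= 0:
            raise ValueError(f"weight must be positive for {row['entity']!r}")
        watchlist[row["entity"].strip()] = weight
    return watchlist


@dataclass
class Alert:
    entity: str        # e.g. "user:jdoe" or "host:db-prod-01"
    severity: int      # base severity from the detection rule, 0-100
    anomalous: bool = False


def score_alert(alert, watchlist, criticality=ASSET_CRITICALITY):
    """Toy compounding: severity x watchlist weight x asset criticality x anomaly bonus, capped at 100."""
    score = float(alert.severity)
    score *= watchlist.get(alert.entity, 1.0)      # unlisted entities keep weight 1.0
    score *= criticality.get(alert.entity, 1.0)    # unknown assets keep criticality 1.0
    if alert.anomalous:
        score *= ANOMALY_BONUS
    return min(score, 100.0)


def rank_entities(alerts, watchlist, criticality=ASSET_CRITICALITY):
    """Sum compounded alert scores per entity (capped at 100) and rank highest first."""
    totals = defaultdict(float)
    for alert in alerts:
        totals[alert.entity] += score_alert(alert, watchlist, criticality)
    ranked = [(entity, min(total, 100.0)) for entity, total in totals.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    wl = load_watchlist(WATCHLIST_CSV)
    sample = [
        Alert("host:laptop-42", 50),                    # highest raw severity, unlisted
        Alert("user:jdoe", 40),                         # watchlisted departing employee
        Alert("host:db-prod-01", 30, anomalous=True),   # watchlisted, critical, anomalous
    ]
    for entity, score in rank_entities(sample, wl):
        print(f"{entity:18} {score:6.2f}")
```

Note how the unlisted laptop, despite carrying the highest raw severity, drops to the bottom once watchlist weight and asset criticality are applied; that reordering is the point of maintaining the list.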
