Built something new to showcase what's possible with @elastic's Workflow and Agent Builder capabilities in 9.4.
Lurelit - an agentic screenshot analyzer for phishing and smishing attempts. Entirely powered by an Elastic workflow, end-to-end.
Upload a screenshot of a suspicious message. The workflow handles the rest:
AI vision analysis extracts IOCs and classifies the threat
VirusTotal and https://t.co/yOB3RwOskF enrich every URL and domain
Automated ES|QL hunting across your Elastic environment
Human-in-the-loop gates before proceeding with hunts
Token consumption tracking with per-model cost breakdowns
It demonstrates Workflows GA, Agent Builder's new skills framework, the connector framework, the consumption API, and human-in-the-loop steps with conditional triggers.
The workflow is 700+ lines of configuration. I didn't write a single line. The natural language workflow authoring skill built the entire thing.
Code, docs, bootstrapping UI, and sample data included.
https://t.co/ZnpV9ZKFjM | https://t.co/xmdVMnH9ha
Agent Builder in Elastic 9.4 cuts token costs by up to 40%.
Not by truncating context, but by enabling agents to manage it independently.
Four mechanisms do the work:
• Dynamic skill loading: instructions load only when needed, not all at once
• Conversation context store: large result sets stay out of the prompt until required
• Selective compaction: long conversations compress without losing what matters
• OAuth connectors: query Google Drive, Salesforce, Slack without copying data
In internal testing, dynamic skills alone cut input token usage by 21 to 39%.
Top snippets retrieval added another 27 to 34% reduction.
Context window stays stable past 30 turns.
Without this, it balloons to max size by turn twelve.
Elastic 9.4 is now available, bringing new advancements across the Elasticsearch Platform.
Key new features:
• Elastic Workflows GA, scripted automation and agentic reasoning enable AI agents to act on their findings
• Elastic Agent Builder enhancements optimize context, transforming agents from open-ended prompts into controlled, action-driven systems
• Native Prometheus and PromQL support, with significant TSDB efficiency improvements, position Elastic Observability as a compelling alternative to competing metrics solutions and enable a single platform across logs, metrics, and traces
Transform data into answers, actions, and outcomes.
Learn more: https://t.co/ja8HiIOrFY
@HackingDave I honestly hate that Cursor took away the usage indicator below the agent window. Now the only way I find out is when the Amex notifications start blowing my phone up 🥹🥹🥹
We have identified a novel social engineering campaign abusing Obsidian, the popular note-taking app, to deliver a previously undocumented RAT #PHANTOMPULSE and its loader #PHANTOMPULL targeting individuals in finance and crypto.
The attack never exploits a vulnerability. It abuses Obsidian's own plugin ecosystem to execute code the moment a victim opens a shared vault.
Full analysis: https://t.co/y7sGjClCKc
We open-sourced the tool used to detect the Axios supply chain compromise! I built it Friday after a red-eye home from RSAC. Also wrote up the full story, including the hectic moments after that first critical alert.
https://t.co/HAm8eMr8vO
‼️ Meet the guy almost everyone loves for alerting the axios devs about the supply chain attack.
He built a supply chain monitoring system last week, and was alerted within minutes of the axios compromise.
The world should be thanking Elastic Security's finest:
Joe @dez_
ElasticSecurityLabs detects the Axios npm supply chain attack across Linux, Windows & macOS.
Our behavioral detections caught it without relying on static indicators.
Full malware analysis dropping soon: https://t.co/RLFNCpS6AG
Elastic Cloud Hosted on AWS GovCloud (US) achieves FedRAMP® High authorization, continuing our team’s longstanding commitment to the highest levels of security and efficiency for sensitive government data.
https://t.co/FObcNQRwD3
@ReEnElec @elasticseclabs It’s just an example to show additional evidence collection by an agent once something is detected. Very common practice to back up a finding with known intel.
APT confirmation used to take hours. Now it takes 4 minutes.
Attack Discovery correlates alerts into a single narrative.
A workflow triggers the agent.
The agent:
• Looks up the hash on VirusTotal
• Runs ES|QL queries across your logs
• Finds the on-call analyst
• Creates a case
• Opens a Slack incident channel
All before you read the threat intel report.
Step right up! 📢 We’re serving up a Windows kernel exploit that never goes stale. 🍿 Forget patches, this forever-day is popping off and it's here to stay. Grab a bucket and watch the show! https://t.co/E3zbarcY7L
@dipl3_ @Flangvik @EmericNasi @ShitSecure @_JohnHammond @domchell That’s right. What was previously Endgame is now part of Elastic Security, has been for a few years now. I had started a series a while back showing some of its capabilities here, in case you wanted to take a peek - https://t.co/91ZFYUh7ic