🔥 The DB Grill 🔥

Where database blog posts get flame-broiled to perfection

Building effective threat hunting and detection rules in Elastic Security
Originally from elastic.co/blog/feed
August 21, 2025 • Roasted by Dr. Cornelius "By The Book" Fitzgerald

Oh, bravo. A truly remarkable piece of... prose. I must commend the author's enthusiasm for tackling such a complex problem as "threat hunting" using the digital equivalent of a child's toy chest. One simply dumps all the misshapen blocks of data in, shakes it vigorously, and hopes a castle comes out. It’s a fantastically flexible approach, I’ll grant you that.

It is positively pioneering to see such a courageous disregard for decades of established data management theory. The choice to build this entire edifice upon what is, charitably, a distributed document store is a masterstroke of pragmatism. Why bother with the tedious ceremony of normalization or the rigid structures of a relational model when you can simply have a delightfully denormalized, JSON-formatted free-for-all? Codd’s twelve rules? I suppose they’re more like Codd’s Twelve Suggestions to the modern practitioner. A quaint historical document, really.

And the "rules"! The sheer, unadulterated genius of it all. To craft what is essentially a sophisticated grep command and call it a "detection rule" is a testament to the industry's boundless creativity. It's a brilliant brute-force ballet.

"...effective threat hunting and detection rules in Elastic Security..."

One has to admire the audacity. Instead of designing a system with inherent integrity and verifiable consistency, the solution is to pour ever more computational power into sifting through the resulting chaos. Who needs a proper query planner when you have more CPUs? It’s a philosophy that truly captures the spirit of the age.

I was particularly taken with the implicit architectural decisions. It's a rather brave choice, I daresay, to so casually cast aside Consistency in favor of Availability and Partition Tolerance. The CAP theorem, it seems, has been solved not with careful trade-offs, but with a shrug and a cheerful acceptance of eventual consistency. “The threat might have happened, and the data might be there, and it might be correct eventually.” It’s a bold stance. One must wonder if the authors have ever encountered the concept of ACID properties, or if they simply found them too... well, acidic for their palate. The "Isolation" and "Consistency" guarantees are, after all, dreadful impediments to scalability.

It’s all so wonderfully innovative. It’s a shame, really. This entire class of problem, managing and querying vast datasets with integrity, was largely explored in the late 1980s. But I suppose nobody reads papers anymore. Clearly they've never read Stonebraker's seminal work on federated databases, or they would have realized they're simply re-implementing—and rather poorly, I might add—concepts we found wanting thirty years ago. My minor quibbles, to be sure, are just the pedantic ramblings of an old formalist:

Still, one mustn't stifle such creative spirit with tiresome formalism and a demand for theoretical rigor. Keep up the good work! I shall make a point of never reading your blog again, lest I be tempted to send you a reading list.

Cheerfully,

Dr. Cornelius "By The Book" Fitzgerald
Professor of Computer Science (and Keeper of the Relational Flame)