raw-migrated-files/docs-content/serverless/security-cases-open-manage.md
+1-1Lines changed: 1 addition & 1 deletion
@@ -58,7 +58,7 @@ To explore a case, click on its name. You can then:
58
58
59
59
::::
60
60
61
-
* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](../../../troubleshoot/security/indicators-of-compromise.md#review-indicator-in-case) attached to the case
61
+
* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case
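Review bot: The added bullet mixes two link styles: the indicators link is now root-relative (`/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case`), but the alerts link on the same line is still `../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts`. Consider converting the alerts link to `/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts` in the same change so the line does not need a second pass.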
The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of [threat indicators](../../../troubleshoot/security/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources.
9
+
The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of [threat indicators](/solutions/security/investigate/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources.
10
10
11
11
Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator.
12
12
@@ -40,7 +40,7 @@ There are a few scenarios when data won’t display in the Threat Intelligence v
40
40
::::
41
41
42
42
3. Select an {{agent}} integration, then complete the installation steps.
43
-
4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md#troubleshoot-indicators-page).
43
+
4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md).
44
44
45
45
46
46
## Add a {{filebeat}} Threat Intel module integration [ti-mod-integration]
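Review bot: In step 4 the replacement link drops the `#troubleshoot-indicators-page` anchor but keeps the relative form `../../../troubleshoot/security/indicators-of-compromise.md`, while the other links touched in this commit move to root-relative paths. Suggest `/troubleshoot/security/indicators-of-compromise.md` here so the link style is consistent and does not depend on this file's directory depth.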
The Indicators page collects data from enabled threat intelligence feeds and provides a centralized view of indicators, also known as indicators of compromise (IoCs). This topic helps you set up the Indicators page and explains how to work with IoCs.
19
10
20
11
::::{admonition} Requirements
21
-
* The Indicators page is an [Enterprise subscription](https://www.elastic.co/pricing) feature.
12
+
* In {{stack}} 9.0.0+, the Indicators page is an [Enterprise subscription](https://www.elastic.co/pricing) feature.
13
+
* In serverless, the Indicators page requires the Security Analytics Complete [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md)
22
14
* You must have *one* of the following installed on the hosts you want to monitor:
23
15
24
16
***{{agent}}** - Install a [{{fleet}}-managed {{agent}}](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html) and ensure the agent’s status is `Healthy`. Refer to [{{fleet}} Troubleshooting](/troubleshoot/ingest/fleet/common-problems.md) if it isn’t.
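Review bot: The added serverless requirement ("In serverless, the Indicators page requires the Security Analytics Complete [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md)") has no terminal period, unlike the {{stack}} 9.0.0+ bullet directly above it. Add the period so the two requirement bullets read as a matched pair.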
@@ -56,26 +48,9 @@ Install a threat intelligence integration to add indicators to the Indicators pa
56
48
4. Return to the Indicators page in {{elastic-sec}}. Refresh the page if indicator data isn’t displaying.
If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration:
62
-
63
-
* Verify that the index storing indicator documents is included in the [default {{elastic-sec}} indices](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices) (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you’re collecting indicator data:
64
-
65
-
***{{agent}} integrations** - `logs_ti*`
66
-
***{{filebeat}} integrations** - `filebeat-*`
67
-
68
-
* Ensure the indicator data you’re ingesting is mapped to [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current).
69
-
70
-
::::{note}
71
-
These troubleshooting steps also apply to the [Threat Intelligence view](/solutions/security/get-started/enable-threat-intelligence-integrations.md).
72
-
::::
73
-
74
-
75
-
76
51
## Indicators page UI [intelligence-page-ui]
77
52
78
-
After you add indicators to the Indicators page, you can [examine](/troubleshoot/security/indicators-of-compromise.md#examine-indicator-details), search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend.
53
+
After you add indicators to the Indicators page, you can [examine](#examine-indicator-details), search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend.
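Review bot: With the troubleshooting block removed, step 4 ("Refresh the page if indicator data isn’t displaying.") no longer points the reader anywhere if a refresh does not help, and the removed `::::{note}` was what tied these steps to the Threat Intelligence view. Suggest adding a link to the troubleshooting page in step 4, matching the wording the Threat Intelligence page uses ("refresh the page or refer to these [troubleshooting steps](...)"), so readers can still reach the `securitySolution:defaultIndex` and ECS mapping checks.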
solutions/security/investigate/open-manage-cases.md
+1-1Lines changed: 1 addition & 1 deletion
@@ -115,7 +115,7 @@ To explore a case, click on its name. You can then:
115
115
Comments can contain Markdown. For syntax help, click the Markdown icon () in the bottom right of the comment.
116
116
::::
117
117
118
-
* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/troubleshoot/security/indicators-of-compromise.md#review-indicator-in-case) attached to the case
118
+
* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case
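Review bot: The alerts link in the changed bullet points at the file being edited (`/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts`). The same commit shortens a same-page link to a bare anchor in the indicators page (`[examine](#examine-indicator-details)`); consider `[alerts](#cases-examine-alerts)` here for the same reason, so the link survives if this file is moved again.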
# Troubleshoot indicators of compromise [troubleshoot-indicators-page]
10
10
11
-
% Scope notes: Pull out the troubleshooting section into its own topic, and leave the rest of the content in its current place
11
+
If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration:
12
12
13
-
% Use migrated content from existing pages that map to this page:
13
+
* Verify that the index storing indicator documents is included in the [default {{elastic-sec}} indices](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices) (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you’re collecting indicator data: