Cloud security integrations 9.1 (#2318)

benironside · mdbirnstiehl · web-flow · commit ea041dc0c116 · 2025-07-30T21:13:27.000Z
Fixes #2090 , fixes #2091 , fixes #2092 by documenting several new integrations. Decided to do these in one PR since they have similar structure and are in the same section. --------- Co-authored-by: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com>
diff --git a/solutions/security/cloud/ingest-aws-security-hub-data.md b/solutions/security/cloud/ingest-aws-security-hub-data.md
@@ -11,9 +11,13 @@ products:
   - id: cloud-serverless
 ---
 
-# Ingest AWS Security Hub data
+# AWS Security Hub
+This page explains how to make data from the AWS Security Hub integration appear in the following places within {{elastic-sec}}:
 
-In order to enrich your {{elastic-sec}} workflows with third-party cloud security posture data collected by AWS Security Hub:
+- **Findings page**: Data appears on the [Misconfigurations](/solutions/security/cloud/findings-page.md) tab.
+- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section).
+
+In order for AWS Security Hub data to appear in these workflows:
 
 * Follow the steps to [set up the AWS Security Hub integration](https://docs.elastic.co/en/integrations/aws/securityhub).
 * Make sure the integration version is at least 2.31.1.
@@ -24,7 +28,6 @@ In order to enrich your {{elastic-sec}} workflows with third-party cloud securit
 :alt: AWS Security Hub integration settings showing the findings toggle
 :::
 
-After you’ve completed these steps, AWS Security Hub data will appear on the Misconfigurations tab of the [Findings](/solutions/security/cloud/findings-page.md) page.
-
-Any available findings data will also appear in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) for related alerts. If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout).
-
+::::{note}
+You can ingest data from the AWS Security Hub integration for other purposes without following these steps.
+::::
diff --git a/solutions/security/cloud/ingest-cncf-falco-data.md b/solutions/security/cloud/ingest-cncf-falco-data.md
@@ -11,7 +11,7 @@ products:
   - id: cloud-serverless
 ---
 
-# Ingest CNCF Falco data
+# CNCF Falco
 
 CNCF Falco is an open-source runtime security tool that detects anomalous activity in Linux hosts, containers, Kubernetes, and cloud environments. You can ingest Falco alerts into {{es}} to view them on {{elastic-sec}}'s Alerts page and incorporate them into your security workflows by using Falcosidekick, a proxy forwarder which can send alerts from your Falco deployments to {{es}}.
 
diff --git a/solutions/security/cloud/ingest-third-party-cloud-security-data.md b/solutions/security/cloud/ingest-third-party-cloud-security-data.md
@@ -29,5 +29,10 @@ You can ingest third-party cloud security alerts into {{elastic-sec}} to view th
 
 You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](/solutions/security/cloud/findings-page.md) page, on the [Cloud Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md), and in the [entity details](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout) and [alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) flyouts.
 
-* Learn to [ingest cloud security posture data from AWS Security Hub](/solutions/security/cloud/ingest-aws-security-hub-data.md).
-* Learn to [ingest cloud security posture and vulnerability data from Wiz](/solutions/security/cloud/ingest-wiz-data.md).
+Data from each of the following integrations can feed into at least some of these workflows:
+
+* [AWS Security Hub](/solutions/security/cloud/ingest-aws-security-hub-data.md).
+* [Wiz](/solutions/security/cloud/ingest-wiz-data.md).
+* [Rapid7 InsightVM](/solutions/security/cloud/integration-rapid7.md).
+* [Tenable VM](/solutions/security/cloud/integration-tenablevm.md).
+* [Qualys VMDR](/solutions/security/cloud/integration-qualys.md).
diff --git a/solutions/security/cloud/ingest-wiz-data.md b/solutions/security/cloud/ingest-wiz-data.md
@@ -11,9 +11,15 @@ products:
   - id: cloud-serverless
 ---
 
-# Ingest Wiz data
+# Wiz
 
-In order to enrich your {{elastic-sec}} workflows with third-party cloud security posture and vulnerability data collected by Wiz:
+This page explains how to make data from the Wiz integration appear in the following places within {{elastic-sec}}:
+
+- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab and the [Misconfiguations](/solutions/security/cloud/findings-page.md) tab.
+- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section).
+
+
+In order for Wiz data to appear in these workflows:
 
 * Follow the steps to [set up the Wiz integration](https://docs.elastic.co/en/integrations/wiz).
 * Make sure the integration version is at least 2.0.1.
@@ -28,10 +34,8 @@ In order to enrich your {{elastic-sec}} workflows with third-party cloud securit
 :alt: Wiz integration settings showing the vulnerabilities toggle
 :::
 
-After you’ve completed these steps, Wiz data will appear on the [Misconfiguations](/solutions/security/cloud/findings-page.md) and [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tabs of the Findings page.
+Your Wiz data should now appear throughout {{elastic-sec}}.
 
 :::{image} /solutions/images/security-wiz-findings.png
 :alt: Wiz data on the Findings page
 :::
-
-Any available findings data will also appear in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) for related alerts. If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout).
diff --git a/solutions/security/cloud/integration-qualys.md b/solutions/security/cloud/integration-qualys.md
@@ -0,0 +1,32 @@
+---
+applies_to:
+  stack: all 
+  serverless:
+    security: all
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+# Qualys VMDR
+
+This page explains how to make data from the Qualys Vulnerability Management, Detection and Response integration (Qualys VMDR) appear in the following places within {{elastic-sec}}:
+
+- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab.
+- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section).
+
+:::{note}
+Data from this integration does not appear on the [CNVM dashboard](/solutions/security/cloud/cnvm-dashboard.md).
+:::
+
+In order for Qualys VMDR data to appear in these workflows:
+
+- Ensure you have read privileges for the following index: `security_solution-*.vulnerability_latest`.
+- Follow the steps to [set up the Qualys VMDR integration](https://www.elastic.co/docs/reference/integrations/qualys_vmdr).
+  - While configuring the integration, in the **Host detection data** section, under **Input parameters**, enter `host_metadata=all`. This enables the ingest of `cloud.*` fields.
+- ({{stack}} users) Ensure you're on at least v8.16.
+- Make sure the integration version is at least 6.0.0.
+
+:::{note}
+You can ingest data from the Qualys VMDR integration for other purposes without following these steps.
+:::
diff --git a/solutions/security/cloud/integration-rapid7.md b/solutions/security/cloud/integration-rapid7.md
@@ -0,0 +1,31 @@
+---
+applies_to:
+  stack: all 
+  serverless:
+    security: all
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+
+# Rapid7
+This page explains how to make data from the Rapid7 InsightVM integration (Rapid7) appear in the following places within {{elastic-sec}}:
+
+- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab.
+- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section).
+
+:::{note}
+Data from this integration does not appear on the [CNVM dashboard](/solutions/security/cloud/cnvm-dashboard.md).
+:::
+
+In order for Rapid7 data to appear in these workflows:
+
+- Ensure you have read privileges for the following index: `security_solution-*.vulnerability_latest`.
+- Follow the steps to [set up the Rapid7 integration](https://www.elastic.co/docs/reference/integrations/rapid7_insightvm).
+- ({{stack}} users) Ensure you're on at least v9.1.
+- Make sure the Rapid7 version is at least 2.0.0.
+
+:::{note}
+You can ingest data from the Rapid7 integration for other purposes without following these steps.
+:::
diff --git a/solutions/security/cloud/integration-tenablevm.md b/solutions/security/cloud/integration-tenablevm.md
@@ -0,0 +1,31 @@
+---
+applies_to:
+  stack: all 
+  serverless:
+    security: all
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+
+# Tenable VM  
+This page explains how to make data from the Tenable Vulnerability Management integration (Tenable VM) appear in the following places within {{elastic-sec}}:
+
+- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab.
+- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section).
+
+::::{note}
+Data from this integration does not appear on the [CNVM dashboard](/solutions/security/cloud/cnvm-dashboard.md).
+::::
+
+In order for Tenable VM data to appear in these workflows:
+
+- Ensure you have read privileges for the following index: `security_solution-*.vulnerability_latest`.
+- Follow the steps to [set up the Tenable VM integration](https://www.elastic.co/docs/reference/integrations/tenable_io).
+- ({{stack}} users) Ensure you're on at least v9.1.
+- Make sure the Tenable VM version is at least 4.0.0.
+
+::::{note}
+You can ingest data from the Tenable VM integration for other purposes without following these steps.
+::::
diff --git a/solutions/toc.yml b/solutions/toc.yml
@@ -614,6 +614,9 @@ toc:
               - file: security/cloud/ingest-cncf-falco-data.md
               - file: security/cloud/ingest-aws-security-hub-data.md
               - file: security/cloud/ingest-wiz-data.md
+              - file: security/cloud/integration-qualys.md
+              - file: security/cloud/integration-tenablevm.md
+              - file: security/cloud/integration-rapid7.md
       - file: security/investigate.md
         children:
           - file: security/investigate/timeline.md
