diff --git a/solutions/security/cloud/ingest-aws-security-hub-data.md b/solutions/security/cloud/ingest-aws-security-hub-data.md index 5f5c3cc871..0f33ce9103 100644 --- a/solutions/security/cloud/ingest-aws-security-hub-data.md +++ b/solutions/security/cloud/ingest-aws-security-hub-data.md @@ -11,9 +11,13 @@ products: - id: cloud-serverless --- -# Ingest AWS Security Hub data +# AWS Security Hub +This page explains how to make data from the AWS Security Hub integration appear in the following places within {{elastic-sec}}: -In order to enrich your {{elastic-sec}} workflows with third-party cloud security posture data collected by AWS Security Hub: +- **Findings page**: Data appears on the [Misconfigurations](/solutions/security/cloud/findings-page.md) tab. +- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). + +In order for AWS Security Hub data to appear in these workflows: * Follow the steps to [set up the AWS Security Hub integration](https://docs.elastic.co/en/integrations/aws/securityhub). * Make sure the integration version is at least 2.31.1. 
@@ -24,7 +28,6 @@ In order to enrich your {{elastic-sec}} workflows with third-party cloud securit :alt: AWS Security Hub integration settings showing the findings toggle ::: -After you’ve completed these steps, AWS Security Hub data will appear on the Misconfigurations tab of the [Findings](/solutions/security/cloud/findings-page.md) page. - -Any available findings data will also appear in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) for related alerts. If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout). - +::::{note} +You can ingest data from the AWS Security Hub integration for other purposes without following these steps. +:::: diff --git a/solutions/security/cloud/ingest-cncf-falco-data.md b/solutions/security/cloud/ingest-cncf-falco-data.md index c84c879170..763a37d369 100644 --- a/solutions/security/cloud/ingest-cncf-falco-data.md +++ b/solutions/security/cloud/ingest-cncf-falco-data.md @@ -11,7 +11,7 @@ products: - id: cloud-serverless --- -# Ingest CNCF Falco data +# CNCF Falco CNCF Falco is an open-source runtime security tool that detects anomalous activity in Linux hosts, containers, Kubernetes, and cloud environments. You can ingest Falco alerts into {{es}} to view them on {{elastic-sec}}'s Alerts page and incorporate them into your security workflows by using Falcosidekick, a proxy forwarder which can send alerts from your Falco deployments to {{es}}. diff --git a/solutions/security/cloud/ingest-third-party-cloud-security-data.md b/solutions/security/cloud/ingest-third-party-cloud-security-data.md index 30313243d0..648edb9543 100644 --- a/solutions/security/cloud/ingest-third-party-cloud-security-data.md +++ b/solutions/security/cloud/ingest-third-party-cloud-security-data.md 
@@ -29,5 +29,10 @@ You can ingest third-party cloud security alerts into {{elastic-sec}} to view th You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](/solutions/security/cloud/findings-page.md) page, on the [Cloud Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md), and in the [entity details](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout) and [alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) flyouts. -* Learn to [ingest cloud security posture data from AWS Security Hub](/solutions/security/cloud/ingest-aws-security-hub-data.md). -* Learn to [ingest cloud security posture and vulnerability data from Wiz](/solutions/security/cloud/ingest-wiz-data.md). +Data from each of the following integrations can feed into at least some of these workflows: + +* [AWS Security Hub](/solutions/security/cloud/ingest-aws-security-hub-data.md). +* [Wiz](/solutions/security/cloud/ingest-wiz-data.md). +* [Rapid7 InsightVM](/solutions/security/cloud/integration-rapid7.md). +* [Tenable VM](/solutions/security/cloud/integration-tenablevm.md). +* [Qualys VMDR](/solutions/security/cloud/integration-qualys.md). diff --git a/solutions/security/cloud/ingest-wiz-data.md b/solutions/security/cloud/ingest-wiz-data.md index a4be679f19..65e04a99c8 100644 --- a/solutions/security/cloud/ingest-wiz-data.md +++ b/solutions/security/cloud/ingest-wiz-data.md 
@@ -11,9 +11,15 @@ products: - id: cloud-serverless --- -# Ingest Wiz data +# Wiz -In order to enrich your {{elastic-sec}} workflows with third-party cloud security posture and vulnerability data collected by Wiz: +This page explains how to make data from the Wiz integration appear in the following places within {{elastic-sec}}: + +- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab and the [Misconfiguations](/solutions/security/cloud/findings-page.md) tab. +- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). + + +In order for Wiz data to appear in these workflows: * Follow the steps to [set up the Wiz integration](https://docs.elastic.co/en/integrations/wiz). * Make sure the integration version is at least 2.0.1. @@ -28,10 +34,8 @@ In order to enrich your {{elastic-sec}} workflows with third-party cloud securit :alt: Wiz integration settings showing the vulnerabilities toggle ::: -After you’ve completed these steps, Wiz data will appear on the [Misconfiguations](/solutions/security/cloud/findings-page.md) and [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tabs of the Findings page. +Your Wiz data should now appear throughout {{elastic-sec}}. :::{image} /solutions/images/security-wiz-findings.png :alt: Wiz data on the Findings page ::: - -Any available findings data will also appear in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) for related alerts. If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout). 
diff --git a/solutions/security/cloud/integration-qualys.md b/solutions/security/cloud/integration-qualys.md new file mode 100644 index 0000000000..76c1518515 --- /dev/null +++ b/solutions/security/cloud/integration-qualys.md @@ -0,0 +1,32 @@ +--- +applies_to: + stack: all + serverless: + security: all +products: + - id: security + - id: cloud-serverless +--- + +# Qualys VMDR + +This page explains how to make data from the Qualys Vulnerability Management, Detection and Response integration (Qualys VMDR) appear in the following places within {{elastic-sec}}: + +- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab. +- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). + +:::{note} +Data from this integration does not appear on the [CNVM dashboard](/solutions/security/cloud/cnvm-dashboard.md). +::: + +In order for Qualys VMDR data to appear in these workflows: + +- Ensure you have read privileges for the following index: `security_solution-*.vulnerability_latest`. +- Follow the steps to [set up the Qualys VMDR integration](https://www.elastic.co/docs/reference/integrations/qualys_vmdr). + - While configuring the integration, in the **Host detection data** section, under **Input parameters**, enter `host_metadata=all`. This enables the ingest of `cloud.*` fields. +- ({{stack}} users) Ensure you're on at least v8.16. +- Make sure the integration version is at least 6.0.0. + +:::{note} +You can ingest data from the Qualys VMDR integration for other purposes without following these steps. +::: diff --git a/solutions/security/cloud/integration-rapid7.md b/solutions/security/cloud/integration-rapid7.md new file mode 100644 index 0000000000..00d8d504f1 --- /dev/null +++ b/solutions/security/cloud/integration-rapid7.md 
@@ -0,0 +1,31 @@ +--- +applies_to: + stack: all + serverless: + security: all +products: + - id: security + - id: cloud-serverless +--- + + +# Rapid7 +This page explains how to make data from the Rapid7 InsightVM integration (Rapid7) appear in the following places within {{elastic-sec}}: + +- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab. +- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). + +:::{note} +Data from this integration does not appear on the [CNVM dashboard](/solutions/security/cloud/cnvm-dashboard.md). +::: + +In order for Rapid7 data to appear in these workflows: + +- Ensure you have read privileges for the following index: `security_solution-*.vulnerability_latest`. +- Follow the steps to [set up the Rapid7 integration](https://www.elastic.co/docs/reference/integrations/rapid7_insightvm). +- ({{stack}} users) Ensure you're on at least v9.1. +- Make sure the Rapid7 version is at least 2.0.0. + +:::{note} +You can ingest data from the Rapid7 integration for other purposes without following these steps. +::: diff --git a/solutions/security/cloud/integration-tenablevm.md b/solutions/security/cloud/integration-tenablevm.md new file mode 100644 index 0000000000..823e703097 --- /dev/null +++ b/solutions/security/cloud/integration-tenablevm.md 
@@ -0,0 +1,31 @@ +--- +applies_to: + stack: all + serverless: + security: all +products: + - id: security + - id: cloud-serverless +--- + + +# Tenable VM +This page explains how to make data from the Tenable Vulnerability Management integration (Tenable VM) appear in the following places within {{elastic-sec}}: + +- **Findings page**: Data appears on the [Vulnerabilities](/solutions/security/cloud/findings-page-3.md) tab. +- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). + +::::{note} +Data from this integration does not appear on the [CNVM dashboard](/solutions/security/cloud/cnvm-dashboard.md). +:::: + +In order for Tenable VM data to appear in these workflows: + +- Ensure you have read privileges for the following index: `security_solution-*.vulnerability_latest`. +- Follow the steps to [set up the Tenable VM integration](https://www.elastic.co/docs/reference/integrations/tenable_io). +- ({{stack}} users) Ensure you're on at least v9.1. +- Make sure the Tenable VM version is at least 4.0.0. + +::::{note} +You can ingest data from the Tenable VM integration for other purposes without following these steps. +:::: diff --git a/solutions/toc.yml b/solutions/toc.yml index 9767338ba1..346d28c892 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -614,6 +614,9 @@ toc: - file: security/cloud/ingest-cncf-falco-data.md - file: security/cloud/ingest-aws-security-hub-data.md - file: security/cloud/ingest-wiz-data.md + - file: security/cloud/integration-qualys.md + - file: security/cloud/integration-tenablevm.md + - file: security/cloud/integration-rapid7.md - file: security/investigate.md children: - file: security/investigate/timeline.md
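Review bot: In the second `ingest-aws-security-hub-data.md` hunk, the removed paragraph was the only place that linked to the entity details flyout (`/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout`), but the replacement bullet `- **Alert and Entity details flyouts**: Applicable data appears in the [Insights section](...)` in the first hunk links only to the alert details page. Consider linking the entity details flyout page as well so readers can still find where host and user findings surface.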
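Review bot: The first `ingest-wiz-data.md` hunk carries the typo "Misconfiguations" in the new line `- **Findings page**: Data appears on the [Vulnerabilities](...) tab and the [Misconfiguations](...) tab.`; it should read "Misconfigurations", matching the AWS Security Hub page. The same hunk also leaves two consecutive blank lines before `+In order for Wiz data to appear in these workflows:`; one is enough.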
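Review bot: In the second `ingest-wiz-data.md` hunk, the replacement line `+Your Wiz data should now appear throughout {{elastic-sec}}.` is vaguer than the removed text, which named the Misconfigurations and Vulnerabilities tabs and linked the entity details flyout; since the entity details flyout link is dropped here and not re-added in the first hunk, consider keeping a short sentence that names the tabs and links the entity details flyout.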
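Review bot: In the `ingest-third-party-cloud-security-data.md` hunk, the new bullets end each link with a trailing period (`* [AWS Security Hub](...).`), which reads as an artifact of the removed "Learn to ..." sentences; drop the periods now that each item is a bare link. The list order here (Rapid7 InsightVM, Tenable VM, Qualys VMDR) also differs from the order added to `solutions/toc.yml` (qualys, tenablevm, rapid7); pick one order for both.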
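Review bot: In the `integration-qualys.md` hunk, the prerequisites are listed after the setup step: `- ({{stack}} users) Ensure you're on at least v8.16.` and `- Make sure the integration version is at least 6.0.0.` come after `- Follow the steps to [set up the Qualys VMDR integration](...)`, so a reader on an older version only learns that after configuring. Consider moving the version checks above the setup step. The note fences in this file use `:::{note}` while the Tenable VM and AWS pages use `::::{note}`; both render, but one convention across the new pages would be cleaner.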
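Review bot: In the `integration-rapid7.md` hunk, the heading `+# Rapid7` names the vendor rather than the product, whereas the sibling pages use `# Qualys VMDR` and `# Tenable VM` and the third-party overview links it as "Rapid7 InsightVM"; `# Rapid7 InsightVM` would be consistent. The line `+- Make sure the Rapid7 version is at least 2.0.0.` is ambiguous between the integration version and the Rapid7 product; the Qualys page's wording, "Make sure the integration version is at least 2.0.0", is clearer. Also, the heading is immediately followed by the paragraph with no blank line, and there are two blank lines after the frontmatter `---`; match the Qualys file's spacing.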
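Review bot: In the `integration-tenablevm.md` hunk, `+- Make sure the Tenable VM version is at least 4.0.0.` has the same ambiguity as the Rapid7 page: it reads as a Tenable product version rather than the integration version; "Make sure the integration version is at least 4.0.0" matches the Qualys page. The heading `+# Tenable VM` is also not separated from the following paragraph by a blank line, and the integration link uses the `https://www.elastic.co/docs/reference/integrations/...` host while the AWS and Wiz pages use `https://docs.elastic.co/en/integrations/...`; worth confirming the intended canonical host and using it consistently across the four pages.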