diff --git a/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md b/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md index 8f75baa025..b2fd1870b7 100644 --- a/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md +++ b/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md @@ -58,7 +58,7 @@ To explore a case, click on its name. You can then: :::: -* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](../../../troubleshoot/security/indicators-of-compromise.md#review-indicator-in-case) attached to the case +* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](../../../solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case * [Add files](../../../solutions/security/investigate/open-manage-cases.md#cases-add-files) * [Add a Lens visualization](../../../solutions/security/investigate/open-manage-cases.md#cases-lens-visualization) * Modify the case’s description, assignees, category, severity, status, and tags. diff --git a/raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md b/raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md deleted file mode 100644 index 8253e2997d..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md +++ /dev/null 
@@ -1,190 +0,0 @@ -# Indicators of compromise [security-indicators-of-compromise] - -The Indicators page collects data from enabled threat intelligence feeds and provides a centralized view of indicators, also known as indicators of compromise (IoCs). This topic helps you set up the Indicators page and explains how to work with IoCs. - -::::{admonition} Requirements -:class: note - -* The Indicators page requires the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). -* You must have *one* of the following installed on the hosts you want to monitor: - - * **{{agent}}** - Install a [{{fleet}}-managed {{agent}}](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html) and ensure the agent’s status is `Healthy`. Refer to [{{fleet}} Troubleshooting](../../../troubleshoot/ingest/fleet/common-problems.md) if it isn’t. - * **{{filebeat}}** - Install [{{filebeat}}](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html). - - -:::: - - -:::{image} ../../../images/serverless--cases-indicators-table.png -:alt: Shows the Indicators page -:class: screenshot -::: - - -## Threat intelligence and indicators [ti-indicators] - -Threat intelligence is a research function that analyzes current and emerging threats and recommends appropriate actions to strengthen a company’s security posture. Threat intelligence requires proactivity to be useful, such as gathering, analyzing, and investigating various threat and vulnerability data sources. - -An indicator, also referred to as an IoC, is a piece of information associated with a known threat or reported vulnerability. There are many types of indicators, including URLs, files, domains, email addresses, and more. Within SOC teams, threat intelligence analysts use indicators to detect, assess, and respond to threats. 
- - -## Set up the Indicators page [setup-indicators-page] - -Install a threat intelligence integration to add indicators to the Indicators page. - -1. From the {{security-app}} main menu, select one of the following: - - * **Intelligence** → **Indicators** → **Add Integrations**. - * **Project settings** → **Integrations**. - -2. In the search bar, search for `Threat Intelligence` to get a list of threat intelligence integrations. -3. Select a threat intelligence integration, then complete the integration’s guided installation. - - ::::{note} - For more information about available fields, go to the [Elastic integration documentation](https://docs.elastic.co/integrations) and search for a specific threat intelligence integration. - - :::: - -4. Return to the Indicators page in {{elastic-sec}}. Refresh the page if indicator data isn’t displaying. - - -### Troubleshooting [troubleshoot-indicators-page] - -If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration: - -* Verify that the index storing indicator documents is included in the [default {{elastic-sec}} indices](../../../solutions/security/get-started/configure-advanced-settings.md#update-sec-indices) (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you’re collecting indicator data: - - * **{{agent}} integrations** - `logs_ti*` - * **{{filebeat}} integrations** - `filebeat-*` - -* Ensure the indicator data you’re ingesting is mapped to [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/{{ecs_version}}). - -::::{note} -These troubleshooting steps also apply to the [Threat Intelligence view](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md). 
- -:::: - - - -## Indicators page UI [intelligence-page-ui] - -After you add indicators to the Indicators page, you can [examine](../../../troubleshoot/security/indicators-of-compromise.md#examine-indicator-details), search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend. - -:::{image} ../../../images/serverless--cases-interact-with-indicators-table.gif -:alt: Shows how to interact with the Intelligence page -:class: screenshot -::: - - -### Examine indicator details [examine-indicator-details] - -Learn more about an indicator by clicking **View details**, then opening the Indicator details flyout. The flyout contains these informational tabs: - -* **Overview**: A summary of the indicator, including the indicator’s name, the threat intelligence feed it came from, the indicator type, and additional relevant data. - - ::::{note} - Some threat intelligence feeds provide [Traffic Light Protocol (TLP) markings](https://www.cisa.gov/tlp#:~:text=Introduction,shared%20with%20the%20appropriate%20audience). The `TLP Marking` and `Confidence` fields will be empty if the feed doesn’t provide that data. - - :::: - -* **Table**: The indicator data in table format. -* **JSON**: The indicator data in JSON format. - - :::{image} ../../../images/serverless--cases-indicator-details-flyout.png - :alt: Shows the Indicator details flyout - :class: screenshot - ::: - - - -## Find related security events [find-related-sec-events] - -Investigate an indicator in [Timeline](../../../solutions/security/investigate/timeline.md) to identify and predict related events in your environment. You can add an indicator to Timeline from the Indicators table or the Indicator details flyout. 
- -:::{image} ../../../images/serverless--cases-indicator-query-timeline.png -:alt: Shows the results of an indicator being investigated in Timeline -:class: screenshot -::: - -When you add an indicator to Timeline, a new Timeline opens with an auto-generated KQL query. The query contains the indicator field-value pair that you selected plus the field-value pair of the automatically mapped source event. By default, the query’s time range is set to seven days before and after the indicator’s `timestamp`. - - -### Example indicator Timeline investigation [example-indicator-timeline] - -The following image shows a file hash indictor being investigated in Timeline. The indicator field-value pair is: - -`threat.indicator.file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a` - -:::{image} ../../../images/serverless--cases-indicator-in-timeline.png -:alt: Shows the results of an indicator being investigated in Timeline -:class: screenshot -::: - -The auto-generated query contains the indicator field-value pair (mentioned previously) and the auto-mapped source event field-value pair, which is: - -`file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a` - -The query results show an alert with a matching `file.hash.sha256` field value, which may indicate suspicious or malicious activity in the environment. - - -## Attach indicators to cases [attach-indicator-to-case] - -Attaching indicators to cases provides more context and available actions for your investigations. This feature allows you to easily share or escalate threat intelligence to other teams. - -To add indicators to cases: - -1. From the Indicators table, click the **More actions** (![More actions](../../../images/serverless-boxesHorizontal.svg "")) menu. Alternatively, open an indicator’s details, then select **Take action**. -2. 
Select one of the following: - - * **Add to existing case**: From the **Select case** dialog box, select the case to which you want to attach the indicator. - * **Add to new case**: Configure the case details. Refer to [Open a new case](../../../solutions/security/investigate/open-manage-cases.md#cases-ui-open) to learn more about opening a new case. - - The indicator is added to the case as a new comment. - - -:::{image} ../../../images/serverless--cases-indicator-added-to-case.png -:alt: An indicator attached to a case -:class: screenshot -::: - - -### Review indicator details in cases [review-indicator-in-case] - -When you attach an indicator to a case, the indicator is added as a new comment with the following details: - -* **Indicator name**: Click the linked name to open the Indicator details flyout, which contains the following tabs: - - * **Overview**: A summary of the threat indicator, including its name and type, which threat intelligence feed it came from, and additional relevant data. - - ::::{note} - Some threat intelligence feeds provide [Traffic Light Protocol (TLP) markings](https://www.cisa.gov/tlp#:~:text=Introduction,shared%20with%20the%20appropriate%20audience). The `TLP Marking` and `Confidence` fields will be empty if the feed doesn’t provide that data. - - :::: - - * **Table**: The indicator data in table format. - * **JSON**: The indicator data in JSON format. - -* **Feed name**: The threat feed from which the indicator was ingested. -* **Indicator type**: The indicator type, for example, `file` or `.exe`. - - -### Remove indicators from cases [delete-indicator-from-case] - -To remove an indicator attached to a case, click the **More actions** (![More actions](../../../images/serverless-boxesHorizontal.svg "")) menu → **Delete attachment** in the case comment. 
- -:::{image} ../../../images/serverless--cases-remove-indicator.png -:alt: Removing an indicator from a case -:class: screenshot -::: - - -## Use data from indicators to expand the blocklist [add-indicator-to-blocklist] - -Add indicator values to the [blocklist](../../../solutions/security/manage-elastic-defend/blocklist.md) to prevent selected applications from running on your hosts. You can use MD5, SHA-1, or SHA-256 hash values from `file` type indicators. - -You can add indicator values to the blocklist from the Indicators table or the Indicator details flyout. From the Indicators table, select the **More actions** (![More actions](../../../images/serverless-boxesHorizontal.svg "")) menu → **Add blocklist entry***. Alternatively, open an indicator’s details, then select the ***Take action** menu → **Add blocklist entry**. - -::::{note} -Refer to [Blocklist](../../../solutions/security/manage-elastic-defend/blocklist.md) for more information about blocklist entries. - -:::: diff --git a/raw-migrated-files/docs-content/serverless/security-threat-intelligence.md b/raw-migrated-files/docs-content/serverless/security-threat-intelligence.md index d7ffffc888..2e70e19aff 100644 --- a/raw-migrated-files/docs-content/serverless/security-threat-intelligence.md +++ b/raw-migrated-files/docs-content/serverless/security-threat-intelligence.md 
@@ -1,6 +1,6 @@ # Enable threat intelligence integrations [security-threat-intelligence] -The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of [threat indicators](../../../troubleshoot/security/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources. +The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of [threat indicators](../../../solutions/security/investigate/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources. Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator. @@ -34,7 +34,7 @@ There are a few scenarios when data won’t display in the Threat Intelligence v :::: 3. Select an {{agent}} integration, then complete the installation steps. -4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md#troubleshoot-indicators-page). +4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md). ## Add a {{filebeat}} Threat Intel module integration [ti-mod-integration] diff --git a/raw-migrated-files/security-docs/security/cases-open-manage.md b/raw-migrated-files/security-docs/security/cases-open-manage.md index ef6ac22acf..e77efd4387 100644 
--- a/raw-migrated-files/security-docs/security/cases-open-manage.md +++ b/raw-migrated-files/security-docs/security/cases-open-manage.md @@ -80,7 +80,7 @@ To explore a case, click on its name. You can then: Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](../../../images/security-markdown-icon.png "")) in the bottom right of the comment. :::: -* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](../../../troubleshoot/security/indicators-of-compromise.md#review-indicator-in-case) attached to the case +* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](../../../solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case * [Add files](../../../solutions/security/investigate/open-manage-cases.md#cases-add-files) * [Add a Lens visualization](../../../solutions/security/investigate/open-manage-cases.md#cases-lens-visualization) * Modify the case’s description, assignees, category, severity, status, and tags. diff --git a/raw-migrated-files/security-docs/security/es-threat-intel-integrations.md b/raw-migrated-files/security-docs/security/es-threat-intel-integrations.md index f5e2bc69ea..3df90bfa2d 100644 --- a/raw-migrated-files/security-docs/security/es-threat-intel-integrations.md +++ b/raw-migrated-files/security-docs/security/es-threat-intel-integrations.md 
@@ -1,6 +1,6 @@ # Enable threat intelligence integrations [es-threat-intel-integrations] -The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of [threat indicators](../../../troubleshoot/security/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources. +The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of [threat indicators](../../../solutions/security/investigate/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources. Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator. @@ -33,7 +33,7 @@ There are a few scenarios when data won’t display in the Threat Intelligence v :::: 3. Select an {{agent}} integration, then complete the installation steps. -4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md#troubleshoot-indicators-page). +4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md). ## Add a {{filebeat}} Threat Intel module integration [ti-mod-integration] 
diff --git a/raw-migrated-files/security-docs/security/indicators-of-compromise.md b/raw-migrated-files/security-docs/security/indicators-of-compromise.md deleted file mode 100644 index ab0a1a9e70..0000000000 --- a/raw-migrated-files/security-docs/security/indicators-of-compromise.md +++ /dev/null 
@@ -1,181 +0,0 @@ -# Indicators of compromise [indicators-of-compromise] - -The Indicators page collects data from enabled threat intelligence feeds and provides a centralized view of indicators, also known as indicators of compromise (IoCs). This topic helps you set up the Indicators page and explains how to work with IoCs. - -::::{admonition} Requirements -* The Indicators page is an [Enterprise subscription](https://www.elastic.co/pricing) feature. -* You must have *one* of the following installed on the hosts you want to monitor: - - * **{{agent}}** - Install a [{{fleet}}-managed {{agent}}](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html) and ensure the agent’s status is `Healthy`. Refer to [{{fleet}} Troubleshooting](../../../troubleshoot/ingest/fleet/common-problems.md) if it isn’t. - * **{{filebeat}}** - Install [{{filebeat}}](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html) version 8.x or later. Earlier {{filebeat}} versions are incompatible with ECS and will prevent indicator data from displaying in the Indicators table. - - -:::: - - -:::{image} ../../../images/security-indicators-table.png -:alt: Shows the Indicators page -:class: screenshot -::: - - -## Threat intelligence and indicators [ti-indicators] - -Threat intelligence is a research function that analyzes current and emerging threats and recommends appropriate actions to strengthen a company’s security posture. Threat intelligence requires proactivity to be useful, such as gathering, analyzing, and investigating various threat and vulnerability data sources. - -An indicator, also referred to as an IoC, is a piece of information associated with a known threat or reported vulnerability. There are many types of indicators, including URLs, files, domains, email addresses, and more. Within SOC teams, threat intelligence analysts use indicators to detect, assess, and respond to threats. 
- - -## Set up the Indicators page [setup-indicators-page] - -Install a threat intelligence integration to add indicators to the Indicators page. - -1. From the {{security-app}}, click **Add Integrations**. -2. In the search bar, search for `Threat Intelligence` to get a list of threat intelligence integrations. -3. Select a threat intelligence integration, then complete the integration’s guided installation. - - ::::{note} - For more information about available fields, go to the [Elastic integration documentation](https://docs.elastic.co/integrations) and search for a specific threat intelligence integration. - :::: - -4. Return to the Indicators page in {{elastic-sec}}. Refresh the page if indicator data isn’t displaying. - - -### Troubleshooting [troubleshoot-indicators-page] - -If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration: - -* Verify that the index storing indicator documents is included in the [default {{elastic-sec}} indices](../../../solutions/security/get-started/configure-advanced-settings.md#update-sec-indices) (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you’re collecting indicator data: - - * **{{agent}} integrations** - `logs_ti*` - * **{{filebeat}} integrations** - `filebeat-*` - -* Ensure the indicator data you’re ingesting is mapped to [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/{{ecs_version}}). - -::::{note} -These troubleshooting steps also apply to the [Threat Intelligence view](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md). -:::: - - - -## Indicators page UI [intelligence-page-ui] - -After you add indicators to the Indicators page, you can [examine](../../../troubleshoot/security/indicators-of-compromise.md#examine-indicator-details), search, filter, and take action on indicator data. 
Indicators also appear in the Trend view, which shows the total values in the legend. - -:::{image} ../../../images/security-interact-with-indicators-table.gif -:alt: interact with indicators table -:class: screenshot -::: - - -### Examine indicator details [examine-indicator-details] - -Learn more about an indicator by clicking **View details**, then opening the Indicator details flyout. The flyout contains these informational tabs: - -* **Overview**: A summary of the indicator, including the indicator’s name, the threat intelligence feed it came from, the indicator type, and additional relevant data. - - ::::{note} - Some threat intelligence feeds provide [Traffic Light Protocol (TLP) markings](https://www.cisa.gov/tlp#:~:text=Introduction,shared%20with%20the%20appropriate%20audience). The `TLP Marking` and `Confidence` fields will be empty if the feed doesn’t provide that data. - :::: - -* **Table**: The indicator data in table format. -* **JSON**: The indicator data in JSON format. - - :::{image} ../../../images/security-indicator-details-flyout.png - :alt: Shows the Indicator details flyout - :class: screenshot - ::: - - - -## Find related security events [find-related-sec-events] - -Investigate an indicator in [Timeline](../../../solutions/security/investigate/timeline.md) to identify and predict related events in your environment. You can add an indicator to Timeline from the Indicators table or the Indicator details flyout. - -:::{image} ../../../images/security-indicator-query-timeline.png -:alt: Shows the results of an indicator being investigated in Timeline -:class: screenshot -::: - -When you add an indicator to Timeline, a new Timeline opens with an auto-generated KQL query. The query contains the indicator field-value pair that you selected plus the field-value pair of the automatically mapped source event. By default, the query’s time range is set to seven days before and after the indicator’s `timestamp`. 
- - -### Example indicator Timeline investigation [example-indicator-timeline] - -The following image shows a file hash indictor being investigated in Timeline. The indicator field-value pair is: - -`threat.indicator.file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a` - -:::{image} ../../../images/security-indicator-in-timeline.png -:alt: Shows the results of an indicator being investigated in Timeline -:class: screenshot -::: - -The auto-generated query contains the indicator field-value pair (mentioned previously) and the auto-mapped source event field-value pair, which is: - -`file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a` - -The query results show an alert with a matching `file.hash.sha256` field value, which may indicate suspicious or malicious activity in the environment. - - -## Attach indicators to cases [attach-indicator-to-case] - -Attaching indicators to cases provides more context and available actions for your investigations. This feature allows you to easily share or escalate threat intelligence to other teams. - -To add indicators to cases: - -1. From the Indicators table, click the **More actions** (**…​​**) menu. Alternatively, open an indicator’s details, then select **Take action**. -2. Select one of the following: - - * **Add to existing case**: From the **Select case** dialog box, select the case to which you want to attach the indicator. - * **Add to new case**: Configure the case details. Refer to [Open a new case](../../../solutions/security/investigate/open-manage-cases.md#cases-ui-open) to learn more about opening a new case. - - The indicator is added to the case as a new comment. 
- - -:::{image} ../../../images/security-indicator-added-to-case.png -:alt: An indicator attached to a case -:class: screenshot -::: - - -### Review indicator details in cases [review-indicator-in-case] - -When you attach an indicator to a case, the indicator is added as a new comment with the following details: - -* **Indicator name**: Click the linked name to open the Indicator details flyout, which contains the following tabs: - - * **Overview**: A summary of the threat indicator, including its name and type, which threat intelligence feed it came from, and additional relevant data. - - ::::{note} - Some threat intelligence feeds provide [Traffic Light Protocol (TLP) markings](https://www.cisa.gov/tlp#:~:text=Introduction,shared%20with%20the%20appropriate%20audience). The `TLP Marking` and `Confidence` fields will be empty if the feed doesn’t provide that data. - :::: - - * **Table**: The indicator data in table format. - * **JSON**: The indicator data in JSON format. - -* **Feed name**: The threat feed from which the indicator was ingested. -* **Indicator type**: The indicator type, for example, `file` or `.exe`. - - -### Remove indicators from cases [delete-indicator-from-case] - -To remove an indicator attached to a case, click the **More actions** (**…​​**) menu → **Delete attachment** in the case comment. - -:::{image} ../../../images/security-remove-indicator.png -:alt: Removing an indicator from a case -:class: screenshot -::: - - -## Use data from indicators to expand the blocklist [add-indicator-to-blocklist] - -Add indicator values to the [blocklist](../../../solutions/security/manage-elastic-defend/blocklist.md) to prevent selected applications from running on your hosts. You can use MD5, SHA-1, or SHA-256 hash values from `file` type indicators. - -You can add indicator values to the blocklist from the Indicators table or the Indicator details flyout. From the Indicators table, select the **More actions** (**…​​**) menu → **Add blocklist entry**. 
Alternatively, open an indicator’s details, then select the **Take action** menu → **Add blocklist entry**. - -::::{note} -Refer to [Blocklist](../../../solutions/security/manage-elastic-defend/blocklist.md) for more information about blocklist entries. -:::: - - diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 7e36e3a085..b641c674c9 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -501,7 +501,6 @@ toc: - file: docs-content/serverless/security-get-started-with-kspm.md - file: docs-content/serverless/security-host-isolation-exceptions.md - file: docs-content/serverless/security-hosts-overview.md - - file: docs-content/serverless/security-indicators-of-compromise.md - file: docs-content/serverless/security-ingest-data.md - file: docs-content/serverless/security-install-edr.md - file: docs-content/serverless/security-install-endpoint-manually.md @@ -945,7 +944,6 @@ toc: - file: security-docs/security/host-isolation-exceptions.md - file: security-docs/security/host-isolation-ov.md - file: security-docs/security/hosts-overview.md - - file: security-docs/security/indicators-of-compromise.md - file: security-docs/security/ingest-aws-securityhub-data.md - file: security-docs/security/ingest-data.md - file: security-docs/security/ingest-falco.md diff --git a/solutions/security/investigate/indicators-of-compromise.md b/solutions/security/investigate/indicators-of-compromise.md index 97848de4d6..bf0d0ee3f4 100644 --- a/solutions/security/investigate/indicators-of-compromise.md +++ b/solutions/security/investigate/indicators-of-compromise.md 
@@ -4,13 +4,165 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-indicators-of-compromise.html --- -# Indicators of compromise +# Indicators of compromise [indicators-of-compromise] -% What needs to be done: Refine +The Indicators page collects data from enabled threat intelligence feeds and provides a centralized view of indicators, also known as indicators of compromise (IoCs). This topic helps you set up the Indicators page and explains how to work with IoCs. -% Scope notes: Pull out the troubleshooting section into its own topic, and leave the rest of the content in its current place +::::{admonition} Requirements +* The Indicators page is an [Enterprise subscription](https://www.elastic.co/pricing) feature. +* The Indicators page requires the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). +* You must have *one* of the following installed on the hosts you want to monitor: -% Use migrated content from existing pages that map to this page: + * **{{agent}}** - Install a [{{fleet}}-managed {{agent}}](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html) and ensure the agent’s status is `Healthy`. Refer to [{{fleet}} Troubleshooting](../../../troubleshoot/ingest/fleet/common-problems.md) if it isn’t. + * **{{filebeat}}** - Install [{{filebeat}}](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html) version 8.x or later. Earlier {{filebeat}} versions are incompatible with ECS and will prevent indicator data from displaying in the Indicators table. +:::: + + +:::{image} ../../../images/security-indicators-table.png +:alt: Shows the Indicators page +:class: screenshot +::: + + +## Threat intelligence and indicators [ti-indicators] + +Threat intelligence is a research function that analyzes current and emerging threats and recommends appropriate actions to strengthen a company’s security posture. 
Threat intelligence requires proactivity to be useful, such as gathering, analyzing, and investigating various threat and vulnerability data sources. + +An indicator, also referred to as an IoC, is a piece of information associated with a known threat or reported vulnerability. There are many types of indicators, including URLs, files, domains, email addresses, and more. Within SOC teams, threat intelligence analysts use indicators to detect, assess, and respond to threats. + + +## Set up the Indicators page [setup-indicators-page] + +Install a threat intelligence integration to add indicators to the Indicators page. + +1. From the {{security-app}}, click **Add Integrations**. +2. In the search bar, search for `Threat Intelligence` to get a list of threat intelligence integrations. +3. Select a threat intelligence integration, then complete the integration’s guided installation. + + ::::{note} + For more information about available fields, go to the [Elastic integration documentation](https://docs.elastic.co/integrations) and search for a specific threat intelligence integration. + :::: + +4. Return to the Indicators page in {{elastic-sec}}. Refresh the page if indicator data isn’t displaying. + + +## Indicators page UI [intelligence-page-ui] + +After you add indicators to the Indicators page, you can [examine](#examine-indicator-details), search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend. + +:::{image} ../../../images/security-interact-with-indicators-table.gif +:alt: interact with indicators table +:class: screenshot +::: + + +### Examine indicator details [examine-indicator-details] + +Learn more about an indicator by clicking **View details**, then opening the Indicator details flyout. 
The flyout contains these informational tabs: + +* **Overview**: A summary of the indicator, including the indicator’s name, the threat intelligence feed it came from, the indicator type, and additional relevant data. + + ::::{note} + Some threat intelligence feeds provide [Traffic Light Protocol (TLP) markings](https://www.cisa.gov/tlp#:~:text=Introduction,shared%20with%20the%20appropriate%20audience). The `TLP Marking` and `Confidence` fields will be empty if the feed doesn’t provide that data. + :::: + +* **Table**: The indicator data in table format. +* **JSON**: The indicator data in JSON format. + + :::{image} ../../../images/security-indicator-details-flyout.png + :alt: Shows the Indicator details flyout + :class: screenshot + ::: + + + +## Find related security events [find-related-sec-events] + +Investigate an indicator in [Timeline](timeline.md) to identify and predict related events in your environment. You can add an indicator to Timeline from the Indicators table or the Indicator details flyout. + +:::{image} ../../../images/security-indicator-query-timeline.png +:alt: Shows the results of an indicator being investigated in Timeline +:class: screenshot +::: + +When you add an indicator to Timeline, a new Timeline opens with an auto-generated KQL query. The query contains the indicator field-value pair that you selected plus the field-value pair of the automatically mapped source event. By default, the query’s time range is set to seven days before and after the indicator’s `timestamp`. + + +### Example indicator Timeline investigation [example-indicator-timeline] + +The following image shows a file hash indictor being investigated in Timeline. 
The indicator field-value pair is: + +`threat.indicator.file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a` + +:::{image} ../../../images/security-indicator-in-timeline.png +:alt: Shows the results of an indicator being investigated in Timeline +:class: screenshot +::: + +The auto-generated query contains the indicator field-value pair (mentioned previously) and the auto-mapped source event field-value pair, which is: + +`file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a` + +The query results show an alert with a matching `file.hash.sha256` field value, which may indicate suspicious or malicious activity in the environment. + + +## Attach indicators to cases [attach-indicator-to-case] + +Attaching indicators to cases provides more context and available actions for your investigations. This feature allows you to easily share or escalate threat intelligence to other teams. + +To add indicators to cases: + +1. From the Indicators table, click the **More actions** (**…​​**) menu. Alternatively, open an indicator’s details, then select **Take action**. +2. Select one of the following: + + * **Add to existing case**: From the **Select case** dialog box, select the case to which you want to attach the indicator. + * **Add to new case**: Configure the case details. Refer to [Open a new case](open-manage-cases.md#cases-ui-open) to learn more about opening a new case. + + The indicator is added to the case as a new comment. 
+ + +:::{image} ../../../images/security-indicator-added-to-case.png +:alt: An indicator attached to a case +:class: screenshot +::: + + +### Review indicator details in cases [review-indicator-in-case] + +When you attach an indicator to a case, the indicator is added as a new comment with the following details: + +* **Indicator name**: Click the linked name to open the Indicator details flyout, which contains the following tabs: + + * **Overview**: A summary of the threat indicator, including its name and type, which threat intelligence feed it came from, and additional relevant data. + + ::::{note} + Some threat intelligence feeds provide [Traffic Light Protocol (TLP) markings](https://www.cisa.gov/tlp#:~:text=Introduction,shared%20with%20the%20appropriate%20audience). The `TLP Marking` and `Confidence` fields will be empty if the feed doesn’t provide that data. + :::: + + * **Table**: The indicator data in table format. + * **JSON**: The indicator data in JSON format. + +* **Feed name**: The threat feed from which the indicator was ingested. +* **Indicator type**: The indicator type, for example, `file` or `.exe`. + + +### Remove indicators from cases [delete-indicator-from-case] + +To remove an indicator attached to a case, click the **More actions** (**…​​**) menu → **Delete attachment** in the case comment. + +:::{image} ../../../images/security-remove-indicator.png +:alt: Removing an indicator from a case +:class: screenshot +::: + + +## Use data from indicators to expand the blocklist [add-indicator-to-blocklist] + +Add indicator values to the [blocklist](../manage-elastic-defend/blocklist.md) to prevent selected applications from running on your hosts. You can use MD5, SHA-1, or SHA-256 hash values from `file` type indicators. + +You can add indicator values to the blocklist from the Indicators table or the Indicator details flyout. From the Indicators table, select the **More actions** (**…​​**) menu → **Add blocklist entry**. 
Alternatively, open an indicator’s details, then select the **Take action** menu → **Add blocklist entry**. + +::::{note} +Refer to [Blocklist](../manage-elastic-defend/blocklist.md) for more information about blocklist entries. +:::: -% - [ ] ./raw-migrated-files/security-docs/security/indicators-of-compromise.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md \ No newline at end of file diff --git a/troubleshoot/security/indicators-of-compromise.md b/troubleshoot/security/indicators-of-compromise.md index 4346bedbce..8fb0d8dfff 100644 --- a/troubleshoot/security/indicators-of-compromise.md +++ b/troubleshoot/security/indicators-of-compromise.md 
@@ -1,26 +1,22 @@ --- +navigation_title: "Indicators of compromise" mapped_pages: - https://www.elastic.co/guide/en/security/current/indicators-of-compromise.html - https://www.elastic.co/guide/en/serverless/current/security-indicators-of-compromise.html --- -# Indicators of compromise +# Troubleshoot indicators of compromise [troubleshoot-indicators-page] -% What needs to be done: Refine +If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration: -% Scope notes: Pull out the troubleshooting section into its own topic, and leave the rest of the content in its current place +* Verify that the index storing indicator documents is included in the [default {{elastic-sec}} indices](../../solutions/security/get-started/configure-advanced-settings.md#update-sec-indices) (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you’re collecting indicator data: -% Use migrated content from existing pages that map to this page: + * **{{agent}} integrations** - `logs_ti*` + * **{{filebeat}} integrations** - `filebeat-*` -% - [ ] ./raw-migrated-files/security-docs/security/indicators-of-compromise.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-indicators-of-compromise.md +* Ensure the indicator data you’re ingesting is mapped to [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/{{ecs_version}}). -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): +::::{note} +These troubleshooting steps also apply to the [Threat Intelligence view](../../solutions/security/get-started/enable-threat-intelligence-integrations.md). +:::: -$$$review-indicator-in-case$$$ - -$$$ti-indicators$$$ - -$$$troubleshoot-indicators-page$$$ - -$$$examine-indicator-details$$$ \ No newline at end of file
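Review bot: In the `@@ -4,13 +4,165 @@` hunk for `indicators-of-compromise.md`, the Requirements admonition mixes two deployment models without saying which bullet applies where: "The Indicators page is an Enterprise subscription feature" (stateful) sits directly above "requires the Security Analytics Complete project feature" (serverless), so a reader of either product sees a requirement that does not apply to them; mark each bullet with the applies-to convention used elsewhere in this migration, or split the admonition. Same hunk, two smaller points: "The following image shows a file hash indictor being investigated in Timeline" should read "indicator", and in the case-comment details "The indicator type, for example, `file` or `.exe`" gives a file extension as an example of an indicator type, which contradicts the `threat.indicator.file.hash.sha256` / `file` type usage earlier on the page. Finally, since this change moves the troubleshooting steps into their own topic, the setup step "Return to the Indicators page in {{elastic-sec}}. Refresh the page if indicator data isn’t displaying." is the natural place for a link to `troubleshoot/security/indicators-of-compromise.md`; as written the new page never references the troubleshooting topic.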
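Review bot: In the `@@ -1,26 +1,22 @@` hunk for `troubleshoot/security/indicators-of-compromise.md`, the removed anchors `$$$ti-indicators$$$`, `$$$examine-indicator-details$$$` and `$$$review-indicator-in-case$$$` were there because, per the deleted comment, "Internal links rely on the following IDs being on this page"; the IDs now live as heading IDs on the solutions page, and this patch repoints only `review-indicator-in-case` in `security-cases-open-manage.md`, so any remaining links to `troubleshoot/security/indicators-of-compromise.md#ti-indicators` or `#examine-indicator-details` will break and should be grepped for and repointed in the same change. The `mapped_pages` block kept here still lists `https://www.elastic.co/guide/en/serverless/current/security-indicators-of-compromise.html`, which the solutions page now also claims under `mapped_urls`; one legacy URL mapping to two topics will make the redirect ambiguous, so drop it from whichever page is not the intended target. Lastly, the index pattern `logs_ti*` for {{agent}} integrations looks off: data stream names follow `logs-<dataset>-<namespace>`, so a pattern beginning `logs_ti` would not match a `logs-ti_...` data stream; confirm whether `logs-ti*` was intended.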