diff --git a/solutions/images/security-attck-disc-esql-query-gen-example.png b/solutions/images/security-attck-disc-esql-query-gen-example.png index 2db023e780..713983f3f4 100644 Binary files a/solutions/images/security-attck-disc-esql-query-gen-example.png and b/solutions/images/security-attck-disc-esql-query-gen-example.png differ diff --git a/solutions/security/get-started/automatic-import.md b/solutions/security/get-started/automatic-import.md index 24d1aed29d..265ce692b8 100644 --- a/solutions/security/get-started/automatic-import.md +++ b/solutions/security/get-started/automatic-import.md @@ -108,7 +108,7 @@ Using Automatic Import allows users to create new third-party data integrations ::: 14. Click **Add to an agent** to deploy your new integration and start collecting data, or click **View integration** to view detailed information about your new integration. -15. (Optional) Once you’ve added an integration, you can edit the ingest pipeline by going to **Project Settings → Stack Management → Ingest Pipelines**. +15. (Optional) Once you’ve added an integration, you can edit the ingest pipeline by going to the **Ingest Pipelines** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). ::::{tip} You can use the [Data Quality dashboard](/solutions/security/dashboards/data-quality-dashboard.md) to check the health of your data ingest pipelines and field mappings. diff --git a/solutions/security/get-started/elastic-security-ui.md b/solutions/security/get-started/elastic-security-ui.md index 5f05c70727..f81131e9ef 100644 --- a/solutions/security/get-started/elastic-security-ui.md +++ b/solutions/security/get-started/elastic-security-ui.md 
@@ -30,15 +30,6 @@ Filter for alerts, events, processes, and other important security data by enter * To save the current KQL query and any applied filters, select **Saved query menu** (![Saved query menu icon](/solutions/images/security-saved-query-menu-icon.png "title =20x20")), enter a name for the saved query, and select **Save saved query**. -## Navigation menu [navigation-menu-overview] - -The navigation menu contains direct links and expandable groups, identified by the group icon (![Group icon](/solutions/images/security-group-icon.png "title =20x20")). - -* Click a top-level link to go directly to its landing page, which contains links and information for related pages. -* Click a group’s icon (![Group icon](/solutions/images/security-group-icon.png "title =20x20")) to open its flyout menu, which displays links to related pages within that group. Click a link in the flyout to navigate to its landing page. -* Click the **Collapse side navigation** icon (![Side menu collapse icon](/solutions/images/security-side-button.png "title =20x20")) to collapse and expand the main navigation menu. - - ## Visualization actions [visualization-actions] Many {{elastic-sec}} histograms, graphs, and tables display an **Inspect** button (![Inspect icon](/solutions/images/security-inspect-icon.png "title =20x20")) when you hover over them. Click to examine the {{es}} queries used to retrieve data throughout the app. @@ -101,7 +92,7 @@ Expand this section to access the following dashboards, which provide interactiv - Overview - Detection & Response -- Kubernetes (in {{stack}}) +- {applies_to}`serverless: unavailable` Kubernetes - Cloud Security Posture - Cloud Native Vulnerability Management - Entity Analytics 
@@ -128,33 +119,48 @@ Expand this section to access the following pages: View and manage alerts to monitor activity within your network. Refer to [Detections and alerts](/solutions/security/detect-and-alert.md) for more information. -### Findings [_findings] +### Attack discovery -Identify misconfigurations and vulnerabilities in your cloud infrastructure. For setup instructions, refer to [Cloud Security Posture Management](/solutions/security/cloud/cloud-security-posture-management.md), [Kubernetes Security Posture Management](/solutions/security/cloud/kubernetes-security-posture-management.md), or [Cloud Native Vulnerability Management](/solutions/security/cloud/cloud-native-vulnerability-management.md). +Use large language models (LLMs) to analyze alerts in your environment and identify threats. Refer to [](/solutions/security/ai/attack-discovery.md) for more information. -### Cases [_cases] +### Assets [security-ui-assets] -Open and track security issues. Refer to [Cases](/solutions/security/investigate/cases.md) to learn more. +The Assets section allows you to manage the following features: +* [{{fleet}}](/reference/fleet/manage-elastic-agents-in-fleet.md) +* [Endpoint protection](/solutions/security/manage-elastic-defend.md) -### Investigations [security-ui-investigations] + * [Endpoints](/solutions/security/manage-elastic-defend/endpoints.md): View and manage hosts running {{elastic-defend}}. + * [Policies](/solutions/security/manage-elastic-defend/policies.md): View and manage {{elastic-defend}} integration policies. + * [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md): View and manage trusted Windows, macOS, and Linux applications. + * [Event filters](/solutions/security/manage-elastic-defend/event-filters.md): View and manage event filters, which allow you to filter endpoint events you don’t need to want stored in {{es}}. 
+ * [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md): View and manage host isolation exceptions, which specify IP addresses that can communicate with your hosts even when those hosts are blocked from your network. + * [Blocklist](/solutions/security/manage-elastic-defend/blocklist.md): View and manage the blocklist, which allows you to prevent specified applications from running on hosts, extending the list of processes that {{elastic-defend}} considers malicious. + * [Response actions history](/solutions/security/endpoint-response-actions/response-actions-history.md): Find the history of response actions performed on hosts. -Expand this section to access the following pages: +* [Cloud security](/solutions/security/cloud.md) -* [Timelines](../investigate/timeline.md): Investigate alerts and complex threats — such as lateral movement — in your network. Timelines are interactive and allow you to share your findings with other team members. - ::::{tip} - Click the **Timeline** button at the bottom of the {{security-app}} to start an investigation. +### Cases [_cases] - :::: +Open and track security issues. Refer to [Cases](/solutions/security/investigate/cases.md) to learn more. -* [Osquery](../investigate/osquery.md): Deploy Osquery with {{agent}}, then run and schedule queries. +### Entity analytics +```yaml {applies_to} +stack: ga 9.1 +serverless: ga +``` + +:::{admonition} Requirements +To access this section, turn on the `securitySolution:enablePrivilegedUserMonitoring` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#access-privileged-user-monitoring). +::: -### Intelligence [_intelligence] +Expand this section to access the following pages: -The Intelligence section contains the Indicators page, which collects data from enabled threat intelligence feeds and provides a centralized view of indicators of compromise (IoCs). 
Refer to [Indicators of compromise](/troubleshoot/security/indicators-of-compromise.md) to learn more. +- [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md): Access a comprehensive overview of entity risk scores and anomalies identified by prebuilt {{anomaly-jobs}}. +- [Privileged user monitoring](/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md): Set up your privileged users and monitor their activities to identify suspicious behavior. ### Explore [_explore] 
@@ -168,38 +174,30 @@ Expand this section to access the following pages: * [Users](/solutions/security/explore/users-page.md): Access a comprehensive overview of user data to help you understand authentication and user behavior within your environment. -### Assets [security-ui-assets] +### Investigations [security-ui-investigations] -The Assets section allows you to manage the following features: +Expand this section to access the following pages: -* [{{fleet}}](/reference/fleet/manage-elastic-agents-in-fleet.md) -* [Endpoint protection](/solutions/security/manage-elastic-defend.md) +* [Timelines](../investigate/timeline.md): Investigate alerts and complex threats — such as lateral movement — in your network. Timelines are interactive and allow you to share your findings with other team members. - * [Endpoints](/solutions/security/manage-elastic-defend/endpoints.md): View and manage hosts running {{elastic-defend}}. - * [Policies](/solutions/security/manage-elastic-defend/policies.md): View and manage {{elastic-defend}} integration policies. - * [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md): View and manage trusted Windows, macOS, and Linux applications. - * [Event filters](/solutions/security/manage-elastic-defend/event-filters.md): View and manage event filters, which allow you to filter endpoint events you don’t need to want stored in {{es}}. - * [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md): View and manage host isolation exceptions, which specify IP addresses that can communicate with your hosts even when those hosts are blocked from your network. - * [Blocklist](/solutions/security/manage-elastic-defend/blocklist.md): View and manage the blocklist, which allows you to prevent specified applications from running on hosts, extending the list of processes that {{elastic-defend}} considers malicious. 
- * [Response actions history](/solutions/security/endpoint-response-actions/response-actions-history.md): Find the history of response actions performed on hosts. + ::::{tip} + Click the **Timeline** button at the bottom of the {{security-app}} to start an investigation. -* [Cloud security](/solutions/security/cloud.md) + :::: +* [Notes](/solutions/security/investigate/notes.md): View and interact with all existing notes. -### Entity analytics -```yaml {applies_to} -stack: ga 9.1 -serverless: ga -``` +* [Osquery](../investigate/osquery.md): Deploy Osquery with {{agent}}, then run and schedule queries. -:::{admonition} Requirements -To access this section, turn on the `securitySolution:enablePrivilegedUserMonitoring` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#access-privileged-user-monitoring). -::: -Expand this section to access the following pages: +### Findings [_findings] -- [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md): Access a comprehensive overview of entity risk scores and anomalies identified by prebuilt {{anomaly-jobs}}. -- [Privileged user monitoring](/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md): Set up your privileged users and monitor their activities to identify suspicious behavior. +Identify misconfigurations and vulnerabilities in your cloud infrastructure. For setup instructions, refer to [Cloud Security Posture Management](/solutions/security/cloud/cloud-security-posture-management.md), [Kubernetes Security Posture Management](/solutions/security/cloud/kubernetes-security-posture-management.md), or [Cloud Native Vulnerability Management](/solutions/security/cloud/cloud-native-vulnerability-management.md). + + +### Intelligence [_intelligence] + +The Intelligence section contains the Indicators page, which collects data from enabled threat intelligence feeds and provides a centralized view of indicators of compromise (IoCs). 
Refer to [Indicators of compromise](/troubleshoot/security/indicators-of-compromise.md) to learn more. ### {{ml-cap}} [security-ui-ml-cap] @@ -214,26 +212,15 @@ Quickly add security integrations that can ingest data and monitor your hosts. Use additional API and analysis tools to interact with your data. - ### Management [_manage] -```yaml {applies_to} -stack: all -``` -Expand this section to access and manage: -- Additional security features -- [Stack monitoring](/deploy-manage/monitor/stack-monitoring.md) -- [{{integrations}}](/reference/fleet/manage-integrations.md) - -### Project Settings -```yaml {applies_to} -serverless: all -``` +Use the management or project settings pages to access and manage: -Expand this section to access and manage: - Additional security features +- {applies_to}`stack: ga` [Stack monitoring](/deploy-manage/monitor/stack-monitoring.md) - [{{integrations}}](/reference/fleet/manage-integrations.md) -- [Billing](/deploy-manage/cloud-organization/billing/serverless-project-billing-dimensions.md) and [subscription](/deploy-manage/cloud-organization/billing/manage-subscription.md) options for your {{serverless-short}} project +- Indices, data streams, and rollups +- {applies_to}`serverless: ga` [Billing](/deploy-manage/cloud-organization/billing/serverless-project-billing-dimensions.md) and [subscription](/deploy-manage/cloud-organization/billing/manage-subscription.md) options for your {{serverless-short}} project ## Accessibility features [timeline-accessibility-features]
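Review bot: in the automatic-import.md hunk, step 15 now tells readers to find the **Ingest Pipelines** page "using the navigation menu", but this same patch deletes the "Navigation menu" overview section from elastic-security-ui.md, so there is no longer a page describing that menu to point at. Either keep a short navigation description somewhere or reword step 15 to lean on the global search link only (for example "by searching for **Ingest Pipelines** in the [global search field](...)").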
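Review bot: the first elastic-security-ui.md hunk removes the `## Navigation menu [navigation-menu-overview]` heading together with its explicit anchor; any inbound links to `#navigation-menu-overview` elsewhere in the docs set will break silently. Grep for that anchor before merging and either add a redirect or update the referring pages.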
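Review bot: in the `@@ -128,33 +119,48 @@` hunk, the moved Event filters bullet carries the pre-existing typo "filter endpoint events you don’t need to want stored in {{es}}" verbatim; since the line is being touched anyway, fix it to "events you don’t want stored in {{es}}". Also, the new `### Attack discovery` heading is the only heading in this list without an explicit anchor id (siblings use `[_cases]`, `[security-ui-assets]`, `[_findings]`); add one so the generated anchor is stable.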
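Review bot: in the `@@ -168,38 +174,30 @@` hunk, the `::::{tip}` block under Investigations is now separated from the Timelines bullet by a blank line and the `* [Notes]` bullet follows the closing `::::` with no blank line; confirm that the tip still renders nested under the Timelines item rather than as a detached admonition between list items. The two consecutive blank lines before `### Intelligence [_intelligence]` should be reduced to one to match the spacing used elsewhere in the file.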
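Review bot: the last hunk drops the `### Project Settings` heading, so any inbound link to its generated anchor will break; check for references before merging. In the merged list, `- Indices, data streams, and rollups` is the only entry that differs by deployment type without an `{applies_to}` badge, while the neighbouring Stack monitoring and Billing entries are marked `stack: ga` and `serverless: ga` respectively; confirm that all three items apply to both {{stack}} and {{serverless-short}}, and badge the line if they do not.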