diff --git a/solutions/images/security-gs-ingest-data.png b/solutions/images/security-gs-ingest-data.png new file mode 100644 index 0000000000..5adc792845 Binary files /dev/null and b/solutions/images/security-gs-ingest-data.png differ diff --git a/solutions/security/get-started.md b/solutions/security/get-started.md index 9e9a01f9e1..dce5ef4a09 100644 --- a/solutions/security/get-started.md +++ b/solutions/security/get-started.md 
@@ -14,19 +14,50 @@ products: New to {{elastic-sec}}? Follow the instructions in this topic to get started. Then, review the rest of the Get Started section to learn how to use the UI, review requirements, and discover more about our security features. -:::::{{stepper}} -::::{{step}} Install the Elastic Stack +::::::{{stepper}} +:::::{{step}} Choose your deployment type -To use {{elastic-sec}}, at minimum, you'll need to install {{es}} and {{kib}}—the core components of the {{stack}}. Elastic provides several self-managed or Elastic-managed installation options. For simplicity and speed, we recommend one of our [{{ecloud}}](/deploy-manage/deploy/elastic-cloud.md) options—either {{ech}} or {{serverless-full}}. However, if you prefer to install Elastic on your own infrastructure, you can deploy a [self-managed cluster](/deploy-manage/deploy/self-managed.md). Check out our [deployment types](/deploy-manage/deploy.md#choosing-your-deployment-type) to learn more. +Elastic provides several self-managed and Elastic-managed options. For simplicity and speed, we recommend [](./elastic-security-serverless.md), which enables you to run {{elastic-sec}} in fully managed environment so you don’t have to manage the underlying {{es}} cluster and {{kib}} instances. + +::::{dropdown} Create an Elastic Security Serverless project + +There are two options to create serverless projects: +- If you're a new user, [sign up for a free 14-day trial](https://cloud.elastic.co/serverless-registration) to create a serverless project. For more information about {{ecloud}} trials, check out [Trial information](/deploy-manage/deploy/elastic-cloud/create-an-organization.md#general-sign-up-trial-what-is-included-in-my-trial). +- If you're an existing customer, [log in to {{ecloud}}](https://cloud.elastic.co/login) and follow [these instructions](./get-started/create-security-project.md) on how to create a serverless project. 
+ +:::{note} +You need the `admin` predefined role or an equivalent custom role to create projects. For more information, refer to [User roles and privileges](https://www.elastic.co/docs/deploy-manage/users-roles/cloud-organization/user-roles). +::: + +After you've created your project, you're ready to move on to the next step. :::: +Alternatively, if you prefer a self-managed deployment, you can create a [local development installation](https://www.elastic.co/docs/deploy-manage/deploy/self-managed/local-development-installation-quickstart) in Docker: + +```sh +curl -fsSL https://elastic.co/start-local | sh +``` + +Check out the full list of [deployment types](/deploy-manage/deploy.md#choosing-your-deployment-type) to learn more. + +::::: + ::::{{step}} Ingest your data -After you've deployed {{elastic-sec}}, the next step is to get data into the product before you can search, analyze, or use any visualization tools. The easiest way to get data into {{elastic-sec}} is through one of our [Security integrations](https://www.elastic.co/integrations/data-integrations?solution=security)—pre-packaged collections of assets that allows you to easily collect, store, and visualize any data from any source. You can add an integration directly from the **Get Started** page within the **Ingest your data** section. Choose from one of our recommended integrations, or select another tab to browse by category. Elastic also provides different [ingestion tools](../../manage-data/ingest/tools.md) to meet your infrastructure needs. +After you've deployed {{elastic-sec}}, the next step is to get data into the product before you can search, analyze, or use any visualization tools. The easiest way to get data into {{elastic-sec}} is through one of our integrations—a pre-packaged collection of assets that allows you to easily collect, store, and visualize any data from any source. You can add an integration directly from the **Get Started** page within the **Ingest your data** section: +1. 
At the top of page, click **Set up Security**. +2. In the Ingest your data section, click Add data with integrations. +3. Choose from one of our recommended integrations, or select another tab to browse by category. +:::{image} /solutions/images/security-gs-ingest-data.png +:alt: Ingest data +:screenshot: +::: + +Elastic also provides different [ingestion methods](/manage-data/ingest.md) to meet your infrastructure needs. :::{{tip}} -If you have data from a source that doesn't yet have an integration, you can use our [Automatic Import tool](/solutions/security/get-started/automatic-import.md). +If you have data from a source that doesn't yet have an integration, you can use our [Automatic Import tool](/solutions/security/get-started/automatic-import.md). ::: :::: @@ -35,7 +66,7 @@ Not sure where to start exploring {{elastic-sec}} or which features may be relevant to you? Continue to the next topic to view our [quickstart guides](../security/get-started/quickstarts.md), each of which is tailored to a specific use case and helps you complete a core task so you can get up and running. :::: -::::: +:::::: ## Related resources @@ -44,5 +75,6 @@ Use these resources to learn more about {{elastic-sec}} or get started in a diff * Migrate your SIEM rules from Splunk's Search Processing Language (SPL) to Elasticsearch Query Language ({{esql}}) using [Automatic Migration](../security/get-started/automatic-migration.md). * Check out the numerous [Security integrations](https://www.elastic.co/integrations/data-integrations?solution=security) available to collect and process your data. * Get started with [AI for Security](../security/ai.md). +* Learn how to use {{es}} Query Language ({{esql}}) for [security use cases](/solutions/security/esql-for-security.md). * View our [release notes](../../release-notes/elastic-security/index.md) for the latest updates. 
diff --git a/solutions/security/get-started/get-started-cloud-security.md b/solutions/security/get-started/get-started-cloud-security.md index a86758fbef..e8383462c3 100644 --- a/solutions/security/get-started/get-started-cloud-security.md +++ b/solutions/security/get-started/get-started-cloud-security.md @@ -13,7 +13,7 @@ In this quickstart guide, you'll learn how to get started with Elastic Security ## Prerequisites -* Access to an {{sec-serverless}} project. If you don't have one yet, refer to [Create a Security project](/solutions/security/get-started/create-security-project.md) to learn how to create one. +* You can follow this guide using any deployment. To get up and running quickly, we recommend [](/solutions/security/elastic-security-serverless.md) with the **Security Analytics Complete** [feature tier](/deploy-manage/deploy/elastic-cloud/project-settings.md#elastic-sec-project-features). To see all deployment options, refer to [](/deploy-manage/deploy.md#choosing-your-deployment-type). * An admin account for the cloud service provider (CSP) you want to use. diff --git a/solutions/security/get-started/get-started-detect-with-siem.md b/solutions/security/get-started/get-started-detect-with-siem.md index 295a2d42da..a9c67c31e8 100644 --- a/solutions/security/get-started/get-started-detect-with-siem.md +++ b/solutions/security/get-started/get-started-detect-with-siem.md 
@@ -13,13 +13,15 @@ In this quickstart guide, we'll learn how to use some of {{elastic-sec}}'s SIEM ## Prerequisites -* Access to an {{sec-serverless}} project. If you don't have one yet, refer to [Create a Security project](/solutions/security/get-started/create-security-project.md). -* Ensure you have the appropriate [{{elastic-defend}} feature privileges](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). - +* You can follow this guide using any deployment. To get up and running quickly, we recommend [](/solutions/security/elastic-security-serverless.md) with the **Security Analytics Complete** [feature tier](/deploy-manage/deploy/elastic-cloud/project-settings.md#elastic-sec-project-features). To see all deployment options, refer to [](/deploy-manage/deploy.md#choosing-your-deployment-type). +* If you're using the recommended integration in this guide, {{elastic-defend}}, then: + * Ensure you have the minimum system requirements to install {{elastic-defend}}. Refer to [](/solutions/security/configure-elastic-defend/elastic-defend-requirements.md) for more information. + * Ensure you grant the appropriate [{{elastic-defend}} sub-feature privileges](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). At minimum, you need `All` access for the **Endpoint List** and **Elastic Defend Policy Management** sub-features. +* We recommend `manage` and `write` access to manage rules and alerts. Refer to [Detection requirements](/solutions/security/detect-and-alert/detections-requirements.md#enable-detections-ui) for required cluster, index, and space privileges. ## Add data using {{elastic-defend}} -Before you can start using {{elastic-sec}}, you need to choose an integration to start collecting and analyzing your data. For this guide, we're going to use the {{elastic-defend}} integration. 
{{elastic-defend}} detects and protects endpoints from malicious activity, and provides automated response options before damage and loss occur. You have full control over which protections are enabled +Before you can begin using {{elastic-sec}}, you need to choose an integration to start collecting and analyzing your data. For this guide, we're going to use the {{elastic-defend}} integration. {{elastic-defend}} detects and protects endpoints from malicious activity, and provides automated response options before damage and loss occur. You have full control over which protections are turned on. :::::{stepper} ::::{step} Install the Elastic Defend integration @@ -64,7 +66,7 @@ If you’re using macOS, some versions may require you to grant {{elastic-endpoi ::::{step} Modify policy configuration settings -After you install the {{agent}} with {{elastic-defend}}, the Endpoint Security ({{elastic-defend}}) detection rule is automatically enabled and can generate either detection or protection alerts. +After you install the {{agent}} with {{elastic-defend}}, the Endpoint Security ({{elastic-defend}}) detection rule is automatically turned on and can generate detection or protection alerts. You can can also set up endpoint protections—such as preventions against malware, ransomware, memory threats, and other malicious behavior—on protected hosts. This means that {{elastic-defend}} not only monitors for these behaviors and generates an alert when they are detected but also blocks them. Due to this maximum level of protection, we recommend modifying the policy to _detect_ instead of _prevent_ so that only an alert will be generated, and you can decide how to respond to the threat. Then, closely monitor which alerts and how many are generating over a specific time period before enabling higher protection, if needed. 
@@ -83,9 +85,9 @@ For a comprehensive explanation of all endpoint protections and policy settings, ## Add Elastic prebuilt detection rules -Detection rules allow you to monitor your environment by searching for source events, matches, sequences, or {{ml}} job anomaly results that meet their criteria. When a rule’s criteria are met, {{elastic-sec}} generates an alert. While you can create your own rules tailored for your environment, Elastic ships out-of-the-box prebuilt rules that you can install. Remember that if you installed {{elastic-defend}}, the Endpoint Security rule is already enabled. +Detection rules allow you to monitor your environment by searching for source events, matches, sequences, or {{ml}} job anomaly results that meet their criteria. When a rule’s criteria are met, {{elastic-sec}} generates an alert. Although you can create your own rules tailored for your environment, Elastic ships out-of-the-box prebuilt rules that you can install. Remember that if you installed {{elastic-defend}}, the Endpoint Security rule is already turned on. -:::{dropdown} Steps to install and enable prebuilt rules +:::{dropdown} Steps to install and turn on prebuilt rules 1. On the **Get Started** page, scroll down to the **Configure rules and alerts** section. 2. Click **Install Elastic rules**, then **Add Elastic rules**. The **Rules** page displays. 3. At the top of the page, click **Add Elastic rules**. The badge next to it shows the number of prebuilt rules available for installation. 
@@ -98,20 +100,22 @@ Detection rules allow you to monitor your environment by searching for source ev ::: 6. Select the check box next to the rules you want to install. To select all rules on the page, select the check box to the left of the **Rule** column heading. We recommend installing all the rules for your operating system, but you can install whichever rules you're comfortable with to start. You can always install more later. -7. Click ![Vertical boxes button](/solutions/images/serverless-boxesVertical.svg "") → **Install and enable** to install and start running the rules. Alternatively, after a rule is installed, you can enable it from the installed rules table. Once you enable a rule, it starts running on its configured schedule. +7. Click ![Vertical boxes button](/solutions/images/serverless-boxesVertical.svg "") → **Install and enable** to install and start running the rules. Alternatively, after a rule is installed, you can turn it on from the installed rules table. Once you turn on a rule, it starts running on its configured schedule. :::{image} /solutions/images/security-gs-siem-install-rules.png :alt: Alerts page with visualizations section collapsed :screenshot: ::: - To learn how to view and manage all detection rules, refer to [Manage detection rules](/solutions/security/detect-and-alert/manage-detection-rules.md). +::::{tip} +{{elastic-sec}} regularly updates prebuilt rules to ensure they detect the latest threats. However, you must manually update these rules with the latest version. To learn how to do this, refer to [Update prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#update-prebuilt-rules). To learn how to view and manage all detection rules, refer to [Manage detection rules](/solutions/security/detect-and-alert/manage-detection-rules.md). 
+:::: ::: ## Visualize and examine alert details -Now that you've installed and enabled rules, it's time to monitor your {{sec-serverless}} project to see if you receive any alerts. Remember, an alert is generated if any of the rule's criteria are met. {{elastic-sec}} provides several tools for investigating security events: +Now that you've installed and turned on rules, it's time to monitor your {{sec-serverless}} project to see if you receive any alerts. Remember, an alert is generated if any of the rule's criteria are met. {{elastic-sec}} provides several tools for investigating security events: * **Alerts table:** View all generated alerts in a comprehensive list, apply filters for a customized view, and drill down into details. * **Timeline:** Explore alerts in a central, interactive workspace. Create customized queries and collaborate on incident analysis by combining data from various sources. diff --git a/solutions/security/get-started/get-started-endpoint-security.md b/solutions/security/get-started/get-started-endpoint-security.md index 1f29b42ed3..0fe3c17634 100644 --- a/solutions/security/get-started/get-started-endpoint-security.md +++ b/solutions/security/get-started/get-started-endpoint-security.md 
@@ -13,11 +13,11 @@ In this guide, you’ll learn how to use {{elastic-sec}} to protect your hosts f ## Prerequisites -* Access to an {{sec-serverless}} project. If you don't have one yet, refer to [Create a Security project](/solutions/security/get-started/create-security-project.md) to learn how to create one. -* Ensure you have the appropriate [{{elastic-defend}} feature privileges](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). -* Ensure you have the appropriate user role to configure an integration policy and access the **Endpoints** page. +* You can follow this guide using any deployment. To get up and running quickly, we recommend [](/solutions/security/elastic-security-serverless.md) with the **Security Analytics Complete** [feature tier](/deploy-manage/deploy/elastic-cloud/project-settings.md#elastic-sec-project-features). To see all deployment options, refer to [](/deploy-manage/deploy.md#choosing-your-deployment-type). +* Ensure you have the minimum system requirements to install {{elastic-defend}}. Refer to [](/solutions/security/configure-elastic-defend/elastic-defend-requirements.md) for more information. +* Ensure you grant the appropriate [{{elastic-defend}} sub-feature privileges](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). We recommend granting them all, but at minimum, you need `All` access for the **Endpoint List** and **Elastic Defend Policy Management** sub-features. -## Enable {{elastic-defend}} +## Install {{elastic-defend}} :::::{stepper} ::::{step} Install the Elastic Defend integration 
@@ -61,7 +61,7 @@ If you’re using macOS, some versions may require you to grant {{elastic-endpoi ::::{step} Modify policy configuration settings -After you install the {{agent}} with {{elastic-defend}}, several endpoint protections—such as preventions against malware, ransomware, memory threats, and other malicious behavior—are automatically enabled on protected hosts. If any of these behaviors are detected, {{elastic-defend}} generates an alert, and by default, prevents the malicious activity from completing. However, you can tailor the policy configuration to meet your organization’s security needs. +After you install the {{agent}} with {{elastic-defend}}, several endpoint protections—such as preventions against malware, ransomware, memory threats, and other malicious behavior—are automatically turned on for protected hosts. If any of these behaviors are detected, {{elastic-defend}} generates an alert, and by default, prevents the malicious activity from completing. However, you can tailor the policy configuration to meet your organization’s security needs. :::{tip} You may want to consider analyzing which and how many alerts are generated over a specific time period to identify common patterns or anomalies before you make any policy changes. Check out the [SIEM quick start guide](/solutions/security/get-started/get-started-detect-with-siem.md) to learn more about how to monitor alerts. 
@@ -84,7 +84,7 @@ For a comprehensive explanation of all endpoint protections and policy settings, ::::: ## Manage endpoints -Now that you've got endpoint protection enabled, it's important not only to monitor your environment for alerts, but to manage your hosts to ensure they're healthy and have all appropriate security settings. +Now that you've got endpoint protection turned on, it's important not only to monitor your environment for alerts, but to manage your hosts to ensure they're healthy and have all appropriate security settings. :::{{note}} You must have `admin` privileges to manage endpoints. 
@@ -115,9 +115,8 @@ You can apply trusted applications, blocklist entries, and host isolation except ## Next steps -After your hosts are secure and your environment has all the appropriate security configuration enabled, we recommend taking these next steps: +After your hosts are secure and your environment has all the appropriate security settings configured, we recommend taking these next steps: * Check out the [Hosts page](/solutions/security/explore/hosts-page.md) for a comprehensive overview of all hosts and host-related security events. This page is also useful to identify uncommon processes and anomalies discovered by {{ml}} jobs. -* Enable prebuilt detection rules. You're already set to receive endpoint threat alerts from {{elastic-defend}}, but did you know {{elastic-sec}} ships with several out-of-the-box rules that you can enable? Check out our [SIEM quick start guide](/solutions/security/get-started/get-started-detect-with-siem.md#add-elastic-prebuilt-detection-rules) or our [documentation](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules). +* Install and turn on prebuilt detection rules. You're already set to receive endpoint threat alerts from {{elastic-defend}}, but did you know {{elastic-sec}} ships with several out-of-the-box rules that you can turn on? Check out our [SIEM quick start guide](/solutions/security/get-started/get-started-detect-with-siem.md#add-elastic-prebuilt-detection-rules) or our [documentation](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules). * Discover all the other tools available to [manage {{elastic-defend}}](/solutions/security/manage-elastic-defend.md). -* Learn how to manage your [data lifecycle](/manage-data/lifecycle.md), including how long data is retained, and how indices can be transitioned through data tiers according to your performance needs and retention policies. \ No newline at end of file
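Review bot: in the new "Choose your deployment type" step of `get-started.md`, "run {{elastic-sec}} in fully managed environment" is missing an article ("in a fully managed environment"), and in the "Ingest your data" steps "At the top of page" should read "At the top of the page" while step 2 leaves its UI labels unbolded, unlike step 1 (suggest "In the **Ingest your data** section, click **Add data with integrations**."). The same hunk mixes `::::::{{stepper}}` / `:::::{{step}}` (doubled braces) with `::::{dropdown}` and `:::{note}` (single braces); pick one form so the directives render consistently. For the local Docker alternative, the `curl ... | sh` one-liner runs a remote script directly; consider telling readers they can download and inspect the script before running it.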
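Review bot: in the "Related resources" hunk of `get-started.md`, the new bullet expands {{esql}} as "{{es}} Query Language" while the Automatic Migration bullet two lines above spells it "Elasticsearch Query Language ({{esql}})"; use one expansion in the list.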
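Review bot: in the prerequisites hunk of `get-started-detect-with-siem.md`, "We recommend `manage` and `write` access to manage rules and alerts" does not say what those privileges apply to (a cluster, an index pattern, or a Kibana feature), so it reads as an unverifiable minimum; either name the target or drop the inline privilege names and rely on the linked Detection requirements page. Also, the first bullet now says any deployment works but the **Security Analytics Complete** feature tier exists only for serverless projects; make that scoping explicit.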
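Review bot: in the prebuilt-rules hunk of `get-started-detect-with-siem.md`, the new `::::{tip}` (four colons) is nested inside a dropdown opened with `:::{dropdown}` (three colons); with MyST-style colon fences an inner directive should use fewer colons than its enclosing one, otherwise the tip's closing `::::` can be taken as closing the dropdown and leave the following `:::` dangling. Open the dropdown with `::::{dropdown}` and close it with `::::`, or shorten the tip to `:::{tip}` and adjust the enclosing fences, and verify the rendered page shows the tip inside the dropdown.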
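Review bot: in the "Visualize and examine alert details" hunk of `get-started-detect-with-siem.md`, "monitor your {{sec-serverless}} project" is now stale, because the prerequisites in this same file were changed to say the guide works with any deployment; "monitor your deployment" (or similar) keeps the two consistent.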
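Review bot: in the prerequisites hunk of `get-started-endpoint-security.md`, renaming the heading from "Enable {{elastic-defend}}" to "Install {{elastic-defend}}" changes the generated anchor; search the docs for inbound links to the old anchor (`#enable-elastic-defend`) and update them or add a redirect before merging.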
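Review bot: in the "Next steps" hunk of `get-started-endpoint-security.md`, the data lifecycle bullet (retention and data tiers) is removed with no replacement and no rationale in the change; retention guidance is relevant to an endpoint quickstart's next steps, so either restore the bullet or state where that guidance now lives. The removal also leaves the file without a trailing newline ("\ No newline at end of file"); add one back.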