diff --git a/raw-migrated-files/docs-content/serverless/security-asset-criticality.md b/raw-migrated-files/docs-content/serverless/security-asset-criticality.md deleted file mode 100644 index 4ad67e4988..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-asset-criticality.md +++ /dev/null 
@@ -1,131 +0,0 @@ -# Asset criticality [security-asset-criticality] - -::::{admonition} Requirements -:class: note - -To view and assign asset criticality, you must have the appropriate user role. For more information, refer to [Entity risk scoring prerequisites](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md). - -:::: - - -The asset criticality feature allows you to classify your organization’s entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. - -You can assign one of the following asset criticality levels to your entities, based on their impact: - -* Low impact -* Medium impact -* High impact -* Extreme impact - -For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. - - -## View and assign asset criticality [security-asset-criticality-view-and-assign-asset-criticality] - -Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or [bulk assign](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#security-asset-criticality-bulk-assign-asset-criticality) it to multiple entities by importing a text file. - -When you assign, change, or unassign an individual entity’s asset criticality level, that entity’s risk score is immediately recalculated. - -::::{note} -If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. However, you can trigger an immediate recalculation by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. 
- -:::: - - -You can view, assign, change, or unassign asset criticality from the following places in the {{elastic-sec}} app: - -* The [host details page](../../../solutions/security/explore/hosts-page.md#host-details-page) and [user details page](../../../solutions/security/explore/users-page.md#security-users-page-user-details-page): - - :::{image} ../../../images/serverless--assign-asset-criticality-host-details.png - :alt: Assign asset criticality from the host details page - :class: screenshot - ::: - -* The [host details flyout](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-host-details-flyout) and [user details flyout](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout): - - :::{image} ../../../images/serverless--assign-asset-criticality-host-flyout.png - :alt: Assign asset criticality from the host details flyout - :class: screenshot - ::: - -* The host details flyout and user details flyout in [Timeline](../../../solutions/security/investigate/timeline.md): - - :::{image} ../../../images/serverless--assign-asset-criticality-timeline.png - :alt: Assign asset criticality from the host details flyout in Timeline - :class: screenshot - ::: - - - -### Bulk assign asset criticality [security-asset-criticality-bulk-assign-asset-criticality] - -You can bulk assign asset criticality to multiple entities by importing a CSV, TXT or TSV file from your asset management tools. - -The file must contain three columns, with each entity record listed on a separate row: - -1. The first column should indicate whether the entity is a `host` or a `user`. -2. The second column should specify the entity’s `host.name` or `user.name`. -3. The third column should specify one of the following asset criticality levels: - - * `extreme_impact` - * `high_impact` - * `medium_impact` - * `low_impact` - - -The maximum file size is 1 MB. 
- -File structure example: - -```txt -user,user-001,low_impact -user,user-002,medium_impact -host,host-001,extreme_impact -``` - -To import a file: - -1. Go to **Project Settings** → **Stack Management** → **Entity Store**. -2. Select or drag and drop the file you want to import. - - ::::{note} - The file validation step highlights any lines that don’t follow the required file structure. The asset criticality levels for those entities won’t be assigned. We recommend that you fix any invalid lines and re-upload the file. - - :::: - -3. Click **Assign**. - -This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows. - -You can trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. - - -## Improve your security operations [security-asset-criticality-improve-your-security-operations] - -With asset criticality, you can improve your security operations by: - -* [Prioritizing open alerts](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#security-asset-criticality-prioritize-open-alerts) -* [Monitoring an entity’s risk](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#security-asset-criticality-monitor-an-entitys-risk) - - -### Prioritize open alerts [security-asset-criticality-prioritize-open-alerts] - -You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. - -Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. 
This additional context allows you to [prioritize alerts associated with business-critical entities](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#security-analyze-risk-score-data-triage-alerts-associated-with-high-risk-or-business-critical-entities). - - -### Monitor an entity’s risk [security-asset-criticality-monitor-an-entitys-risk] - -The risk scoring engine dynamically factors in an entity’s asset criticality, along with `Open` and `Acknowledged` detection alerts to [calculate the entity’s overall risk score](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring.md#security-entity-risk-scoring-how-is-risk-score-calculated). This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. - -To view the impact of asset criticality on an entity’s risk score, follow these steps: - -1. Open the [host details flyout](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-host-details-flyout) or [user details flyout](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout). The risk summary section shows asset criticality’s contribution to the overall risk score. -2. Click **View risk contributions** to open the flyout’s left panel. -3. In the **Risk contributions** section, verify the entity’s criticality level from the time the alert was generated. - -:::{image} ../../../images/serverless--asset-criticality-impact.png -:alt: View asset criticality impact on host risk score -:class: screenshot -::: diff --git a/raw-migrated-files/docs-content/serverless/security-entity-risk-scoring.md b/raw-migrated-files/docs-content/serverless/security-entity-risk-scoring.md deleted file mode 100644 index fc516fde7c..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-entity-risk-scoring.md +++ /dev/null 
@@ -1,94 +0,0 @@ -# Entity risk scoring [security-entity-risk-scoring] - -Entity risk scoring is an advanced {{elastic-sec}} analytics feature that helps security analysts detect changes in an entity’s risk posture, hunt for new threats, and prioritize incident response. - -Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days. - -It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {{elastic-sec}} use cases, and allows you to customize and control how and when risk is calculated. - - -## Risk scoring inputs [security-entity-risk-scoring-risk-scoring-inputs] - -Entity risk scores are determined by the following risk inputs: - -| Risk input | Storage location | -| --- | --- | -| [Alerts](../../../solutions/security/detect-and-alert/manage-detection-alerts.md) | `.alerts-security.alerts-` index alias | -| [Asset criticality level](../../../solutions/security/advanced-entity-analytics/asset-criticality.md) | `.asset-criticality.asset-criticality-` index alias | - -The resulting entity risk scores are stored in the `risk-score.risk-score-` data stream alias. - -::::{note} -Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score. - -:::: - - - -## How is risk score calculated? [security-entity-risk-scoring-how-is-risk-score-calculated] - -1. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. 
- - ::::{note} - When [turning on the risk engine](../../../solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md), you can choose to also include `Closed` alerts in risk scoring calculations. - :::: - -2. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-host-risk-summary). -3. The engine then verifies the entity’s [asset criticality level](../../../solutions/security/advanced-entity-analytics/asset-criticality.md). If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity’s risk summary. - - | Asset criticality level | Default risk weight | - | --- | --- | - | Low impact | 0.5 | - | Medium impact | 1 | - | High impact | 1.5 | - | Extreme impact | 2 | - - ::::{note} - Asset criticality levels and default risk weights are subject to change. - - :::: - -4. Based on the two risk inputs, the risk scoring engine generates a single entity risk score of 0-100. It assigns a risk level by mapping the risk score to one of these levels: - - | Risk level | Risk score | - | --- | --- | - | Unknown | < 20 | - | Low | 20-40 | - | Moderate | 40-70 | - | High | 70-90 | - | Critical | > 90 | - - -::::{dropdown} Click for a risk score calculation example -This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**. 
- -There are 5 open alerts associated with `User_A`: - -* Alert 1 with alert risk score 21 -* Alert 2 with alert risk score 45 -* Alert 3 with alert risk score 21 -* Alert 4 with alert risk score 70 -* Alert 5 with alert risk score 21 - -
-To calculate the user risk score, the risk scoring engine: - -1. Sorts the associated alerts in descending order of alert risk score: - - * Alert 4 with alert risk score 70 - * Alert 2 with alert risk score 45 - * Alert 1 with alert risk score 21 - * Alert 3 with alert risk score 21 - * Alert 5 with alert risk score 21 - -2. Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category. -3. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**. -4. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95. -5. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level. - -If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16. - -:::: - - -Learn how to [turn on the risk scoring engine](../../../solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). diff --git a/raw-migrated-files/security-docs/security/asset-criticality.md b/raw-migrated-files/security-docs/security/asset-criticality.md deleted file mode 100644 index e9d2d446b4..0000000000 --- a/raw-migrated-files/security-docs/security/asset-criticality.md +++ /dev/null 
@@ -1,134 +0,0 @@ -# Asset criticality [asset-criticality] - -::::{admonition} Requirements -To view and assign asset criticality, you must have the appropriate user role. For more information, refer to [Entity risk scoring requirements](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md). - -:::: - - -The asset criticality feature allows you to classify your organization’s entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. - -You can assign one of the following asset criticality levels to your entities, based on their impact: - -* Low impact -* Medium impact -* High impact -* Extreme impact - -For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. - - -## View and assign asset criticality [_view_and_assign_asset_criticality] - -Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or [bulk assign](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#bulk-assign-asset-criticality) it to multiple entities by importing a text file. Alternatively, you can assign and manage asset criticality records through the [*Asset criticality API*](https://www.elastic.co/guide/en/security/current/asset-criticality-api-overview.html). - -When you assign, change, or unassign an individual entity’s asset criticality level, that entity’s risk score is immediately recalculated. - -::::{note} -If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. However, you can trigger an immediate recalculation by clicking **Recalculate entity risk scores now**. 
Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. -:::: - - -You can view, assign, change, or unassign asset criticality from the following places in the {{elastic-sec}} app: - -* The [host details page](../../../solutions/security/explore/hosts-page.md#host-details-page) and [user details page](../../../solutions/security/explore/users-page.md#user-details-page): - - :::{image} ../../../images/security-assign-asset-criticality-host-details.png - :alt: Assign asset criticality from the host details page - :class: screenshot - ::: - -* The [host details flyout](../../../solutions/security/explore/hosts-page.md#host-details-flyout) and [user details flyout](../../../solutions/security/explore/users-page.md#user-details-flyout): - - :::{image} ../../../images/security-assign-asset-criticality-host-flyout.png - :alt: Assign asset criticality from the host details flyout - :class: screenshot - ::: - -* The host details flyout and user details flyout in [Timeline](../../../solutions/security/investigate/timeline.md): - - :::{image} ../../../images/security-assign-asset-criticality-timeline.png - :alt: Assign asset criticality from the host details flyout in Timeline - :class: screenshot - ::: - - -If you have enabled the [entity store](../../../solutions/security/advanced-entity-analytics/entity-store.md), you can also view asset criticality assignments in the [**Entities** section](../../../solutions/security/dashboards/entity-analytics-dashboard.md#entity-entities) of the Entity Analytics dashboard: - -:::{image} ../../../images/security-entities-section.png -:alt: Entities section -:class: screenshot -::: - - -### Bulk assign asset criticality [bulk-assign-asset-criticality] - -You can bulk assign asset criticality to multiple entities by importing a CSV, TXT or TSV file from your asset management tools. 
- -The file must contain three columns, with each entity record listed on a separate row: - -1. The first column should indicate whether the entity is a `host` or a `user`. -2. The second column should specify the entity’s `host.name` or `user.name`. -3. The third column should specify one of the following asset criticality levels: - - * `extreme_impact` - * `high_impact` - * `medium_impact` - * `low_impact` - - -The maximum file size is 1 MB. - -File structure example: - -```txt -user,user-001,low_impact -user,user-002,medium_impact -host,host-001,extreme_impact -``` - -To import a file: - -1. Find **Entity Store** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Select or drag and drop the file you want to import. - - ::::{note} - The file validation step highlights any lines that don’t follow the required file structure. The asset criticality levels for those entities won’t be assigned. We recommend that you fix any invalid lines and re-upload the file. - :::: - -3. Click **Assign**. - -This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows. - -You can trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. 
- - -## Improve your security operations [_improve_your_security_operations] - -With asset criticality, you can improve your security operations by: - -* [Prioritizing open alerts](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#prioritize-open-alerts) -* [Monitoring an entity’s risk](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#monitor-entity-risk) - - -### Prioritize open alerts [prioritize-open-alerts] - -You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. - -Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to [prioritize alerts associated with business-critical entities](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#triage-alerts-associated-with-high-risk-or-business-critical-entities). - - -### Monitor an entity’s risk [monitor-entity-risk] - -The risk scoring engine dynamically factors in an entity’s asset criticality, along with `Open` and `Acknowledged` detection alerts to [calculate the entity’s overall risk score](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated). This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. - -To view the impact of asset criticality on an entity’s risk score, follow these steps: - -1. Open the [host details flyout](../../../solutions/security/explore/hosts-page.md#host-details-flyout) or [user details flyout](../../../solutions/security/explore/users-page.md#user-details-flyout). The risk summary section shows asset criticality’s contribution to the overall risk score. -2. Click **View risk contributions** to open the flyout’s left panel. -3. 
In the **Risk contributions** section, verify the entity’s criticality level from the time the alert was generated. - -:::{image} ../../../images/security-asset-criticality-impact.png -:alt: View asset criticality impact on host risk score -:class: screenshot -::: diff --git a/raw-migrated-files/security-docs/security/entity-risk-scoring.md b/raw-migrated-files/security-docs/security/entity-risk-scoring.md deleted file mode 100644 index df66f0b8e1..0000000000 --- a/raw-migrated-files/security-docs/security/entity-risk-scoring.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# Entity risk scoring [entity-risk-scoring] - -::::{admonition} -If you’ve installed the original user and host risk score modules, refer to [Host risk score](https://www.elastic.co/guide/en/security/8.11/host-risk-score.html) and [User risk score](https://www.elastic.co/guide/en/security/8.11/user-risk-score.html). - -:::: - - -Entity risk scoring is an advanced {{elastic-sec}} analytics feature that helps security analysts detect changes in an entity’s risk posture, hunt for new threats, and prioritize incident response. - -Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days. - -It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {{elastic-sec}} use cases, and allows you to customize and control how and when risk is calculated. - - -## Risk scoring inputs [_risk_scoring_inputs] - -Entity risk scores are determined by the following risk inputs: - -| Risk input | Storage location | -| --- | --- | -| [Alerts](../../../solutions/security/detect-and-alert/manage-detection-alerts.md) | `.alerts-security.alerts-` index alias | -| [Asset criticality level](../../../solutions/security/advanced-entity-analytics/asset-criticality.md) | `.asset-criticality.asset-criticality-` index alias | - -The resulting entity risk scores are stored in the `risk-score.risk-score-` data stream alias. - -::::{note} -Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score. -:::: - - - -## How is risk score calculated? [how-is-risk-score-calculated] - -1. 
The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. - - ::::{note} - When [turning on the risk engine](../../../solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md), you can choose to also include `Closed` alerts in risk scoring calculations. - :::: - -2. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](../../../solutions/security/explore/hosts-page.md#host-risk-summary). -3. The engine then verifies the entity’s [asset criticality level](../../../solutions/security/advanced-entity-analytics/asset-criticality.md). If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity’s risk summary. - - | Asset criticality level | Default risk weight | - | --- | --- | - | Low impact | 0.5 | - | Medium impact | 1 | - | High impact | 1.5 | - | Extreme impact | 2 | - - ::::{note} - Asset criticality levels and default risk weights are subject to change. - :::: - -4. Based on the two risk inputs, the risk scoring engine generates a single entity risk score of 0-100. 
It assigns a risk level by mapping the risk score to one of these levels: - - | Risk level | Risk score | - | --- | --- | - | Unknown | < 20 | - | Low | 20-40 | - | Moderate | 40-70 | - | High | 70-90 | - | Critical | > 90 | - - -::::{dropdown} Click for a risk score calculation example -This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**. - -There are 5 open alerts associated with `User_A`: - -* Alert 1 with alert risk score 21 -* Alert 2 with alert risk score 45 -* Alert 3 with alert risk score 21 -* Alert 4 with alert risk score 70 -* Alert 5 with alert risk score 21 - -To calculate the user risk score, the risk scoring engine: - -1. Sorts the associated alerts in descending order of alert risk score: - - * Alert 4 with alert risk score 70 - * Alert 2 with alert risk score 45 - * Alert 1 with alert risk score 21 - * Alert 3 with alert risk score 21 - * Alert 5 with alert risk score 21 - -2. Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category. -3. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**. -4. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95. -5. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level. - -If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16. - -:::: - - -Learn how to [turn on the latest risk scoring engine](../../../solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index df39317fcc..c2c3621c9f 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml 
@@ -416,7 +416,6 @@ toc: - file: docs-content/serverless/security-alerts-run-osquery.md - file: docs-content/serverless/security-allowlist-endpoint.md - file: docs-content/serverless/security-analyze-risk-score-data.md - - file: docs-content/serverless/security-asset-criticality.md - file: docs-content/serverless/security-automated-response-actions.md - file: docs-content/serverless/security-automatic-import.md - file: docs-content/serverless/security-behavioral-detection-use-cases.md @@ -463,7 +462,6 @@ toc: - file: docs-content/serverless/security-endpoint-protection-intro.md - file: docs-content/serverless/security-endpoint-self-protection.md - file: docs-content/serverless/security-endpoints-page.md - - file: docs-content/serverless/security-entity-risk-scoring.md - file: docs-content/serverless/security-environment-variable-capture.md - file: docs-content/serverless/security-ers-requirements.md - file: docs-content/serverless/security-event-filters.md @@ -809,7 +807,6 @@ toc: - file: security-docs/security/allowlist-endpoint-3rd-party-av-apps.md - file: security-docs/security/analyze-risk-score-data.md - file: security-docs/security/artifact-control.md - - file: security-docs/security/asset-criticality.md - file: security-docs/security/assistant-connect-to-azure-openai.md - file: security-docs/security/assistant-connect-to-bedrock.md - file: security-docs/security/assistant-connect-to-openai.md @@ -865,7 +862,6 @@ toc: - file: security-docs/security/endpoint-protection-intro.md - file: security-docs/security/endpoint-protection-rules.md - file: security-docs/security/endpoint-self-protection.md - - file: security-docs/security/entity-risk-scoring.md - file: security-docs/security/environment-variable-capture.md - file: security-docs/security/ers-requirements.md - file: security-docs/security/es-overview.md 
diff --git a/solutions/security/advanced-entity-analytics/asset-criticality.md b/solutions/security/advanced-entity-analytics/asset-criticality.md index c0d9eb08de..0bc67e621b 100644 --- a/solutions/security/advanced-entity-analytics/asset-criticality.md +++ b/solutions/security/advanced-entity-analytics/asset-criticality.md 
@@ -4,25 +4,138 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-asset-criticality.html --- -# Asset criticality +# Asset criticality [asset-criticality] -% What needs to be done: Lift-and-shift +::::{admonition} Requirements +To view and assign asset criticality, you must have the appropriate user role. For more information, refer to [Entity risk scoring requirements](entity-risk-scoring-requirements.md). -% Use migrated content from existing pages that map to this page: +:::: -% - [ ] ./raw-migrated-files/security-docs/security/asset-criticality.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-asset-criticality.md -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): +The asset criticality feature allows you to classify your organization’s entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. -$$$bulk-assign-asset-criticality$$$ +You can assign one of the following asset criticality levels to your entities, based on their impact: -$$$prioritize-open-alerts$$$ +* Low impact +* Medium impact +* High impact +* Extreme impact -$$$security-asset-criticality-bulk-assign-asset-criticality$$$ +For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. -$$$security-asset-criticality-prioritize-open-alerts$$$ -$$$security-asset-criticality-monitor-an-entitys-risk$$$ +## View and assign asset criticality [_view_and_assign_asset_criticality] + +Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or [bulk assign](#bulk-assign-asset-criticality) it to multiple entities by importing a text file. 
Alternatively, you can assign and manage asset criticality records through the [*Asset criticality API*](https://www.elastic.co/docs/api/doc/kibana/v8/group/endpoint-security-entity-analytics-api). + +When you assign, change, or unassign an individual entity’s asset criticality level, that entity’s risk score is immediately recalculated. + +::::{note} +If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. However, you can trigger an immediate recalculation by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. +:::: + + +You can view, assign, change, or unassign asset criticality from the following places in the {{elastic-sec}} app: + +* The [host details page](../explore/hosts-page.md#host-details-page) and [user details page](../explore/users-page.md#user-details-page): + + :::{image} ../../../images/security-assign-asset-criticality-host-details.png + :alt: Assign asset criticality from the host details page + :class: screenshot + ::: + +* The [host details flyout](../explore/hosts-page.md#host-details-flyout) and [user details flyout](../explore/users-page.md#user-details-flyout): + + :::{image} ../../../images/security-assign-asset-criticality-host-flyout.png + :alt: Assign asset criticality from the host details flyout + :class: screenshot + ::: + +* The host details flyout and user details flyout in [Timeline](../investigate/timeline.md): + + :::{image} ../../../images/security-assign-asset-criticality-timeline.png + :alt: Assign asset criticality from the host details flyout in Timeline + :class: screenshot + ::: + + +If you have enabled the [entity store](entity-store.md), you can also view asset criticality assignments in the [**Entities** section](../dashboards/entity-analytics-dashboard.md#entity-entities) of the Entity Analytics dashboard: + +:::{image} 
../../../images/security-entities-section.png +:alt: Entities section +:class: screenshot +::: + + +### Bulk assign asset criticality [bulk-assign-asset-criticality] + +You can bulk assign asset criticality to multiple entities by importing a CSV, TXT or TSV file from your asset management tools. + +The file must contain three columns, with each entity record listed on a separate row: + +1. The first column should indicate whether the entity is a `host` or a `user`. +2. The second column should specify the entity’s `host.name` or `user.name`. +3. The third column should specify one of the following asset criticality levels: + + * `extreme_impact` + * `high_impact` + * `medium_impact` + * `low_impact` + + +The maximum file size is 1 MB. + +File structure example: + +```txt +user,user-001,low_impact +user,user-002,medium_impact +host,host-001,extreme_impact +``` + +To import a file: + +1. Find **Entity Store** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Select or drag and drop the file you want to import. + + ::::{note} + The file validation step highlights any lines that don’t follow the required file structure. The asset criticality levels for those entities won’t be assigned. We recommend that you fix any invalid lines and re-upload the file. + :::: + +3. Click **Assign**. + +This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows. + +You can trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. 
+ + +## Improve your security operations [_improve_your_security_operations] + +With asset criticality, you can improve your security operations by: + +* [Prioritizing open alerts](asset-criticality.md#prioritize-open-alerts) +* [Monitoring an entity’s risk](asset-criticality.md#monitor-entity-risk) + + +### Prioritize open alerts [prioritize-open-alerts] + +You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. + +Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to [prioritize alerts associated with business-critical entities](view-analyze-risk-score-data.md#triage-alerts-associated-with-high-risk-or-business-critical-entities). + + +### Monitor an entity’s risk [monitor-entity-risk] + +The risk scoring engine dynamically factors in an entity’s asset criticality, along with `Open` and `Acknowledged` detection alerts to [calculate the entity’s overall risk score](entity-risk-scoring.md#how-is-risk-score-calculated). This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. + +To view the impact of asset criticality on an entity’s risk score, follow these steps: + +1. Open the [host details flyout](../explore/hosts-page.md#host-details-flyout) or [user details flyout](../explore/users-page.md#user-details-flyout). The risk summary section shows asset criticality’s contribution to the overall risk score. +2. Click **View risk contributions** to open the flyout’s left panel. +3. In the **Risk contributions** section, verify the entity’s criticality level from the time the alert was generated. 
+ +:::{image} ../../../images/security-asset-criticality-impact.png +:alt: View asset criticality impact on host risk score +:class: screenshot +::: -$$$monitor-entity-risk$$$ \ No newline at end of file diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md index 46327c7a75..5eee0076b7 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md 
@@ -4,17 +4,96 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-entity-risk-scoring.html --- -# Entity risk scoring +# Entity risk scoring [security-entity-risk-scoring] -% What needs to be done: Lift-and-shift +Entity risk scoring is an advanced {{elastic-sec}} analytics feature that helps security analysts detect changes in an entity’s risk posture, hunt for new threats, and prioritize incident response. -% Use migrated content from existing pages that map to this page: +Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days. -% - [ ] ./raw-migrated-files/security-docs/security/entity-risk-scoring.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-entity-risk-scoring.md +It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {{elastic-sec}} use cases, and allows you to customize and control how and when risk is calculated. -% Internal links rely on the following IDs being on this page (e.g. 
as a heading ID, paragraph ID, etc): -$$$how-is-risk-score-calculated$$$ +## Risk scoring inputs [security-entity-risk-scoring-risk-scoring-inputs] -$$$security-entity-risk-scoring-how-is-risk-score-calculated$$$ \ No newline at end of file +Entity risk scores are determined by the following risk inputs: + +| Risk input | Storage location | +| --- | --- | +| [Alerts](../detect-and-alert/manage-detection-alerts.md) | `.alerts-security.alerts-` index alias | +| [Asset criticality level](asset-criticality.md) | `.asset-criticality.asset-criticality-` index alias | + +The resulting entity risk scores are stored in the `risk-score.risk-score-` data stream alias. + +::::{note} +Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score. + +:::: + + + +## How is risk score calculated? [how-is-risk-score-calculated] + +1. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. + + ::::{note} + When [turning on the risk engine](turn-on-risk-scoring-engine.md), you can choose to also include `Closed` alerts in risk scoring calculations. + :::: + +2. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](../explore/hosts-page.md#security-hosts-overview-host-risk-summary). +3. The engine then verifies the entity’s [asset criticality level](asset-criticality.md). If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. 
The asset criticality risk input is assigned to the **Asset Criticality** category in the entity’s risk summary. + + | Asset criticality level | Default risk weight | + | --- | --- | + | Low impact | 0.5 | + | Medium impact | 1 | + | High impact | 1.5 | + | Extreme impact | 2 | + + ::::{note} + Asset criticality levels and default risk weights are subject to change. + + :::: + +4. Based on the two risk inputs, the risk scoring engine generates a single entity risk score of 0-100. It assigns a risk level by mapping the risk score to one of these levels: + + | Risk level | Risk score | + | --- | --- | + | Unknown | < 20 | + | Low | 20-40 | + | Moderate | 40-70 | + | High | 70-90 | + | Critical | > 90 | + + +::::{dropdown} Click for a risk score calculation example +This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**. + +There are 5 open alerts associated with `User_A`: + +* Alert 1 with alert risk score 21 +* Alert 2 with alert risk score 45 +* Alert 3 with alert risk score 21 +* Alert 4 with alert risk score 70 +* Alert 5 with alert risk score 21 + +To calculate the user risk score, the risk scoring engine: + +1. Sorts the associated alerts in descending order of alert risk score: + + * Alert 4 with alert risk score 70 + * Alert 2 with alert risk score 45 + * Alert 1 with alert risk score 21 + * Alert 3 with alert risk score 21 + * Alert 5 with alert risk score 21 + +2. Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category. +3. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**. +4. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95. +5. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level. + +If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16. 
+ +:::: + + +Learn how to [turn on the risk scoring engine](turn-on-risk-scoring-engine.md).
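Review bot: in the asset-criticality.md hunk, the removed scaffolding comment states that internal links rely on `$$$security-asset-criticality-bulk-assign-asset-criticality$$$`, `$$$security-asset-criticality-prioritize-open-alerts$$$` and `$$$security-asset-criticality-monitor-an-entitys-risk$$$` existing on this page, yet the new headings only carry `[bulk-assign-asset-criticality]`, `[prioritize-open-alerts]` and `[monitor-entity-risk]`, and the H1 ID changes from `[security-asset-criticality]` to `[asset-criticality]`; any inbound link still using the old IDs will break. Either keep those `$$$...$$$` anchors beside the matching headings or confirm every inbound link has been updated. Style point in the same hunk: the "Improve your security operations" list links `asset-criticality.md#prioritize-open-alerts` and `asset-criticality.md#monitor-entity-risk` from within asset-criticality.md itself, while the earlier bulk-assign link uses the bare same-page form `(#bulk-assign-asset-criticality)`; use one form consistently.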
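Review bot: in the entity-risk-scoring.md hunk, the risk level table assigns 40 to both `Low` (20-40) and `Moderate` (40-70), and 70 to both `Moderate` and `High` (70-90), so the bucket for a score exactly on a boundary is undefined; state the inclusive/exclusive bounds explicitly (for example `20 to < 40`, or whatever the engine actually does). Two smaller points: the note under "Risk scoring inputs" says entities with only `Closed` alerts get no risk score, but step 1's note says `Closed` alerts can be included when turning on the engine, so clarify whether the first statement holds only with the default setting; and the removed `$$$security-entity-risk-scoring-how-is-risk-score-calculated$$$` anchor was listed as one that internal links depend on, while the new heading keeps only `[how-is-risk-score-calculated]`, so check inbound links or retain the anchor.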