From c8ac823c22d149cdcfb9d6512e37fef378d76187 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 11 Feb 2025 12:12:01 -0500 Subject: [PATCH 01/12] first draft --- ...enable-threat-intelligence-integrations.md | 78 ++++++++++++++++++- 1 file changed, 76 insertions(+), 2 deletions(-) diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index 6a21391c66..267b6ec68d 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md +++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md @@ -4,7 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-threat-intelligence.html --- -# Enable threat intelligence integrations +# Enable threat intelligence integrations [security-enable-threat-intelligence-integrations] % What needs to be done: Lift-and-shift 
@@ -19,4 +19,78 @@ $$$agent-ti-integration$$$ $$$custom-ti-integration$$$ -$$$ti-mod-integration$$$ \ No newline at end of file +$$$ti-mod-integration$$$ + + +The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of [threat indicators](../../../troubleshoot/security/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources. + +Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator. + +::::{note} +To learn more about alerts with threat intelligence, visit [View alert details](../../../solutions/security/detect-and-alert/view-detection-alert-details.md). + +:::: + + +You can connect to threat intelligence sources using an [{{agent}} integration](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#agent-ti-integration), the [Threat Intel module](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#ti-mod-integration), or a [custom integration](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#custom-ti-integration). + +:::{image} ../../../images/serverless--getting-started-threat-intelligence-view.png +:alt: The Threat Intelligence view on the Overview dashboard +:class: screenshot +::: + +There are a few scenarios when data won’t display in the Threat Intelligence view: + +* If you’ve chosen a time range that doesn’t contain threat indicator event data, you are prompted to choose a different range. Use the date and time picker in the {{security-app}} to select a new range to analyze. 
+* If the {{agent}} or {{filebeat}} agent hasn’t ingested Threat Intel module data yet, the threat indicator event counts won’t load. You can wait for data to be ingested or reach out to your administrator for help resolving this. + + +## Add an {{agent}} integration [agent-ti-integration] + +1. Install a [{{fleet}}-managed {{agent}}](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html) on the hosts you want to monitor. +2. In the Threat Intelligence view, click **Enable sources** to view the Integrations page. Scroll down and select **Elastic Agent only** to filter by {{agent}} integrations. + + ::::{tip} + If you know the name of {{agent}} integration you want to install, you can search for it directly. Alternatively, choose the **Threat Intelligence** category to display a list of available [threat intelligence integrations](https://docs.elastic.co/en/integrations/threat-intelligence-intro). + + :::: + +3. Select an {{agent}} integration, then complete the installation steps. +4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md#troubleshoot-indicators-page). + + +## Add a {{filebeat}} Threat Intel module integration [ti-mod-integration] + +% Substeps in step 2 will require inline versioning. Remember to update them when we have more guidance on handling line-level differences. + +1. Set up the [{{filebeat}} agent](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html) and enable the Threat Intel module. + + ::::{note} + For more information about enabling available threat intelligence filesets, refer to [Threat Intel module](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html). + + :::: + +2. 
Update the `securitySolution:defaultThreatIndex` [advanced setting](../../../solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`): + + * If you’re *only* using {{filebeat}} version 8.x, add the appropriate {{filebeat}} threat intelligence index pattern. For example, `logs-ti*`, `filebeat-8*`. + * If you’re using a previous version of Filebeat *and* a current one, differentiate between the threat intelligence indices by using unique index pattern names. For example, if you’re using {{filebeat}} version 7.0.0 and 8.0.0, update the setting to `logs-ti*`,`filebeat-7*`,`filebeat-8*`. + +3. Return to the Threat Intelligence view on the Overview dashboard. Refresh the page if indicator data isn’t displaying. + + +## Add a custom integration [custom-ti-integration] + +1. Set up a way to [ingest data](../../../solutions/security/get-started/ingest-data-to-elastic-security.md) into your system. +2. Update the `securitySolution:defaultThreatIndex` [advanced setting](../../../solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`), for example, `logs-ti*`,`custom-ti-index*`. + + ::::{note} + Threat intelligence indices aren’t required to be ECS compatible. However, we strongly recommend compatibility if you’d like your alerts to be enriched with relevant threat indicator information. You can find a list of ECS-compliant threat intelligence fields at [Threat Fields](https://www.elastic.co/guide/en/ecs/{{ecs_version}}/ecs-threat.html). + + :::: + +3. Return to the Threat Intelligence view on the Overview dashboard (**Dashboards** → **Overview**). Refresh the page if indicator data isn’t displaying. 
+ + ::::{note} + The Threat Intelligence view searches for a `threat.feed.name` field value to define the source name in the **Name** column. If a custom source doesn’t have the `threat.feed.name` field or hasn’t defined a `threat.feed.name` field value, it’s considered unnamed and labeled as **Other**. Dashboards aren’t created for unnamed sources unless the `threat.feed.dashboard_id` field is defined. + + :::: From 8d8d90a33caf2d447b46722fa5d9c1f91ef2d8b5 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 11 Feb 2025 15:14:17 -0500 Subject: [PATCH 02/12] More changes --- ...ting-started-threat-intelligence-view.png} | Bin .../serverless/security-overview-dashboard.md | 2 +- .../security-threat-intelligence.md | 72 ------------------ .../security/es-threat-intel-integrations.md | 68 ----------------- raw-migrated-files/toc.yml | 2 +- 5 files changed, 2 insertions(+), 142 deletions(-) rename images/{serverless--getting-started-threat-intelligence-view.png => getting-started-threat-intelligence-view.png} (100%) delete mode 100644 raw-migrated-files/docs-content/serverless/security-threat-intelligence.md delete mode 100644 raw-migrated-files/security-docs/security/es-threat-intel-integrations.md diff --git a/images/serverless--getting-started-threat-intelligence-view.png b/images/getting-started-threat-intelligence-view.png similarity index 100% rename from images/serverless--getting-started-threat-intelligence-view.png rename to images/getting-started-threat-intelligence-view.png diff --git a/raw-migrated-files/docs-content/serverless/security-overview-dashboard.md b/raw-migrated-files/docs-content/serverless/security-overview-dashboard.md index d470eb02e0..82e4710988 100644 --- a/raw-migrated-files/docs-content/serverless/security-overview-dashboard.md +++ b/raw-migrated-files/docs-content/serverless/security-overview-dashboard.md 
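Review bot: in step 2 of the new "Add a {{filebeat}} Threat Intel module integration" section, the suggested pattern `filebeat-8*` matches every index Filebeat 8.x writes, not only the Threat Intel module's output, so if that Filebeat instance also ships other data to its default index, all of those documents become candidate threat indicators for any indicator match rule that relies on `securitySolution:defaultThreatIndex`; either say so explicitly, or recommend routing the threatintel module output to a dedicated index and listing that narrower pattern. Two smaller points in the same hunk: the first example is written `logs-ti*`, `filebeat-8*` with a space after the comma while the other two examples are written without one (`logs-ti*`,`filebeat-7*`,`filebeat-8*`), and since the setting is a comma-separated list the page should use one form; and the troubleshooting bullet "If the {{agent}} or {{filebeat}} agent hasn't ingested Threat Intel module data yet" applies the module's name to the {{agent}} path, which uses integrations rather than the module, so "threat intelligence data" would cover both. Also worth checking: step 1 of the {{agent}} section says to install the agent "on the hosts you want to monitor", but a threat intelligence integration pulls indicators from a third-party source rather than from the host it runs on, so one agent carrying the integration is enough and adding it to every monitored host would fetch the same feed repeatedly.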
@@ -58,7 +58,7 @@ For more information about connecting to threat intelligence sources, visit [Ena :::: -:::{image} ../../../images/serverless--getting-started-threat-intelligence-view.png +:::{image} ../../../images/getting-started-threat-intelligence-view.png :alt: Threat Intelligence view on the Overview dashboard :class: screenshot ::: diff --git a/raw-migrated-files/docs-content/serverless/security-threat-intelligence.md b/raw-migrated-files/docs-content/serverless/security-threat-intelligence.md deleted file mode 100644 index d7ffffc888..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-threat-intelligence.md +++ /dev/null 
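Review bot: this hunk updates the image path only in security-overview-dashboard.md, but the page added in patch 01, solutions/security/get-started/enable-threat-intelligence-integrations.md, still references `../../../images/serverless--getting-started-threat-intelligence-view.png`, so after this commit that page has a broken image until patch 04 changes the same line; fold that one-line fix into this patch so the rename and all of its references land together.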
@@ -1,72 +0,0 @@ -# Enable threat intelligence integrations [security-threat-intelligence] - -The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of [threat indicators](../../../troubleshoot/security/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources. - -Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator. - -::::{note} -To learn more about alerts with threat intelligence, visit [View alert details](../../../solutions/security/detect-and-alert/view-detection-alert-details.md). - -:::: - - -Refer to the following sections to learn how to connect to threat intelligence sources using an [{{agent}} integration](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#agent-ti-integration), the [Threat Intel module](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#ti-mod-integration), or a [custom integration](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#custom-ti-integration). - -:::{image} ../../../images/serverless--getting-started-threat-intelligence-view.png -:alt: The Threat Intelligence view on the Overview dashboard -:class: screenshot -::: - -There are a few scenarios when data won’t display in the Threat Intelligence view: - -* If you’ve chosen a time range that doesn’t contain threat indicator event data, you are prompted to choose a different range. Use the date and time picker in the {{security-app}} to select a new range to analyze. 
-* If the {{agent}} or {{filebeat}} agent hasn’t ingested Threat Intel module data yet, the threat indicator event counts won’t load. You can wait for data to be ingested or reach out to your administrator for help resolving this. - - -## Add an {{agent}} integration [agent-ti-integration] - -1. Install a [{{fleet}}-managed {{agent}}](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html) on the hosts you want to monitor. -2. In the Threat Intelligence view, click **Enable sources** to view the Integrations page. Scroll down and select **Elastic Agent only** to filter by {{agent}} integrations. - - ::::{tip} - If you know the name of {{agent}} integration you want to install, you can search for it directly. Alternatively, choose the **Threat Intelligence** category to display a list of available [threat intelligence integrations](https://docs.elastic.co/en/integrations/threat-intelligence-intro). - - :::: - -3. Select an {{agent}} integration, then complete the installation steps. -4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md#troubleshoot-indicators-page). - - -## Add a {{filebeat}} Threat Intel module integration [ti-mod-integration] - -1. Set up the [{{filebeat}} agent](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html) and enable the Threat Intel module. - - ::::{note} - For more information about enabling available threat intelligence filesets, refer to [Threat Intel module](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html). - - :::: - -2. 
Update the `securitySolution:defaultThreatIndex` [advanced setting](../../../solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`): - - 1. If you’re *only* using {{filebeat}} version 8.x, add the appropriate {{filebeat}} threat intelligence index pattern. For example, `logs-ti*`, `filebeat-8*`. - 2. If you’re using a previous version of Filebeat *and* a current one, differentiate between the threat intelligence indices by using unique index pattern names. For example, if you’re using {{filebeat}} version 7.0.0 and 8.0.0, update the setting to `logs-ti*`,`filebeat-7*`,`filebeat-8*`. - -3. Return to the Threat Intelligence view on the Overview dashboard. Refresh the page if indicator data isn’t displaying. - - -## Add a custom integration [custom-ti-integration] - -1. Set up a way to [ingest data](../../../solutions/security/get-started/ingest-data-to-elastic-security.md) into your system. -2. Update the `securitySolution:defaultThreatIndex` [advanced setting](../../../solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`), for example, `logs-ti*`,`custom-ti-index*`. - - ::::{note} - Threat intelligence indices aren’t required to be ECS compatible. However, we strongly recommend compatibility if you’d like your alerts to be enriched with relevant threat indicator information. You can find a list of ECS-compliant threat intelligence fields at [Threat Fields](https://www.elastic.co/guide/en/ecs/{{ecs_version}}/ecs-threat.html). - - :::: - -3. Return to the Threat Intelligence view on the Overview dashboard (**Dashboards** → **Overview**). Refresh the page if indicator data isn’t displaying. 
- - ::::{note} - The Threat Intelligence view searches for a `threat.feed.name` field value to define the source name in the **Name** column. If a custom source doesn’t have the `threat.feed.name` field or hasn’t defined a `threat.feed.name` field value, it’s considered unnamed and labeled as **Other**. Dashboards aren’t created for unnamed sources unless the `threat.feed.dashboard_id` field is defined. - - :::: diff --git a/raw-migrated-files/security-docs/security/es-threat-intel-integrations.md b/raw-migrated-files/security-docs/security/es-threat-intel-integrations.md deleted file mode 100644 index f5e2bc69ea..0000000000 --- a/raw-migrated-files/security-docs/security/es-threat-intel-integrations.md +++ /dev/null 
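Review bot: deleting raw-migrated-files/docs-content/serverless/security-threat-intelligence.md here leaves its entry in raw-migrated-files/toc.yml in place (the `- file: docs-content/serverless/security-threat-intelligence.md` line that patch 03 later removes), so this commit on its own points the toc at a file that no longer exists; the toc removal belongs in this patch alongside the deletion.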
@@ -1,68 +0,0 @@ -# Enable threat intelligence integrations [es-threat-intel-integrations] - -The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of [threat indicators](../../../troubleshoot/security/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources. - -Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator. - -::::{note} -To learn more about alerts with threat intelligence, visit [View alert details](../../../solutions/security/detect-and-alert/view-detection-alert-details.md). -:::: - - -You can connect to threat intelligence sources using an [{{agent}} integration](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#agent-ti-integration), the [Threat Intel module](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#ti-mod-integration), or a [custom integration](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#custom-ti-integration). - -:::{image} ../../../images/security-threat-intelligence-view.png -:alt: threat intelligence view -:class: screenshot -::: - -There are a few scenarios when data won’t display in the Threat Intelligence view: - -* If you’ve chosen a time range that doesn’t contain threat indicator event data, you are prompted to choose a different range. Use the date and time picker in the {{security-app}} or Kibana to select a new range to analyze. -* If the {{agent}} or {{filebeat}} agent hasn’t ingested Threat Intel module data yet, the threat indicator event counts won’t load. 
You can wait for data to be ingested or reach out to your administrator for help resolving this. - - -## Add an {{agent}} integration [agent-ti-integration] - -1. Install a [{{fleet}}-managed {{agent}}](https://www.elastic.co/guide/en/fleet/current/install-fleet-managed-elastic-agent.html) on the hosts you want to monitor. -2. In the Threat Intelligence view, click **Enable sources** to view the Integrations page. Scroll down and select **Elastic Agent only** to filter by {{agent}} integrations. - - ::::{tip} - If you know the name of {{agent}} integration you want to install, you can search for it directly. Alternatively, choose the **Threat Intelligence** category to display a list of available [threat intelligence {{integrations}}](https://docs.elastic.co/en/integrations/threat-intelligence-intro). - - :::: - -3. Select an {{agent}} integration, then complete the installation steps. -4. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn’t displaying, refresh the page or refer to these [troubleshooting steps](../../../troubleshoot/security/indicators-of-compromise.md#troubleshoot-indicators-page). - - -## Add a {{filebeat}} Threat Intel module integration [ti-mod-integration] - -1. Set up the [{{filebeat}} agent](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html) and enable the Threat Intel module. - - ::::{note} - For more information about enabling available threat intelligence filesets, refer to [Threat Intel module](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html). - :::: - -2. Update the `securitySolution:defaultThreatIndex` [advanced setting](../../../solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`): - - 1. 
If you’re *only* using {{filebeat}} version 8.x, add the appropriate {{filebeat}} threat intelligence index pattern. For example, `logs-ti*`, `filebeat-8*`. - 2. If you’re using a previous version of Filebeat *and* a current one, differentiate between the threat intelligence indices by using unique index pattern names. For example, if you’re using {{filebeat}} version 7.0.0 and 8.0.0, update the setting to `logs-ti*`,`filebeat-7*`,`filebeat-8*`. - -3. Return to the Threat Intelligence view on the Overview dashboard. Refresh the page if indicator data isn’t displaying. - - -## Add a custom integration [custom-ti-integration] - -1. Set up a way to [ingest data](../../../solutions/security/get-started/ingest-data-to-elastic-security.md) into your system. -2. Update the `securitySolution:defaultThreatIndex` [advanced setting](../../../solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`), for example, `logs-ti*`,`custom-ti-index*`. - - ::::{note} - Threat intelligence indices aren’t required to be ECS compatible. However, we strongly recommend compatibility if you’d like your alerts to be enriched with relevant threat indicator information. You can find a list of ECS-compliant threat intelligence fields at [Threat Fields](https://www.elastic.co/guide/en/ecs/{{ecs_version}}/ecs-threat.html). - :::: - -3. Return to the Threat Intelligence view on the Overview dashboard (**Dashboards → Overview**). Refresh the page if indicator data isn’t displaying. - - ::::{note} - The Threat Intelligence view searches for a `threat.feed.name` field value to define the source name in the **Name** column. If a custom source doesn’t have the `threat.feed.name` field or hasn’t defined a `threat.feed.name` field value, it’s considered unnamed and labeled as **Other**. 
Dashboards aren’t created for unnamed sources unless the `threat.feed.dashboard_id` field is defined. - :::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index b5242cb2ea..430e5b3fd9 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -862,7 +862,7 @@ toc: - file: security-docs/security/environment-variable-capture.md - file: security-docs/security/ers-requirements.md - file: security-docs/security/es-overview.md - - file: security-docs/security/es-threat-intel-integrations.md + - file: security-docs/security/enable-threat-intelligence-integrations.md - file: security-docs/security/es-ui-overview.md - file: security-docs/security/esql-queries-assistant.md - file: security-docs/security/event-filters.md From faca4b2833912f9a189435166b7cb8a2eb48925a Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 11 Feb 2025 15:26:36 -0500 Subject: [PATCH 03/12] Removes refs from raw migrated toc --- raw-migrated-files/toc.yml | 2 -- .../get-started/enable-threat-intelligence-integrations.md | 7 ------- 2 files changed, 9 deletions(-) diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 430e5b3fd9..bfcea9a8dc 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -514,7 +514,6 @@ toc: - file: docs-content/serverless/security-signals-to-cases.md - file: docs-content/serverless/security-spaces.md - file: docs-content/serverless/security-third-party-actions.md - - file: docs-content/serverless/security-threat-intelligence.md - file: docs-content/serverless/security-timeline-templates-ui.md - file: docs-content/serverless/security-timelines-ui.md - file: docs-content/serverless/security-triage-alerts-with-elastic-ai-assistant.md 
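Review bot: the deleted ESS page referenced `../../../images/security-threat-intelligence-view.png`, but the patch stat lists no change to that image (only the serverless screenshot is renamed and reused by the merged page), so check whether anything else references images/security-threat-intelligence-view.png and remove it here if not, rather than leaving an orphaned screenshot in the repo.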
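Review bot: the toc.yml hunk replaces `- file: security-docs/security/es-threat-intel-integrations.md` with `- file: security-docs/security/enable-threat-intelligence-integrations.md`, but no file by that name is created under raw-migrated-files/security-docs/security/ in this patch; the consolidated content lives at solutions/security/get-started/enable-threat-intelligence-integrations.md, so the entry should be removed (as patch 03 ends up doing) rather than renamed to a path that does not exist.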
@@ -862,7 +861,6 @@ toc: - file: security-docs/security/environment-variable-capture.md - file: security-docs/security/ers-requirements.md - file: security-docs/security/es-overview.md - - file: security-docs/security/enable-threat-intelligence-integrations.md - file: security-docs/security/es-ui-overview.md - file: security-docs/security/esql-queries-assistant.md - file: security-docs/security/event-filters.md diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index 267b6ec68d..bcd6aa7e74 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md +++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md @@ -6,13 +6,6 @@ mapped_urls: # Enable threat intelligence integrations [security-enable-threat-intelligence-integrations] -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [ ] ./raw-migrated-files/security-docs/security/es-threat-intel-integrations.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-threat-intelligence.md - % Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): $$$agent-ti-integration$$$ From d412fafe00a060c78590300c74e10902ab116cb5 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 11 Feb 2025 15:28:59 -0500 Subject: [PATCH 04/12] Update solutions/security/get-started/enable-threat-intelligence-integrations.md --- .../get-started/enable-threat-intelligence-integrations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index bcd6aa7e74..9e5b2ea011 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md 
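Review bot: the @@ -6,13 +6,6 hunk drops the lift-and-shift TODO but keeps the `% Internal links rely on the following IDs` comment and the three placeholder anchors `$$$agent-ti-integration$$$`, `$$$custom-ti-integration$$$` and `$$$ti-mod-integration$$$`, even though patch 01 already gave each section heading the same ID (`## Add an {{agent}} integration [agent-ti-integration]` and so on), so the page now defines each anchor twice; remove the placeholders and the comment together with the TODO and confirm the heading IDs resolve the inbound links on their own.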
+++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md @@ -27,7 +27,7 @@ To learn more about alerts with threat intelligence, visit [View alert details]( You can connect to threat intelligence sources using an [{{agent}} integration](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#agent-ti-integration), the [Threat Intel module](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#ti-mod-integration), or a [custom integration](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#custom-ti-integration). -:::{image} ../../../images/serverless--getting-started-threat-intelligence-view.png +:::{image} ../../../images/getting-started-threat-intelligence-view.png :alt: The Threat Intelligence view on the Overview dashboard :class: screenshot ::: From 39e3e84239114f9e0879262b520d4dd2813f6bea Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 12 Feb 2025 12:18:52 -0500 Subject: [PATCH 05/12] Update solutions/security/get-started/enable-threat-intelligence-integrations.md --- .../get-started/enable-threat-intelligence-integrations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index 9e5b2ea011..23fa231535 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md +++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md 
@@ -20,7 +20,7 @@ The Threat Intelligence view provides a streamlined way to collect threat intell Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator. ::::{note} -To learn more about alerts with threat intelligence, visit [View alert details](../../../solutions/security/detect-and-alert/view-detection-alert-details.md). +To learn more about alerts with threat intelligence, visit [View alert details](../detect-and-alert/view-detection-alert-details.md). :::: From 014a291f0d615f981a1a59fe8acbd4ae66d8a818 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 12 Feb 2025 12:19:00 -0500 Subject: [PATCH 06/12] Update solutions/security/get-started/enable-threat-intelligence-integrations.md --- .../get-started/enable-threat-intelligence-integrations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index 23fa231535..77f7d01dcf 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md +++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md 
@@ -25,7 +25,7 @@ To learn more about alerts with threat intelligence, visit [View alert details]( :::: -You can connect to threat intelligence sources using an [{{agent}} integration](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#agent-ti-integration), the [Threat Intel module](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#ti-mod-integration), or a [custom integration](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md#custom-ti-integration). +You can connect to threat intelligence sources using an [{{agent}} integration](#agent-ti-integration), the [Threat Intel module](#ti-mod-integration), or a [custom integration](#custom-ti-integration). :::{image} ../../../images/getting-started-threat-intelligence-view.png :alt: The Threat Intelligence view on the Overview dashboard From 87ceb0974f33310d106d7910dd619e9fdcf00964 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 12 Feb 2025 12:19:12 -0500 Subject: [PATCH 07/12] Update solutions/security/get-started/enable-threat-intelligence-integrations.md --- .../get-started/enable-threat-intelligence-integrations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index 77f7d01dcf..e7c1420176 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md +++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md 
@@ -63,7 +63,7 @@ There are a few scenarios when data won’t display in the Threat Intelligence v :::: -2. Update the `securitySolution:defaultThreatIndex` [advanced setting](../../../solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`): +2. Update the `securitySolution:defaultThreatIndex` [advanced setting](configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`): * If you’re *only* using {{filebeat}} version 8.x, add the appropriate {{filebeat}} threat intelligence index pattern. For example, `logs-ti*`, `filebeat-8*`. * If you’re using a previous version of Filebeat *and* a current one, differentiate between the threat intelligence indices by using unique index pattern names. For example, if you’re using {{filebeat}} version 7.0.0 and 8.0.0, update the setting to `logs-ti*`,`filebeat-7*`,`filebeat-8*`. From 0aa12e87820158dc3c2462389e217a8e165938f2 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 12 Feb 2025 12:19:19 -0500 Subject: [PATCH 08/12] Update solutions/security/get-started/enable-threat-intelligence-integrations.md --- .../get-started/enable-threat-intelligence-integrations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index e7c1420176..a60cb80592 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md +++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md 
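Review bot: this fixes the advanced-setting link in the Threat Intel module section but leaves the identical `../../../solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices` link in custom integration step 2 untouched until patch 09, and patches 05 through 09 are each a single-line link change to the same file; squash them into one "use page-relative links" commit so the file does not pass through five intermediate states with mixed link styles.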
@@ -73,7 +73,7 @@ There are a few scenarios when data won’t display in the Threat Intelligence v ## Add a custom integration [custom-ti-integration] -1. Set up a way to [ingest data](../../../solutions/security/get-started/ingest-data-to-elastic-security.md) into your system. +1. Set up a way to [ingest data](ingest-data-to-elastic-security.md) into your system. 2. Update the `securitySolution:defaultThreatIndex` [advanced setting](../../../solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`), for example, `logs-ti*`,`custom-ti-index*`. ::::{note} From fb434f9b6e27092233cf2ed9f4d04a173e41b573 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 12 Feb 2025 12:19:25 -0500 Subject: [PATCH 09/12] Update solutions/security/get-started/enable-threat-intelligence-integrations.md --- .../get-started/enable-threat-intelligence-integrations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index a60cb80592..2803ab4872 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md +++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md 
@@ -74,7 +74,7 @@ There are a few scenarios when data won’t display in the Threat Intelligence v ## Add a custom integration [custom-ti-integration] 1. Set up a way to [ingest data](ingest-data-to-elastic-security.md) into your system. -2. Update the `securitySolution:defaultThreatIndex` [advanced setting](../../../solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`), for example, `logs-ti*`,`custom-ti-index*`. +2. Update the `securitySolution:defaultThreatIndex` [advanced setting](configure-advanced-settings.md#update-threat-intel-indices) by adding the appropriate index pattern name after the default {{fleet}} threat intelligence index pattern (`logs-ti*`), for example, `logs-ti*`,`custom-ti-index*`. ::::{note} Threat intelligence indices aren’t required to be ECS compatible. However, we strongly recommend compatibility if you’d like your alerts to be enriched with relevant threat indicator information. You can find a list of ECS-compliant threat intelligence fields at [Threat Fields](https://www.elastic.co/guide/en/ecs/{{ecs_version}}/ecs-threat.html). From b8953e256c32bf202cb20c2d4238cb7126ece18c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 12 Feb 2025 17:40:42 -0500 Subject: [PATCH 10/12] Update solutions/security/get-started/enable-threat-intelligence-integrations.md --- .../get-started/enable-threat-intelligence-integrations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index 2803ab4872..29f2db0b21 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md +++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md 
@@ -44,7 +44,7 @@ There are a few scenarios when data won’t display in the Threat Intelligence v 2. In the Threat Intelligence view, click **Enable sources** to view the Integrations page. Scroll down and select **Elastic Agent only** to filter by {{agent}} integrations. ::::{tip} - If you know the name of {{agent}} integration you want to install, you can search for it directly. Alternatively, choose the **Threat Intelligence** category to display a list of available [threat intelligence integrations](https://docs.elastic.co/en/integrations/threat-intelligence-intro). + If you know the name of {{agent}} integration you want to install, you can search for it directly. Alternatively, choose the **Threat Intelligence** category to display a list of available [threat intelligence integrations]({{integrations-docs}}/threat-intelligence-intro). :::: From 8217d44e66ab124b2ce60a9f916e26831c1625e1 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 12 Feb 2025 17:45:49 -0500 Subject: [PATCH 11/12] Update solutions/security/get-started/enable-threat-intelligence-integrations.md --- .../get-started/enable-threat-intelligence-integrations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index 29f2db0b21..2803ab4872 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md +++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md 
@@ -44,7 +44,7 @@ There are a few scenarios when data won’t display in the Threat Intelligence v 2. In the Threat Intelligence view, click **Enable sources** to view the Integrations page. Scroll down and select **Elastic Agent only** to filter by {{agent}} integrations. ::::{tip} - If you know the name of {{agent}} integration you want to install, you can search for it directly. Alternatively, choose the **Threat Intelligence** category to display a list of available [threat intelligence integrations]({{integrations-docs}}/threat-intelligence-intro). + If you know the name of {{agent}} integration you want to install, you can search for it directly. Alternatively, choose the **Threat Intelligence** category to display a list of available [threat intelligence integrations](https://docs.elastic.co/en/integrations/threat-intelligence-intro). :::: From 00066548ffffa05ab11a1eac65647940d381604e Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 12 Feb 2025 18:15:01 -0500 Subject: [PATCH 12/12] Removes comments about anchors --- .../enable-threat-intelligence-integrations.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/solutions/security/get-started/enable-threat-intelligence-integrations.md b/solutions/security/get-started/enable-threat-intelligence-integrations.md index 2803ab4872..ae07fd31a6 100644 --- a/solutions/security/get-started/enable-threat-intelligence-integrations.md +++ b/solutions/security/get-started/enable-threat-intelligence-integrations.md 
@@ -6,15 +6,6 @@ mapped_urls: # Enable threat intelligence integrations [security-enable-threat-intelligence-integrations] -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$agent-ti-integration$$$ - -$$$custom-ti-integration$$$ - -$$$ti-mod-integration$$$ - - The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of [threat indicators](../../../troubleshoot/security/indicators-of-compromise.md#ti-indicators) ingested from third-party threat intelligence sources. Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator.
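Review bot: in the `@@ -63,7 +63,7 @@` hunk (the step-2 link to `configure-advanced-settings.md#update-threat-intel-indices`), the shortened relative path is correct because both files live in `solutions/security/get-started/` per the diff header, but the two bullets under that step render the setting value inconsistently: the 8.x bullet shows `logs-ti*`, `filebeat-8*` with a space after the comma, while the mixed-version bullet shows `logs-ti*`,`filebeat-7*`,`filebeat-8*` without one. Readers paste this into `securitySolution:defaultThreatIndex`, so use one form in both bullets, and replace the bare "Filebeat" in "a previous version of Filebeat" with the `{{filebeat}}` variable used elsewhere in the paragraph.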
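Review bot: in the `@@ -73,7 +73,7 @@` hunk (PATCH 08), only step 1's link is shortened to `ingest-data-to-elastic-security.md`, while step 2 on the next context line still carries the `../../../solutions/security/get-started/configure-advanced-settings.md` prefix; converting both links in the same commit keeps the file consistent and removes the need for the follow-up commit (PATCH 09) that does exactly that.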
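Review bot: in the `@@ -74,7 +74,7 @@` hunk (PATCH 09), the step-2 link change completes the relative-path cleanup, but the example `logs-ti*`,`custom-ti-index*` should be accompanied by a sentence saying that the pattern added to `securitySolution:defaultThreatIndex` should match only the custom indicator indices, since everything it matches becomes input for indicator match rules; the note that follows ("Threat intelligence indices aren't required to be ECS compatible") is the natural place for it. That note also uses "ECS compatible" and "ECS-compliant" for the same idea two sentences apart; pick one.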
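Review bot: in the first `@@ -44,7 +44,7 @@` hunk (PATCH 10, tip text), switching the link to `{{integrations-docs}}/threat-intelligence-intro` only helps if the `{{integrations-docs}}` substitution is defined for this docs build; the commit message does not say, and the next commit reverts it, which suggests it is not. While this line is being touched, "the name of {{agent}} integration" is missing an article: "the name of the {{agent}} integration".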
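Review bot: the second `@@ -44,7 +44,7 @@` hunk (PATCH 11) is an exact revert of PATCH 10 on the same line, so the pair is a no-op in this series; squash or drop both before merging, and if the `{{integrations-docs}}` variable is unsupported, say so in the commit message instead of the generic "Update solutions/security/get-started/enable-threat-intelligence-integrations.md".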
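Review bot: in the `@@ -6,15 +6,6 @@` hunk (PATCH 12), the comment being removed states that internal links rely on `agent-ti-integration`, `custom-ti-integration` and `ti-mod-integration` existing on this page, so deleting the `$$$...$$$` anchors is safe only if each ID is now attached to a heading. The visible series shows `## Add a custom integration [custom-ti-integration]`, but neither `agent-ti-integration` nor `ti-mod-integration` appears as a heading ID in any hunk here; confirm those two headings carry their IDs (or keep those two anchors) so the in-page links to them do not break.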