diff --git a/raw-migrated-files/docs-content/serverless/security-analyze-risk-score-data.md b/raw-migrated-files/docs-content/serverless/security-analyze-risk-score-data.md deleted file mode 100644 index b1c64c7342..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-analyze-risk-score-data.md +++ /dev/null 
@@ -1,177 +0,0 @@ ---- -navigation_title: "View risk score data" ---- - -# View and analyze risk score data [security-analyze-risk-score-data] - - -The {{security-app}} provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the {{security-app}} to view and analyze risk score data: - -* [Entity Analytics dashboard](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#security-analyze-risk-score-data-entity-analytics-dashboard) -* [Alerts page](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#security-analyze-risk-score-data-alerts-page) -* [Alert details flyout](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#security-analyze-risk-score-data-alert-details-flyout) -* [Hosts and Users pages](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#security-analyze-risk-score-data-hosts-and-users-pages) -* [Host and user details pages](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#security-analyze-risk-score-data-host-and-user-details-pages) -* [Host and user details flyouts](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#security-analyze-risk-score-data-host-and-user-details-flyouts) - -::::{tip} -We recommend that you prioritize [alert triaging](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#security-analyze-risk-score-data-alert-triaging) to identify anomalies or abnormal behavior patterns. - -:::: - - - -## Entity Analytics dashboard [security-analyze-risk-score-data-entity-analytics-dashboard] - -From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page. 
- -:::{image} ../../../images/serverless--dashboards-entity-dashboard.png -:alt: Entity Analytics dashboard -:class: screenshot -::: - - -## Alert triaging [security-analyze-risk-score-data-alert-triaging] - -You can prioritize alert triaging to analyze alerts associated with risky or business-critical entities using the following features in the {{security-app}}. - - -### Alerts page [security-analyze-risk-score-data-alerts-page] - -Use the Alerts table to investigate and analyze: - -* Host and user risk levels -* Host and user risk scores -* Asset criticality - -To display entity risk score and asset criticality data in the Alerts table, select **Fields**, and add the following: - -* `user.risk.calculated_level` or `host.risk.calculated_level` -* `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm` -* `user.asset.criticality` or `host.asset.criticality` - -Learn more about [customizing the Alerts table](../../../solutions/security/detect-and-alert/manage-detection-alerts.md#customize-the-alerts-table). - -:::{image} ../../../images/serverless-alerts-table-rs.png -:alt: Risk scores in the Alerts table -:class: screenshot -::: - - -#### Triage alerts associated with high-risk or business-critical entities [security-analyze-risk-score-data-triage-alerts-associated-with-high-risk-or-business-critical-entities] - -To analyze alerts associated with high-risk or business-critical entities, you can filter or group them by entity risk level or asset criticality level. - -::::{note} -If you change the entity’s criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level. - -:::: - - -* Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. 
To do this, [edit the default controls](../../../solutions/security/detect-and-alert/manage-detection-alerts.md#drop-down-filter-controls) to filter by: - - * `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level: - - :::{image} ../../../images/serverless-filter-by-host-risk-level.png - :alt: Alerts filtered by high host risk level - :class: screenshot - ::: - - * `user.asset.criticality` or `host.asset.criticality` for asset criticality level: - - :::{image} ../../../images/serverless-filter-by-asset-criticality.png - :alt: Filter alerts by asset criticality level - :class: screenshot - ::: - -* To group alerts by entity risk level or asset criticality level, select **Group alerts by**, then select **Custom field** and search for: - - * `host.risk.calculated_level` or `user.risk.calculated_level` for entity risk level: - - :::{image} ../../../images/serverless-group-by-host-risk-level.png - :alt: Alerts grouped by host risk levels - :class: screenshot - ::: - - * `host.asset.criticality` or `user.asset.criticality` for asset criticality level: - - :::{image} ../../../images/serverless-group-by-asset-criticality.png - :alt: Alerts grouped by entity asset criticality levels - :class: screenshot - ::: - - * You can further sort the grouped alerts by highest entity risk score: - - 1. Expand a risk level group (for example, **High**) or an asset criticality group (for example, **high_impact**). - 2. Select **Sort fields** → **Pick fields to sort by**. - 3. Select fields in the following order: - - 1. `host.risk.calculated_score_norm` or `user.risk.calculated_score_norm`: **High-Low** - 2. `Risk score`: **High-Low** - 3. 
`@timestamp`: **New-Old** - - :::{image} ../../../images/serverless-hrl-sort-by-host-risk-score.png - :alt: High-risk alerts sorted by host risk score - :class: screenshot - ::: - - - -### Alert details flyout [security-analyze-risk-score-data-alert-details-flyout] - -To access risk score data in the alert details flyout, select **Insights** → **Entities** on the **Overview** tab: - -:::{image} ../../../images/serverless-alerts-flyout-rs.png -:alt: Risk scores in the Alerts flyout -:class: screenshot -::: - - -### Hosts and Users pages [security-analyze-risk-score-data-hosts-and-users-pages] - -On the Hosts and Users pages, you can access the risk score data: - -* In the **Host risk level** or **User risk level*** column on the ***All hosts** or **All users** tab: - - :::{image} ../../../images/serverless-hosts-hr-level.png - :alt: Host risk level data on the All hosts tab of the Hosts page - :class: screenshot - ::: - -* On the **Host risk** or **User risk** tab: - - :::{image} ../../../images/serverless-hosts-hr-data.png - :alt: Host risk data on the Host risk tab of the Hosts page - :class: screenshot - ::: - - - -### Host and user details pages [security-analyze-risk-score-data-host-and-user-details-pages] - -On the host details and user details pages, you can access the risk score data: - -* In the Overview section: - - :::{image} ../../../images/serverless-host-details-overview.png - :alt: Host risk data in the Overview section of the host details page - :class: screenshot - ::: - -* On the **Host risk** or **User risk** tab: - - :::{image} ../../../images/serverless-host-details-hr-tab.png - :alt: Host risk data on the Host risk tab of the host details page - :class: screenshot - ::: - - - -### Host and user details flyouts [security-analyze-risk-score-data-host-and-user-details-flyouts] - -In the host details and user details flyouts, you can access the risk score data in the risk summary section: - -:::{image} ../../../images/serverless-risk-summary.png 
-:alt: Host risk data in the Host risk summary section -:class: screenshot -::: diff --git a/raw-migrated-files/docs-content/serverless/security-asset-criticality.md b/raw-migrated-files/docs-content/serverless/security-asset-criticality.md deleted file mode 100644 index 1549d5e1fd..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-asset-criticality.md +++ /dev/null 
@@ -1,131 +0,0 @@ -# Asset criticality [security-asset-criticality] - -::::{admonition} Requirements -:class: note - -To view and assign asset criticality, you must have the appropriate user role. For more information, refer to [Entity risk scoring prerequisites](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md). - -:::: - - -The asset criticality feature allows you to classify your organization’s entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. - -You can assign one of the following asset criticality levels to your entities, based on their impact: - -* Low impact -* Medium impact -* High impact -* Extreme impact - -For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. - - -## View and assign asset criticality [security-asset-criticality-view-and-assign-asset-criticality] - -Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or [bulk assign](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#security-asset-criticality-bulk-assign-asset-criticality) it to multiple entities by importing a text file. - -When you assign, change, or unassign an individual entity’s asset criticality level, that entity’s risk score is immediately recalculated. - -::::{note} -If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. However, you can trigger an immediate recalculation by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. 
- -:::: - - -You can view, assign, change, or unassign asset criticality from the following places in the {{elastic-sec}} app: - -* The [host details page](../../../solutions/security/explore/hosts-page.md#host-details-page) and [user details page](../../../solutions/security/explore/users-page.md#security-users-page-user-details-page): - - :::{image} ../../../images/serverless--assign-asset-criticality-host-details.png - :alt: Assign asset criticality from the host details page - :class: screenshot - ::: - -* The [host details flyout](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-host-details-flyout) and [user details flyout](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout): - - :::{image} ../../../images/serverless--assign-asset-criticality-host-flyout.png - :alt: Assign asset criticality from the host details flyout - :class: screenshot - ::: - -* The host details flyout and user details flyout in [Timeline](../../../solutions/security/investigate/timeline.md): - - :::{image} ../../../images/serverless--assign-asset-criticality-timeline.png - :alt: Assign asset criticality from the host details flyout in Timeline - :class: screenshot - ::: - - - -### Bulk assign asset criticality [security-asset-criticality-bulk-assign-asset-criticality] - -You can bulk assign asset criticality to multiple entities by importing a CSV, TXT or TSV file from your asset management tools. - -The file must contain three columns, with each entity record listed on a separate row: - -1. The first column should indicate whether the entity is a `host` or a `user`. -2. The second column should specify the entity’s `host.name` or `user.name`. -3. The third column should specify one of the following asset criticality levels: - - * `extreme_impact` - * `high_impact` - * `medium_impact` - * `low_impact` - - -The maximum file size is 1 MB. 
- -File structure example: - -```txt -user,user-001,low_impact -user,user-002,medium_impact -host,host-001,extreme_impact -``` - -To import a file: - -1. Go to **Project Settings** → **Stack Management** → **Entity Store**. -2. Select or drag and drop the file you want to import. - - ::::{note} - The file validation step highlights any lines that don’t follow the required file structure. The asset criticality levels for those entities won’t be assigned. We recommend that you fix any invalid lines and re-upload the file. - - :::: - -3. Click **Assign**. - -This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows. - -You can trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. - - -## Improve your security operations [security-asset-criticality-improve-your-security-operations] - -With asset criticality, you can improve your security operations by: - -* [Prioritizing open alerts](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#security-asset-criticality-prioritize-open-alerts) -* [Monitoring an entity’s risk](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#security-asset-criticality-monitor-an-entitys-risk) - - -### Prioritize open alerts [security-asset-criticality-prioritize-open-alerts] - -You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. - -Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. 
This additional context allows you to [prioritize alerts associated with business-critical entities](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#security-analyze-risk-score-data-triage-alerts-associated-with-high-risk-or-business-critical-entities). - - -### Monitor an entity’s risk [security-asset-criticality-monitor-an-entitys-risk] - -The risk scoring engine dynamically factors in an entity’s asset criticality, along with `Open` and `Acknowledged` detection alerts to [calculate the entity’s overall risk score](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated). This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. - -To view the impact of asset criticality on an entity’s risk score, follow these steps: - -1. Open the [host details flyout](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-host-details-flyout) or [user details flyout](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout). The risk summary section shows asset criticality’s contribution to the overall risk score. -2. Click **View risk contributions** to open the flyout’s left panel. -3. In the **Risk contributions** section, verify the entity’s criticality level from the time the alert was generated. - -:::{image} ../../../images/serverless--asset-criticality-impact.png -:alt: View asset criticality impact on host risk score -:class: screenshot -::: diff --git a/raw-migrated-files/security-docs/security/analyze-risk-score-data.md b/raw-migrated-files/security-docs/security/analyze-risk-score-data.md deleted file mode 100644 index 187f18c49a..0000000000 --- a/raw-migrated-files/security-docs/security/analyze-risk-score-data.md +++ /dev/null 
@@ -1,173 +0,0 @@ -# View and analyze risk score data [analyze-risk-score-data] - -The {{security-app}} provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the {{security-app}} to view and analyze risk score data: - -* [Entity Analytics dashboard](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#entity-analytics-dashboard) -* [Alerts page](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#alerts-page) -* [Alert details flyout](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#alert-details-flyout) -* [Hosts and Users pages](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#hosts-users-pages) -* [Host and user details pages](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#host-user-details-pages) -* [Host and user details flyouts](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#host-and-user-details-flyouts) - -::::{tip} -We recommend that you prioritize [alert triaging](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#alert-triaging) to identify anomalies or abnormal behavior patterns. -:::: - - - -## Entity Analytics dashboard [entity-analytics-dashboard] - -From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page. 
- -If you have enabled the [entity store](../../../solutions/security/advanced-entity-analytics/entity-store.md), the dashboard also displays the [**Entities** section](../../../solutions/security/dashboards/entity-analytics-dashboard.md#entity-entities), where you can view all hosts and users along with their risk and asset criticality data. - -:::{image} ../../../images/security-entity-dashboard.png -:alt: Entity Analytics dashboard -:class: screenshot -::: - - -## Alert triaging [alert-triaging] - -You can prioritize alert triaging to analyze alerts associated with risky or business-critical entities using the following features in the {{security-app}}. - - -### Alerts page [alerts-page] - -Use the Alerts table to investigate and analyze: - -* Host and user risk levels -* Host and user risk scores -* Asset criticality - -To display entity risk score and asset criticality data in the Alerts table, select **Fields**, and add the following: - -* `user.risk.calculated_level` or `host.risk.calculated_level` -* `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm` -* `user.asset.criticality` or `host.asset.criticality` - -Learn more about [customizing the Alerts table](../../../solutions/security/detect-and-alert/manage-detection-alerts.md#customize-the-alerts-table). - -:::{image} ../../../images/security-alerts-table-rs.png -:alt: Risk scores in the Alerts table -:class: screenshot -::: - - -#### Triage alerts associated with high-risk or business-critical entities [triage-alerts-associated-with-high-risk-or-business-critical-entities] - -To analyze alerts associated with high-risk or business-critical entities, you can filter or group them by entity risk level or asset criticality level. - -::::{note} -If you change the entity’s criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level. 
-:::: - - -* Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, [edit the default controls](../../../solutions/security/detect-and-alert/manage-detection-alerts.md#drop-down-filter-controls) to filter by: - - * `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level: - - :::{image} ../../../images/security-filter-by-host-risk-level.png - :alt: Alerts filtered by high host risk level - :class: screenshot - ::: - - * `user.asset.criticality` or `host.asset.criticality` for asset criticality level: - - :::{image} ../../../images/security-filter-by-asset-criticality.png - :alt: Filter alerts by asset criticality level - :class: screenshot - ::: - -* To group alerts by entity risk level or asset criticality level, select **Group alerts by**, then select **Custom field** and search for: - - * `host.risk.calculated_level` or `user.risk.calculated_level` for entity risk level: - - :::{image} ../../../images/security-group-by-host-risk-level.png - :alt: Alerts grouped by host risk levels - :class: screenshot - ::: - - * `host.asset.criticality` or `user.asset.criticality` for asset criticality level: - - :::{image} ../../../images/security-group-by-asset-criticality.png - :alt: Alerts grouped by entity asset criticality levels - :class: screenshot - ::: - - * You can further sort the grouped alerts by highest entity risk score: - - 1. Expand a risk level group (for example, **High**) or an asset criticality group (for example, **high_impact**). - 2. Select **Sort fields** → **Pick fields to sort by**. - 3. Select fields in the following order: - - 1. `host.risk.calculated_score_norm` or `user.risk.calculated_score_norm`: **High-Low** - 2. `Risk score`: **High-Low** - 3. 
`@timestamp`: **New-Old** - - - :::{image} ../../../images/security-hrl-sort-by-host-risk-score.png - :alt: High-risk alerts sorted by host risk score - :class: screenshot - ::: - - - -### Alert details flyout [alert-details-flyout] - -To access risk score data in the alert details flyout, select **Insights** → **Entities** on the **Overview** tab: - -:::{image} ../../../images/security-alerts-flyout-rs.png -:alt: Risk scores in the Alerts flyout -:class: screenshot -::: - - -### Hosts and Users pages [hosts-users-pages] - -On the Hosts and Users pages, you can access the risk score data: - -* In the **Host risk level** or **User risk level*** column on the ***All hosts** or **All users** tab: - - :::{image} ../../../images/security-hosts-hr-level.png - :alt: Host risk level data on the All hosts tab of the Hosts page - :class: screenshot - ::: - -* On the **Host risk** or **User risk** tab: - - :::{image} ../../../images/security-hosts-hr-data.png - :alt: Host risk data on the Host risk tab of the Hosts page - :class: screenshot - ::: - - - -### Host and user details pages [host-user-details-pages] - -On the host details and user details pages, you can access the risk score data: - -* In the Overview section: - - :::{image} ../../../images/security-host-details-overview.png - :alt: Host risk data in the Overview section of the host details page - :class: screenshot - ::: - -* On the **Host risk** or **User risk** tab: - - :::{image} ../../../images/security-host-details-hr-tab.png - :alt: Host risk data on the Host risk tab of the host details page - :class: screenshot - ::: - - - -### Host and user details flyouts [host-and-user-details-flyouts] - -In the host details and user details flyouts, you can access the risk score data in the risk summary section: - -:::{image} ../../../images/security-risk-summary.png -:alt: Host risk data in the Host risk summary section -:class: screenshot -::: 
diff --git a/raw-migrated-files/security-docs/security/asset-criticality.md b/raw-migrated-files/security-docs/security/asset-criticality.md deleted file mode 100644 index e9d2d446b4..0000000000 --- a/raw-migrated-files/security-docs/security/asset-criticality.md +++ /dev/null 
@@ -1,134 +0,0 @@ -# Asset criticality [asset-criticality] - -::::{admonition} Requirements -To view and assign asset criticality, you must have the appropriate user role. For more information, refer to [Entity risk scoring requirements](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md). - -:::: - - -The asset criticality feature allows you to classify your organization’s entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. - -You can assign one of the following asset criticality levels to your entities, based on their impact: - -* Low impact -* Medium impact -* High impact -* Extreme impact - -For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. - - -## View and assign asset criticality [_view_and_assign_asset_criticality] - -Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or [bulk assign](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#bulk-assign-asset-criticality) it to multiple entities by importing a text file. Alternatively, you can assign and manage asset criticality records through the [*Asset criticality API*](https://www.elastic.co/guide/en/security/current/asset-criticality-api-overview.html). - -When you assign, change, or unassign an individual entity’s asset criticality level, that entity’s risk score is immediately recalculated. - -::::{note} -If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. However, you can trigger an immediate recalculation by clicking **Recalculate entity risk scores now**. 
Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. -:::: - - -You can view, assign, change, or unassign asset criticality from the following places in the {{elastic-sec}} app: - -* The [host details page](../../../solutions/security/explore/hosts-page.md#host-details-page) and [user details page](../../../solutions/security/explore/users-page.md#user-details-page): - - :::{image} ../../../images/security-assign-asset-criticality-host-details.png - :alt: Assign asset criticality from the host details page - :class: screenshot - ::: - -* The [host details flyout](../../../solutions/security/explore/hosts-page.md#host-details-flyout) and [user details flyout](../../../solutions/security/explore/users-page.md#user-details-flyout): - - :::{image} ../../../images/security-assign-asset-criticality-host-flyout.png - :alt: Assign asset criticality from the host details flyout - :class: screenshot - ::: - -* The host details flyout and user details flyout in [Timeline](../../../solutions/security/investigate/timeline.md): - - :::{image} ../../../images/security-assign-asset-criticality-timeline.png - :alt: Assign asset criticality from the host details flyout in Timeline - :class: screenshot - ::: - - -If you have enabled the [entity store](../../../solutions/security/advanced-entity-analytics/entity-store.md), you can also view asset criticality assignments in the [**Entities** section](../../../solutions/security/dashboards/entity-analytics-dashboard.md#entity-entities) of the Entity Analytics dashboard: - -:::{image} ../../../images/security-entities-section.png -:alt: Entities section -:class: screenshot -::: - - -### Bulk assign asset criticality [bulk-assign-asset-criticality] - -You can bulk assign asset criticality to multiple entities by importing a CSV, TXT or TSV file from your asset management tools. 
- -The file must contain three columns, with each entity record listed on a separate row: - -1. The first column should indicate whether the entity is a `host` or a `user`. -2. The second column should specify the entity’s `host.name` or `user.name`. -3. The third column should specify one of the following asset criticality levels: - - * `extreme_impact` - * `high_impact` - * `medium_impact` - * `low_impact` - - -The maximum file size is 1 MB. - -File structure example: - -```txt -user,user-001,low_impact -user,user-002,medium_impact -host,host-001,extreme_impact -``` - -To import a file: - -1. Find **Entity Store** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Select or drag and drop the file you want to import. - - ::::{note} - The file validation step highlights any lines that don’t follow the required file structure. The asset criticality levels for those entities won’t be assigned. We recommend that you fix any invalid lines and re-upload the file. - :::: - -3. Click **Assign**. - -This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows. - -You can trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. 
- - -## Improve your security operations [_improve_your_security_operations] - -With asset criticality, you can improve your security operations by: - -* [Prioritizing open alerts](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#prioritize-open-alerts) -* [Monitoring an entity’s risk](../../../solutions/security/advanced-entity-analytics/asset-criticality.md#monitor-entity-risk) - - -### Prioritize open alerts [prioritize-open-alerts] - -You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. - -Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to [prioritize alerts associated with business-critical entities](../../../solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#triage-alerts-associated-with-high-risk-or-business-critical-entities). - - -### Monitor an entity’s risk [monitor-entity-risk] - -The risk scoring engine dynamically factors in an entity’s asset criticality, along with `Open` and `Acknowledged` detection alerts to [calculate the entity’s overall risk score](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated). This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. - -To view the impact of asset criticality on an entity’s risk score, follow these steps: - -1. Open the [host details flyout](../../../solutions/security/explore/hosts-page.md#host-details-flyout) or [user details flyout](../../../solutions/security/explore/users-page.md#user-details-flyout). The risk summary section shows asset criticality’s contribution to the overall risk score. -2. Click **View risk contributions** to open the flyout’s left panel. -3. 
In the **Risk contributions** section, verify the entity’s criticality level from the time the alert was generated. - -:::{image} ../../../images/security-asset-criticality-impact.png -:alt: View asset criticality impact on host risk score -:class: screenshot -::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index d2f6792de6..aca513f588 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -412,8 +412,6 @@ toc: - file: docs-content/serverless/security-alerts-manage.md - file: docs-content/serverless/security-alerts-run-osquery.md - file: docs-content/serverless/security-allowlist-endpoint.md - - file: docs-content/serverless/security-analyze-risk-score-data.md - - file: docs-content/serverless/security-asset-criticality.md - file: docs-content/serverless/security-automated-response-actions.md - file: docs-content/serverless/security-automatic-import.md - file: docs-content/serverless/security-behavioral-detection-use-cases.md @@ -796,9 +794,7 @@ toc: - file: security-docs/security/alerts-run-osquery.md - file: security-docs/security/alerts-ui-manage.md - file: security-docs/security/allowlist-endpoint-3rd-party-av-apps.md - - file: security-docs/security/analyze-risk-score-data.md - file: security-docs/security/artifact-control.md - - file: security-docs/security/asset-criticality.md - file: security-docs/security/assistant-connect-to-azure-openai.md - file: security-docs/security/assistant-connect-to-bedrock.md - file: security-docs/security/assistant-connect-to-openai.md diff --git a/solutions/security/advanced-entity-analytics/asset-criticality.md b/solutions/security/advanced-entity-analytics/asset-criticality.md index c0d9eb08de..7571c4f8d4 100644 --- a/solutions/security/advanced-entity-analytics/asset-criticality.md +++ b/solutions/security/advanced-entity-analytics/asset-criticality.md 
@@ -4,25 +4,138 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-asset-criticality.html --- -# Asset criticality +# Asset criticality [asset-criticality] -% What needs to be done: Lift-and-shift +::::{admonition} Requirements +To view and assign asset criticality, you must have the appropriate user role. For more information, refer to [Entity risk scoring requirements](entity-risk-scoring-requirements.md). -% Use migrated content from existing pages that map to this page: +:::: -% - [ ] ./raw-migrated-files/security-docs/security/asset-criticality.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-asset-criticality.md -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): +The asset criticality feature allows you to classify your organization’s entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. -$$$bulk-assign-asset-criticality$$$ +You can assign one of the following asset criticality levels to your entities, based on their impact: -$$$prioritize-open-alerts$$$ +* Low impact +* Medium impact +* High impact +* Extreme impact -$$$security-asset-criticality-bulk-assign-asset-criticality$$$ +For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. -$$$security-asset-criticality-prioritize-open-alerts$$$ -$$$security-asset-criticality-monitor-an-entitys-risk$$$ +## View and assign asset criticality [_view_and_assign_asset_criticality] + +Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or [bulk assign](#bulk-assign-asset-criticality) it to multiple entities by importing a text file. 
Alternatively, you can assign and manage asset criticality records through the [*Asset criticality API*](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-entity-analytics-api). + +When you assign, change, or unassign an individual entity’s asset criticality level, that entity’s risk score is immediately recalculated. + +::::{note} +If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. However, you can trigger an immediate recalculation by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. +:::: + + +You can view, assign, change, or unassign asset criticality from the following places in the {{elastic-sec}} app: + +* The [host details page](../explore/hosts-page.md#host-details-page) and [user details page](../explore/users-page.md#user-details-page): + + :::{image} ../../../images/security-assign-asset-criticality-host-details.png + :alt: Assign asset criticality from the host details page + :class: screenshot + ::: + +* The [host details flyout](../explore/hosts-page.md#host-details-flyout) and [user details flyout](../explore/users-page.md#user-details-flyout): + + :::{image} ../../../images/security-assign-asset-criticality-host-flyout.png + :alt: Assign asset criticality from the host details flyout + :class: screenshot + ::: + +* The host details flyout and user details flyout in [Timeline](../investigate/timeline.md): + + :::{image} ../../../images/security-assign-asset-criticality-timeline.png + :alt: Assign asset criticality from the host details flyout in Timeline + :class: screenshot + ::: + + +If you have enabled the [entity store](entity-store.md), you can also view asset criticality assignments in the [**Entities** section](../dashboards/entity-analytics-dashboard.md#entity-entities) of the Entity Analytics dashboard: + +:::{image} 
../../../images/security-entities-section.png +:alt: Entities section +:class: screenshot +::: + + +### Bulk assign asset criticality [bulk-assign-asset-criticality] + +You can bulk assign asset criticality to multiple entities by importing a CSV, TXT or TSV file from your asset management tools. + +The file must contain three columns, with each entity record listed on a separate row: + +1. The first column should indicate whether the entity is a `host` or a `user`. +2. The second column should specify the entity’s `host.name` or `user.name`. +3. The third column should specify one of the following asset criticality levels: + + * `extreme_impact` + * `high_impact` + * `medium_impact` + * `low_impact` + + +The maximum file size is 1 MB. + +File structure example: + +```txt +user,user-001,low_impact +user,user-002,medium_impact +host,host-001,extreme_impact +``` + +To import a file: + +1. Find **Entity Store** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Select or drag and drop the file you want to import. + + ::::{note} + The file validation step highlights any lines that don’t follow the required file structure. The asset criticality levels for those entities won’t be assigned. We recommend that you fix any invalid lines and re-upload the file. + :::: + +3. Click **Assign**. + +This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows. + +You can trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. 
+ + +## Improve your security operations [_improve_your_security_operations] + +With asset criticality, you can improve your security operations by: + +* [Prioritizing open alerts](#prioritize-open-alerts) +* [Monitoring an entity’s risk](#monitor-entity-risk) + + +### Prioritize open alerts [prioritize-open-alerts] + +You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. + +Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to [prioritize alerts associated with business-critical entities](view-analyze-risk-score-data.md#triage-alerts-associated-with-high-risk-or-business-critical-entities). + + +### Monitor an entity’s risk [monitor-entity-risk] + +The risk scoring engine dynamically factors in an entity’s asset criticality, along with `Open` and `Acknowledged` detection alerts to [calculate the entity’s overall risk score](entity-risk-scoring.md#how-is-risk-score-calculated). This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. + +To view the impact of asset criticality on an entity’s risk score, follow these steps: + +1. Open the [host details flyout](../explore/hosts-page.md#host-details-flyout) or [user details flyout](../explore/users-page.md#user-details-flyout). The risk summary section shows asset criticality’s contribution to the overall risk score. +2. Click **View risk contributions** to open the flyout’s left panel. +3. In the **Risk contributions** section, verify the entity’s criticality level from the time the alert was generated. + +:::{image} ../../../images/security-asset-criticality-impact.png +:alt: View asset criticality impact on host risk score +:class: screenshot +::: -$$$monitor-entity-risk$$$ \ No newline at end of file 
diff --git a/solutions/security/advanced-entity-analytics/entity-store.md b/solutions/security/advanced-entity-analytics/entity-store.md index 43cbfbf5dd..d79f6248ad 100644 --- a/solutions/security/advanced-entity-analytics/entity-store.md +++ b/solutions/security/advanced-entity-analytics/entity-store.md @@ -5,11 +5,6 @@ mapped_pages: # Entity store [entity-store] -::::{warning} -This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. -:::: - - ::::{admonition} Requirements To use the entity store, you must have the appropriate privileges. For more information, refer to [Entity risk scoring requirements](entity-risk-scoring-requirements.md). diff --git a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md index 8e1b66ec5d..0f82eec356 100644 --- a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md +++ b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md 
@@ -4,45 +4,176 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-analyze-risk-score-data.html --- -# View and analyze risk score data +# View and analyze risk score data [analyze-risk-score-data] -% What needs to be done: Lift-and-shift +The {{security-app}} provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the {{security-app}} to view and analyze risk score data: -% Use migrated content from existing pages that map to this page: +* [Entity Analytics dashboard](#entity-analytics-dashboard) +* [Alerts page](#alerts-page) +* [Alert details flyout](#alert-details-flyout) +* [Hosts and Users pages](#hosts-users-pages) +* [Host and user details pages](#host-user-details-pages) +* [Host and user details flyouts](#host-and-user-details-flyouts) -% - [ ] ./raw-migrated-files/security-docs/security/analyze-risk-score-data.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-analyze-risk-score-data.md +::::{tip} +We recommend that you prioritize [alert triaging](#alert-triaging) to identify anomalies or abnormal behavior patterns. +:::: -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): -$$$alert-details-flyout$$$ -$$$alert-triaging$$$ +## Entity Analytics dashboard [entity-analytics-dashboard] -$$$alerts-page$$$ +From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page. -$$$entity-analytics-dashboard$$$ +If you have enabled the [entity store](entity-store.md), the dashboard also displays the [**Entities** section](../dashboards/entity-analytics-dashboard.md#entity-entities), where you can view all hosts and users along with their risk and asset criticality data. 
-$$$host-and-user-details-flyouts$$$ +:::{image} ../../../images/security-entity-dashboard.png +:alt: Entity Analytics dashboard +:class: screenshot +::: -$$$host-user-details-pages$$$ -$$$hosts-users-pages$$$ +## Alert triaging [alert-triaging] -$$$security-analyze-risk-score-data-alert-details-flyout$$$ +You can prioritize alert triaging to analyze alerts associated with risky or business-critical entities using the following features in the {{security-app}}. -$$$security-analyze-risk-score-data-alert-triaging$$$ -$$$security-analyze-risk-score-data-alerts-page$$$ +### Alerts page [alerts-page] -$$$security-analyze-risk-score-data-entity-analytics-dashboard$$$ +Use the Alerts table to investigate and analyze: -$$$security-analyze-risk-score-data-host-and-user-details-flyouts$$$ +* Host and user risk levels +* Host and user risk scores +* Asset criticality -$$$security-analyze-risk-score-data-host-and-user-details-pages$$$ +To display entity risk score and asset criticality data in the Alerts table, select **Fields**, and add the following: -$$$security-analyze-risk-score-data-hosts-and-users-pages$$$ +* `user.risk.calculated_level` or `host.risk.calculated_level` +* `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm` +* `user.asset.criticality` or `host.asset.criticality` -$$$security-analyze-risk-score-data-triage-alerts-associated-with-high-risk-or-business-critical-entities$$$ +Learn more about [customizing the Alerts table](../detect-and-alert/manage-detection-alerts.md#customize-the-alerts-table). 
-$$$triage-alerts-associated-with-high-risk-or-business-critical-entities$$$ \ No newline at end of file +:::{image} ../../../images/security-alerts-table-rs.png +:alt: Risk scores in the Alerts table +:class: screenshot +::: + + +#### Triage alerts associated with high-risk or business-critical entities [triage-alerts-associated-with-high-risk-or-business-critical-entities] + +To analyze alerts associated with high-risk or business-critical entities, you can filter or group them by entity risk level or asset criticality level. + +::::{note} +If you change the entity’s criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level. +:::: + + +* Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, [edit the default controls](../detect-and-alert/manage-detection-alerts.md#drop-down-filter-controls) to filter by: + + * `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level: + + :::{image} ../../../images/security-filter-by-host-risk-level.png + :alt: Alerts filtered by high host risk level + :class: screenshot + ::: + + * `user.asset.criticality` or `host.asset.criticality` for asset criticality level: + + :::{image} ../../../images/security-filter-by-asset-criticality.png + :alt: Filter alerts by asset criticality level + :class: screenshot + ::: + +* To group alerts by entity risk level or asset criticality level, select **Group alerts by**, then select **Custom field** and search for: + + * `host.risk.calculated_level` or `user.risk.calculated_level` for entity risk level: + + :::{image} ../../../images/security-group-by-host-risk-level.png + :alt: Alerts grouped by host risk levels + :class: screenshot + ::: + + * `host.asset.criticality` or `user.asset.criticality` for asset criticality level: + + :::{image} ../../../images/security-group-by-asset-criticality.png + :alt: Alerts 
grouped by entity asset criticality levels + :class: screenshot + ::: + + * You can further sort the grouped alerts by highest entity risk score: + + 1. Expand a risk level group (for example, **High**) or an asset criticality group (for example, **high_impact**). + 2. Select **Sort fields** → **Pick fields to sort by**. + 3. Select fields in the following order: + + 1. `host.risk.calculated_score_norm` or `user.risk.calculated_score_norm`: **High-Low** + 2. `Risk score`: **High-Low** + 3. `@timestamp`: **New-Old** + + + :::{image} ../../../images/security-hrl-sort-by-host-risk-score.png + :alt: High-risk alerts sorted by host risk score + :class: screenshot + ::: + + + +### Alert details flyout [alert-details-flyout] + +To access risk score data in the alert details flyout, select **Insights** → **Entities** on the **Overview** tab: + +:::{image} ../../../images/security-alerts-flyout-rs.png +:alt: Risk scores in the Alerts flyout +:class: screenshot +::: + + +### Hosts and Users pages [hosts-users-pages] + +On the Hosts and Users pages, you can access the risk score data: + +* In the **Host risk level** or **User risk level** column on the **All hosts** or **All users** tab: + + :::{image} ../../../images/security-hosts-hr-level.png + :alt: Host risk level data on the All hosts tab of the Hosts page + :class: screenshot + ::: + +* On the **Host risk** or **User risk** tab: + + :::{image} ../../../images/security-hosts-hr-data.png + :alt: Host risk data on the Host risk tab of the Hosts page + :class: screenshot + ::: + + + +### Host and user details pages [host-user-details-pages] + +On the host details and user details pages, you can access the risk score data: + +* In the Overview section: + + :::{image} ../../../images/security-host-details-overview.png + :alt: Host risk data in the Overview section of the host details page + :class: screenshot + ::: + +* On the **Host risk** or **User risk** tab: + + :::{image} ../../../images/security-host-details-hr-tab.png 
+ :alt: Host risk data on the Host risk tab of the host details page + :class: screenshot + ::: + + + +### Host and user details flyouts [host-and-user-details-flyouts] + +In the host details and user details flyouts, you can access the risk score data in the risk summary section: + +:::{image} ../../../images/security-risk-summary.png +:alt: Host risk data in the Host risk summary section +:class: screenshot +:::
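Review bot: In the two `raw-migrated-files/toc.yml` hunks (`@@ -412,8 +412,6 @@` and `@@ -796,9 +794,7 @@`) four entries are removed, but only some of the corresponding raw-file deletions are visible in this diff; confirm that `security-docs/security/analyze-risk-score-data.md` and `security-docs/security/asset-criticality.md` are deleted in the same change as the `docs-content/serverless` copies, otherwise the tree keeps orphaned source files that no longer appear in the navigation.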
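Review bot: In the `asset-criticality.md` hunk (`@@ -4,25 +4,138 @@`) the removed lines `$$$security-asset-criticality-bulk-assign-asset-criticality$$$`, `$$$security-asset-criticality-prioritize-open-alerts$$$` and `$$$security-asset-criticality-monitor-an-entitys-risk$$$` have no equivalent among the new heading IDs, even though the deleted comment states that internal links rely on them; either search the repository for inbound links to those IDs or keep them as explicit anchors next to the matching headings. Two smaller points in the same hunk: the IDs `[_view_and_assign_asset_criticality]` and `[_improve_your_security_operations]` keep an auto-generated underscore prefix while the rest of the page uses hand-written IDs such as `[asset-criticality]` and `[bulk-assign-asset-criticality]`, so they should be normalized; and the "File structure example" is comma-separated only although the text says CSV, TXT or TSV files are accepted, so state which delimiter the importer expects for a TSV or TXT file.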
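Review bot: In the `entity-store.md` hunk (`@@ -5,11 +5,6 @@`) deleting the `::::{warning}` block changes the documented support status of the feature, which goes beyond the lift-and-shift scope of the rest of this change; confirm that the entity store is GA for both deployment types listed under `mapped_pages`, and if it left technical preview only from a particular version, say so in the page rather than dropping the caveat silently.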
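Review bot: In the `view-analyze-risk-score-data.md` hunk (`@@ -4,45 +4,176 @@`) the heading levels nest `### Hosts and Users pages [hosts-users-pages]`, `### Host and user details pages [host-user-details-pages]` and `### Host and user details flyouts [host-and-user-details-flyouts]` under `## Alert triaging [alert-triaging]`, although the page intro lists them as peers of the Entity Analytics dashboard rather than as triage features; promote them to `##` so the section structure matches the intro list. As with the asset criticality page, the `$$$security-analyze-risk-score-data-*$$$` anchors are dropped while only the eight short IDs (`alert-details-flyout`, `alert-triaging`, `alerts-page`, and so on) survive as heading IDs, so check for inbound links to the long-form IDs before merging.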