diff --git a/images/serverless--events-correlation-tab-eql-query.png b/images/serverless--events-correlation-tab-eql-query.png deleted file mode 100644 index 56d45538a3..0000000000 Binary files a/images/serverless--events-correlation-tab-eql-query.png and /dev/null differ diff --git a/images/serverless--events-esql-tab.png b/images/serverless--events-esql-tab.png deleted file mode 100644 index deb79f0e16..0000000000 Binary files a/images/serverless--events-esql-tab.png and /dev/null differ diff --git a/images/serverless--events-timeline-disable-filter.png b/images/serverless--events-timeline-disable-filter.png deleted file mode 100644 index 9a73b5b87c..0000000000 Binary files a/images/serverless--events-timeline-disable-filter.png and /dev/null differ diff --git a/images/serverless--events-timeline-field-exists.png b/images/serverless--events-timeline-field-exists.png deleted file mode 100644 index c78c054156..0000000000 Binary files a/images/serverless--events-timeline-field-exists.png and /dev/null differ diff --git a/images/serverless--events-timeline-filter-exclude.png b/images/serverless--events-timeline-filter-exclude.png deleted file mode 100644 index 8df9ee8512..0000000000 Binary files a/images/serverless--events-timeline-filter-exclude.png and /dev/null differ diff --git a/images/serverless--events-timeline-filter-value.png b/images/serverless--events-timeline-filter-value.png deleted file mode 100644 index 7e51f9041a..0000000000 Binary files a/images/serverless--events-timeline-filter-value.png and /dev/null differ diff --git a/images/serverless--events-timeline-sidebar.png b/images/serverless--events-timeline-sidebar.png deleted file mode 100644 index 76d45ff77a..0000000000 Binary files a/images/serverless--events-timeline-sidebar.png and /dev/null differ 
diff --git a/images/serverless--events-timeline-ui-filter-options.png b/images/serverless--events-timeline-ui-filter-options.png deleted file mode 100644 index e3aeddcec9..0000000000 Binary files a/images/serverless--events-timeline-ui-filter-options.png and /dev/null differ diff --git a/images/serverless--events-timeline-ui-renderer.png b/images/serverless--events-timeline-ui-renderer.png deleted file mode 100644 index 207d5e5ccb..0000000000 Binary files a/images/serverless--events-timeline-ui-renderer.png and /dev/null differ diff --git a/images/serverless--events-timeline-ui-updated.png b/images/serverless--events-timeline-ui-updated.png deleted file mode 100644 index 63450436cd..0000000000 Binary files a/images/serverless--events-timeline-ui-updated.png and /dev/null differ diff --git a/raw-migrated-files/docs-content/serverless/security-alerts-run-osquery.md b/raw-migrated-files/docs-content/serverless/security-alerts-run-osquery.md deleted file mode 100644 index 5b8255bd23..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-alerts-run-osquery.md +++ /dev/null 
@@ -1,62 +0,0 @@ -# Run Osquery from alerts [security-alerts-run-osquery] - -Run live queries on hosts associated with alerts to learn more about your infrastructure and operating systems. For example, with Osquery, you can search your system for indicators of compromise that might have contributed to the alert. You can then use this data to inform your investigation and alert triage efforts. - -::::{admonition} Requirements -:class: note - -* The [Osquery manager integration](../../../solutions/security/investigate/manage-integration.md) must be installed. -* {{agent}}'s [status](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/monitor-elastic-agent.md) must be `Healthy`. Refer to [{{fleet}} Troubleshooting](../../../troubleshoot/ingest/fleet/common-problems.md) if it isn’t. -* You must have the appropriate user role to use this feature. - -:::: - - -To run Osquery from an alert: - -1. Do one of the following from the Alerts table: - - * Click the **View details** button to open the Alert details flyout, then click **Take action → Run Osquery**. - * Select the **More actions** menu (![Actions menu icon](../../../images/serverless-boxesHorizontal.svg "")), then select **Run Osquery**. - -2. Choose to run a single query or a query pack. -3. Select one or more {{agent}}s or groups to query. Start typing in the search field to get suggestions for {{agent}}s by name, ID, platform, and policy. - - ::::{note} - The host associated with the alert is automatically selected. You can specify additional hosts to query. - - :::: - -4. Specify the query or pack to run: - - * **Query**: Select a saved query or enter a new one in the text box. After you enter the query, you can expand the **Advanced** section to set a timeout period for the query, and view or set [mapped ECS fields](../../../solutions/security/investigate/osquery.md#osquery-map-fields) included in the results from the live query (optional). 
- - ::::{note} - Overwriting the query’s default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. - - :::: - - - ::::{tip} - Use [placeholder fields](../../../solutions/security/investigate/use-placeholder-fields-in-osquery-queries.md) to dynamically add existing alert data to your query. - - :::: - - * **Pack**: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. - - ::::{tip} - Refer to [prebuilt packs](../../../solutions/security/investigate/osquery.md#osquery-prebuilt-packs-queries) to learn about using and managing Elastic prebuilt packs. - - :::: - - - ![Shows how to set up a single query](../../../images/serverless--osquery-setup-query.png "") - -5. Click **Submit**. Query results will display within the flyout. - - ::::{note} - Refer to [Examine Osquery results](../../../solutions/security/investigate/examine-osquery-results.md) for more information about query results. - - :::: - -6. Click **Save for later** to save the query for future use (optional). diff --git a/raw-migrated-files/docs-content/serverless/security-examine-osquery-results.md b/raw-migrated-files/docs-content/serverless/security-examine-osquery-results.md deleted file mode 100644 index 134a305367..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-examine-osquery-results.md +++ /dev/null 
@@ -1,43 +0,0 @@ -# Examine Osquery results [security-examine-osquery-results] - -Osquery provides relevant, timely data that you can use to better understand and monitor your environment. When you run queries, results are indexed and displayed the Results table, which you can filter, sort, and interact with. - - -## Results table [osquery-result-types] - -The Results table displays results from single queries and query packs. - - -### Single query results [review-single-osquery-results] - -Results for single queries appear on the **Results** tab. When you run a query, the number of agents queried and query status temporarily display in a status bar above the results table. Agent responses can be `Successful`, `Not yet responded` (pending), and `Failed`. - -:::{image} ../../../images/serverless--osquery-single-query-results.png -:alt: Shows query results -:class: screenshot -::: - - -### Query pack results [review-pack-osquery-results] - -Results for each query in the pack appear in the **Results** tab. Click the expand icon (![Markdown](../../../images/serverless-arrowDown.svg "")) at the far right of each query row to display query results. The number of agents that were queried and their responses are shown for each query. Agent responses are color-coded. Green is `Sucessful`, `Not yet responded` (pending) is gray, and `Failed` is red. - -:::{image} ../../../images/serverless--osquery-pack-query-results.png -:alt: Shows query results -:class: screenshot -::: - - -## Investigate query results [investigate-osquery-results] - -From the results table, you can: - -* Click **View in Discover** (![View in Discover app](../../../images/serverless-discoverApp.svg "")) to explore the results in Discover. -* Click **View in Lens** (![View in Lens app](../../../images/serverless-lensApp.svg "")) to navigate to Lens, where you can use the drag-and-drop **Lens** editor to create visualizations. 
-* Click **Timeline** (![Timeline](../../../images/serverless-timeline.svg "")) to investigate a single query result in Timeline or **Add to timeline investigation** to investigate all results. This option is only available for single query results. - - When you open all results in Timeline, the events in Timeline are filtered based on the `action_ID` generated by the Osquery query. - -* Click **Add to Case** (![Cases](../../../images/serverless-casesApp.svg "")) to add the query results to a new or existing case. If you ran a live query from an alert, the alert and query results are added to the case as comments. -* Click the view details icon (![View details](../../../images/serverless-expand.svg "")) to examine the query ID and statement. -* View more information about the request, such as failures, by opening the **Status** tab. diff --git a/raw-migrated-files/docs-content/serverless/security-invest-guide-run-osquery.md b/raw-migrated-files/docs-content/serverless/security-invest-guide-run-osquery.md deleted file mode 100644 index aa3ba6d924..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-invest-guide-run-osquery.md +++ /dev/null 
@@ -1,77 +0,0 @@ -# Run Osquery from investigation guides [security-invest-guide-run-osquery] - -Detection rule investigation guides suggest steps for triaging, analyzing, and responding to potential security issues. When you build a custom rule, you can also set up an investigation guide that incorporates Osquery. This allows you to run live queries from a rule’s investigation guide as you analyze alerts produced by the rule. - -::::{admonition} Requirements -:class: note - -* The [Osquery manager integration](../../../solutions/security/investigate/manage-integration.md) must be installed. -* {{agent}}'s [status](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/monitor-elastic-agent.md) must be `Healthy`. Refer to [{{fleet}} Troubleshooting](../../../troubleshoot/ingest/fleet/common-problems.md) if it isn’t. -* You must have the appropriate user role to use this feature. - -:::: - - -:::{image} ../../../images/serverless--osquery-osquery-investigation-guide.png -:alt: Shows a live query in an investigation guide -:class: screenshot -::: - - -## Add live queries to an investigation guide [add-live-queries-ig] - -::::{note} -You can only add Osquery to investigation guides for custom rules because prebuilt rules cannot be edited. - -:::: - - -1. Go to **Rules** → **Detection rules (SIEM)**, select a rule, then click **Edit rule settings** on the rule details page. -2. Select the **About** tab, then expand the rule’s advanced settings. -3. Scroll down to the Investigation guide section. In the toolbar, click the **Osquery** button (![Click the Osquery button](../../../images/serverless--osquery-osquery-button.png "")). - - 1. Add a descriptive label for the query; for example, `Search for executables`. - 2. Select a saved query or enter a new one. - - ::::{tip} - Use [placeholder fields](../../../solutions/security/investigate/use-placeholder-fields-in-osquery-queries.md) to dynamically add existing alert data to your query. - - :::: - - 3. 
Expand the **Advanced** section to set a timeout period for the query, and view or set [mapped ECS fields](../../../solutions/security/investigate/osquery.md#osquery-map-fields) included in the results from the live query (optional). - - ::::{note} - Overwriting the query’s default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. - - :::: - - - ![ osquery setup osquery investigation guide](../../../images/serverless--osquery-setup-osquery-investigation-guide.png "")[height=70%][Shows results from running a query from an investigation guide] - -4. Click **Save changes** to add the query to the rule’s investigation guide. - - -## Run live queries from an investigation guide [run-live-queries-ig] - -1. Go to **Rules** → **Detection rules (SIEM)**, then select a rule to open its details. -2. Go to the About section of the rule details page and click **Investigation guide**. -3. Click the query. The Run Osquery pane displays with the **Query** field autofilled. Do the following: - - 1. Select one or more {{agent}}s or groups to query. Start typing in the search field to get suggestions for {{agent}}s by name, ID, platform, and policy. - 2. Expand the **Advanced** section to set a timeout period for the query, and view or set the [mapped ECS fields](../../../solutions/security/investigate/osquery.md#osquery-map-fields) which are included in the live query’s results (optional). - - ::::{note} - Overwriting the query’s default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. - - :::: - -4. Click **Submit** to run the query. Query results display in the flyout. 
- - ::::{note} - Refer to [Examine Osquery results](../../../solutions/security/investigate/examine-osquery-results.md) for more information about query results. - - :::: - -5. Click **Save for later** to save the query for future use (optional). - - ![ osquery run query investigation guide](../../../images/serverless--osquery-run-query-investigation-guide.png "")[height=80%][Shows results from running a query from an investigation guide] diff --git a/raw-migrated-files/docs-content/serverless/security-investigate-events.md b/raw-migrated-files/docs-content/serverless/security-investigate-events.md deleted file mode 100644 index 2fc24c0457..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-investigate-events.md +++ /dev/null @@ -1,11 +0,0 @@ -# Investigation tools [security-investigate-events] - -The following sections describe tools for investigating security events and tracking security issues directly in {{elastic-sec}}. - -These features are available in the {{security-app}}'s side navigation menu: - -* [**Cases**](../../../solutions/security/investigate/cases.md): Track investigation details about security issues. -* **Investigations** → [**Timelines**](../../../solutions/security/investigate/timeline.md): Workspace for investigations and threat hunting. -* **Investigations** → [**Osquery**](../../../solutions/security/investigate/osquery.md): Run live and scheduled queries on operating systems. -* [**Intelligence**](../../../troubleshoot/security/indicators-of-compromise.md): Indicators of compromise used for threat intelligence. -* [**Notes**](../../../solutions/security/investigate/notes.md): Use notes to coordinate responses, conduct threat hunting, and share investigative findings. diff --git a/raw-migrated-files/docs-content/serverless/security-osquery-placeholder-fields.md b/raw-migrated-files/docs-content/serverless/security-osquery-placeholder-fields.md deleted file mode 100644 index 1c9b070b2d..0000000000 
--- a/raw-migrated-files/docs-content/serverless/security-osquery-placeholder-fields.md +++ /dev/null @@ -1,28 +0,0 @@ -# Use placeholder fields in Osquery queries [security-osquery-placeholder-fields] - -Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like parameters. You can use placeholder fields to build flexible and reusable queries. - -Placeholder fields work in single queries or query packs. They’re also supported in the following features: - -* [Live queries](../../../solutions/security/investigate/run-osquery-from-alerts.md) -* [Osquery Response Actions](../../../solutions/security/investigate/add-osquery-response-actions.md) -* [Investigation guides using Osquery queries](../../../solutions/security/investigate/run-osquery-from-investigation-guides.md) - - -## Placeholder field syntax and requirements [placeholder-field-syntax] - -Placeholder fields use [mustache syntax](http://mustache.github.io/) and must be wrapped in double curly brackets (`{{example.field}}`). You can use any field within an event or alert document as a placeholder field. - -Queries with placeholder fields can only run against alerts or events. Otherwise, they will lack the necessary values and the query status will be `error`. - - -### Example query with a placeholder field [placeholder-field-example] - -The following query uses the `{{host.name}}` placeholder field: - -```sql -SELECT * FROM os_version WHERE name = {{host.os.name}} -``` - -When you run the query, the value that’s stored in the alert or event’s `host.name` field will be transferred to the `{{host.os.name}}` placeholder field. - diff --git a/raw-migrated-files/docs-content/serverless/security-osquery-response-action.md b/raw-migrated-files/docs-content/serverless/security-osquery-response-action.md deleted file mode 100644 index 3592af5ddf..0000000000 
--- a/raw-migrated-files/docs-content/serverless/security-osquery-response-action.md +++ /dev/null 
@@ -1,102 +0,0 @@ -# Add Osquery Response Actions [security-osquery-response-action] - -::::{warning} -This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. -:::: - - -Osquery Response Actions allow you to add live queries to custom query rules so you can automatically collect data on systems the rule is monitoring. Use this data to support your alert triage and investigation efforts. - -::::{admonition} Requirements -:class: note - -* Osquery Response Actions require the Endpoint Protection Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). -* The [Osquery manager integration](../../../solutions/security/investigate/manage-integration.md) must be installed. -* {{agent}}'s [status](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/monitor-elastic-agent.md) must be `Healthy`. Refer to [{{fleet}} Troubleshooting](../../../troubleshoot/ingest/fleet/common-problems.md) if it isn’t. -* You must have the appropriate user role to use this feature. -* You can only add Osquery Response Actions to custom query rules. - -:::: - - -:::{image} ../../../images/serverless--osquery-available-response-actions-osquery.png -:alt: The Osquery response action -:class: screenshot -::: - - -## Add Osquery Response Actions to rules [add-osquery-response-action] - -You can add Osquery Response Actions to new or existing custom query rules. Queries run every time the rule executes. - -1. Choose one of the following: - - * **New rule**: When you are on the last step of [custom query rule](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-custom-rule) creation, go to the Response Actions section and click the **Osquery** icon. - * **Existing rule**: Edit the rule’s settings, then go to the **Actions** tab. 
In the tab, click the **Osquery** icon under the Response Actions section. - - ::::{note} - If the rule’s investigation guide is using an Osquery query, you’ll be asked if you want to add the query as an Osquery Response Action. Click **Add** to add the investigation guide’s query to the rule’s Osquery Response Action. - - :::: - -2. Specify whether you want to set up a single live query or a pack: - - * **Query**: Select a saved query or enter a new one. After you enter the query, you can expand the **Advanced** section to set a timeout period for the query, and view or set [mapped ECS fields](../../../solutions/security/investigate/osquery.md#osquery-map-fields) included in the results from the live query. Mapping ECS fields is optional. - - ::::{note} - Overwriting the query’s default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. - - :::: - - - ::::{tip} - You can use [placeholder fields](../../../solutions/security/investigate/use-placeholder-fields-in-osquery-queries.md) to dynamically add alert data to your query. - - :::: - - * **Pack**: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. - - ::::{tip} - Refer to [prebuilt packs](../../../solutions/security/investigate/osquery.md#osquery-prebuilt-packs-queries) to learn about using and managing Elastic prebuilt packs. - - :::: - - - :::{image} ../../../images/serverless--osquery-setup-single-query.png - :alt: Shows how to set up a single query - :class: screenshot - ::: - -3. Click the **Osquery** icon to add more live queries (optional). -4. Click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules) to finish adding the queries. 
- - -## Edit Osquery Response Actions [edit-osquery-response-action] - -If you want to choose a different query or query pack for the Osquery Response Action to use, edit the rule to update the Response Action. - -::::{important} -If you edited a saved query or query pack that an Osquery Response Action is using, you must reselect the saved query or query pack on the related Osquery Response Action. Query changes are not automatically applied to Osquery Response Actions. - -:::: - - -1. Edit the rule’s settings, then go to the **Actions** tab. -2. Modify the settings for Osquery Response Actions you’ve added. -3. Click **Save changes**. - - -## Find query results [find-osquery-response-action-results] - -When a rule generates an alert, Osquery automatically collects data on the host. Query results are displayed within the **Response Results** tab in the Alert details flyout. The number next to the **Response Results** tab represents the number of queries attached to the rule, in addition to endpoint response actions run by the rule. - -::::{note} -Refer to [Examine Osquery results](../../../solutions/security/investigate/examine-osquery-results.md) for more information about query results. - -:::: - - -:::{image} ../../../images/serverless--osquery-osquery-results-tab.png -:alt: Shows how to set up a single query -:class: screenshot -::: diff --git a/raw-migrated-files/docs-content/serverless/security-query-operating-systems.md b/raw-migrated-files/docs-content/serverless/security-query-operating-systems.md deleted file mode 100644 index 3ef363ed19..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-query-operating-systems.md +++ /dev/null 
@@ -1,10 +0,0 @@ -# Osquery [security-query-operating-systems] - -Osquery is an open source tool that lets you use SQL to query operating systems like a database. When you add the [Osquery manager integration](../../../solutions/security/investigate/manage-integration.md) to an {{agent}} policy, Osquery is deployed to all agents assigned to that policy. After completing this setup, you can [run live queries and schedule recurring queries](../../../solutions/security/investigate/osquery.md) for agents and begin gathering data from your entire environment. - -Osquery is supported for Linux, macOS, and Windows. You can use it with {{elastic-sec}} to perform real-time incident response, threat hunting, and monitoring to detect vulnerability or compliance issues. The following Osquery features are available from {{elastic-sec}}: - -* [Osquery Response Actions](../../../solutions/security/investigate/add-osquery-response-actions.md) - Use Osquery Response Actions to add live queries to custom query rules. -* [Live queries from investigation guides](../../../solutions/security/investigate/run-osquery-from-investigation-guides.md) - Incorporate live queries into investigation guides to enhance your research capabilities while investigating possible security issues. -* [Live queries from alerts](../../../solutions/security/investigate/run-osquery-from-alerts.md) - Run live queries against an alert’s host to learn more about your infrastructure and operating systems. -* [Osquery settings](../../../solutions/security/investigate/osquery.md) - Navigate to **Investigations** → **Osquery** to manage project-level Osquery settings. diff --git a/raw-migrated-files/docs-content/serverless/security-session-view.md b/raw-migrated-files/docs-content/serverless/security-session-view.md deleted file mode 100644 index 15035458bf..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-session-view.md +++ /dev/null 
@@ -1,127 +0,0 @@ -# Session View [security-session-view] - -Session View is an investigation tool that allows you to examine Linux process data organized in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution. It displays events in a highly readable format that is inspired by the terminal. This makes it a powerful tool for monitoring and investigating session activity on your Linux infrastructure and understanding user and service behavior. - -Session View has the following features: - -* **Interactive and non-interactive processes:** Processes and services with or without a controlling terminal. -* **User information:** The Linux user that executed each session or process, and any exec user changes. -* **Process and event telemetry:** Process information included in the Linux logical event model. -* **Nested sessions:** Sessions started by processes descended from the entry session. -* **Alerts:** Process, file, and network alerts in the context of the events which caused them. -* **Terminal output:** Terminal output associated with each process in the session. - - -## Enable Session View data [enable-session-view] - -Session View uses process data collected by the {{elastic-defend}} integration, but this data is not always collected by default. To confirm that Session View data is enabled: - -1. Go to **Assets** → **Policies**, select a policy and then edit one or more of your {{elastic-defend}} integration policies. -2. Select the **Settings** tab, then scroll down to the Linux event collection section near the bottom. -3. Check the box for **Process** events, and turn on the **Collect session data** toggle. -4. If you want to include file and network alerts in Session View, check the boxes for **Network** and **File** events. -5. If you want to enable terminal output capture, turn on the **Capture terminal output** toggle. 
- -Session View can only display data that was collected by {{elastic-defend}} when **Collect session data** was enabled. When this setting is enabled, {{elastic-defend}} includes additional process context data in captured process, file, and network events. For more information about the additional fields collected when this setting is enabled, refer to the [Linux event model RFC](https://github.com/elastic/ecs/blob/main/rfcs/text/0030-linux-event-model.md). - - -## Open Session View [open-session-view] - -Session View is accessible from the **Hosts**, **Alerts***, and ***Timelines*** pages, as well as the ***Kubernetes*** dashboard. Events and sessions that you can investigate in Session View have a rectangular ***Open Session View** button in the **Actions** column. For example: - -* On the Alerts page, scroll down to view the Alerts table. Look for alerts that have the **Open Session View** button in the **Actions** column: - -:::{image} ../../../images/serverless--detections-session-view-action-icon-detail.png -:alt: Detail of the Open Session View button -:class: screenshot -::: - -* On the Hosts page (**Explore** → **Hosts***), select the ***Sessions*** or the ***Events** tab. From either of these tabs, click the **Open Session View** button for an event or session. - - -## Session View UI [session-view-ui] - -The Session View UI has the following features: - -:::{image} ../../../images/serverless--detections-session-view-terminal-labeled.png -:alt: Detail of Session view with labeled UI elements -:class: screenshot -::: - -1. The **Close Session** and **Full screen** buttons. -2. The search bar. Use it to find and highlight search terms within the current session. The left and right arrows allow you to navigate through search results. -3. The **display settings** button. Click to toggle Timestamps and Verbose mode. 
With Verbose mode enabled, Session View shows all processes created in a session, including shell startup, shell completion, and forks caused by built-in commands. It defaults to **off** to highlight the data most likely to be user-generated and non-standard. -4. The **Detail panel** button. Click it to toggle the Detail panel, which appears below the button and displays a wide range of additional information about the selected process’s ancestry and host, and any associated alerts. To select a process in Session View, click on it. -5. The startup process. In this example, it shows that the session was a bash session. It also shows the Linux user "Ubuntu" started the session. -6. The **Child processes** button. Click to expand or collapse a process’s children. You can also expand collapsed alerts and scripts where they appear. Collapsed processes will automatically expand when their contents match a search. -7. The **Alerts** button. Click to show alerts caused by the parent process. In this example, the `(2)` indicates that there are two alerts. Note the red line to the left of the event that caused the alert. Both alerts caused by this event are `process` alerts, as indicated by the gear icon. -8. The **Terminal output** button. Hover to see how much output data has been captured from the session. Click to open the terminal output view, which is described in detail below. -9. The **Refresh session** button. Click to check for any new data from the current session. 
- -Session View includes additional badges not pictured above: - -* The alert badge for multiple alerts appears when a single event causes alerts of multiple types (![Settings](../../../images/serverless-gear.svg "") for `process` alerts, ![Document](../../../images/serverless-document.svg "") for `file` alerts, and ![Network](../../../images/serverless-globe.svg "") for `network` alerts): - - ![The alert badge for a command with all three alert types](../../../images/serverless--cloud-native-security-session-view-alert-types-badge.png "") - -* The **Exec user change** badge highlights exec user changes, such as when a user escalates to root: - - ![The Exec user change badge](../../../images/serverless--detections-session-view-exec-user-change-badge.png "") - -* The **Output** badge appears next to commands that generated terminal output. Click it to view that command’s output in terminal output view. - - ![The Output badge](../../../images/serverless--detections-session-view-output-badge.png "") - - - -## Terminal output view UI [session-view-output] - -::::{admonition} Requirements -:class: note - -* Session output can only be collected from Linux OSes with eBPF-enabled kernels versions 5.10.16 or higher. - -:::: - - -In general, terminal output is the text that appears in interactive Linux shell sessions. This generally includes user-entered text (terminal input), which appears as output to facilitate editing commands, as well as the text output of executed programs. In certain cases such as password entry, terminal input is not captured as output. - -From a security perspective, terminal output is important because it offers a means of exfiltrating data. For example, a command like `cat tls-private-key.pem` could output a web server’s private key. Thus, terminal output view can improve your understanding of commands executed by users or adversaries, and assist with auditing and compliance. - -To enable terminal output data capture: - -1. 
Go to **Assets** → **Policies**, select a policy and then edit one or more of your {{elastic-defend}} integration policies. -2. On the **Settings** tab, scroll down to the Linux event collection section near the bottom of the page and select the **Collect session data** and **Capture terminal output** options. - -You can configure several additional settings by clicking **Advanced settings** at the bottom of the page: - -* `linux.advanced.tty_io.max_kilobytes_per_process`: The maximum number of kilobytes of output to record from a single process. Default: 512 KB. Process output exceeding this value will not be recorded. -* `linux.advanced.tty_io.max_kilobytes_per_event`: The maximum number of kilobytes of output to send to {{es}} as a single event. Default: 512 KB. Additional data is captured as a new event. -* `linux.advanced.tty_io.max_event_interval_seconds`: The maximum interval (in seconds) during which output is batched. Default: 30 seconds. Output will be sent to {{es}} at this interval (unless it first exceeds the `max_kilobytes_per_event` value, in which case it might be sent sooner). - -:::{image} ../../../images/serverless--detections-session-view-output-viewer.png -:alt: Terminal output view -:class: screenshot -::: - -1. Search bar. Use to find and highlight search terms within the current session. The left and right arrows allow you to navigate through search results. -2. Right-side scroll bar. Use along with the bottom scroll bar to navigate output data that doesn’t fit on a single screen. -3. Playback controls and progress bar. Use to advance or rewind the session’s commands and output. Click anywhere on the progress bar to jump to that part of the session. The marks on the bar represent processes that generated output. Click them or the **Prev** and **Next** buttons to skip between processes. -4. **Fit screen**, **Zoom in**, and **Zoom out** buttons. Use to adjust the text size. 
- -::::{tip} -Use Session view’s **Fullscreen** button (located next to the **Close session viewer** button) to better fit output with long lines, such as for graphical programs like `vim`. - -:::: - - - -### Terminal output limitations for search and alerting [terminal-output-limitations] - -You should understand several current limitations before building rules based on terminal output data: - -* Terminal output that appears in the `process.io.text` field includes [ANSI codes](https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797) that represent, among other things, text color, text weight, and escape sequences. This can prevent EKS queries from matching as expected. Queries of this data will have more success matching single words than more complex strings. -* Queries of this data should include leading and trailing wildcards (for example `process where process.io.text : "*sudo*"`), since output events typically include multiple lines of output. -* The search functionality built into terminal output view is subject to similar limitations. For example, if a user accidentally entered `sdo` instead of `sudo`, then pressed backspace twice to fix the typo, the recorded output would be `sdo\b\budo`. This would appear in the terminal output view as `sudo`, but searching terminal output view for `sudo` would not result in a match. -* Output that seems like it should be continuous may be split into multiple events due to the advanced settings described above, which may prevent a query or search from matching as expected. -* Rules based on output data will identify which output event’s `process.io.text` value matched the alert query, without identifying which specific part of that value matched. For example, the rule query `process.io.text: "*test*"` could match a large, multi-line log file due to a single instance of `test`, without identifying where in the file the instance occurred. 
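Review bot: the terminal output limitations list being removed still carries the typo "This can prevent EKS queries from matching as expected"; the example on the next bullet, `process where process.io.text : "*sudo*"`, is EQL syntax, so this should read "EQL queries", and the requirement "Linux OSes with eBPF-enabled kernels versions 5.10.16 or higher" needs "kernel versions". If this content is being moved rather than dropped, carry those corrections into the destination file and confirm that the three `linux.advanced.tty_io.*` settings with their defaults (512 KB, 512 KB, 30 seconds), the **Capture terminal output** policy option, and the `sdo\b\budo` search caveat survive the migration; the destination is not visible in this diff.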
diff --git a/raw-migrated-files/docs-content/serverless/security-timeline-templates-ui.md b/raw-migrated-files/docs-content/serverless/security-timeline-templates-ui.md deleted file mode 100644 index 407adb44b8..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-timeline-templates-ui.md +++ /dev/null 
@@ -1,161 +0,0 @@ -# Timeline templates [security-timeline-templates-ui] - -You can attach Timeline templates to detection rules. When attached, the rule’s alerts use the template when they are investigated in Timeline. This enables immediately viewing the alert’s most interesting fields when you start an investigation. - -Templates can include two types of filters: - -* **Regular filter**: Like other KQL filters, defines both the source event field and its value. For example: `host.name : "win-server"`. -* **Template filter**: Only defines the event field and uses a placeholder for the field’s value. When you investigate an alert in Timeline, the field’s value is taken from the alert. - -For example, if you define the `host.name: "{host.name}"` template filter, when alerts generated by the rule are investigated in Timeline, the alert’s `host.name` value is used in the filter. If the alert’s `host.name` value is `Linux_stafordshire-061`, the Timeline filter is: `host.name: "Linux_stafordshire-061"`. - -::::{note} -For information on how to add Timeline templates to rules, refer to [Create a detection rule](../../../solutions/security/detect-and-alert/create-detection-rule.md). - -:::: - - -When you load {{elastic-sec}} prebuilt rules, {{elastic-sec}} also loads a selection of prebuilt Timeline templates, which you can attach to detection rules. **Generic** templates use broad KQL queries to retrieve event data, and **Comprehensive** templates use detailed KQL queries to retrieve additional information. The following prebuilt templates appear by default: - -* **Alerts Involving a Single Host Timeline**: Investigate detection alerts involving a single host. -* **Alerts Involving a Single User Timeline**: Investigate detection alerts involving a single user. -* **Generic Endpoint Timeline**: Investigate {{elastic-endpoint}} detection alerts. -* **Generic Network Timeline**: Investigate network-related detection alerts. 
-* **Generic Process Timeline**: Investigate process-related detection alerts. -* **Generic Threat Match Timeline**: Investigate threat indicator match detection alerts. -* **Comprehensive File Timeline**: Investigate file-related detection alerts. -* **Comprehensive Network Timeline**: Investigate network-related detection alerts. -* **Comprehensive Process Timeline**: Investigate process-related detection alerts. -* **Comprehensive Registry Timeline**: Investigate registry-related detection alerts. - -::::{tip} -You can [duplicate prebuilt templates](../../../solutions/security/investigate/timeline-templates.md#man-templates-ui) and use them as a starting point for your own custom templates. - -:::: - - - -## Timeline template legend [template-legend-ui] - -When you add filters to a Timeline template, the items are color coded to indicate which type of filter is added. Additionally, you change Timeline filters to template filters as you build your template. - -Regular Timeline filter -: Clicking **Convert to template field** changes the filter to a template filter: - - :::{image} ../../../images/serverless--events-template-filter-value.png - :alt: events template filter value - :class: screenshot - ::: - - -Template filter -: ![ events timeline template filter](../../../images/serverless--events-timeline-template-filter.png "") - -When you [convert a template to a Timeline](../../../solutions/security/investigate/timeline-templates.md#man-templates-ui), template filters with placeholders are disabled: - -:::{image} ../../../images/serverless--events-invalid-filter.png -:alt: events invalid filter -:class: screenshot -::: - -To enable the filter, either specify a value or change it to a field’s existing filter (refer to [Edit existing filters](../../../solutions/security/investigate/timeline.md#pivot)). - - - -## Create a Timeline template [create-timeline-template] - -1. Choose one of the following: - - * Go to **Investigations** → **Timelines***. 
Click the ***Templates** tab, then click **Create new Timeline template**. - * Go to the Timeline bar (which is at the bottom of most pages), click the ![New Timeline](../../../images/serverless-plusInCircle.svg "") button, then click **Create new Timeline template**. - * From an open Timeline or Timeline template, click **New** → **New Timeline template**. - -2. Add filters to the new Timeline template. Click **Add field**, and select the required option: - - * **Add field**: Add a regular Timeline filter. - * **Add template field**: Add a template filter with a value placeholder. - - ::::{tip} - You can also drag and send items to the template from the **Overview**, **Hosts***, ***Network**, and **Alerts** pages. - - :::: - - - :::{image} ../../../images/serverless--events-create-a-timeline-template-field.png - :alt: An example of a Timeline filter - :class: screenshot - ::: - -3. Click **Save** to give the template a title and description. - -**Example** - -To create a template for process-related alerts on a specific host: - -* Add a regular filter for the host name: `host.name: "Linux_stafordshire-061"` -* Add template filter for process names: `process.name: "{process.name}"` - -:::{image} ../../../images/serverless--events-template-query-example.png -:alt: events template query example -:class: screenshot -::: - -When alerts generated by rules associated with this template are investigated in Timeline, the host name is `Linux_stafordshire-061`, whereas the process name value is retrieved from the alert’s `process.name` field. - - -## Manage existing Timeline templates [man-templates-ui] - -You can view, duplicate, export, delete, and create templates from existing Timelines: - -1. Go to **Investigations** → **Timelines** → **Templates**. - - :::{image} ../../../images/serverless--events-all-actions-timeline-ui.png - :alt: events all actions timeline ui - :class: screenshot - ::: - -2. 
Click the **All actions** icon in the relevant row, and then select the action: - - * **Create timeline from template** (refer to [Create a Timeline template](../../../solutions/security/investigate/timeline-templates.md#create-timeline-template)) - * **Duplicate template** - * **Export selected** (refer to [Export and import Timeline templates](../../../solutions/security/investigate/timeline-templates.md#import-export-timeline-templates)) - * **Delete selected** - * **Create query rule from timeline** (only available if the Timeline contains a KQL query) - * **Create EQL rule from timeline** (only available if the Timeline contains an EQL query) - - -::::{tip} -To perform the same action on multiple templates, select templates, then the required action from the **Bulk actions** menu. - -:::: - - -::::{note} -You cannot delete prebuilt templates. - -:::: - - - -## Export and import Timeline templates [import-export-timeline-templates] - -You can import and export Timeline templates, which enables importing templates from one space or {{elastic-sec}} instance to another. Exported templates are saved in an `ndjson` file. - -1. Go to **Investigations** → **Timelines** → **Templates**. -2. To export templates, do one of the following: - - * To export one template, click the **All actions** icon in the relevant row and then select **Export selected**. - * To export multiple templates, select all the required templates and then click **Bulk actions** → **Export selected**. - -3. To import templates, click **Import**, then select or drag and drop the template `ndjson` file. - - ::::{note} - Each template object in the file must be represented in a single line. Multiple template objects are delimited with newlines. - - :::: - - -::::{note} -You cannot export prebuilt templates. - -:::: 
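Review bot: the deleted text has unbalanced emphasis in "Go to **Investigations** → **Timelines***. Click the ***Templates** tab" and in "**Overview**, **Hosts***, ***Network**, and **Alerts** pages", which renders stray asterisks; the migrated copy should read `**Timelines**. Click the **Templates** tab` and `**Hosts**, **Network**`. In the **Manage existing Timeline templates** list, the action "**Create timeline from template**" links to `#create-timeline-template`, whose section describes creating a template rather than creating a Timeline from one, so the link target should be re-checked when this lands in its new location. "Additionally, you change Timeline filters to template filters as you build your template" reads as "you can change".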
diff --git a/raw-migrated-files/docs-content/serverless/security-timelines-ui.md b/raw-migrated-files/docs-content/serverless/security-timelines-ui.md deleted file mode 100644 index 48685ff01c..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-timelines-ui.md +++ /dev/null 
@@ -1,265 +0,0 @@ -# Timeline [security-timelines-ui] - -Use Timeline as your workspace for investigations and threat hunting. You can add alerts from multiple indices to a Timeline to facilitate advanced investigations. - -You can drag or send fields of interest to a Timeline to create the desired query. For example, you can add fields from tables and histograms on the **Overview**, **Alerts***, ***Hosts***, and ***Network** pages, as well as from other Timelines. Alternatively, you can add a query directly in Timeline by expanding the [query builder](../../../solutions/security/investigate/timeline.md#narrow-expand) and clicking **+ Add field**. - -:::{image} ../../../images/serverless--events-timeline-ui-updated.png -:alt: example Timeline with several events -:class: screenshot -::: - -In addition to Timelines, you can create and attach Timeline templates to [detection rules](../../../solutions/security/detect-and-alert.md). Timeline templates allow you to define the source event fields used when you investigate alerts in Timeline. You can select whether the fields use predefined values or values retrieved from the alert. For more information, refer to [Create Timeline templates](../../../solutions/security/investigate/timeline-templates.md). - - -## Create new or open existing Timeline [open-create-timeline] - -To make a new Timeline, choose one of the following: - -* Go to the Timelines page (**Investigations** → **Timelines**), then click **Create new Timeline**. -* Go to the Timeline bar (which is at the bottom of most pages), click the ![New Timeline](../../../images/serverless-plusInCircle.svg "") button, then click **Create new Timeline**. -* From an open Timeline or Timeline template, click **New** → **New Timeline**. - -To open an existing Timeline, choose one of the following: - -* Go to the Timelines page, then click a Timeline’s title. 
-* Go to the Timeline bar, click the ![New Timeline](../../../images/serverless-plusInCircle.svg "") button, then click **Open Timeline**. -* From an open Timeline or Timeline template, click **Open**, then select the appropriate Timeline. - -To avoid losing your changes, you must save the Timeline before moving to a different {{security-app}} page. If you change an existing Timeline, you can use the **Save as new timeline** toggle to make a new copy of the Timeline, without overwriting the original one. - -::::{tip} -Click the star icon (![Favorite](../../../images/serverless-starEmpty.svg "")) to favorite your Timeline and quickly find it later. - -:::: - - - -## View and refine Timeline results [refine-timeline-results] - -You can select whether Timeline displays detection alerts and other raw events, or just alerts. By default, Timeline displays both raw events and alerts. To hide raw events and display alerts only, click **Data view** to the left of the KQL query bar, then select **Show only detection alerts**. - - -## Inspect an event or alert [timeline-inspect-events-alerts] - -To further inspect an event or detection alert, click the **View details** button. A flyout with event or [alert details](../../../solutions/security/detect-and-alert/view-detection-alert-details.md) appears. - - -## Configure Timeline event context and display [conf-timeline-display] - -Many types of events automatically appear in preconfigured views that provide relevant contextual information, called **Event Renderers**. All event renderers are turned off by default. To turn them on, use the **Event renderers** toggle at the top of the results pane. To only turn on specific event renderers, click the gear (![The customize event renderer button](../../../images/serverless-gear.svg "")) icon next to the toggle, and select the ones you want enabled. Close the **Customize event renderers** pane when you’re done. Your changes are automatically applied to Timeline. 
- -:::{image} ../../../images/serverless--events-timeline-ui-renderer.png -:alt: example timeline with the event renderer highlighted -:class: screenshot -::: - -The example above displays the Flow event renderer, which highlights the movement of data between its source and destination. If you see a particular part of the rendered event that interests you, you can drag it up to the drop zone below the query bar for further investigation. - -You can also modify a Timeline’s display in other ways: - -* [Add and remove fields](../../../solutions/security/investigate/timeline.md#add-remove-timeline-fields) from Timeline -* Create [runtime fields](../../../solutions/security/get-started/create-runtime-fields-in-elastic-security.md) and display them in the Timeline -* Reorder and resize columns -* Copy a column name or values to a clipboard -* Change how the name, value, or description of a field are displayed in Timeline -* View the Timeline in full screen mode -* Add or delete [notes](../../../solutions/security/investigate/notes.md) attached to alerts, events, or Timeline -* Pin interesting events to the Timeline - - -## Add and remove fields from Timeline [add-remove-timeline-fields] - -The Timeline table shows fields that are available for alerts and events in the selected data view. You can modify the table to display fields that interest you. Use the sidebar to search for specific fields or scroll through it to find fields of interest. Fields that you select display as columns in the table. - -To add a field from the sidebar, hover over it, and click the **Add field as a column** button (![The button that lets you to add a field as a column](../../../images/serverless-plusInCircle.svg "")), or drag and drop the field into the table. To remove a field, hover over it, and click the **Remove field as a column** button (![The button that lets you to remove a field as a column](../../../images/serverless-cross.svg "")). 
- -:::{image} ../../../images/serverless--events-timeline-sidebar.png -:alt: Shows the sidebar that allows you to configure the columns that display in Timeline -:class: screenshot -::: - - -## Use the Timeline query builder [narrow-expand] - -Expand the query builder by clicking the query builder button (![Query builder](../../../images/serverless-timeline.svg "")) to the right of the KQL query bar. Drop in fields to build a query that filters Timeline results. The fields' relative placement specifies their logical relationships: horizontally adjacent filters use `AND`, while vertically adjacent filters use `OR`. - -::::{tip} -Collapse the query builder and provide more space for Timeline results by clicking the query builder button (![Query builder](../../../images/serverless-timeline.svg "")). - -:::: - - - -## Edit existing filters [pivot] - -Click a filter to access additional operations such as **Add filter**, **Clear all**, **Load saved query**, and more: - -:::{image} ../../../images/serverless--events-timeline-ui-filter-options.png -:alt: events timeline ui filter options -:class: screenshot -::: - -Here are examples of various types of filters: - -Field with value -: Filters for events with the specified field value: - - :::{image} ../../../images/serverless--events-timeline-filter-value.png - :alt: events timeline filter value - :class: screenshot - ::: - - -Field exists -: Filters for events containing the specified field: - - :::{image} ../../../images/serverless--events-timeline-field-exists.png - :alt: events timeline field exists - :class: screenshot - ::: - - -Exclude results -: Filters for events that do not contain the specified field value (`field with value` filter) or the specified field (`field exists` filter): - - :::{image} ../../../images/serverless--events-timeline-filter-exclude.png - :alt: events timeline filter exclude - :class: screenshot - ::: - - -Temporarily disable -: The filter is not used in the query until it is enabled again: 
- - :::{image} ../../../images/serverless--events-timeline-disable-filter.png - :alt: events timeline disable filter - :class: screenshot - ::: - - -Filter for field present -: Converts a `field with value` filter to a `field exists` filter. - -::::{note} -When you convert a [Timeline template](../../../solutions/security/investigate/timeline-templates.md) to a Timeline, some fields may be disabled. For more information, refer to [Timeline template legend](../../../solutions/security/investigate/timeline-templates.md#template-legend-ui). - -:::: - - - -## Attach Timeline to a case [timeline-to-cases-ui] - -To attach a Timeline to a new or existing case, open it, click **Attach to case** in the upper right corner, then select either **Attach to new case** or **Attach to existing case**. - -To learn more about cases, refer to [Cases](../../../solutions/security/investigate/cases.md). - - -## Manage existing Timelines [manage-timelines-ui] - -You can view, duplicate, export, delete, and create templates from existing Timelines: - -1. Go to **Investigations** → **Timelines**. -2. Click the **All actions** menu in the desired row, then select an action: - - * **Create template from timeline** (refer to [Create Timeline templates](../../../solutions/security/investigate/timeline-templates.md)) - * **Duplicate timeline** - * **Export selected** (refer to [Export and import Timelines](../../../solutions/security/investigate/timeline.md#import-export-timelines)) - * **Delete selected** - * **Create query rule from timeline** (only available if the Timeline contains a KQL query) - * **Create EQL rule from timeline** (only available if the Timeline contains an EQL query) - - -::::{tip} -To perform an action on multiple Timelines, first select the Timelines, then select an action from the **Bulk actions** menu. 
- -:::: - - - -## Export and import Timelines [import-export-timelines] - -You can export and import Timelines, which enables you to share Timelines from one space or {{elastic-sec}} instance to another. Exported Timelines are saved as `.ndjson` files. - -To export Timelines: - -* Go to **Investigations** → **Timelines**. -* Either click the **All actions** menu in the relevant row and select **Export selected***, or select multiple Timelines and then click ***Bulk actions** → **Export selected**. - -To import Timelines: - -* Click **Import**, then select or drag and drop the relevant `.ndjson` file. - - ::::{note} - Multiple Timeline objects are delimited with newlines. - - :::: - - - -## Filter Timeline results with EQL [filter-with-eql] - -Use the **Correlation** tab to investigate Timeline results with [EQL queries](../../../explore-analyze/query-filter/languages/eql.md). - -When forming EQL queries, you can write a basic query to return a list of events and alerts. Or, you can create sequences of EQL queries to view matched, ordered events across multiple event categories. Sequence queries are useful for identifying and predicting related events. They can also provide a more complete picture of potential adversary behavior in your environment, which you can use to create or update rules and detection alerts. - -The following image shows what matched ordered events look like in the Timeline table. Events that belong to the same sequence are matched together in groups and shaded red or blue. Matched events are also ordered from oldest to newest in each sequence. - -:::{image} ../../../images/serverless--events-correlation-tab-eql-query.png -:alt: a Timeline's correlation tab -:class: screenshot -::: - -From the **Correlation** tab, you can also do the following: - -* Specify the date and time range that you want to investigate. -* Reorder the columns and choose which fields to display. -* Choose a data view and whether to show detection alerts only. 
- - -## Use {{esql}} to investigate events [esql-in-timeline] - -The [Elasticsearch Query Language ({{esql}})](../../../explore-analyze/query-filter/languages/esql.md) provides a powerful way to filter, transform, and analyze event data stored in {{es}}. {{esql}} queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis. - -You can use {{esql}} in Timeline by opening the **{{esql}}** tab. From there, you can: - -* Write an {{esql}} query to explore your events. For example, start with the following query, then iterate on it to tailor your results: - - ```esql - FROM .alerts-security.alerts-default,apm-*-transaction*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,traces-apm*,winlogbeat-*,-*elastic-cloud-logs-* - | LIMIT 10 - | KEEP @timestamp, message, event.category, event.action, host.name, source.ip, destination.ip, user.name - ``` - - This query does the following: - - * It starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the [Security data view](../../../solutions/security/get-started/configure-advanced-settings.md#update-sec-indices). - * Then, the query limits the output to the top 10 results. - * Finally, it keeps the default Timeline fields (`@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name`) in the output. - - ::::{tip} - When querying indices that tend to be large (for example, `logs-*`), performance can be impacted by the number of fields returned in the output. To optimize performance, we recommend using the [`KEEP`](asciidocalypse://docs/elasticsearch/docs/reference/query-languages/esql-commands.md#esql-keep) command to specify fields that you want returned. 
For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. - - :::: - - - ::::{note} - * An error message displays when the query bar is empty. - * When specifying data sources for an {{esql}} query, autocomplete doesn’t suggest hidden indices, such as `.alerts-*`. You must manually enter the index name or pattern. - - :::: - -* Click the help icon (![Click the ES|QL help icon](../../../images/serverless-iInCircle.svg "")) on the far right side of the query editor to open the in-product reference documentation for all {{esql}} commands and functions. -* Visualize query results using [Discover](../../../explore-analyze/discover.md) functionality. - -:::{image} ../../../images/serverless--events-esql-tab.png -:alt: Example of the ES|QL tab in Timeline -:class: screenshot -::: - - -## Additional {{esql}} resources [esql-in-timeline-resources] - -To get started using {{esql}}, read the tutorial for [using {{esql}} in {{kib}}](../../../explore-analyze/query-filter/languages/esql-kibana.md). Much of the functionality available in {{kib}} is also available in Timeline. - -To find examples of using {{esql}} for threat hunting, check out [our blog](https://www.elastic.co/blog/introduction-to-esql-new-query-language-flexible-iterative-analytics). diff --git a/raw-migrated-files/docs-content/serverless/security-visual-event-analyzer.md b/raw-migrated-files/docs-content/serverless/security-visual-event-analyzer.md deleted file mode 100644 index e36287917a..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-visual-event-analyzer.md +++ /dev/null 
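Review bot: the same stray-asterisk problem appears in this file, in "**Overview**, **Alerts***, ***Hosts***, and ***Network** pages" and in "select **Export selected***, or select multiple Timelines and then click ***Bulk actions** → **Export selected**"; fix the emphasis in the migrated copy. The {{esql}} tip links to `asciidocalypse://docs/elasticsearch/docs/reference/query-languages/esql-commands.md#esql-keep`, a toolchain-specific URL scheme that will not resolve as a plain link, so verify the destination uses a resolvable cross-reference. Two operational details in this hunk are easy to lose in a move and should be confirmed present at the destination: the note that autocomplete does not suggest hidden indices such as `.alerts-*`, and the recommendation to add a `KEEP` clause when querying large patterns such as `logs-*`.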
@@ -1,172 +0,0 @@ -# Visual event analyzer [security-visual-event-analyzer] - -{{elastic-sec}} allows any event detected by {{elastic-endpoint}} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Examining events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations. - - -## Find events to analyze [find-events-analyze] - -You can only visualize events triggered by hosts configured with the {{elastic-defend}} integration or any `sysmon` data from `winlogbeat`. - -In KQL, this translates to any event with the `agent.type` set to either: - -* `endpoint` -* `winlogbeat` with `event.module` set to `sysmon` - -To find events that can be visually analyzed: - -1. First, display a list of events by doing one of the following: - - * Go to **Explore** → **Hosts**, then select the **Events** tab. A list of all your hosts' events appears at the bottom of the page. - * Go to **Alerts**, then scroll down to the Alerts table. - -2. Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting **Enter**: - - * `agent.type:"endpoint" and process.entity_id :*` - - Or - - * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` - -3. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the Hosts, Alerts, and Timelines pages, as well as the alert details flyout. 
- - ::::{tip} - Turn on the `securitySolution:enableVisualizationsInFlyout` [advanced setting](../../../solutions/security/get-started/configure-advanced-settings.md#visualizations-in-flyout) to access the event analyzer from the **Visualize** tab in the alert or event details flyout. - - :::: - - - ![Shows analyze event option](../../../images/serverless--detections-analyze-event-button.png "") - - ::::{note} - Events that cannot be analyzed will not have the **Analyze event** option available. This might occur if the event has incompatible field mappings. - - :::: - - - :::{image} ../../../images/serverless--detections-analyze-event-timeline.png - :alt: detections analyze event timeline - :class: screenshot - ::: - - ::::{tip} - You can also analyze events from [Timelines](../../../solutions/security/investigate/timeline.md). - - :::: - - - -## Visual event analyzer UI [visual-analyzer-ui] - -Within the visual analyzer, each cube represents a process, such as an executable file or network event. Click and drag in the analyzer to explore the hierarchy of all process relationships. - -To understand what fields were used to create the process, select the **Process Tree** to show the schema that created the graphical view. The fields included are: - -* `SOURCE`: Can be either `endpoint` or `winlogbeat` -* `ID`: Event field that uniquely identifies a node -* `EDGE`: Event field which indicates the relationship between two nodes - -:::{image} ../../../images/serverless--detections-process-schema.png -:alt: detections process schema -:class: screenshot -::: - -Click the **Legend** to show the state of each process node. - -:::{image} ../../../images/serverless--detections-node-legend.png -:alt: detections node legend -:class: screenshot -::: - -Use the date and time filter to analyze the event within a specific time range. By default, the selected time range matches that of the table from which you opened the alert. 
- -:::{image} ../../../images/serverless--detections-date-range-selection.png -:alt: detections date range selection -:class: screenshot -::: - -Select a different data view to further filter the alert’s related events. - -:::{image} ../../../images/serverless--detections-data-view-selection.png -:alt: detections data view selection -:class: screenshot -::: - -To expand the analyzer to a full screen, select the **Full Screen** icon above the left panel. - -:::{image} ../../../images/serverless--detections-full-screen-analyzer.png -:alt: detections full screen analyzer -:class: screenshot -::: - -The left panel contains a list of all processes related to the event, starting with the event chain’s first process. **Analyzed Events** — the event you selected to analyze from the events list or Timeline — are highlighted with a light blue outline around the cube. - -:::{image} ../../../images/serverless--detections-process-list.png -:alt: detections process list -:class: screenshot -::: - -In the graphical view, you can: - -* Zoom in and out of the graphical view using the slider on the far right -* Click and drag around the graphical view to more process relationships -* Observe child process events that spawned from the parent process -* Determine how much time passed between each process -* Identify all events related to each process - -:::{image} ../../../images/serverless--detections-graphical-view.png -:alt: detections graphical view -:class: screenshot -::: - - -## Process and event details [process-and-event-details] - -To learn more about each related process, select the process in the left panel or the graphical view. 
The left panel displays process details such as: - -* The number of events associated with the process -* The timestamp of when the process was executed -* The file path of the process within the host -* The `process-pid` -* The user name and domain that ran the process -* Any other relevant process information -* Any associated alerts - -:::{image} ../../../images/serverless--detections-process-details.png -:alt: detections process details -:class: screenshot -::: - -When you first select a process, it appears in a loading state. If loading data for a given process fails, click **Reload `{{process_name}}`** beneath the process to reload the data. - -Access event details by selecting that event’s URL at the top of the process details view or choosing one of the event pills in the graphical view. - -Events are categorized based on the `event.category` value. - -:::{image} ../../../images/serverless--detections-event-type.png -:alt: detections event type -:class: screenshot -::: - -When you select an `event.category` pill, all the events within that category are listed in the left panel. To display more details about a specific event, select it from the list. - -:::{image} ../../../images/serverless--detections-event-details.png -:alt: detections event details -:class: screenshot -::: - -::::{note} -There is no limit to the number of events that can be associated with a process. - -:::: - - -You can also examine alerts associated with events. - -To examine alerts associated with the event, select the alert pill (***x* alert**). The left pane lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert’s details. - -In the example screenshot below, five alerts were generated by the analyzed event (`lsass.exe`). 
The left pane displays the associated alerts and basic information about each one. - -:::{image} ../../../images/serverless--detections-alert-pill.png -:alt: detections alert pill -:class: screenshot -::: diff --git a/raw-migrated-files/kibana/kibana/osquery.md b/raw-migrated-files/kibana/kibana/osquery.md deleted file mode 100644 index fd1e44b3d2..0000000000 --- a/raw-migrated-files/kibana/kibana/osquery.md +++ /dev/null 
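Review bot: before this file goes, confirm the migrated page keeps the two behaviours that only appear here in this excerpt: the `securitySolution:enableVisualizationsInFlyout` advanced setting that exposes the analyzer from the **Visualize** tab, and the note that events with incompatible field mappings get no **Analyze event** option. The toc hunk later in this patch drops `security-visual-event-analyzer.md` as well, so once this page is deleted readers on the old URL have no fallback unless the target page's `mapped_urls` covers it.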
@@ -1,287 +0,0 @@ -# Osquery [osquery] - -[Osquery](https://osquery.io) is an open source tool that lets you query operating systems like a database, providing you with visibility into your infrastructure and operating systems. Using basic SQL commands, you can ask questions about devices, such as servers, Docker containers, and computers running Linux, macOS, or Windows. The [extensive schema](https://osquery.io/schema) helps with a variety of use cases, including vulnerability detection, compliance monitoring, incident investigations, and more. - -With Osquery in {{kib}}, you can: - -* Run live queries for one or more agents -* Schedule query packs to capture changes to OS state over time -* View a history of past queries and their results -* Save queries and build a library of queries for specific use cases - -Osquery in {{kib}} is powered by the **Osquery Manager** integration. For information on how to set up **Osquery Manager**, refer to [*Manage the integration*](../../../solutions/security/investigate/manage-integration.md). - - -## Required privileges [_required_privileges_2] - -To use **Osquery Manager**, you must be assigned to a role with the following privileges: - -* `Read` privileges for the `logs-osquery_manager.result*` index. -* {{kib}} privileges for **Osquery Manager**. The `All` privilege enables you to run, schedule, and save queries. `Read` enables you to view live and scheduled query results, but you cannot run live queries or edit. - - -## Run live queries [osquery-run-query] - -To inspect hosts, run a query against one or more agents or policies, then view the results. - -1. Go to **Osquery** using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. In the **Live queries** view, click **New live query**. -3. Choose to run a single query or a query pack. -4. Select one or more agents or groups to query. 
Start typing in the search field, and you’ll get suggestions for agents by name, ID, platform, and policy. -5. Specify the query or pack to run: - - * **Query**: Select a saved query or enter a new one in the text box. After you enter the query, you can expand the **Advanced** section to set a timeout period for the query, and view or set [mapped ECS fields](../../../solutions/security/investigate/osquery.md#osquery-map-fields) included in the results from the live query (optional). - - ::::{note} - Overwriting the query’s default timeout period allows you to support queries that require more time to complete. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. - :::: - - * **Pack**: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. - - ::::{tip} - Refer to [prebuilt packs](../../../solutions/security/investigate/osquery.md#osquery-prebuilt-packs) to learn about using and managing Elastic prebuilt packs. - :::: - - - :::{image} ../../../images/kibana-enter-query.png - :alt: Select saved query dropdown name showing query name and description - :class: screenshot - ::: - -6. Click **Submit**. - - ::::{tip} - To save a single query for future use, click **Save for later** and define the ID, description, and other [details](../../../solutions/security/investigate/osquery.md#osquery-manage-query). - :::: - -7. Review the results and do any of the following: - - * Click **View in Discover** (![View in Discover icon](../../../images/kibana-discover-button-osquery.png "")) to explore the results in **Discover**. - * Click **View in Lens** (![View in Lens icon](../../../images/kibana-lens-button-osquery.png "")) to navigate to **Lens**, where you can use the drag-and-drop **Lens** editor to create visualizations. 
- * Click **Add to Case** (![Add to Case icon](../../../images/kibana-case-button-osquery.png "")) to add the query results to a new or existing case. - * Click the view details icon (![View details icon](../../../images/kibana-view-osquery-details.png "")) to examine the query ID and statement. - -8. To view more information about the request, such as failures, open the **Status** tab. - - -## View or rerun previous live queries [osquery-view-history] - -The **Live queries history** section on the **Live queries** tab shows a log of queries run over the last 30 days. From the Live queries table, you can: - -* Click the run icon (![Right-pointing triangle](../../../images/kibana-play-icon.png "")) to rerun a single query or a query pack. -* Click the table icon (![Table icon](../../../images/kibana-table-icon.png "")) to examine the [results](../../../solutions/security/investigate/osquery.md#osquery-results) for a single query or a query pack. From the results table, you can also find the query [status](../../../solutions/security/investigate/osquery.md#osquery-status). - - :::{image} ../../../images/kibana-live-query-check-results.png - :alt: Results of OSquery - :class: screenshot - ::: - - - -## Schedule queries with packs [osquery-schedule-query] - -A pack is a set of grouped queries that perform similar functions or address common use cases. [Prebuilt Elastic packs](../../../solutions/security/investigate/osquery.md#osquery-prebuilt-packs) are available to download and can help you get started using the Osquery integration. - -You can also create a custom pack with one or more queries. For example, when creating custom packs, you might create one pack that checks for IT compliance-type issues, and another pack that monitors for evidence of malware. - -You can run packs as live queries or schedule packs to run for one or more agent policies. When scheduled, queries in the pack are run at the set intervals for all agents in those policies. - -1. 
Click the **Packs** tab. -2. Click **Add pack*** to create a new pack, or click the name of an existing pack, then ***Edit** to add queries to an existing pack. -3. Provide a name for the pack. The short description is optional. -4. Schedule the pack to be deployed on specified agent policies (**Policy**) or on all agent policies (**Global**). - - ::::{tip} - Pack deployment details are stored within the [Osquery configuration](../../../solutions/security/investigate/manage-integration.md#osquery-custom-config). The `shard` field value is the percentage of agents in the policy using the pack. - :::: - - - If you choose the **Policy** option, configure these fields: - - ::::{note} - When defining pack deployment details, you cannot configure the same policy multiple times. In other words, after specifying a policy, you can either choose to deploy the pack to all of the policy’s agents or only a subset. You cannot choose both. - :::: - - - * **Scheduled {{agent}} policies (optional)**: Allows you to deploy the pack to specific agent policies. By default, the pack is deployed to all {{agents}} that are registered to the policies you define. - * **Partial deployment (shards)**: Allows you to deploy the pack to a portion of the agents on each specified agent policy. After defining a policy, use the **Shard** slider to set the amount of agents to which the pack is deployed. For example, after specifying a policy, you can choose to deploy the pack to half of the policy’s agents by selecting 50% on the slider. - -5. If you’re creating a new pack, add queries to schedule: - - * Click **Add query** and then add a saved query or enter a new query. Each query must include a unique query ID and the interval at which it should run. Optionally, set the minimum Osquery version and platform, specify a timeout period, or [map ECS fields](../../../solutions/security/investigate/osquery.md#osquery-map-fields). When you add a saved query to a pack, this adds a copy of the query. 
A connection is not maintained between saved queries and packs. - - ::::{note} - Overwriting the query’s default timeout period allows you to support queries that require more time to complete. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. - :::: - - * Upload queries from a `.conf` query pack by dragging the pack to the drop zone under the query table. To explore the community packs that Osquery publishes, click **Example packs**. - -6. Click **Save pack**. The queries run when the policy receives the update. - - -## View status of scheduled packs [osquery-schedule-status] - -1. Open the **Packs** tab. -2. Click a pack name to view the status. - - Details include the last time each query ran, how many results were returned, and the number of agents the query ran against. If there are errors, expand the row to view the details, including an option to view more information in the Logs. - - :::{image} ../../../images/kibana-scheduled-pack.png - :alt: Shows queries in the pack and details about each query - :class: screenshot - ::: - -3. View scheduled query results in [**Discover**](../../../explore-analyze/discover.md) or the drag-and-drop [**Lens**](../../../explore-analyze/visualize/lens.md) editor. - - -## Save queries [osquery-manage-query] - -You can save queries in two ways: - -* After running a live query, click the **Save for later** link. -* From the **Saved queries** tab, click **Add saved query**. - -Once you save a query, you can only edit it from the **Saved queries** tab: - -1. Go to **Saved queries**, and then click **Add saved query** or the edit icon. -2. Provide the following fields: - - * The unique identifier (required). - * A brief description. - * The SQL query (required). Osquery supports multi-line queries. - * A timeout period (optional). Increase the query’s default timeout period to support queries that require more time to complete. 
The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. - * The [ECS fields](../../../solutions/security/investigate/osquery.md#osquery-map-fields) to populate when the query is run (optional). These fields are also copied in when you add this query to a pack. - * The defaults to set when you add the query to a pack. - - * The frequency to run the query. - * The minimum [version of Osquery](https://github.com/osquery/osquery/releases)) required to run the query. - * The operating system required to run the query. For information about supported platforms per table, refer to the [Osquery schema](https://osquery.io/schema). - -3. Click **Test configuration** to test the query and any mapped fields: - - * From the **Test query** panel, select agents or groups to test the query, then click **Submit** to run a live query. Result columns with the ![mapping](../../../images/kibana-mapped-icon.png "") icon are mapped. Hover over the icon to see the mapped ECS field. - -4. Click **Save** or **Update**. - - -## Prebuilt Elastic packs and queries [osquery-prebuilt-packs-queries] - -The prebuilt Osquery packs are included with the integration. Once you add a pack, you can activate and schedule it. - - -### Prebuilt packs [osquery-prebuilt-packs] - -The prebuilt Osquery packs are included with the integration and can be optionally loaded. Once added, you can then activate and schedule the packs. - -You can modify the scheduled agent policies for a prebuilt pack, but you cannot edit queries in the pack. To edit the queries, you must first create a copy of the pack. - -For information about the prebuilt packs that are available, refer to [*Prebuilt packs reference*](asciidocalypse://docs/kibana/docs/reference/osquery-manager-prebuilt-packs.md). - - -#### Load and activate prebuilt Elastic packs [load-prebuilt-packs] - -Follow these steps to load and turn on new or updated prebuilt packs: - -1. 
Go to **Packs**, and then click **Load Elastic prebuilt packs**. -2. For each pack that you want to activate and schedule: - - * Turn on the **Active** toggle to ensure the pack runs continuously. - - ::::{note} - You must manually run inactive packs. - :::: - - * Click the pack name, then **Edit**. - * Update the **Scheduled agent policies** to specify the policies where this pack should run. - -3. Click **Update pack**. - - -#### Copy prebuilt Elastic packs [copy-prebuilt-packs] - -To modify queries in prebuilt packs, you must first make a copy of the pack. - -1. Go to **Stack Management** → **Saved Objects**. -2. Search for the Osquery packs you want to modify by name. -3. Select the checkboxes of the packs to export. -4. Click **Export x objects**. -5. Click **Import**. -6. Select the import option **Create new objects with random IDs**, then click **Import** to import the pack. This creates a copy of the pack that you can edit. - - -### Prebuilt queries [osquery-prebuilt-queries] - -A set of saved queries are included with the integration and available to run as a live query. Note the following about the prebuilt queries: - -* The queries are not editable. -* Several of the queries include default ECS mappings to standardize the results. -* The prebuilt Elastic queries all follow the same naming convention and identify what type of information is being queried, what operating system it supports if it’s limited to one or more, and that these are Elastic queries. For example, `firewall_rules_windows_elastic`. - - -## Map result fields to ECS [osquery-map-fields] - -When you save queries or add queries to a pack, you can optionally map Osquery results or static values to fields in the [Elastic Common Schema](asciidocalypse://docs/ecs/docs/reference/ecs/index.md) (ECS). This standardizes your Osquery data for use across detections, machine learning, and any other areas that rely on ECS-compliant data. 
When the query is run, the results include the original `osquery.` and the mapped ECS fields. For example, if you update a query to map `osquery.name` to `user.name`, the query results include both fields. - -1. Edit saved queries or queries in a pack to map fields: - - * For **Saved queries**: Open the **Saved queries** tab, and then click the edit icon for the query that you want to map. - * For **packs**: Open the **Packs** tab, edit a pack, and then click the edit icon for the query that you want to map. - -2. In the **ECS mapping*** section, select an ***ECS field** to map. -3. In the **Value** column, use the dropdown on the left to choose what type of value to map to the ECS field: - - * **Osquery value**: Select an Osquery field. The fields available are based on the SQL query entered, and only include fields that the query returns. When the query runs, the ECS field is set dynamically to the value of the Osquery field selected. - * **Static value**: Enter a static value. When the query runs, the ECS field is set to the value entered. For example, static fields can be used to apply `tags` or your preferred `event.category` to the query results. - -4. Map more fields, as needed. To remove any mapped rows, click the delete icon. -5. Save your changes. - -::::{note} -* Some ECS fields are restricted and cannot be mapped. These are not available in the ECS dropdown. -* Some ECS fields are restricted to a set of allowed values, like [event.category](asciidocalypse://docs/ecs/docs/reference/ecs/ecs-event.md#field-event-category). Use the [ECS Field Reference](asciidocalypse://docs/ecs/docs/reference/ecs/ecs-field-reference.md) for help when mapping fields. -* Osquery date fields have a variety of data types (including integer, text, or bigint). 
When mapping an Osquery date field to an ECS date field, you might need to use SQL operators in the query to get an {{es}}-compatible [date](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/mapping-reference/date.md) type. - -:::: - - - -## Extended tables for Kubernetes queries [osquery-extended-tables] - -In addition to the Osquery schema, the Elastic-provided version of Osquery also includes the following tables to support Kubernetes containers. These can be queried with live or scheduled queries. - -* `host_users` -* `host_groups` -* `host_processes` - -When querying these tables, the expectation is that the `/etc/passwd`, `/etc/group`, and `/proc` are available in the container under `/hostfs` as: `/hostfs/etc/passwd`, `/hostfs/etc/group`, and `/hostfs/proc`. For information about the fields available in these tables, see the [exported fields](https://docs.elastic.co/en/integrations/osquery_manager#exported-fields) reference. - - -## Osquery status [osquery-status] - -A query can have the following status: - -| | | -| --- | --- | -| Successful | The query successfully completed. | -| Failed | The query encountered a problem, such as an issue with the query or the agent was disconnected, and might have failed. | -| Not yet responded | The query has not been sent to the agent. | -| Expired | The action request timed out. The agent may be offline. | - -::::{note} -If an agent is offline, the request status remains **pending** as {{kib}} retries the request. By default, a query request times out after one minute. An action timeout error is returned when the query does not complete within that interval. -:::: - - - -## Osquery results [osquery-results] - -When you run live or scheduled queries, the results are automatically stored in an {{es}} index, so that you can search, analyze, and visualize this data in {{kib}}. 
For a list of the Osquery fields that can be returned in query results, refer to [exported fields](https://docs.elastic.co/en/integrations/osquery_manager#exported-fields). Query results can also include ECS fields, if the query has a defined ECS mapping. - -Osquery responses include the following information: - -* Everything prefaced with `osquery.` is part of the query response. These fields are not mapped to ECS by default. -* Results include some ECS fields by default, such as `host.*` and `agent.*`, which provide information about the host that was queried. -* For live queries, the `action_data.query` is the query that was sent. -* For scheduled queries in a pack, the `action_id` has the format `pack__`. You can use this information to look up the query that was run. -* By default, all query results are [snapshot logs](https://osquery.readthedocs.io/en/stable/deployment/logging/#snapshot-logs) that represent a point in time with a set of results, with no [differentials](https://osquery.readthedocs.io/en/stable/deployment/logging/#differential-logs). -* Osquery data is stored in the `logs-osquery_manager.result-` datastream, and the result row data is under the `osquery` property in the document. diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 140bb47cef..199b6c8340 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -229,7 +229,6 @@ toc: - file: docs-content/serverless/security-ai-usecase-incident-reporting.md - file: docs-content/serverless/security-alert-suppression.md - file: docs-content/serverless/security-alerts-manage.md - - file: docs-content/serverless/security-alerts-run-osquery.md - file: docs-content/serverless/security-automated-response-actions.md - file: docs-content/serverless/security-automatic-import.md - file: docs-content/serverless/security-behavioral-detection-use-cases.md 
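Review bot: several surviving pages in this patch link into anchors that this deleted page defined by name (`#osquery-map-fields`, `#osquery-status`, `#osquery-results`, `#osquery-prebuilt-packs`, `#osquery-manage-query`), and the replacement `solutions/security/investigate/osquery.md` is not in the diff, so check that each anchor exists there before merging. Two details deserve a careful carry-over rather than a verbatim copy: the scheduled-query `action_id` format reads `pack__` here, which looks like a template whose placeholders were lost in an earlier migration, and the timeout bounds (default and minimum `60`, maximum `900`) are repeated three times, so the target page should state them once. The toc hunk on this same line removes only `security-alerts-run-osquery.md`, which does pair with the deletion at the top of this patch.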
@@ -266,15 +265,12 @@ toc: - file: docs-content/serverless/security-environment-variable-capture.md - file: docs-content/serverless/security-ers-requirements.md - file: docs-content/serverless/security-event-filters.md - - file: docs-content/serverless/security-examine-osquery-results.md - file: docs-content/serverless/security-get-started-with-kspm.md - file: docs-content/serverless/security-host-isolation-exceptions.md - file: docs-content/serverless/security-ingest-data.md - file: docs-content/serverless/security-install-edr.md - file: docs-content/serverless/security-install-endpoint-manually.md - file: docs-content/serverless/security-interactive-investigation-guides.md - - file: docs-content/serverless/security-invest-guide-run-osquery.md - - file: docs-content/serverless/security-investigate-events.md - file: docs-content/serverless/security-isolate-host.md - file: docs-content/serverless/security-kspm.md - file: docs-content/serverless/security-linux-file-monitoring.md @@ -282,15 +278,12 @@ toc: - file: docs-content/serverless/security-llm-performance-matrix.md - file: docs-content/serverless/security-machine-learning.md - file: docs-content/serverless/security-ml-requirements.md - - file: docs-content/serverless/security-osquery-placeholder-fields.md - - file: docs-content/serverless/security-osquery-response-action.md - file: docs-content/serverless/security-overview-dashboard.md - file: docs-content/serverless/security-policies-page.md - file: docs-content/serverless/security-posture-faq.md - file: docs-content/serverless/security-posture-management.md - file: docs-content/serverless/security-prebuilt-rules-management.md - file: docs-content/serverless/security-query-alert-indices.md - - file: docs-content/serverless/security-query-operating-systems.md - file: docs-content/serverless/security-reduce-notifications-alerts.md - file: docs-content/serverless/security-requirements-overview.md - file: docs-content/serverless/security-response-actions-config.md 
@@ -301,18 +294,14 @@ toc: - file: docs-content/serverless/security-rules-create.md - file: docs-content/serverless/security-rules-ui-management.md - file: docs-content/serverless/security-self-healing-rollback.md - - file: docs-content/serverless/security-session-view.md - file: docs-content/serverless/security-signals-to-cases.md - file: docs-content/serverless/security-third-party-actions.md - - file: docs-content/serverless/security-timeline-templates-ui.md - - file: docs-content/serverless/security-timelines-ui.md - file: docs-content/serverless/security-triage-alerts-with-elastic-ai-assistant.md - file: docs-content/serverless/security-trusted-applications.md - file: docs-content/serverless/security-tune-detection-signals.md - file: docs-content/serverless/security-turn-on-risk-engine.md - file: docs-content/serverless/security-ui.md - file: docs-content/serverless/security-view-alert-details.md - - file: docs-content/serverless/security-visual-event-analyzer.md - file: docs-content/serverless/security-visualize-alerts.md - file: docs-content/serverless/security-vuln-management-dashboard-dash.md - file: docs-content/serverless/security-vuln-management-faq.md @@ -405,7 +394,6 @@ toc: - file: kibana/kibana/kibana-role-management.md - file: kibana/kibana/logging-settings.md - file: kibana/kibana/management.md - - file: kibana/kibana/osquery.md - file: kibana/kibana/reporting-production-considerations.md - file: kibana/kibana/role-mappings.md - file: kibana/kibana/search-ai-assistant.md diff --git a/solutions/security/investigate.md b/solutions/security/investigate.md index 247bc1cf19..7b794638ed 100644 --- a/solutions/security/investigate.md +++ b/solutions/security/investigate.md 
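Review bot: these hunks remove ten more toc entries (`security-examine-osquery-results.md`, `security-invest-guide-run-osquery.md`, `security-investigate-events.md`, `security-osquery-placeholder-fields.md`, `security-osquery-response-action.md`, `security-query-operating-systems.md`, `security-session-view.md`, `security-timeline-templates-ui.md`, `security-timelines-ui.md`, `security-visual-event-analyzer.md`) whose file deletions are not in this excerpt; a toc entry pointing at a missing file, or a deleted file still listed, either breaks the docs build or leaves an orphan, so verify each removal pairs with a `deleted file mode` entry in the full change. The `kibana/kibana/osquery.md` removal does pair with the deletion above.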
@@ -4,13 +4,12 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-investigate-events.html --- -# Investigation tools +# Investigation tools [security-investigate-events] -% What needs to be done: Lift-and-shift +The following are tools for investigating security events and tracking security issues directly in the {{security-app}}. -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/investigations-tools.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-investigate-events.md - -The following sections describe tools for investigating security events and tracking security issues directly in the {{security-app}}. +* [**Cases**](investigate/cases.md): Track investigation details about security issues. +* [**Timelines**](investigate/timeline.md): Workspace for investigations and threat hunting. +* [**Osquery**](investigate/osquery.md): Run live and scheduled queries on operating systems. +* [**Intelligence**](../../troubleshoot/security/indicators-of-compromise.md): Indicators of compromise used for threat intelligence. +* [**Notes**](investigate/notes.md): Use notes to coordinate responses, conduct threat hunting, and share investigative findings. diff --git a/solutions/security/investigate/add-osquery-response-actions.md b/solutions/security/investigate/add-osquery-response-actions.md index cdd8afc57f..af2cd7fbf4 100644 --- a/solutions/security/investigate/add-osquery-response-actions.md +++ b/solutions/security/investigate/add-osquery-response-actions.md 
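Review bot: the **Intelligence** bullet links to `../../troubleshoot/security/indicators-of-compromise.md`, the only entry in the list outside `investigate/`; a troubleshooting page is an odd home for a core investigation tool, so confirm that path is where the Indicators page actually migrated rather than a placeholder. Also, the new list no longer mentions the visual event analyzer or Session View, and the toc hunk above drops the serverless pages for both; if they are now reached only from the Timelines page, a one-line mention here would keep them discoverable from this index.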
@@ -4,14 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-osquery-response-action.html --- -# Add Osquery Response Actions - -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/osquery-response-action.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-osquery-response-action.md +# Add Osquery Response Actions [security-osquery-response-action] ::::{warning} This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. 
@@ -21,8 +14,8 @@ This functionality is in technical preview and may be changed or removed in a fu Osquery Response Actions allow you to add live queries to custom query rules so you can automatically collect data on systems the rule is monitoring. Use this data to support your alert triage and investigation efforts. ::::{admonition} Requirements -* Osquery Response Actions require a [Platinum or Enterprise subscription](https://www.elastic.co/pricing). -* The [Osquery manager integration](/solutions/security/investigate/manage-integration.md) must be installed. +* Ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). +* The [Osquery manager integration](manage-integration.md) must be installed. * {{agent}}'s [status](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/monitor-elastic-agent.md) must be `Healthy`. Refer to [{{fleet}} Troubleshooting](/troubleshoot/ingest/fleet/common-problems.md) if it isn’t. * Your role must have [Osquery feature privileges](/solutions/security/investigate/osquery.md). * You can only add Osquery Response Actions to custom query rules. @@ -102,6 +95,6 @@ Refer to [Examine Osquery results](/solutions/security/investigate/examine-osque :::{image} ../../../images/security-osquery-results-tab.png -:alt: osquery results tab +:alt: Shows how to set up a single query :class: screenshot ::: diff --git a/solutions/security/investigate/examine-osquery-results.md b/solutions/security/investigate/examine-osquery-results.md index 534cd798d4..ddebf9cbeb 100644 --- a/solutions/security/investigate/examine-osquery-results.md +++ b/solutions/security/investigate/examine-osquery-results.md 
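Review bot: the alt text for `security-osquery-results-tab.png` now reads "Shows how to set up a single query", which describes a query editor rather than a results tab; it looks pasted from a different image and should describe what this screenshot shows. In the requirements hunk, replacing "Platinum or Enterprise subscription" with "the appropriate subscription or project tier" drops the one fact a reader needs to decide whether the feature is available to them; if the tier differs between stack and serverless, state both, otherwise keep the tier names. The same hunk also mixes a relative link (`manage-integration.md`) with absolute ones (`/solutions/security/investigate/osquery.md`) inside one admonition; pick one form.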
@@ -4,14 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-examine-osquery-results.html --- -# Examine Osquery results - -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/view-osquery-results.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-examine-osquery-results.md +# Examine Osquery results [security-examine-osquery-results] Osquery provides relevant, timely data that you can use to better understand and monitor your environment. When you run queries, results are indexed and displayed the Results table, which you can filter, sort, and interact with. 
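Review bot: the unchanged sentence at the end of this hunk, "results are indexed and displayed the Results table", is missing "in" before "the Results table"; worth fixing while the heading is being touched.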
@@ -26,17 +19,17 @@ The Results table displays results from single queries and query packs. Results for single queries appear on the **Results** tab. When you run a query, the number of agents queried and query status temporarily display in a status bar above the results table. Agent responses can be `Successful`, `Not yet responded` (pending), and `Failed`. :::{image} ../../../images/security-single-query-results.png -:alt: single query results +:alt: Shows query results :class: screenshot ::: ### Query pack results [review-pack-osquery-results] -Results for each query in the pack appear in the **Results** tab. Click the expand icon (![Click markdown icon](../../../images/security-pack-expand-button-osquery.png "")) at the far right of each query row to display query results. The number of agents that were queried and their responses are shown for each query. Agent responses are color-coded. Green is `Successful`, `Not yet responded` (pending) is gray, and `Failed` is red. +Results for each query in the pack appear in the **Results** tab. Click the expand icon (![Click markdown icon](../../../images/security-pack-expand-button-osquery.png "title =20x20")) at the far right of each query row to display query results. The number of agents that were queried and their responses are shown for each query. Agent responses are color-coded. Green is `Successful`, `Not yet responded` (pending) is gray, and `Failed` is red. :::{image} ../../../images/security-pack-query-results.png -:alt: pack query results +:alt: Shows query results :class: screenshot ::: 
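Review bot: this hunk gives the pack-results screenshot the same alt text ("Shows query results") that the previous hunk gives the single-query screenshot, so assistive technology can no longer tell the two apart; keep the original distinct wording or say "pack query results". The `"title =20x20"` added to the inline icon sits in the image's title attribute, not in a size field; unless the docs builder recognises that string as a sizing hint, it renders as a literal tooltip, so confirm the builder supports it (the same applies to the other icons changed in this file).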
@@ -45,13 +38,13 @@ Results for each query in the pack appear in the **Results** tab. Click the expa From the results table, you can: -* Click **View in Discover** (![Click the View in Discover button](../../../images/security-discover-button-osquery.png "")) to explore the results in Discover. -* Click **View in Lens** (![Click the View in Lens button](../../../images/security-lens-button-osquery.png "")) to navigate to Lens, where you can use the drag-and-drop **Lens** editor to create visualizations. -* Click **Timeline** (![Click Timeline button](../../../images/security-timeline-button-osquery.png "")) to investigate a single query result in Timeline or **Add to timeline investigation** to investigate all results. This option is only available for single query results. +* Click **View in Discover** (![View in Discover button](../../../images/security-discover-button-osquery.png "title =20x20")) to explore the results in Discover. +* Click **View in Lens** (![View in Lens button](../../../images/security-lens-button-osquery.png "title =20x20")) to navigate to Lens, where you can use the drag-and-drop **Lens** editor to create visualizations. +* Click **Timeline** (![Timeline button](../../../images/security-timeline-button-osquery.png "title =20x20")) to investigate a single query result in Timeline or **Add to timeline investigation** to investigate all results. This option is only available for single query results. When you open all results in Timeline, the events in Timeline are filtered based on the `action_ID` generated by the Osquery query. -* Click **Add to Case** (![Click Add to Case button](../../../images/security-case-button-osquery.png "")) to add the query results to a new or existing case. If you ran a live query from an alert, the alert and query results are added to the case as comments. 
+* Click **Add to Case** (![Add to Case button](../../../images/security-case-button-osquery.png "title =20x20")) to add the query results to a new or existing case. If you ran a live query from an alert, the alert and query results are added to the case as comments. ::::{note} If you add the results to a *new* case, you are prompted to specify the solution that you want the create the case within. Ensure you select the correct solution. From {{elastic-sec}}, you cannot access cases created in {{observability}} or Stack Management. @@ -60,6 +53,6 @@ From the results table, you can: :::: -* Click the view details icon (![View details icon](../../../images/security-view-osquery-details.png "")) to examine the query ID and statement. +* Click the view details icon (![View details icon](../../../images/security-view-osquery-details.png "title =20x20")) to examine the query ID and statement. * View more information about the request, such as failures, by opening the **Status** tab. diff --git a/solutions/security/investigate/manage-integration.md b/solutions/security/investigate/manage-integration.md index 01713853e1..80b7783cca 100644 --- a/solutions/security/investigate/manage-integration.md +++ b/solutions/security/investigate/manage-integration.md @@ -1,6 +1,12 @@ --- mapped_pages: - https://www.elastic.co/guide/en/kibana/current/manage-osquery-integration.html + +navigation_title: "Osquery manager integration" + +applies_to: + stack: preview all + serverless: preview all --- # Manage the integration [manage-osquery-integration] 
@@ -8,12 +14,12 @@ mapped_pages: ## System requirements [_system_requirements] -* [Fleet](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/index.md) is enabled on your cluster, and one or more [Elastic Agents](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/install-elastic-agents.md) is enrolled. -* The [**Osquery Manager**](https://docs.elastic.co/en/integrations/osquery_manager) integration has been added and configured for an agent policy through Fleet. This integration supports x64 architecture on Windows, MacOS, and Linux platforms, and ARM64 architecture on Linux. +* [{{fleet}}](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/index.md) is enabled on your cluster, and one or more [{{agents}}](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/install-elastic-agents.md) is enrolled. +* The [Osquery Manager](https://docs.elastic.co/en/integrations/osquery_manager) integration has been added and configured for an agent policy through {{fleet}}. This integration supports x64 architecture on Windows, MacOS, and Linux platforms, and ARM64 architecture on Linux. ::::{note} * The original [Filebeat Osquery module](asciidocalypse://docs/beats/docs/reference/ingestion-tools/beats-filebeat/filebeat-module-osquery.md) and the [Osquery](https://docs.elastic.co/en/integrations/osquery) integration collect logs from self-managed Osquery deployments. The **Osquery Manager** integration manages Osquery deployments and supports running and scheduling queries from {{kib}}. -* **Osquery Manager** cannot be integrated with an Elastic Agent in standalone mode. +* **Osquery Manager** cannot be integrated with an {{agent}} in standalone mode. :::: 
@@ -21,12 +27,12 @@ mapped_pages: ## Customize Osquery sub-feature privileges [_customize_osquery_sub_feature_privileges] -Depending on your [subscription level](https://www.elastic.co/subscriptions), you can further customize the sub-feature privileges for **Osquery Manager**. These include options to grant specific access for running live queries, running saved queries, saving queries, and scheduling packs. For example, you can create roles for users who can only run live or saved queries, but who cannot save or schedule queries. This is useful for teams who need in-depth and detailed control. +Depending on your [subscription level](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md), you can further customize the sub-feature privileges for **Osquery Manager**. These include options to grant specific access for running live queries, running saved queries, saving queries, and scheduling packs. For example, you can create roles for users who can only run live or saved queries, but who cannot save or schedule queries. This is useful for teams who need in-depth and detailed control. ## Customize Osquery configuration [osquery-custom-config] -[preview] By default, all Osquery Manager integrations share the same osquery configuration. However, you can customize how Osquery is configured by editing the Osquery Manager integration for each agent policy you want to adjust. The custom configuration is then applied to all agents in the policy. This powerful feature allows you to configure [File Integrity Monitoring](https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring), [Process auditing](https://osquery.readthedocs.io/en/stable/deployment/process-auditing), and [others](https://osquery.readthedocs.io/en/stable/deployment/configuration/#configuration-specification). +By default, all Osquery Manager integrations share the same Osquery configuration. 
However, you can customize how Osquery is configured by editing the Osquery Manager integration for each agent policy you want to adjust. The custom configuration is then applied to all agents in the policy. This powerful feature allows you to configure [File Integrity Monitoring](https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring), [Process auditing](https://osquery.readthedocs.io/en/stable/deployment/process-auditing), and [others](https://osquery.readthedocs.io/en/stable/deployment/configuration/#configuration-specification). ::::{important} * Take caution when editing this configuration. The changes you make are distributed to all agents in the policy. @@ -87,7 +93,7 @@ For each agent policy where you want to allow `curl` table queries, edit the Osq ## Upgrade Osquery versions [_upgrade_osquery_versions] -The [Osquery version](https://github.com/osquery/osquery/releases) available on an Elastic Agent is associated to the version of Osquery Beat on the Agent. To get the latest version of Osquery Beat, [upgrade your Elastic Agent](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/upgrade-elastic-agent.md). +The [Osquery version](https://github.com/osquery/osquery/releases) available on an {{agent}} is associated to the version of Osquery Beat on the Agent. To get the latest version of Osquery Beat, [upgrade your {{agent}}](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/upgrade-elastic-agent.md). ## Debug issues [_debug_issues] 
@@ -101,8 +107,8 @@ If you encounter issues with **Osquery Manager**, find the relevant logs for {{e To get more details in the logs, change the agent logging level to debug: -1. Go to **Fleet** using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +1. Go to **{{fleet}}** using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 2. Select the agent that you want to debug. -3. On the **Logs*** tab, change the ***Agent logging level*** to ***debug***, and then click ***Apply changes**. +3. On the **Logs** tab, change the **Agent logging level** to **debug**, and then click **Apply changes**. `agent.logging.level` is updated in `fleet.yml`, and the logging level is changed to `debug`. diff --git a/solutions/security/investigate/osquery.md b/solutions/security/investigate/osquery.md index 69c02a0878..af7ce78724 100644 --- a/solutions/security/investigate/osquery.md +++ b/solutions/security/investigate/osquery.md 
@@ -5,41 +5,298 @@ mapped_urls: - https://www.elastic.co/guide/en/kibana/current/osquery.html --- -# Osquery +# Osquery [osquery] -% What needs to be done: Refine +[Osquery](https://osquery.io) is an open source tool that lets you query operating systems like a database, providing you with visibility into your infrastructure and operating systems. Using basic SQL commands, you can ask questions about devices, such as servers, Docker containers, and computers running Linux, macOS, or Windows. The [extensive schema](https://osquery.io/schema) helps with a variety of use cases, including vulnerability detection, compliance monitoring, incident investigations, and more. -% Scope notes: Align serverless/stateful + combine with Kibana Osquery intro page +With Osquery, you can: -% Use migrated content from existing pages that map to this page: +* Run live queries for one or more agents +* Schedule query packs to capture changes to OS state over time +* View a history of past queries and their results +* Save queries and build a library of queries for specific use cases -% - [x] ./raw-migrated-files/security-docs/security/use-osquery.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-query-operating-systems.md -% - [ ] ./raw-migrated-files/kibana/kibana/osquery.md +To use Osquery, you must add the [Osquery manager integration](manage-integration.md) to an {{agent}} policy. After completing that step, you can use the Osquery features that are available in your solution. -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): +% The following Osquery features are available from {{elastic-sec}}: -$$$osquery-map-fields$$$ +% * **[Osquery Response Actions](/solutions/security/investigate/add-osquery-response-actions.md)** - Use Osquery Response Actions to add live queries to custom query rules. 
+% * **[Live queries from investigation guides](/solutions/security/investigate/run-osquery-from-investigation-guides.md)** - Incorporate live queries into investigation guides to enhance your research capabilities while investigating possible security issues. +% * **[Live queries from alerts](/solutions/security/investigate/run-osquery-from-alerts.md)** - Run live queries against an alert’s host to learn more about your infrastructure and operating systems. -$$$osquery-prebuilt-packs$$$ +## Required privileges [required_osquery-privileges] -$$$osquery-manage-query$$$ +To use **Osquery Manager**, you must be assigned to a role with the following privileges: -$$$osquery-results$$$ +* `Read` privileges for the `logs-osquery_manager.result*` index. +* {{kib}} privileges for **Osquery Manager**. The `All` privilege enables you to run, schedule, and save queries. `Read` enables you to view live and scheduled query results, but you cannot run live queries or edit. -$$$osquery-status$$$ -$$$osquery-prebuilt-packs-queries$$$ +## Run live queries [osquery-run-query] -Osquery is an open source tool that lets you use SQL to query operating systems like a database. When you add the [Osquery manager integration](/solutions/security/investigate/manage-integration.md) to an {{agent}} policy, Osquery is deployed to all agents assigned to that policy. After completing this setup, you can [run live queries and schedule recurring queries](/solutions/security/investigate/osquery.md) for agents and begin gathering data from your entire environment. +To inspect hosts, run a query against one or more agents or policies, then view the results. -Osquery is supported for Linux, macOS, and Windows. You can use it with {{elastic-sec}} to perform real-time incident response, threat hunting, and monitoring to detect vulnerability or compliance issues. The following Osquery features are available from {{elastic-sec}}: +1. 
Go to **Osquery** using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. In the **Live queries** view, click **New live query**. +3. Choose to run a single query or a query pack. +4. Select one or more agents or groups to query. Start typing in the search field, and you’ll get suggestions for agents by name, ID, platform, and policy. +5. Specify the query or pack to run: -* **[Osquery Response Actions](/solutions/security/investigate/add-osquery-response-actions.md)** - Use Osquery Response Actions to add live queries to custom query rules. -* **[Live queries from investigation guides](/solutions/security/investigate/run-osquery-from-investigation-guides.md)** - Incorporate live queries into investigation guides to enhance your research capabilities while investigating possible security issues. -* **[Live queries from alerts](/solutions/security/investigate/run-osquery-from-alerts.md)** - Run live queries against an alert’s host to learn more about your infrastructure and operating systems. + * **Query**: Select a saved query or enter a new one in the text box. After you enter the query, you can expand the **Advanced** section to set a timeout period for the query, and view or set [mapped ECS fields](#osquery-map-fields) included in the results from the live query (optional). + ::::{note} + Overwriting the query’s default timeout period allows you to support queries that require more time to complete. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. + :::: + * **Pack**: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. + + ::::{tip} + Refer to [prebuilt packs](#osquery-prebuilt-packs) to learn about using and managing Elastic prebuilt packs. 
+ :::: + + + :::{image} ../../../images/kibana-enter-query.png + :alt: Select saved query dropdown name showing query name and description + :class: screenshot + ::: + +6. Click **Submit**. + + ::::{tip} + To save a single query for future use, click **Save for later** and define the ID, description, and other [details](../../../solutions/security/investigate/osquery.md#osquery-manage-query). + :::: + +7. Review the results and do any of the following: + + * Click **View in Discover** (![View in Discover icon](../../../images/kibana-discover-button-osquery.png "title =20x20")) to explore the results in **Discover**. + * Click **View in Lens** (![View in Lens icon](../../../images/kibana-lens-button-osquery.png "title =20x20")) to navigate to **Lens**, where you can use the drag-and-drop **Lens** editor to create visualizations. + * Click **Add to Case** (![Add to Case icon](../../../images/kibana-case-button-osquery.png "title =20x20")) to add the query results to a new or existing case. + * Click the view details icon (![View details icon](../../../images/kibana-view-osquery-details.png "title =20x20")) to examine the query ID and statement. + +8. To view more information about the request, such as failures, open the **Status** tab. + + +## View or rerun previous live queries [osquery-view-history] + +The **Live queries history** section on the **Live queries** tab shows a log of queries run over the last 30 days. From the Live queries table, you can: + +* Click the run icon (![Right-pointing triangle](../../../images/kibana-play-icon.png "")) to rerun a single query or a query pack. +* Click the table icon (![Table icon](../../../images/kibana-table-icon.png "")) to examine the [results](#osquery-results) for a single query or a query pack. From the results table, you can also find the query [status](#osquery-status). 
+ + :::{image} ../../../images/kibana-live-query-check-results.png + :alt: Results of OSquery + :class: screenshot + ::: + + + +## Schedule queries with packs [osquery-schedule-query] + +A pack is a set of grouped queries that perform similar functions or address common use cases. [Prebuilt Elastic packs](#osquery-prebuilt-packs) are available to download and can help you get started using the Osquery integration. + +You can also create a custom pack with one or more queries. For example, when creating custom packs, you might create one pack that checks for IT compliance-type issues, and another pack that monitors for evidence of malware. + +You can run packs as live queries or schedule packs to run for one or more agent policies. When scheduled, queries in the pack are run at the set intervals for all agents in those policies. + +1. Click the **Packs** tab. +2. Click **Add pack** to create a new pack, or click the name of an existing pack, then **Edit** to add queries to an existing pack. +3. Provide a name for the pack. The short description is optional. +4. Schedule the pack to be deployed on specified agent policies (**Policy**) or on all agent policies (**Global**). + + ::::{tip} + Pack deployment details are stored within the [Osquery configuration](/solutions/security/investigate/manage-integration.md#osquery-custom-config). The `shard` field value is the percentage of agents in the policy using the pack. + :::: + + + If you choose the **Policy** option, configure these fields: + + ::::{note} + When defining pack deployment details, you cannot configure the same policy multiple times. In other words, after specifying a policy, you can either choose to deploy the pack to all of the policy’s agents or only a subset. You cannot choose both. + :::: + + + * **Scheduled {{agent}} policies (optional)**: Allows you to deploy the pack to specific agent policies. By default, the pack is deployed to all {{agents}} that are registered to the policies you define. 
+ * **Partial deployment (shards)**: Allows you to deploy the pack to a portion of the agents on each specified agent policy. After defining a policy, use the **Shard** slider to set the amount of agents to which the pack is deployed. For example, after specifying a policy, you can choose to deploy the pack to half of the policy’s agents by selecting 50% on the slider. + +5. If you’re creating a new pack, add queries to schedule: + + * Click **Add query** and then add a saved query or enter a new query. Each query must include a unique query ID and the interval at which it should run. Optionally, set the minimum Osquery version and platform, specify a timeout period, or [map ECS fields](#osquery-map-fields). When you add a saved query to a pack, this adds a copy of the query. A connection is not maintained between saved queries and packs. + + ::::{note} + Overwriting the query’s default timeout period allows you to support queries that require more time to complete. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. + :::: + + * Upload queries from a `.conf` query pack by dragging the pack to the drop zone under the query table. To explore the community packs that Osquery publishes, click **Example packs**. + +6. Click **Save pack**. The queries run when the policy receives the update. + + +## View status of scheduled packs [osquery-schedule-status] + +1. Open the **Packs** tab. +2. Click a pack name to view the status. + + Details include the last time each query ran, how many results were returned, and the number of agents the query ran against. If there are errors, expand the row to view the details, including an option to view more information in the Logs. + + :::{image} ../../../images/kibana-scheduled-pack.png + :alt: Shows queries in the pack and details about each query + :class: screenshot + ::: + +3. 
View scheduled query results in [**Discover**](../../../explore-analyze/discover.md) or the drag-and-drop [**Lens**](../../../explore-analyze/visualize/lens.md) editor. + + +## Save queries [osquery-manage-query] + +You can save queries in two ways: + +* After running a live query, click the **Save for later** link. +* From the **Saved queries** tab, click **Add saved query**. + +Once you save a query, you can only edit it from the **Saved queries** tab: + +1. Go to **Saved queries**, and then click **Add saved query** or the edit icon. +2. Provide the following fields: + + * The unique identifier (required). + * A brief description. + * The SQL query (required). Osquery supports multi-line queries. + * A timeout period (optional). Increase the query’s default timeout period to support queries that require more time to complete. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. + * The [ECS fields](#osquery-map-fields) to populate when the query is run (optional). These fields are also copied in when you add this query to a pack. + * The defaults to set when you add the query to a pack. + + * The frequency to run the query. + * The minimum [version of Osquery](https://github.com/osquery/osquery/releases)) required to run the query. + * The operating system required to run the query. For information about supported platforms per table, refer to the [Osquery schema](https://osquery.io/schema). + +3. Click **Test configuration** to test the query and any mapped fields: + + * From the **Test query** panel, select agents or groups to test the query, then click **Submit** to run a live query. Result columns with the ![mapping](../../../images/kibana-mapped-icon.png "") icon are mapped. Hover over the icon to see the mapped ECS field. + +4. Click **Save** or **Update**. + + +## Prebuilt Elastic packs and queries [osquery-prebuilt-packs-queries] + +The prebuilt Osquery packs are included with the integration. 
Once you add a pack, you can activate and schedule it. + + +### Prebuilt packs [osquery-prebuilt-packs] + +The prebuilt Osquery packs are included with the integration and can be optionally loaded. Once added, you can then activate and schedule the packs. + +You can modify the scheduled agent policies for a prebuilt pack, but you cannot edit queries in the pack. To edit the queries, you must first create a copy of the pack. + +For information about the prebuilt packs that are available, refer to [*Prebuilt packs reference*](https://www.elastic.co/guide/en/kibana/current/prebuilt-packs.html). + + +#### Load and activate prebuilt Elastic packs [load-prebuilt-packs] + +Follow these steps to load and turn on new or updated prebuilt packs: + +1. Go to **Packs**, and then click **Load Elastic prebuilt packs**. +2. For each pack that you want to activate and schedule: + + * Turn on the **Active** toggle to ensure the pack runs continuously. + + ::::{note} + You must manually run inactive packs. + :::: + + * Click the pack name, then **Edit**. + * Update the **Scheduled agent policies** to specify the policies where this pack should run. + +3. Click **Update pack**. + + +#### Copy prebuilt Elastic packs [copy-prebuilt-packs] + +To modify queries in prebuilt packs, you must first make a copy of the pack. + +1. Go to **Stack Management** → **Saved Objects**. +2. Search for the Osquery packs you want to modify by name. +3. Select the checkboxes of the packs to export. +4. Click **Export x objects**. +5. Click **Import**. +6. Select the import option **Create new objects with random IDs**, then click **Import** to import the pack. This creates a copy of the pack that you can edit. + + +### Prebuilt queries [osquery-prebuilt-queries] + +A set of saved queries are included with the integration and available to run as a live query. Note the following about the prebuilt queries: + +* The queries are not editable. 
+* Several of the queries include default ECS mappings to standardize the results. +* The prebuilt Elastic queries all follow the same naming convention and identify what type of information is being queried, what operating system it supports if it’s limited to one or more, and that these are Elastic queries. For example, `firewall_rules_windows_elastic`. + + +## Map result fields to ECS [osquery-map-fields] + +When you save queries or add queries to a pack, you can optionally map Osquery results or static values to fields in the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS). This standardizes your Osquery data for use across detections, machine learning, and any other areas that rely on ECS-compliant data. When the query is run, the results include the original `osquery.` and the mapped ECS fields. For example, if you update a query to map `osquery.name` to `user.name`, the query results include both fields. + +1. Edit saved queries or queries in a pack to map fields: + + * For saved queries: Open the **Saved queries** tab, and then click the edit icon for the query that you want to map. + * For packs: Open the **Packs** tab, edit a pack, and then click the edit icon for the query that you want to map. + +2. In the **ECS mapping** section, select an ***ECS field** to map. +3. In the **Value** column, use the dropdown on the left to choose what type of value to map to the ECS field: + + * **Osquery value**: Select an Osquery field. The fields available are based on the SQL query entered, and only include fields that the query returns. When the query runs, the ECS field is set dynamically to the value of the Osquery field selected. + * **Static value**: Enter a static value. When the query runs, the ECS field is set to the value entered. For example, static fields can be used to apply `tags` or your preferred `event.category` to the query results. + +4. Map more fields, as needed. 
To remove any mapped rows, click the delete icon. +5. Save your changes. + +::::{note} +* Some ECS fields are restricted and cannot be mapped. These are not available in the ECS dropdown. +* Some ECS fields are restricted to a set of allowed values, like [event.category](https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-category). Use the [ECS Field Reference](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for help when mapping fields. +* Osquery date fields have a variety of data types (including integer, text, or bigint). When mapping an Osquery date field to an ECS date field, you might need to use SQL operators in the query to get an {{es}}-compatible [date](https://www.elastic.co/guide/en/elasticsearch/reference/current/date.html) type. + +:::: + + + +## Extended tables for Kubernetes queries [osquery-extended-tables] + +In addition to the Osquery schema, the Elastic-provided version of Osquery also includes the following tables to support Kubernetes containers. These can be queried with live or scheduled queries. + +* `host_users` +* `host_groups` +* `host_processes` + +When querying these tables, the expectation is that the `/etc/passwd`, `/etc/group`, and `/proc` are available in the container under `/hostfs` as: `/hostfs/etc/passwd`, `/hostfs/etc/group`, and `/hostfs/proc`. For information about the fields available in these tables, see the [exported fields](https://docs.elastic.co/en/integrations/osquery_manager#exported-fields) reference. + + +## Osquery status [osquery-status] + +A query can have the following status: + +| | | +| --- | --- | +| Successful | The query successfully completed. | +| Failed | The query encountered a problem, such as an issue with the query or the agent was disconnected, and might have failed. | +| Not yet responded | The query has not been sent to the agent. | +| Expired | The action request timed out. The agent may be offline. 
| + +::::{note} +If an agent is offline, the request status remains **pending** as {{kib}} retries the request. By default, a query request times out after one minute. An action timeout error is returned when the query does not complete within that interval. +:::: + + + +## Osquery results [osquery-results] + +When you run live or scheduled queries, the results are automatically stored in an {{es}} index, so that you can search, analyze, and visualize this data in {{kib}}. For a list of the Osquery fields that can be returned in query results, refer to [exported fields](https://docs.elastic.co/en/integrations/osquery_manager#exported-fields). Query results can also include ECS fields, if the query has a defined ECS mapping. + +Osquery responses include the following information: + +* Everything prefaced with `osquery.` is part of the query response. These fields are not mapped to ECS by default. +* Results include some ECS fields by default, such as `host.*` and `agent.*`, which provide information about the host that was queried. +* For live queries, the `action_data.query` is the query that was sent. +* For scheduled queries in a pack, the `action_id` has the format `pack__`. You can use this information to look up the query that was run. +* By default, all query results are [snapshot logs](https://osquery.readthedocs.io/en/stable/deployment/logging/#snapshot-logs) that represent a point in time with a set of results, with no [differentials](https://osquery.readthedocs.io/en/stable/deployment/logging/#differential-logs). +* Osquery data is stored in the `logs-osquery_manager.result-` datastream, and the result row data is under the `osquery` property in the document. diff --git a/solutions/security/investigate/run-osquery-from-alerts.md b/solutions/security/investigate/run-osquery-from-alerts.md index 0375c00c83..027366b1aa 100644 --- a/solutions/security/investigate/run-osquery-from-alerts.md +++ b/solutions/security/investigate/run-osquery-from-alerts.md 
@@ -4,21 +4,14 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-alerts-run-osquery.html --- -# Run Osquery from alerts - -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/alerts-run-osquery.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-alerts-run-osquery.md +# Run Osquery from alerts [security-alerts-run-osquery] Run live queries on hosts associated with alerts to learn more about your infrastructure and operating systems. For example, with Osquery, you can search your system for indicators of compromise that might have contributed to the alert. You can then use this data to inform your investigation and alert triage efforts. ::::{admonition} Requirements * The [Osquery manager integration](/solutions/security/investigate/manage-integration.md) must be installed. * {{agent}}'s [status](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/monitor-elastic-agent.md) must be `Healthy`. Refer to [{{fleet}} Troubleshooting](/troubleshoot/ingest/fleet/common-problems.md) if it isn’t. -* Your role must have [Osquery feature privileges](/solutions/security/investigate/osquery.md). +* Your role must have the appropriate [feature privileges](/solutions/security/investigate/osquery.md#required_osquery-privileges) in {{stack}} or [user role](/deploy-manage/users-roles/cloud-organization/user-roles.md) in {{serverless-short}}. :::: @@ -58,7 +51,7 @@ To run Osquery from an alert: :::{image} ../../../images/security-setup-query.png - :alt: setup query + :alt: Shows how to set up a single query :class: screenshot ::: diff --git a/solutions/security/investigate/run-osquery-from-investigation-guides.md b/solutions/security/investigate/run-osquery-from-investigation-guides.md index 24c449c894..d46ba5542f 100644 --- a/solutions/security/investigate/run-osquery-from-investigation-guides.md 
+++ b/solutions/security/investigate/run-osquery-from-investigation-guides.md @@ -4,7 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-invest-guide-run-osquery.html --- -# Run Osquery from investigation guides +# Run Osquery from investigation guides [security-invest-guide-run-osquery] % What needs to be done: Align serverless/stateful @@ -18,7 +18,8 @@ Detection rule investigation guides suggest steps for triaging, analyzing, and r ::::{admonition} Requirements * The [Osquery manager integration](/solutions/security/investigate/manage-integration.md) must be installed. * {{agent}}'s [status](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/monitor-elastic-agent.md) must be `Healthy`. Refer to [{{fleet}} Troubleshooting](/troubleshoot/ingest/fleet/common-problems.md) if it isn’t. -* Your role must have [Osquery feature privileges](/solutions/security/investigate/osquery.md). +* In {{stack}}, your role must have [Osquery feature privileges](/solutions/security/investigate/osquery.md). +* In {{serverless-short}}, you must have the appropriate user role to use this feature. :::: 
@@ -39,7 +40,7 @@ You can only add Osquery to investigation guides for custom rules because prebui 1. Go to the **Rules** page. To access it, find **Detection rules (SIEM)** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 2. Select a rule to open the its details, then click **Edit rule settings**. 3. Select the **About** tab, then expand the rule’s advanced settings. -4. Scroll down to the Investigation guide section. In the toolbar, click the **Osquery** button (![Click the Osquery button](../../../images/security-osquery-button.png "")). +4. Scroll down to the Investigation guide section. In the toolbar, click the **Osquery** button (![Click the Osquery button](../../../images/security-osquery-button.png "title =20x20")). 1. Add a descriptive label for the query; for example, `Search for executables`. 2. Select a saved query or enter a new one. @@ -56,7 +57,7 @@ You can only add Osquery to investigation guides for custom rules because prebui :::{image} ../../../images/security-setup-osquery-investigation-guide.png - :alt: setup osquery investigation guide + :alt: Shows results from running a query from an investigation guide :class: screenshot ::: @@ -87,6 +88,6 @@ You can only add Osquery to investigation guides for custom rules because prebui 7. Click **Save for later** to save the query for future use (optional). :::{image} ../../../images/security-run-query-investigation-guide.png - :alt: run query investigation guide + :alt: Shows results from running a query from an investigation guide :class: screenshot ::: diff --git a/solutions/security/investigate/session-view.md b/solutions/security/investigate/session-view.md index 83b1e7df3a..055bcf1d66 100644 --- a/solutions/security/investigate/session-view.md +++ b/solutions/security/investigate/session-view.md 
@@ -4,23 +4,12 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-session-view.html --- -# Session view - -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/session-view.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-session-view.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$enable-session-view$$$ +# Session View [security-session-view] Session View is an investigation tool that allows you to examine Linux process data organized in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution. It displays events in a highly readable format that is inspired by the terminal. This makes it a powerful tool for monitoring and investigating session activity on your Linux infrastructure and understanding user and service behavior. ::::{admonition} Requirements -* Session View requires an [Enterprise subscription](https://www.elastic.co/pricing). +Ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). :::: 
@@ -56,7 +45,7 @@ Session View can only display data that was collected by {{elastic-defend}} when ## Open Session View [open-session-view] -Session View is accessible from the **Hosts**, **Alerts***, and ***Timelines** pages, as well as the alert details flyout and the **Kubernetes** dashboard. Events and sessions that you can investigate in Session View have a rectangular **Open Session View** button in the **Actions** column. For example: +Session View is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout and the **Kubernetes** dashboard. Events and sessions that you can investigate in Session View have a rectangular **Open Session View** button in the **Actions** column. For example: * On the Alerts page, scroll down to view the Alerts table. Look for alerts that have the **Open Session View** button in the **Actions** column: diff --git a/solutions/security/investigate/timeline-templates.md b/solutions/security/investigate/timeline-templates.md index 9e0d52d504..f8bac18465 100644 --- a/solutions/security/investigate/timeline-templates.md +++ b/solutions/security/investigate/timeline-templates.md 
@@ -4,24 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-timeline-templates-ui.html --- -# Timeline templates - -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/timeline-templates-ui.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-timeline-templates-ui.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$create-timeline-template$$$ - -$$$import-export-timeline-templates$$$ - -$$$man-templates-ui$$$ - -$$$template-legend-ui$$$ +# Timeline templates [security-timeline-templates-ui] You can attach Timeline templates to detection rules. When attached, the rule’s alerts use the template when they are investigated in Timeline. This enables immediately viewing the alert’s most interesting fields when you start an investigation. @@ -33,7 +16,7 @@ Templates can include two types of filters: For example, if you define the `host.name: "{host.name}"` template filter, when alerts generated by the rule are investigated in Timeline, the alert’s `host.name` value is used in the filter. If the alert’s `host.name` value is `Linux_stafordshire-061`, the Timeline filter is: `host.name: "Linux_stafordshire-061"`. ::::{note} -For information on how to add Timeline templates to rules, refer to [*Create a detection rule*](/solutions/security/detect-and-alert/create-detection-rule.md). +For information on how to add Timeline templates to rules, refer to [Create a detection rule](/solutions/security/detect-and-alert/create-detection-rule.md). :::: 
@@ -64,13 +47,13 @@ Regular Timeline filter : Clicking **Convert to template field** changes the filter to a template filter: :::{image} ../../../images/security-template-filter-value.png - :alt: template filter value + :alt: Timeline template filter value :class: screenshot ::: Template filter -: :::{image} ../../../images/security-timeline-template-filter.png +:::{image} ../../../images/security-timeline-template-filter.png :alt: timeline template filter :class: screenshot ::: @@ -79,7 +62,7 @@ Template filter When you [convert a template to a Timeline](/solutions/security/investigate/timeline-templates.md#man-templates-ui), template filters with placeholders are disabled: :::{image} ../../../images/security-invalid-filter.png -:alt: invalid filter +:alt: Invalid events filter :class: screenshot ::: @@ -91,7 +74,7 @@ To enable the filter, either specify a value or change it to a field’s existin 1. Choose one of the following: * Find **Timelines** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Next, select the **Templates** tab, then click **Create new Timeline template**. - * Go to the Timeline bar (which is at the bottom of most pages), click the ![Click the add new button](../../../images/security-add-new-timeline-button.png "") button, then click **Create new Timeline template**. + * Go to the Timeline bar (which is at the bottom of most pages), click the ![Click the add new button](../../../images/security-add-new-timeline-button.png "title =20x20") button, then click **Create new Timeline template**. * From an open Timeline or Timeline template, click **New** → **New Timeline template**. 2. To add filters, click **Add field**, and then select the required option: 
@@ -132,7 +115,7 @@ You can view, duplicate, export, delete, and create templates from existing Time 1. Find **Timelines** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then select the **Templates** tab. :::{image} ../../../images/security-all-actions-timeline-ui.png - :alt: all actions timeline ui + :alt: All actions Timeline UI :class: screenshot ::: diff --git a/solutions/security/investigate/timeline.md b/solutions/security/investigate/timeline.md index 99e6fe3ef6..fa342f839e 100644 --- a/solutions/security/investigate/timeline.md +++ b/solutions/security/investigate/timeline.md @@ -4,26 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-timelines-ui.html --- -# Timeline - -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/timelines-ui.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-timelines-ui.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$esql-in-timeline$$$ - -$$$add-remove-timeline-fields$$$ - -$$$import-export-timelines$$$ - -$$$narrow-expand$$$ - -$$$pivot$$$ +# Timeline [security-timelines-ui] Use Timeline as your workspace for investigations and threat hunting. You can add alerts from multiple indices to a Timeline to facilitate advanced investigations. 
@@ -42,19 +23,19 @@ In addition to Timelines, you can create and attach Timeline templates to [detec To make a new Timeline, choose one of the following: * Find **Timelines** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Create new Timeline**. -* Go to the Timeline bar (which is at the bottom of most pages), click the ![Click the add new button](../../../images/security-add-new-timeline-button.png "") button, then click **Create new Timeline template**. +* Go to the Timeline bar (which is at the bottom of most pages), click the ![Add new button](../../../images/security-add-new-timeline-button.png "title =20x20") button, then click **Create new Timeline template**. * From an open Timeline or Timeline template, click **New** → **New Timeline**. To open an existing Timeline, choose one of the following: * Go to the Timelines page, then click a Timeline’s title. -* Go to the Timeline bar, click the ![Click the add new button](../../../images/security-add-new-timeline-button.png "") button, then click **Open Timeline**. -* From an open Timeline or Timeline template, click **Open**, then select a Timeline. +* Go to the Timeline bar, click the ![Add new button](../../../images/security-add-new-timeline-button.png "title =20x20") button, then click **Open Timeline**. +* From an open Timeline or Timeline template, click **Open**, then select the appropriate Timeline. -To avoid losing your changes, save the Timeline before moving to a different {{security-app}} page. If you change an existing Timeline, you can use the **Save as new timeline** toggle to make a new copy of the Timeline without overwriting the original one. +To avoid losing your changes, you must save the Timeline before moving to a different {{security-app}} page. If you change an existing Timeline, you can use the **Save as new timeline** toggle to make a new copy of the Timeline without overwriting the original one. 
::::{tip} -Click the star icon (![Click the favorite icon](../../../images/security-favorite-icon.png "")) to favorite your Timeline and quickly find it later. +Click the star icon (![Favorite icon](../../../images/security-favorite-icon.png "title =20x20")) to favorite your Timeline and quickly find it later. :::: @@ -71,7 +52,7 @@ To further inspect an event or detection alert, click the **View details** butto ## Configure Timeline event context and display [conf-timeline-display] -Many types of events automatically appear in preconfigured views that provide relevant contextual information, called **Event renderers**. All event renderers are turned off by default. To turn them on, use the **Event renderers** toggle at the top of the results pane. To only turn on specific event renderers, click the gear (![The customize event renderer button](../../../images/security-customize-event-renderers.png "")) icon next to the toggle, and select the ones you want enabled. Close the **Customize event renderers** pane when you’re done. Your changes are automatically applied to Timeline. +Many types of events automatically appear in preconfigured views that provide relevant contextual information, called **Event renderers**. All event renderers are turned off by default. To turn them on, use the **Event renderers** toggle at the top of the results pane. To only turn on specific event renderers, click the gear (![Customize event renderer button](../../../images/security-customize-event-renderers.png "title =20x20")) icon next to the toggle, and select the ones you want enabled. Close the **Customize event renderers** pane when you’re done. Your changes are automatically applied to Timeline. :::{image} ../../../images/security-timeline-ui-renderer.png :alt: example timeline with the event renderer highlighted 
@@ -83,10 +64,10 @@ The example above displays the Flow event renderer, which highlights the movemen You can also modify a Timeline’s display in other ways: * [Add and remove fields](/solutions/security/investigate/timeline.md#add-remove-timeline-fields) from Timeline -* Create [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) and display them in Timeline +* Create [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) and display them in the Timeline * Reorder and resize columns * Copy a column name or values to a clipboard -* Change how the name, value, and description of a field are displayed in Timeline +* Change how the name, value, or description of a field are displayed in Timeline * View the Timeline in full screen mode * Add or delete [notes](/solutions/security/investigate/notes.md) attached to alerts, events, or Timeline * Pin interesting events to the Timeline 
@@ -96,7 +77,7 @@ You can also modify a Timeline’s display in other ways: The Timeline table shows fields that are available for alerts and events in the selected data view. You can modify the table to display fields that interest you. Use the sidebar to search for specific fields or scroll through it to find fields of interest. Fields that you select display as columns in the table. -To add a field from the sidebar, hover over it, and click the **Add field as a column** button (![The button that lets you to add a field as a column](../../../images/security-add-field-button.png "")), or drag and drop the field into the table. To remove a field, hover over it, and click the **Remove field as a column** button (![The button that lets you to remove a field as a column](../../../images/security-remove-field-button.png "")). +To add a field from the sidebar, hover over it, and click the **Add field as a column** button (![Add a field as a column button](../../../images/security-add-field-button.png "title =20x20")), or drag and drop the field into the table. To remove a field, hover over it, and click the **Remove field as a column** button (![Remove a field as a column button](../../../images/security-remove-field-button.png "title =20x20")). :::{image} ../../../images/security-timeline-sidebar.png :alt: Shows the sidebar that allows you to configure the columns that display in Timeline 
@@ -106,16 +87,18 @@ To add a field from the sidebar, hover over it, and click the **Add field as a c ## Use the Timeline query builder [narrow-expand] -Expand the query builder by clicking the query builder button (![Click the query builder button](../../../images/security-query-builder-button.png "")) to the right of the KQL query bar. Drop in fields to build a query that filters Timeline results. The fields' relative placement specifies their logical relationships: horizontally adjacent filters use `AND`, while vertically adjacent filters use `OR`. +Expand the query builder by clicking the query builder button (![Query builder button](../../../images/security-query-builder-button.png "title =20x20")) to the right of the KQL query bar. Drop in fields to build a query that filters Timeline results. The fields' relative placement specifies their logical relationships: horizontally adjacent filters use `AND`, while vertically adjacent filters use `OR`. ::::{tip} -Collapse the query builder to provide more space for Timeline results by clicking the query builder button (![Click the query builder button](../../../images/security-query-builder-button.png "")). +Collapse the query builder and provide more space for Timeline results by clicking the query builder button (![Query builder button](../../../images/security-query-builder-button.png "title =20x20")). :::: ## Edit existing filters [pivot] +% Consider changing the anchor text for this section. It's not very descriptive atm. + Click a filter to access additional operations such as **Add filter**, **Clear all**, **Load saved query**, and more: :::{image} ../../../images/security-timeline-ui-filter-options.png 
@@ -181,7 +164,7 @@ To learn more about cases, refer to [Cases](/solutions/security/investigate/case You can view, duplicate, export, delete, and create templates from existing Timelines: -1. Go to **Timelines**. +1. Find **Timelines** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 2. Click the **All actions** menu in the desired row, then select an action: * **Create template from timeline** (refer to [Timeline templates](/solutions/security/investigate/timeline-templates.md)) @@ -204,7 +187,7 @@ You can export and import Timelines, which enables you to share Timelines from o To export Timelines: -* Find **Timelines** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +* Find **Timelines** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). * Either click the **All actions** menu in the relevant row and select **Export selected**, or select multiple Timelines and then click **Bulk actions** → **Export selected**. To import Timelines: @@ -274,11 +257,11 @@ You can use {{esql}} in Timeline by opening the **{{esql}}** tab. From there, yo :::: -* Click the help icon (![Click the ES|QL reference button](../../../images/security-esql-help-ref-button.png "")) on the far right side of the query editor to open the in-product reference documentation for all {{esql}} commands and functions. +* Click the help icon (![ES|QL reference button](../../../images/security-esql-help-ref-button.png "title =20x20")) on the far right side of the query editor to open the in-product reference documentation for all {{esql}} commands and functions. * Visualize query results using [Discover](/explore-analyze/discover.md) functionality. :::{image} ../../../images/security-esql-tab.png -:alt: a Timeline's ES|QL tab +:alt: Example of the ES|QL tab in Timeline :class: screenshot ::: 
diff --git a/solutions/security/investigate/use-placeholder-fields-in-osquery-queries.md b/solutions/security/investigate/use-placeholder-fields-in-osquery-queries.md index dd7523691e..feb6161c18 100644 --- a/solutions/security/investigate/use-placeholder-fields-in-osquery-queries.md +++ b/solutions/security/investigate/use-placeholder-fields-in-osquery-queries.md @@ -4,14 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-osquery-placeholder-fields.html --- -# Use placeholder fields in Osquery queries - -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/osquery-placeholder-fields.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-osquery-placeholder-fields.md +# Use placeholder fields in Osquery queries [security-osquery-placeholder-fields] Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like parameters. You can use placeholder fields to build flexible and reusable queries. @@ -33,7 +26,9 @@ Queries with placeholder fields can only run against alerts or events. Otherwise The following query uses the `{{host.name}}` placeholder field: -`SELECT * FROM os_version WHERE name = {{host.os.name}}` +```sql +SELECT * FROM os_version WHERE name = {{host.os.name}} +``` When you run the query, the value that’s stored in the alert or event’s `host.name` field will be transferred to the `{{host.os.name}}` placeholder field. diff --git a/solutions/security/investigate/visual-event-analyzer.md b/solutions/security/investigate/visual-event-analyzer.md index ad43ce3b3e..3ad8f02f68 100644 --- a/solutions/security/investigate/visual-event-analyzer.md +++ b/solutions/security/investigate/visual-event-analyzer.md 
@@ -4,19 +4,12 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-visual-event-analyzer.html --- -# Visual event analyzer - -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/visual-event-analyzer.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-visual-event-analyzer.md +# Visual event analyzer [security-visual-event-analyzer] {{elastic-sec}} allows any event detected by {{elastic-endpoint}} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Examining events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations. ::::{tip} -If you’re experiencing performance degradation, you can [exclude cold and frozen tier data](/solutions/security/get-started/configure-advanced-settings.md#exclude-cold-frozen-tiers) from analyzer queries. +If you’re experiencing performance degradation, you can [exclude cold and frozen tier data](/solutions/security/get-started/configure-advanced-settings.md#exclude-cold-frozen-tiers) from analyzer queries. This setting is only available for the {{stack}}. :::: 
@@ -45,7 +38,7 @@ To find events that can be visually analyzed: * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` -3. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts***, ***Alerts**, and **Timelines** pages, as well as the alert details flyout. +3. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout. ::::{tip} Turn on the `securitySolution:enableVisualizationsInFlyout` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#visualizations-in-flyout) to access the event analyzer from the **Visualize** tab in the alert or event details flyout. 
@@ -174,12 +167,11 @@ When you select an `event.category` pill, all the events within that category ar ::: ::::{note} -In {{stack}} versions 7.10.0 and newer, there is no limit to the number of events that can be associated with a process. However, in {{stack}} versions 7.9.0 and earlier, each process is limited to only 100 events. +- You must have the appropriate [{{stack}}](https://www.elastic.co/pricing) subscription or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) to examine alerts associated with events. +- There is no limit to the number of events that can be associated with a process. :::: -If you have a [Platinum or Enterprise subscription](https://www.elastic.co/pricing), you can also examine alerts associated with events. - To examine alerts associated with the event, select the alert pill (***x* alert**). The left pane lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert’s details. In the example screenshot below, five alerts were generated by the analyzed event (`lsass.exe`). The left pane displays the associated alerts and basic information about each one.
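Review bot: In the security-alerts-run-osquery.md requirements hunk, the new link target `/solutions/security/investigate/osquery.md#required_osquery-privileges` uses an underscore in the anchor while every other anchor in this patch is hyphenated (`narrow-expand`, `add-remove-timeline-fields`, `man-templates-ui`); confirm that `required_osquery-privileges` is the exact heading ID in osquery.md, otherwise the link resolves to the page top.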
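Review bot: The two Osquery pages now state the serverless privilege requirement differently: security-alerts-run-osquery.md links the serverless case to `/deploy-manage/users-roles/cloud-organization/user-roles.md`, while the `@@ -18,7 +18,8` hunk in run-osquery-from-investigation-guides.md adds `* In {{serverless-short}}, you must have the appropriate user role to use this feature.` with no link. Use the same wording and link on both pages. This file also still carries `% What needs to be done: Align serverless/stateful`, which the other pages in this patch remove; drop it here too or say why it stays.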
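Review bot: In the `@@ -39,7 +40,7` hunk of run-osquery-from-investigation-guides.md, the unchanged step 2 reads `2. Select a rule to open the its details, then click **Edit rule settings**.`; since this list is being touched anyway, drop the stray "the".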
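Review bot: The `@@ -56,7` and `@@ -87,6` hunks of run-osquery-from-investigation-guides.md give two different screenshots the same alt text, `:alt: Shows results from running a query from an investigation guide`. The first image, `security-setup-osquery-investigation-guide.png`, sits in the setup steps right after "Select a saved query or enter a new one", so its alt should describe the query setup form rather than results (for example "Shows how to set up a query in an investigation guide"); keep the results wording for `security-run-query-investigation-guide.png` only.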
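Review bot: The `@@ -4,23 +4,12` hunk in session-view.md deletes the migration note that says internal links rely on `$$$enable-session-view$$$`, but no replacement anchor appears in the hunk; confirm a heading on this page now carries `[enable-session-view]` or links to it will break. The requirement line also lost its only concrete fact: `Session View requires an [Enterprise subscription]` became "Ensure you have the appropriate {{stack}} subscription or {{serverless-short}} project tier", which does not tell the reader which tier. Keep the tier name unless the linked pricing page states it for this feature. Minor: the new link uses a relative `../../../deploy-manage/...` path while the rest of the patch uses absolute `/deploy-manage/...` paths.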
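Review bot: Same anchor concern for the `@@ -4,24 +4,7` hunk in timeline-templates.md: it removes `$$$create-timeline-template$$$`, `$$$import-export-timeline-templates$$$`, `$$$man-templates-ui$$$` and `$$$template-legend-ui$$$` without showing where those IDs now live. At least `man-templates-ui` is still linked from this same page (`/solutions/security/investigate/timeline-templates.md#man-templates-ui` in the `@@ -79,7` hunk), so each of the four must exist as a heading ID after this change.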
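Review bot: The `@@ -64,13 +47,13` hunk in timeline-templates.md changes `: :::{image} ../../../images/security-timeline-template-filter.png` to `:::{image} ...`, which detaches the image from the `Template filter` definition-list term; the `Regular Timeline filter` entry just above keeps the `Term` / `: definition` form, so after this change the two entries render differently and "Template filter" is likely to become a bare paragraph. Either keep the `: ` prefix or restructure both entries the same way. Minor: the alt text is capitalised on one image (`Timeline template filter value`) and not on the next (`timeline template filter`).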
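Review bot: The `@@ -4,26 +4,7` hunk in timeline.md removes `$$$esql-in-timeline$$$`, `$$$add-remove-timeline-fields$$$`, `$$$import-export-timelines$$$`, `$$$narrow-expand$$$` and `$$$pivot$$$`. The later hunks show `[narrow-expand]` and `[pivot]` as heading IDs and `#add-remove-timeline-fields` is linked from the `@@ -83,10` hunk, but nothing in the patch shows `esql-in-timeline` or `import-export-timelines`; confirm both still exist as heading IDs on the page.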
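Review bot: In the `@@ -42,19 +23,19` hunk of timeline.md, the rewritten `+` line under "To make a new Timeline" still ends with `then click **Create new Timeline template**`; this section creates a Timeline, and the template procedure with that exact wording lives in timeline-templates.md, so the line should read `then click **Create new Timeline**`. The line is already being rewritten for the icon title, so fix it in the same hunk rather than shipping the wrong menu item again.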
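Review bot: The `@@ -83,10 +64,10` hunk in timeline.md introduces `display them in the Timeline` in one bullet while the sibling bullets (unchanged, and the next `+` line) say "in Timeline"; pick one form for the list. In the same hunk, `Change how the name, value, or description of a field are displayed` should take "is displayed" now that the conjunction is "or".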
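Review bot: The `@@ -106,16 +87,18` hunk in timeline.md adds `% Consider changing the anchor text for this section. It's not very descriptive atm.` under `## Edit existing filters [pivot]`. The `pivot` ID is one the removed migration note lists as required by internal links, so whoever acts on this comment must change only the heading wording and keep `[pivot]`; say so in the comment, or better, track it as an issue, since this same patch is removing TODO comments from the other pages.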
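Review bot: The `@@ -181,7` and `@@ -204,7` hunks in timeline.md change the step to `Find **Timelines** in the navigation menu ...`, but the `@@ -42,19` hunk in the same file and every other page in this patch use "in the main menu or by using the global search field". Use one term for the menu across the patch.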
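Review bot: In the `@@ -33,7 +26,9` hunk of use-placeholder-fields-in-osquery-queries.md, the placeholder names disagree: the lead-in says the query uses `{{host.name}}`, the fenced query uses `{{host.os.name}}`, and the sentence after it says the alert's `host.name` value is transferred to `{{host.os.name}}`. All three should name the same field (presumably `host.os.name`, since `os_version.name` is an OS name). Also, now that the query sits in a ```sql fence, check a rendered build to make sure `{{host.os.name}}` is still emitted literally, because the same `{{...}}` syntax is used for substitutions such as `{{stack}}` and `{{agent}}` throughout these files.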
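Review bot: The `@@ -174,12 +167,11` hunk in visual-event-analyzer.md folds `If you have a [Platinum or Enterprise subscription]...` into the note as "You must have the appropriate {{stack}} subscription or {{serverless-short}} project tier", dropping the tier names; as with the session-view.md change, keep them unless the linked page states the requirement for this feature. Minor: the note uses `- ` bullets while the requirement lists elsewhere in this patch use `* `, and the link is again a relative `../../../deploy-manage/...` path.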