diff --git a/raw-migrated-files/docs-content/serverless/security-add-manage-notes.md b/raw-migrated-files/docs-content/serverless/security-add-manage-notes.md deleted file mode 100644 index 46dbc56083..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-add-manage-notes.md +++ /dev/null 
@@ -1,53 +0,0 @@ -# Notes [security-add-manage-notes] - -Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page. - -::::{note} -Configure the `securitySolution:maxUnassociatedNotes` [advanced settings](../../../solutions/security/get-started/configure-advanced-settings.md#max-notes-alerts-events) to specify the maximum number of notes that you can attach to alerts and events. - -:::: - - - -## View and add notes to alerts and events [notes-alerts-events] - -Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (![The action that lets you to add a new note](../../../images/serverless-editorComment.svg "")) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it. - -After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert. - -:::{image} ../../../images/serverless--notes-new-note-alert-event.png -:alt: New note added to an alert -::: - - -## View and add notes to Timelines [notes-timelines] - -::::{important} -You can only add notes to saved Timelines. - -:::: - - -Open the **Notes** Timeline tab, where you can view existing notes for the Timeline and add new ones. Alternatively, use the details flyout for alerts and events that you’re investigating from Timeline. Be aware that notes added this way are automatically attached to the alert or event and the Timeline unless you deselect the **Attach to current Timeline** option. - -After notes are created, the **Notes** Timeline tab displays the total number of notes attached to the Timeline. 
- -:::{image} ../../../images/serverless--notes-new-note-timeline-tab.png -:alt: New note added to a Timeline -::: - - -## Manage notes [manage-notes] - -Use the **Notes** page to view and interact with all existing notes. To access the page, navigate to **Investigations*** in the main navigation menu or by using the global search field, then go to ***Notes**. From the **Notes** page, you can: - -* Search for specific notes -* Filter notes by the user who created them or by the object they’re attached to (notes can be attached to alerts, events, or Timelines) -* Examine the contents of a note (select the text in the **Note content** column) -* Delete one or more notes -* Examine the alert or event that a note is attached to (click the **Expand alert/event details** ![Preview alert or event details action](../../../images/serverless-expand.svg "") icon) -* Open the Timeline that the note is attached to (click the **Open saved timeline** ![Preview alert or event details action](../../../images/serverless-timelineWithArrow.svg "") icon) - -:::{image} ../../../images/serverless--notes-management-page.png -:alt: Notes management page -::: diff --git a/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md b/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md deleted file mode 100644 index f48d7029c1..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cases-open-manage.md +++ /dev/null 
@@ -1,295 +0,0 @@ -# Create and manage cases [security-cases-open-manage] - -You can create and manage cases using the UI or the [cases API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-cases). - - -## Open a new case [cases-ui-open] - -Open a new case to keep track of security issues and share their details with colleagues. - -1. Go to **Cases**, then click **Create case**. If no cases exist, the Cases table will be empty and you’ll be prompted to create one by clicking the **Create case** button inside the table. -2. (Optional) If you defined [templates](../../../solutions/security/investigate/configure-case-settings.md#security-cases-settings-templates), select one to use its default field values. . Give the case a name, assign a severity level, and provide a description. You can use [Markdown](https://www.markdownguide.org/cheat-sheet) syntax in the case description. - - ::::{note} - If you do not assign your case a severity level, it will be assigned **Low** by default. - - :::: - - - ::::{tip} - You can insert a Timeline link in the case description by clicking the Timeline icon (![Timeline](../../../images/serverless-timeline.svg "")). - - :::: - -3. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary [prerequisites](../../../solutions/security/investigate/cases-requirements.md). -4. If you defined [custom fields](../../../solutions/security/investigate/configure-case-settings.md#security-cases-settings-custom-fields), they appear in the **Additional fields** section. -5. Choose if you want alert statuses to sync with the case’s status after they are added to the case. This option is enabled by default, but you can turn it off after creating the case. -6. From **External incident management**, select a [connector](../../../solutions/security/investigate/configure-case-settings.md). If you’ve previously added one, that connector displays as the default selection. 
Otherwise, the default setting is `No connector selected`. -7. Click **Create case**. - - ::::{note} - If you’ve selected a connector for the case, the case is automatically pushed to the third-party system it’s connected to. - - :::: - - -:::{image} ../../../images/serverless--cases-cases-ui-open.png -:alt: Shows an open case -:class: screenshot -::: - - -## Manage existing cases [security-cases-open-manage-manage-existing-cases] - -From the Cases page, you can search existing cases and filter them by attributes such as assignees, categories, severity, status, and tags. You can also select multiple cases and use bulk actions to delete cases or change their attributes. General case metrics, including how long it takes to close cases, are provided above the table. - -:::{image} ../../../images/serverless--cases-cases-home-page.png -:alt: Case UI Home -:class: screenshot -::: - -To explore a case, click on its name. You can then: - -* [Review the case summary](../../../solutions/security/investigate/open-manage-cases.md#cases-summary) -* [Add and manage comments](../../../solutions/security/investigate/open-manage-cases.md#cases-manage-comments) - - ::::{tip} - Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](../../../images/serverless--detections-markdown-icon.png "")) in the bottom right of the comment. - - :::: - -* Examine [alerts](../../../solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case -* [Add files](../../../solutions/security/investigate/open-manage-cases.md#cases-add-files) -* [Add a Lens visualization](../../../solutions/security/investigate/open-manage-cases.md#cases-lens-visualization) -* Modify the case’s description, assignees, category, severity, status, and tags. 
-* Manage connectors and send updates to external systems (if you’ve added a connector to the case) -* [Add observables](../../../solutions/security/investigate/open-manage-cases.md#cases-add-observables) -* [Copy the case UUID](../../../solutions/security/investigate/open-manage-cases.md#cases-copy-case-uuid) -* Refresh the case to retrieve the latest updates - - -### Review the case summary [cases-summary] - -Click on an existing case to access its summary. The case summary, located under the case title, contains metrics that summarize alert information and response times. These metrics update when you attach additional unique alerts to the case, add connectors, or modify the case’s status: - -* **Total alerts**: Total number of unique alerts attached to the case -* **Associated users**: Total number of unique users that are represented in the attached alerts -* **Associated hosts**: Total number of unique hosts that are represented in the attached alerts -* **Total connectors**: Total number of connectors that have been added to the case -* **Case created**: Date and time that the case was created -* **Open duration**: Time elapsed since the case was created -* **In progress duration**: How long the case has been in the `In progress` state -* **Duration from creation to close**: Time elapsed from when the case was created to when it was closed - -:::{image} ../../../images/serverless--cases-cases-summary.png -:alt: Shows you a summary of the case -:class: screenshot -::: - - -### Manage case comments [cases-manage-comments] - -To edit, delete, or quote a comment, select the appropriate option from the **More actions** menu (![More actions](../../../images/serverless-boxesHorizontal.svg "")). - -:::{image} ../../../images/serverless--cases-cases-manage-comments.png -:alt: Shows you a summary of the case -:class: screenshot -::: - - -### Examine alerts attached to a case [cases-examine-alerts] - -To explore the alerts attached to a case, click the **Alerts** tab. 
In the table, alerts are organized from oldest to newest. To [view alert details](../../../solutions/security/detect-and-alert/view-detection-alert-details.md), click the **View details** button. - -:::{image} ../../../images/serverless--cases-cases-alert-tab.png -:alt: Shows you the Alerts tab -:class: screenshot -::: - -::::{note} -Each case can have a maximum of 1,000 alerts. - -:::: - - - -### Add files [cases-add-files] - -To upload files to a case, click the **Files** tab: - -:::{image} ../../../images/serverless--cases-cases-files.png -:alt: A list of files attached to a case -:class: screenshot -::: - -You can add images and text, CSV, JSON, PDF, or ZIP files. For the complete list, check [mime_types.ts](https://github.com/elastic/kibana/blob/main/x-pack/plugins/cases/common/constants/mime_types.ts). - -::::{note} -There is a 10 MiB size limit for images. For all other MIME types, the limit is 100 MiB. - -:::: - - -To download or delete the file, or copy the file hash to your clipboard, open the **Actions** menu (**…**). The available hash functions are MD5, SHA-1, and SHA-256. - -When you add a file, a comment is added to the case activity log. To view an image, click its name in the activity or file list. - - -### Add a Lens visualization [cases-lens-visualization] - -::::{warning} -This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. -:::: - - -Add a Lens visualization to your case to portray event and alert data through charts and graphs. - -:::{image} ../../../images/serverless--cases-add-vis-to-case.gif -:alt: Shows how to add a visualization to a case -:class: screenshot -::: - -To add a Lens visualization to a comment within your case: - -1. Click the **Visualization** button. The **Add visualization** dialog appears. -2. 
Select an existing visualization from your Visualize Library or create a new visualization. - - ::::{important} - Set an absolute time range for your visualization. This ensures your visualization doesn’t change over time after you save it to your case, and provides important context for others managing the case. - - :::: - -3. Save the visualization to your Visualize Library by clicking the **Save to library** button (optional). - - 1. Enter a title and description for the visualization. - 2. Choose if you want to keep the **Update panel on Security** activated. This option is activated by default and automatically adds the visualization to your Visualize Library. - -4. After you’ve finished creating your visualization, click **Save and return** to go back to your case. -5. Click **Preview** to show how the visualization will appear in the case comment. -6. Click **Add Comment** to add the visualization to your case. - -Alternatively, while viewing a [dashboard](../../../solutions/security/dashboards.md) you can open a panel’s menu then click **More actions** (![More actions](../../../images/serverless-boxesHorizontal.svg "")​) → **Add to existing case*** or ***More actions** (![More actions](../../../images/serverless-boxesHorizontal.svg "")​) → **Add to new case**. - -After a visualization has been added to a case, you can modify or interact with it by clicking the **Open Visualization** option in the case’s comment menu. - -:::{image} ../../../images/serverless--cases-cases-open-vis.png -:alt: Shows where the Open Visualization option is -:class: screenshot -::: - - -### Add observables [cases-add-observables] - -::::{admonition} Requirements -To use observables, you must have the Security Analytics Essentials [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). - -:::: - - -An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. 
Use observables to identify correlated events and better understand the severity and scope of a case. - -To create an observable: - -1. Click the **Observables** tab, then click **Add observable**. - - ::::{note} - Each case can have a maximum of 50 observables. - :::: - -2. Provide the necessary details: - - * **Type**: Select a type for the observable. You can choose a preset type or a [custom one](../../../solutions/security/investigate/configure-case-settings.md#security-cases-observable-types). - * **Value**: Enter a value for the observable. The value must align with the type you select. - * **Description** (Optional): Provide additional information about the observable. - -3. Click **Add observable**. - -After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**). - -::::{tip} -Go to the **Similar cases** tab to access other cases with the same observables. -:::: - - -:::{image} ../../../images/serverless--cases-cases-add-observables.png -:alt: Shows you where to add observables -:class: screenshot -::: - - -### Copy the case UUID [cases-copy-case-uuid] - -Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case’s UUID to a clipboard, go to the Cases page and select **Actions** → **Copy Case ID*** for the case you want to share. Alternatively, go to a case’s details page, then from the ***More actions** menu (![More actions](../../../images/serverless-boxesHorizontal.svg "")), select **Copy Case ID**. 
- -:::{image} ../../../images/serverless--cases-cases-copy-case-id.png -:alt: Copy Case ID option in More actions menu 40% -:class: screenshot -::: - - -## Export and import cases [cases-export-import] - -Cases can be [exported](../../../solutions/security/investigate/open-manage-cases.md#cases-export) and [imported](../../../solutions/security/investigate/open-manage-cases.md#cases-import) as saved objects using the Saved Objects [project settings](https://www.elastic.co/guide/en/serverless/current/security-project-settings.html) UI. - -::::{important} -Before importing Lens visualizations, Timelines, or alerts, ensure their data is present. Without it, they won’t work after being imported. - -:::: - - - -### Export a case [cases-export] - -Use the **Export** option to move cases between different {{elastic-sec}} instances. When you export a case, the following data is exported to a newline-delimited JSON (`.ndjson`) file: - -* Case details -* User actions -* Text string comments -* Case alerts -* Lens visualizations (exported as JSON blobs). - -::::{note} -The following attachments are *not* exported: - -* **Case files**: Case files are not exported. However, they are accessible in **Project Settings*** → ***Stack Management** → **Files** to download and re-add. -* **Alerts**: Alerts attached to cases are not exported. You must re-add them after importing cases. - -:::: - - -To export a case: - -1. Go to **Project Settings** → **Stack Management** → **Saved objects**. -2. Search for the case by choosing a saved object type or entering the case title in the search bar. -3. Select one or more cases, then click the **Export** button. -4. Click **Export**. A confirmation message that your file is downloading displays. - - ::::{tip} - Keep the **Include related objects** option enabled to ensure connectors are exported too. 
- - :::: - - -:::{image} ../../../images/serverless--cases-cases-export-button.png -:alt: Shows the export saved objects workflow -:class: screenshot -::: - - -### Import a case [cases-import] - -To import a case: - -1. Go to **Project settings** → **Management** → **Saved objects**. -2. Click **Import**. -3. Select the NDJSON file containing the exported case and configure the import options. -4. Click **Import**. -5. Review the import log and click **Done**. - - ::::{important} - Be mindful of the following: - - * If the imported case had connectors attached to it, you’ll be prompted to re-authenticate the connectors. To do so, click **Go to connectors** on the **Import saved objects*** flyout and complete the necessary steps. Alternatively, open the main menu, then go to ***Project Settings*** → ***Stack Management** → **{{connectors-ui}}** to access connectors. - * If the imported case had attached alerts, verify that the alerts' source documents exist in the environment. Case features that interact with alerts (such as the Alert details flyout and rule details page) rely on the alerts' source documents to function. - - :::: diff --git a/raw-migrated-files/docs-content/serverless/security-cases-overview.md b/raw-migrated-files/docs-content/serverless/security-cases-overview.md deleted file mode 100644 index 3751296c1e..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cases-overview.md +++ /dev/null 
@@ -1,21 +0,0 @@ -# Cases [security-cases-overview] - -Collect and share information about security issues by opening a case in {{elastic-sec}}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {{elastic-sec}} UI provides several ways to create and manage cases. Alternatively, you can use the [cases API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-cases) to perform the same tasks. - -You can also send cases to these external systems by [configuring external connectors](../../../solutions/security/investigate/configure-case-settings.md): - -* {sn-itsm} -* {sn-sir} -* {{jira}} (including Jira Service Desk) -* {ibm-r} -* {swimlane} -* {webhook-cm} - -:::{image} ../../../images/serverless--cases-cases-home-page.png -:alt: Case UI Home -:class: screenshot -::: - - - - diff --git a/raw-migrated-files/docs-content/serverless/security-cases-requirements.md b/raw-migrated-files/docs-content/serverless/security-cases-requirements.md deleted file mode 100644 index 88b2dae7f7..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cases-requirements.md +++ /dev/null 
@@ -1,26 +0,0 @@ -# Cases requirements [security-cases-requirements] - -To access cases, you need either the appropriate [predefined Security user role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with the right privileges. - -You can create custom roles and define feature privileges at different levels to manage feature access in {{kib}}. {{kib}} privileges grant access to features within a specified {{kib}} space, and you can grant full or partial access. For more information, refer to [Custom roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md). - -::::{note} -To send cases to external systems, you need the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). - -:::: - - -::::{important} -Certain feature tiers and roles might be required to manage case attachments. For example, to add alerts to cases, you must have a role that allows [managing alerts](../../../solutions/security/detect-and-alert/detections-requirements.md#enable-detections-ui). - -:::: - - -To grant access to cases in a custom role, set the privileges for the **Cases** and **{{connectors-feature}}** features as follows: - -| Action | {{kib}} Privileges | -| --- | --- | -| Give full access to manage cases and settings | * **All** for the **Cases*** feature under ***Security***
* ***All*** for the ***{{connectors-feature}}*** feature under ***Stack Management***

::::{note}
Roles without ***All*** privileges for the ***{{connectors-feature}}*** feature cannot create, add, delete, or modify case connectors.

By default, ***All** for the **Cases** feature allows you to delete cases, delete alerts and comments from cases, and edit case settings. You can customize the sub-feature privileges to limit feature access.

::::

| -| Give assignee access to cases | **All** for the **Cases** feature under **Security**

::::{note}
Before a user can be assigned to a case, they must log into {{kib}} at least once, which creates a user profile.

::::

| -| Give view-only access for cases | **Read** for the **Security*** feature and ***All** for the **Cases** feature

::::{note}
You can customize the sub-feature privileges to allow access to deleting cases, deleting alerts and comments from cases, viewing or editing case settings, adding case comments and attachments, and re-opening cases.

::::

| -| Revoke all access to cases | **None** for the **Cases** feature under **Security** | diff --git a/raw-migrated-files/docs-content/serverless/security-cases-settings.md b/raw-migrated-files/docs-content/serverless/security-cases-settings.md deleted file mode 100644 index c1312198bf..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cases-settings.md +++ /dev/null 
@@ -1,150 +0,0 @@ -# Configure case settings [security-cases-settings] - -To access case settings in an {{elastic-sec}} project, go to **Cases** → **Settings**. - -:::{image} ../../../images/serverless-security-cases-settings.png -:alt: Shows the case settings page -:class: screenshot -::: - - -## Case closures [security-cases-settings-case-closures] - -If you close cases in your external incident management system, the cases will remain open in {{elastic-sec}} until you close them manually. - -To close cases when they are sent to an external system, select **Automatically close Security cases when pushing new incident to external system**. - - -## External incident management systems [security-cases-settings-external-incident-management-systems] - -You can push {{elastic-sec}} cases to these third-party systems: - -* {sn-itsm} -* {sn-sir} -* {{jira}} (including Jira Service Desk) -* {ibm-r} -* {swimlane} -* {hive} -* {webhook-cm} - -To push cases, you need to create a connector, which stores the information required to interact with an external system. After you have created a connector, you can set {{elastic-sec}} cases to automatically close when they are sent to external systems. - -::::{admonition} Requirements -:class: note - -To create connectors and send cases to external systems, you need the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) and the appropriate user role. For more information, refer to [Cases prerequisites](../../../solutions/security/investigate/cases-requirements.md). - -:::: - - -To create a new connector - -1. From the **Incident management system** list, select **Add new connector**. -2. Select the system to send cases to: **{{sn}}**, **{{jira}}***, ***{{ibm-r}}***, ***{{swimlane}}***, ***{{hive}}**, or **{{webhook-cm}}**. -3. Enter your required settings. 
For connector configuration details, refer to: - - * [{{sn-itsm}} connector](asciidocalypse://docs/kibana/docs/reference/connectors-kibana/servicenow-action-type.md) - * [{{sn-sir}} connector](asciidocalypse://docs/kibana/docs/reference/connectors-kibana/servicenow-sir-action-type.md) - * [{{jira}} connector](asciidocalypse://docs/kibana/docs/reference/connectors-kibana/jira-action-type.md) - * [{{ibm-r}} connector](asciidocalypse://docs/kibana/docs/reference/connectors-kibana/resilient-action-type.md) - * [{{swimlane}} connector](asciidocalypse://docs/kibana/docs/reference/connectors-kibana/swimlane-action-type.md) - * [{{hive}} connector](asciidocalypse://docs/kibana/docs/reference/connectors-kibana/thehive-action-type.md) - * [{{webhook-cm}} connector](asciidocalypse://docs/kibana/docs/reference/connectors-kibana/cases-webhook-action-type.md) - - -To change the settings of an existing connector: - -1. Select the required connector from the incident management system list. -2. Click **Update **. -3. In the **Edit connector** flyout, modify the connector fields as required, then click **Save & close** to save your changes. - -To change the default connector used to send cases to external systems, select the required connector from the incident management system list. - - -### Mapped case fields [security-cases-settings-mapped-case-fields] - -When you export an {{elastic-sec}} case to an external system, case fields are mapped to existing fields in the external system. For example, the case title is mapped to the short description in {{sn}} and the summary in {{jira}} incidents. Case tags are mapped to labels in {{jira}}. Case comments are mapped to work notes in {{sn}}. - -When you use a {{webhook-cm}} connector, case fields can be mapped to custom or existing fields. - -When you push updates to external systems, mapped fields are either overwritten or appended, depending on the field and the connector. - -Retrieving data from external systems is not supported. 
- - -## Custom fields [security-cases-settings-custom-fields] - -You can add optional and required fields for customized case collaboration. - -1. In the **Custom fields** section, click **Add field**. - - :::{image} ../../../images/serverless-security-cases-custom-fields.png - :alt: Add a custom field - :class: screenshot - ::: - -2. You must provide a field label and type (text or toggle). You can optionally designate it as a required field and provide a default value. - -When you create a custom field, it’s added to all new and existing cases. In existing cases, new custom text fields initially have null values. - -You can subsequently remove or edit custom fields on the **Settings** page. - - -## Templates [security-cases-settings-templates] - -::::{warning} -This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. -:::: - - -You can make the case creation process faster and more consistent by adding templates. A template defines values for one or all of the case fields (such as severity, tags, description, and title) as well as any custom fields. - -To create a template: - -1. In the **Templates** section, click **Add template**. - - :::{image} ../../../images/serverless-security-cases-templates.png - :alt: Add a case template - :class: screenshot - ::: - -2. You must provide a template name and case severity. You can optionally add template tags and a description, values for each case field, and a case connector. - -When users create cases, they can optionally select a template and use its field values or override them. - -::::{note} -If you update or delete templates, existing cases are unaffected. 
- -:::: - - - -## Observable types [security-cases-observable-types] - -::::{admonition} Requirements -To use observables, you must have the Security Analytics Essentials [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). - -:::: - - -Create custom observable types for enhanced case collaboration. - -1. In the **Observable types** section, click **Add observable type**. -2. Enter a descriptive label for the observable type, then click **Save**. - -After creating a new observable type, you can remove or edit it from the **Settings** page. - -::::{note} -You can create up to 10 custom observable types. -:::: - - -::::{important} -Deleting a custom observable type deletes all instances of it. -:::: - - -:::{image} ../../../images/serverless-security-cases-observable-types.png -:alt: Add an observable type in case settings -:class: screenshot -::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 0acc3f4186..140bb47cef 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -220,7 +220,6 @@ toc: - file: docs-content/serverless/project-settings-alerts.md - file: docs-content/serverless/project-settings-content.md - file: docs-content/serverless/security-about-rules.md - - file: docs-content/serverless/security-add-manage-notes.md - file: docs-content/serverless/security-advanced-settings.md - file: docs-content/serverless/security-agent-tamper-protection.md - file: docs-content/serverless/security-ai-assistant-esql-queries.md 
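Review bot: dropping `docs-content/serverless/security-add-manage-notes.md` from the toc is consistent with the file deletion in the first hunk, but no hunk in this patch adds `https://www.elastic.co/guide/en/serverless/current/security-add-manage-notes.html` to a `mapped_urls` block under solutions/, the way the cases-requirements.md hunk does for its old serverless URL. Confirm the notes page is mapped elsewhere before this entry goes.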
@@ -238,10 +237,6 @@ toc: - file: docs-content/serverless/security-benchmark-rules.md - file: docs-content/serverless/security-blocklist.md - file: docs-content/serverless/security-building-block-rules.md - - file: docs-content/serverless/security-cases-open-manage.md - - file: docs-content/serverless/security-cases-overview.md - - file: docs-content/serverless/security-cases-requirements.md - - file: docs-content/serverless/security-cases-settings.md - file: docs-content/serverless/security-cloud-native-security-overview.md - file: docs-content/serverless/security-cloud-posture-dashboard-dash-cspm.md - file: docs-content/serverless/security-cloud-posture-dashboard-dash-kspm.md diff --git a/solutions/security/investigate/cases-requirements.md b/solutions/security/investigate/cases-requirements.md index a9f1315672..d0c9fab3d9 100644 --- a/solutions/security/investigate/cases-requirements.md +++ b/solutions/security/investigate/cases-requirements.md 
@@ -4,35 +4,24 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-cases-requirements.html --- -# Cases requirements - -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/case-permissions.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cases-requirements.md - -You can create roles and define feature privileges at different levels to manage feature access in {{kib}}. {{kib}} privileges grant access to features within a specified {{kib}} space, and you can grant full or partial access. For more information, refer to [{{kib}} privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#adding_kibana_privileges). +# Cases requirements [security-cases-requirements] ::::{note} -To send cases to external systems, you need the [appropriate license](https://www.elastic.co/subscriptions). +- To send cases to external systems, ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). -If you are using an on-premises {{kib}} deployment and want the email notifications and the external incident management systems to contain links back to {{kib}}, you must configure the [server.publicBaseUrl](/deploy-manage/deploy/self-managed/configure.md#server-publicBaseUrl) setting. +- You need particular subscriptions and privileges to manage case attachments. For example in {{stack}}, to add alerts to cases, you must have privileges for [managing alerts](/solutions/security/detect-and-alert/detections-requirements.md#enable-detections-ui). In {{serverless-short}}, you need the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). 
+- If you have an on-premises deployment and want email notifications and external incident management systems to contain links back to {{kib}}, you must configure the [server.publicBaseUrl](/deploy-manage/deploy/self-managed/configure.md#server-publicBaseUrl) setting. :::: -::::{important} -Certain subscriptions and privileges might be required to manage case attachments. For example, to add alerts to cases, you must have privileges for [managing alerts](/solutions/security/detect-and-alert/detections-requirements.md#enable-detections-ui). -:::: - +To grant access to cases in a custom role, set the privileges for the **Cases** and **{{connectors-feature}}** features as follows: -To grant access to cases, set the privileges for the **Cases** and **{{connectors-feature}}** features as follows: +% Management might be called Stack Management in Serverless. | Action | {{kib}} Privileges | | --- | --- | -| Give full access to manage cases and settings | * **All** for the **Cases** feature under **Security**
* **All*** for the **{{connectors-feature}}** feature under **Management**

::::{note}
Roles without ***All** privileges for the **{{connectors-feature}}** feature cannot create, add, delete, or modify case connectors.

By default, **All** for the **Cases** feature allows you to delete cases, delete alerts and comments from cases, and edit case settings. You can customize the sub-feature privileges to limit feature access.

::::

| -| Give assignee access to cases | **All** for the **Cases** feature under **Security**

::::{note}
Before a user can be assigned to a case, they must log into {{kib}} at least once, which creates a user profile.
::::

| -| Give view-only access for cases | **Read** for the **Security** feature and **All** for the **Cases** feature

::::{note}
You can customize the sub-feature privileges to allow access to deleting cases, deleting alerts and comments from cases, viewing or editing case settings, adding case comments and attachments, and re-opening cases.
::::

| +| Give full access to manage cases and settings | - **All** for the **Cases** feature under **Security**
- **All** for the **{{connectors-feature}}** feature under **Management**

**Note:** Roles without **All** privileges for the **{{connectors-feature}}** feature cannot create, add, delete, or modify case connectors. By default, **All** for the **Cases** feature allows you to delete cases, delete alerts and comments from cases, and edit case settings. You can customize the sub-feature privileges to limit feature access.



| +| Give assignee access to cases | **All** for the **Cases** feature under **Security**

**Note:** Before a user can be assigned to a case, they must log into {{kib}} at least once, which creates a user profile.

| +| Give view-only access for cases | **Read** for the **Security** feature and **All** for the **Cases** feature

**Note:** You can customize the sub-feature privileges to allow access to deleting cases, deleting alerts and comments from cases, viewing or editing case settings, adding case comments and attachments, and re-opening cases.

| | Revoke all access to cases | **None** for the **Cases** feature under **Security** | diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md index 0bbec82357..0ec50601d6 100644 --- a/solutions/security/investigate/cases.md +++ b/solutions/security/investigate/cases.md @@ -4,14 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-cases-overview.html --- -# Cases - -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cases-overview.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cases-overview.md +# Cases [security-cases-overview] Collect and share information about security issues by opening a case in {{elastic-sec}}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {{elastic-sec}} UI provides several ways to create and manage cases. Alternatively, you can use the [cases API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-cases) to perform the same tasks. @@ -30,7 +23,7 @@ You can also send cases to these external systems by [configuring external conne ::: ::::{note} -From {{elastic-sec}}, you cannot access cases created in {{observability}} or Stack Management. +From {{elastic-sec}} in the {{stack}}, you cannot access cases created in {{observability}} or Stack Management. :::: diff --git a/solutions/security/investigate/configure-case-settings.md b/solutions/security/investigate/configure-case-settings.md index fc452d8ff5..809336bcfe 100644 --- a/solutions/security/investigate/configure-case-settings.md +++ b/solutions/security/investigate/configure-case-settings.md 
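Review bot: in the `cases-requirements.md` table the new `+` rows still carry blank lines and multi-paragraph `**Note:**` text inside table cells (for example after `- **All** for the **{{connectors-feature}}** feature under **Management**`), which a Markdown table cannot hold; either confirm the docs builder accepts multi-line cells or collapse each cell to one line with `<br>` between the bullets and the note. Three smaller points in the same hunk: `For example in {{stack}}, to add alerts to cases` needs a comma after `For example`; the `% Management might be called Stack Management in Serverless.` comment is an open question that should be settled (the `open-manage-cases.md` hunk later in this diff already refers to the page as `**{{connectors-ui}}**`) rather than landed alongside the removal of the other migration TODOs; and the "Give view-only access for cases" row grants **All** for the **Cases** feature, which the "full access" row says already allows deleting cases, alerts and comments, so please check whether **Read** was intended there. In the `cases.md` hunk on this same line, qualifying the note with `in the {{stack}}` implies that {{serverless-short}} behaves differently, but nothing says how; either add the serverless behaviour or keep the sentence unqualified.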
@@ -4,34 +4,10 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-cases-settings.html --- -# Configure case settings +# Configure case settings [security-cases-settings] -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cases-manage-settings.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cases-settings.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$cases-templates$$$ - -$$$cases-ui-custom-fields$$$ - -$$$cases-ui-integrations$$$ - -$$$cases-observable-types$$$ - -$$$security-cases-settings-templates$$$ - -$$$security-cases-settings-custom-fields$$$ - -$$$security-cases-observable-types$$$ - - - -To change case closure options, add custom fields, templates, and connectors for external incident management systems, and create custom observable types, find **Cases** in the navigation menu or search for `Security/Cases` by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Settings**. +This page explains how to change case closure options, add custom fields, templates, and connectors for external incident management systems, and create custom observable types. +First, find **Cases** in the navigation menu or search for `Security/Cases` by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Settings**. In {{serverless-short}}, you can access case settings in an {{elastic-sec}} project, go to **Cases** → **Settings**. :::{image} ../../../images/security-cases-settings.png :alt: Shows the case settings page 
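Review bot: this hunk deletes `$$$cases-templates$$$`, `$$$cases-ui-custom-fields$$$`, `$$$cases-ui-integrations$$$`, `$$$cases-observable-types$$$`, `$$$security-cases-settings-templates$$$`, `$$$security-cases-settings-custom-fields$$$` and `$$$security-cases-observable-types$$$` directly under a comment saying internal links rely on them; `cases-ui-integrations` and `cases-observable-types` reappear as heading IDs in the later hunks of this file, but the three `security-cases-*` IDs and the `cases-templates` / `cases-ui-custom-fields` pair have no visible replacement, so incoming links from the serverless mapped URL will break unless those IDs are attached to the matching headings. Also, the new sentence `In {{serverless-short}}, you can access case settings in an {{elastic-sec}} project, go to **Cases** → **Settings**.` is a run-on; suggest `In {{serverless-short}}, open an {{elastic-sec}} project and go to **Cases** → **Settings**.`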
@@ -39,7 +15,7 @@ To change case closure options, add custom fields, templates, and connectors for ::: ::::{note} -To view and change case settings, you must have the appropriate {{kib}} feature privileges. Refer to [Cases requirements](/solutions/security/investigate/cases-requirements.md). +On {{stack}}, view and change case settings, you must have the appropriate {{kib}} feature privileges. Refer to [Cases requirements](/solutions/security/investigate/cases-requirements.md). :::: @@ -48,7 +24,7 @@ To view and change case settings, you must have the appropriate {{kib}} feature If you close cases in your external incident management system, the cases will remain open in {{elastic-sec}} until you close them manually. -To close cases when they are sent to an external system, select **Automatically close cases when pushing new incident to external system**. +To close cases when they are sent to an external system, select the option to automatically close cases when pushing new incident to external system. ## External incident management systems [cases-ui-integrations] 
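Review bot: the `+` line `On {{stack}}, view and change case settings, you must have the appropriate {{kib}} feature privileges.` has lost its infinitive; it should read `On {{stack}}, to view and change case settings, you must have ...`, and since the Cases requirements page it links to now covers both {{stack}} and {{serverless-short}}, check whether the `On {{stack}}` qualifier is actually wanted. In the second hunk on this line, replacing the bolded checkbox label with `select the option to automatically close cases when pushing new incident to external system` turns UI text into an ungrammatical paraphrase; if the label differs between {{stack}} and {{serverless-short}} say so, otherwise keep the quoted label, or at minimum write `when pushing a new incident to an external system`.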
@@ -66,7 +42,7 @@ You can push {{elastic-sec}} cases to these third-party systems: To push cases, you need to create a connector, which stores the information required to interact with an external system. After you have created a connector, you can set {{elastic-sec}} cases to automatically close when they are sent to external systems. ::::{important} -To create connectors and send cases to external systems, you need the [appropriate license](https://www.elastic.co/subscriptions), and your role needs **All** privileges for the **Action and Connectors** feature. For more information, refer to [Cases requirements](/solutions/security/investigate/cases-requirements.md). +To create connectors and send cases to external systems, ensure you have the appropriate role privileges and [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). For more information, refer to [Cases requirements](/solutions/security/investigate/cases-requirements.md). :::: @@ -154,7 +130,7 @@ If you update or delete templates, existing cases are unaffected. ## Observable types [cases-observable-types] ::::{admonition} Requirements -To use observables, you must have a [Platinum subscription](https://www.elastic.co/pricing) or higher. +Ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). :::: diff --git a/solutions/security/investigate/notes.md b/solutions/security/investigate/notes.md index 579f942d5c..db4341b84d 100644 --- a/solutions/security/investigate/notes.md +++ b/solutions/security/investigate/notes.md 
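Review bot: in the `## Observable types` requirements admonition, replacing `Platinum subscription or higher` with `Ensure you have the appropriate [{{stack}} subscription] ... or [{{serverless-short}} project tier]` removes the only concrete requirement the reader had; the cases-requirements hunk shows the pattern to follow (`Security Analytics Complete [project feature]`), so name the {{stack}} tier and the serverless feature here instead of pointing at the pricing page. The `::::{important}` hunk above it has the same problem and additionally drops `**All** privileges for the **Action and Connectors** feature` in favour of `appropriate role privileges`; the link to Cases requirements does cover it, but keeping the feature name inline costs one clause and saves a click.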
@@ -4,20 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-add-manage-notes.html --- -# Notes - -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/add-manage-notes.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-add-manage-notes.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$manage-notes$$$ - -$$$notes-alerts-events$$$ +# Notes [security-add-manage-notes] Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page. @@ -29,7 +16,7 @@ Configure the `securitySolution:maxUnassociatedNotes` [advanced setting](/soluti ## View and add notes to alerts and events [notes-alerts-events] -Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (![Add note action](../../../images/security-create-note-icon.png "")) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it. +Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (![Add note action](../../../images/security-create-note-icon.png "title =20x20")) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it. After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert. 
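Review bot: this hunk removes `$$$manage-notes$$$` and `$$$notes-alerts-events$$$` from the top of `notes.md`; `notes-alerts-events` survives as the heading ID on `## View and add notes to alerts and events [notes-alerts-events]`, but no heading carrying `[manage-notes]` is visible anywhere in the diff, so confirm the Notes-page heading has that ID before the placeholder goes. Separately, the image title change to `"title =20x20"` is repeated verbatim in this and the `open-manage-cases.md` hunks; confirm that `title` is intended as the literal title attribute and not a placeholder left over from a search-and-replace.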
@@ -64,8 +51,8 @@ Use the **Notes** page to view and interact with all existing notes. To access t * Filter notes by the user who created them or by the object they’re attached to (notes can be attached to alerts, events, or Timelines) * Examine the contents of a note (click the text in the **Note content** column) * Delete one or more notes -* Examine the alert or event that a note is attached to (click the **Expand alert/event details** ![Preview alert or event action](../../../images/security-notes-page-document-details.png "") icon) -* Open the Timeline that the note is attached to (click the **Open saved timeline** ![Open Timeline action](../../../images/security-notes-page-timeline-details.png "") icon) +* Examine the alert or event that a note is attached to (click the **Expand alert/event details** ![Preview alert or event action](../../../images/security-notes-page-document-details.png "title =20x20") icon) +* Open the Timeline that the note is attached to (click the **Open saved timeline** ![Open Timeline action](../../../images/security-notes-page-timeline-details.png "title =20x20") icon) :::{image} ../../../images/security-notes-management-page.png :alt: Notes management page diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index 0882b47fa9..561b7ea565 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md 
@@ -4,36 +4,7 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-cases-open-manage.html --- -# Open and manage cases - -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cases-open-manage.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cases-open-manage.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$cases-ui-open$$$ - -$$$cases-add-files$$$ - -$$$cases-add-observables$$$ - -$$$cases-copy-case-uuid$$$ - -$$$cases-examine-alerts$$$ - -$$$cases-export$$$ - -$$$cases-import$$$ - -$$$cases-lens-visualization$$$ - -$$$cases-manage-comments$$$ - -$$$cases-summary$$$ +# Open and manage cases [security-cases-open-manage] You can create and manage cases using the UI or the [cases API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-cases). @@ -52,7 +23,7 @@ Open a new case to keep track of security issues and share their details with co ::::{tip} - You can insert a Timeline link in the case description by clicking the Timeline icon (![Timeline icon](../../../images/security-add-timeline-button.png "")). + You can insert a Timeline link in the case description by clicking the Timeline icon (![Timeline icon](../../../images/security-add-timeline-button.png "title =20x20")). :::: 4. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary [prerequisites](/solutions/security/investigate/cases-requirements.md). @@ -71,6 +42,7 @@ Open a new case to keep track of security issues and share their details with co :class: screenshot ::: +% This wasn't in the Serverless docs. Might be an ESS-only feature. ## Add email notifications [cases-ui-notifications] 
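Review bot: ten anchors (`cases-ui-open`, `cases-add-files`, `cases-add-observables`, `cases-copy-case-uuid`, `cases-examine-alerts`, `cases-export`, `cases-import`, `cases-lens-visualization`, `cases-manage-comments`, `cases-summary`) are deleted under a comment stating that internal links depend on them; the later hunks in this file show `[cases-add-observables]` and `[cases-export]` as heading IDs and link to `#cases-manage-comments` and `#cases-examine-alerts` from within the page, but the remaining IDs have no visible heading in the diff, so each should be checked against the headings before the placeholders are dropped. The `% This wasn't in the Serverless docs. Might be an ESS-only feature.` comment added ahead of `## Add email notifications` is an open question, not documentation; resolve it (mark the section as {{stack}}-only or confirm it applies to both) rather than landing a TODO in the published source.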
@@ -112,7 +84,7 @@ To explore a case, click on its name. You can then: * [Add and manage comments](/solutions/security/investigate/open-manage-cases.md#cases-manage-comments) ::::{tip} - Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](../../../images/security-markdown-icon.png "")) in the bottom right of the comment. + Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](../../../images/security-markdown-icon.png "title =20x20")) in the bottom right of the comment. :::: * Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case @@ -180,6 +152,13 @@ To upload files to a case, click the **Files** tab: You can set file types and sizes by configuring your [{{kib}} case settings](asciidocalypse://docs/kibana/docs/reference/configuration-reference/cases-settings.md). +% The following note was grabbed from the Serverless docs. Check if this is Serverless only or if it's for both. + +::::{note} +There is a 10 MiB size limit for images. For all other MIME types, the limit is 100 MiB. + +:::: + To download or delete the file, or copy the file hash to your clipboard, open the **Actions** menu (**…**). The available hash functions are MD5, SHA-1, and SHA-256. When you add a file, a comment is added to the case activity log. To view an image, click its name in the activity or file list. 
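Review bot: the new `::::{note}` stating `There is a 10 MiB size limit for images. For all other MIME types, the limit is 100 MiB.` sits directly after `You can set file types and sizes by configuring your [{{kib}} case settings]`, so as written the two sentences contradict each other (configurable vs. fixed); either say these are the defaults that apply when the setting is left unchanged, or, if the `% ... Check if this is Serverless only` comment turns out to be right, scope the note to {{serverless-short}}. Either way that `%` question needs an answer before merge.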
@@ -230,7 +209,7 @@ After a visualization has been added to a case, you can modify or interact with ### Add observables [cases-add-observables] ::::{admonition} Requirements -To use observables, you must have a [Platinum subscription](https://www.elastic.co/pricing) or higher. +Ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). :::: @@ -288,7 +267,7 @@ Before importing Lens visualizations, Timelines, or alerts into a space, ensure ### Export a case [cases-export] -Use the **Export** option to move cases between different Kibana instances. When you export a case, the following data is exported to a newline-delimited JSON (`.ndjson`) file: +Use the **Export** option to move cases between different {{elastic-sec}} instances. When you export a case, the following data is exported to a newline-delimited JSON (`.ndjson`) file: * Case details * User actions @@ -299,7 +278,7 @@ Use the **Export** option to move cases between different Kibana instances. When ::::{note} The following attachments are *not* exported: -* **Case files**: Case files are not exported. However, they are accessible in **{{stack-manage-app}} > Files** to download and re-add. +* **Case files**: Case files are not exported. However, they are accessible from **Files** (find **Files** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md)) to download and re-add. * **Alerts**: Alerts attached to cases are not exported. You must re-add them after importing cases. :::: 
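Review bot: `### Add observables` repeats the generic `Ensure you have the appropriate ... subscription ... or ... project tier` wording that replaces `Platinum subscription or higher`, so the same fix applies: keep the concrete tier. In the `### Export a case` hunk, `move cases between different {{elastic-sec}} instances` narrows the original `Kibana instances`; since export produces an `.ndjson` of saved objects that is brought in through the `Import saved objects` flyout (per the next hunk), `{{kib}} instances` is the accurate term. The reworded case-files bullet is fine in substance, but `accessible from **Files** (find **Files** in the navigation menu ...)` says `Files` three times in one clause; `accessible from the **Files** page (find it in the navigation menu or by using the global search field)` reads cleaner.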
@@ -336,7 +315,7 @@ To import a case: ::::{important} Be mindful of the following: - * If the imported case had connectors attached to it, you’ll be prompted to re-authenticate the connectors. To do so, click **Go to connectors** on the **Import saved objects** flyout and complete the necessary steps. Alternatively, open the main menu, then go to **{{stack-manage-app}} → {{connectors-ui}}** to access connectors. + * If the imported case had connectors attached to it, you’ll be prompted to re-authenticate the connectors. To do so, click **Go to connectors** on the **Import saved objects** flyout and complete the necessary steps. You can also access connectors from the **{{connectors-ui}}** page (find **{{connectors-ui}}** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md)). * If the imported case had attached alerts, verify that the alerts' source documents exist in the environment. Case features that interact with alerts (such as the Alert details flyout and rule details page) rely on the alerts' source documents to function. ::::