diff --git a/solutions/images/security-entity-dashboard.png b/solutions/images/security-entity-dashboard.png deleted file mode 100644 index 56479b9f1e..0000000000 Binary files a/solutions/images/security-entity-dashboard.png and /dev/null differ diff --git a/solutions/images/security-preview-risky-entities.png b/solutions/images/security-preview-risky-entities.png deleted file mode 100644 index ce345d40e4..0000000000 Binary files a/solutions/images/security-preview-risky-entities.png and /dev/null differ diff --git a/solutions/images/security-service-risk-scores.png b/solutions/images/security-service-risk-scores.png new file mode 100644 index 0000000000..1f02905960 Binary files /dev/null and b/solutions/images/security-service-risk-scores.png differ diff --git a/solutions/images/security-user-asset-criticality.png b/solutions/images/security-user-asset-criticality.png deleted file mode 100644 index 72e4e34ca1..0000000000 Binary files a/solutions/images/security-user-asset-criticality.png and /dev/null differ diff --git a/solutions/images/security-user-observed-data.png b/solutions/images/security-user-observed-data.png deleted file mode 100644 index 0f2ec3f9f4..0000000000 Binary files a/solutions/images/security-user-observed-data.png and /dev/null differ diff --git a/solutions/images/security-user-risk-inputs.png b/solutions/images/security-user-risk-inputs.png deleted file mode 100644 index f6ec9c0ce6..0000000000 Binary files a/solutions/images/security-user-risk-inputs.png and /dev/null differ diff --git a/solutions/security/advanced-entity-analytics.md b/solutions/security/advanced-entity-analytics.md index 9773953215..91a62882cb 100644 --- a/solutions/security/advanced-entity-analytics.md +++ b/solutions/security/advanced-entity-analytics.md 
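Review bot: Three of the deleted binaries (`security-user-asset-criticality.png`, `security-user-observed-data.png`, `security-user-risk-inputs.png`) have no matching markdown removal anywhere in this patch. The only image references this patch drops are `security-entity-dashboard.png` and `security-preview-risky-entities.png`; the pages that previously owned the user-details flyout (`solutions/security/explore/users-page.md#user-details-flyout` is being unlinked below) are not touched here, so please grep for the three file names before merging or the build will fail on dangling `:::{image}` directives. Conversely, the new binary `security-service-risk-scores.png` is added but no hunk in this patch references it.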
@@ -10,7 +10,7 @@ applies_to: # Advanced Entity Analytics [advanced-entity-analytics-overview] -Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity’s environment. This feature combines the power of the SIEM detection engine and Elastic’s {{ml}} capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts and users. +Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity’s environment. This feature combines the power of the SIEM detection engine and Elastic’s {{ml}} capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts, users, and services. Advanced Entity Analytics provides two key capabilities: diff --git a/solutions/security/advanced-entity-analytics/asset-criticality.md b/solutions/security/advanced-entity-analytics/asset-criticality.md index 6177d5b85f..afb668bd04 100644 --- a/solutions/security/advanced-entity-analytics/asset-criticality.md +++ b/solutions/security/advanced-entity-analytics/asset-criticality.md 
@@ -48,14 +48,14 @@ You can view, assign, change, or unassign asset criticality from the following p :screenshot: ::: -* The [host details flyout](../explore/hosts-page.md#host-details-flyout) and [user details flyout](../explore/users-page.md#user-details-flyout): +* The [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout): :::{image} /solutions/images/security-assign-asset-criticality-host-flyout.png :alt: Assign asset criticality from the host details flyout :screenshot: ::: -* The host details flyout and user details flyout in [Timeline](../investigate/timeline.md): +* The entity details flyout in [Timeline](../investigate/timeline.md): :::{image} /solutions/images/security-assign-asset-criticality-timeline.png :alt: Assign asset criticality from the host details flyout in Timeline @@ -77,8 +77,8 @@ You can bulk assign asset criticality to multiple entities by importing a CSV, T The file must contain three columns, with each entity record listed on a separate row: -1. The first column should indicate whether the entity is a `host` or a `user`. -2. The second column should specify the entity’s `host.name` or `user.name`. +1. The first column should indicate whether the entity is a `host`, `user`, or `service`. +2. The second column should specify the entity’s `host.name`, `user.name`, or `service.name`. 3. The third column should specify one of the following asset criticality levels: * `extreme_impact` @@ -95,6 +95,7 @@ File structure example: user,user-001,low_impact user,user-002,medium_impact host,host-001,extreme_impact +service,service-001,extreme_impact ``` To import a file: 
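Review bot: In the `@@ -48` hunk the bullet text is renamed to "entity details flyout" but the two image directives that follow keep `:alt: Assign asset criticality from the host details flyout` and `:alt: Assign asset criticality from the host details flyout in Timeline`; update the alt text in the same pass so it matches the surrounding prose. The same hunk also switches the link style from relative (`../explore/hosts-page.md`) to absolute (`/solutions/security/advanced-entity-analytics/view-entity-details.md`) while the neighbouring `../investigate/timeline.md` link stays relative; either form builds, but pick one per file.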
@@ -134,7 +135,7 @@ The risk scoring engine dynamically factors in an entity’s asset criticality, To view the impact of asset criticality on an entity’s risk score, follow these steps: -1. Open the [host details flyout](../explore/hosts-page.md#host-details-flyout) or [user details flyout](../explore/users-page.md#user-details-flyout). The risk summary section shows asset criticality’s contribution to the overall risk score. +1. Open the [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout). The risk summary section shows asset criticality’s contribution to the overall risk score. 2. Click **View risk contributions** to open the flyout’s left panel. 3. In the **Risk contributions** section, verify the entity’s criticality level from the time the alert was generated. diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md index 1d46a6dadb..bd2f12c8f2 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md 
@@ -58,7 +58,7 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v ### Known limitations [_known_limitations] -* The risk scoring engine uses an internal user role to score all hosts and users, and doesn’t respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {{kib}} space, all alerts in the space will contribute to host and user risk scores. +* The risk scoring engine uses an internal user role to score all hosts, users, and services, and doesn’t respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {{kib}} space, all alerts in the space will contribute to host, user, and service risk scores. * You cannot customize alert data views or risk weights associated with alerts and asset criticality levels. diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md index 9d76a31565..47f9e688da 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md 
@@ -12,7 +12,7 @@ applies_to: Entity risk scoring is an advanced {{elastic-sec}} analytics feature that helps security analysts detect changes in an entity’s risk posture, hunt for new threats, and prioritize incident response. -Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days. +Entity risk scoring allows you to monitor risk score changes of hosts, users, and services in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host, user, and service risk scores from the last 30 days. It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {{elastic-sec}} use cases, and allows you to customize and control how and when risk is calculated. 
@@ -43,7 +43,7 @@ Entities without any alerts, or with only `Closed` alerts, are not assigned a ri When [turning on the risk engine](turn-on-risk-scoring-engine.md), you can choose to also include `Closed` alerts in risk scoring calculations. :::: -2. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](/solutions/security/explore/hosts-page.md#host-risk-summary). +2. The engine groups alerts by `host.name`, `user.name`, or `service.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-risk-summary). 3. The engine then verifies the entity’s [asset criticality level](asset-criticality.md). If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity’s risk summary. | Asset criticality level | Default risk weight | diff --git a/solutions/security/advanced-entity-analytics/entity-store.md b/solutions/security/advanced-entity-analytics/entity-store.md index a45ecae605..e3e6fbc277 100644 --- a/solutions/security/advanced-entity-analytics/entity-store.md +++ b/solutions/security/advanced-entity-analytics/entity-store.md 
@@ -26,11 +26,11 @@ The entity store allows you to query, reconcile, maintain, and persist entity me The entity store can hold any entity type observed by {{elastic-sec}}. It allows you to view and query select entities represented in your indices without needing to perform real-time searches of observable data. The entity store extracts entities from all indices in the {{elastic-sec}} [default data view](../get-started/data-views-elastic-security.md#default-data-view-security). -When the entity store is enabled, the following resources are generated for each entity type (hosts and users): +When the entity store is enabled, the following resources are generated for each entity type (hosts, users, and services): * {{es}} resources, such as transforms, ingest pipelines, and enrich policies. * Data and fields for each entity. -* The `.entities.v1.latest.security_user_` and `.entities.v1.latest.security_host_` indices, which contain field mappings for hosts and users respectively. You can query these indices to see a list of fields that are mapped in the entity store. +* The `.entities.v1.latest.security_user_`, `.entities.v1.latest.security_host_`, and `.entities.v1.latest.security_services_` indices, which contain field mappings for hosts, users, and services respectively. You can query these indices to see a list of fields that are mapped in the entity store. ## Enable entity store [enable-entity-store] 
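Review bot: The new index name `.entities.v1.latest.security_services_` is plural while the two existing names on the same line are singular (`security_user_`, `security_host_`). If the entity store derives the index from the entity type as `security_<type>_<namespace>`, the service index would be `.entities.v1.latest.security_service_`; please confirm the actual index name against a running stack before this ships, since readers are told to query it directly.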
@@ -45,12 +45,12 @@ Once you enable the entity store, the Entity Analytics dashboard displays the [* ## Clear entity store data [clear-entity-store] -Once the entity store is enabled, you may want to clear the stored data and start fresh. For example, if you normalized the `user.name` or `host.name` fields, clearing the entity store data would allow you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis. +Once the entity store is enabled, you may want to clear the stored data and start fresh. For example, if you normalized the `user.name`, `host.name`, or `service.name` fields, clearing the entity store data would allow you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis. Clearing entity store data does not delete your source data, assigned entity risk scores, or asset criticality assignments. ::::{warning} -Clearing entity store data permanently deletes persisted user and host records, and data is no longer available for analysis. Proceed with caution, as this cannot be undone. +Clearing entity store data permanently deletes persisted user, host, and service records, and data is no longer available for analysis. Proceed with caution, as this cannot be undone. :::: 
@@ -58,3 +58,8 @@ To clear entity data: 1. Find **Entity Store** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 2. On the **Entity Store** page, select **Clear**. + + +## Verify engine status + +Once the entity store is enabled, the **Entity Store** page displays the **Engine Status** tab, where you can verify which engines are installed and their statuses. This tab shows a list of installed resources for each installed entity. Click the resource link to navigate to the resource page and view more information. diff --git a/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md b/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md index 30c872e76a..31cee8e07b 100644 --- a/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md +++ b/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md @@ -18,7 +18,7 @@ To use entity risk scoring, your role must have the appropriate user role or pri ## Preview risky entities [_preview_risky_entities] -You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker. +You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts, users, and services found in the 1000 sampled entities during the time frame selected in the date picker. ::::{note} The preview is limited to two risk scores per {{kib}} instance or serverless project. 
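Review bot: The new `## Verify engine status` heading has no explicit anchor, unlike every other heading in this file (`## Clear entity store data [clear-entity-store]`, `## Enable entity store [enable-entity-store]`); add `[verify-engine-status]` to keep the convention and make the section linkable. The sentence "This tab shows a list of installed resources for each installed entity" reads oddly (the resources belong to an engine, not to an entity); "for each installed entity engine" or "for each entity type" would be clearer. Also, the hunk adds two blank lines before the heading where the rest of the file uses one.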
@@ -27,11 +27,6 @@ The preview is limited to two risk scores per {{kib}} instance or serverless pro To preview risky entities, find **Entity Risk Score** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -:::{image} /solutions/images/security-preview-risky-entities.png -:alt: Preview of risky entities -:screenshot: -::: - ## Turn on the latest risk engine [_turn_on_the_latest_risk_engine] diff --git a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md index 5d55a84d00..cf0f5455e9 100644 --- a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md +++ b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md @@ -17,7 +17,7 @@ The {{security-app}} provides several options to monitor the change in the risk * [Alert details flyout](#alert-details-flyout) * [Hosts and Users pages](#hosts-users-pages) * [Host and user details pages](#host-user-details-pages) -* [Host and user details flyouts](#host-and-user-details-flyouts) +* [Entity details flyouts](#entity-details-flyouts) ::::{tip} We recommend that you prioritize [alert triaging](#alert-triaging) to identify anomalies or abnormal behavior patterns. 
@@ -29,12 +29,7 @@ We recommend that you prioritize [alert triaging](#alert-triaging) to identify a From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page. -If you have enabled the [entity store](entity-store.md), the dashboard also displays the [**Entities** section](../dashboards/entity-analytics-dashboard.md#entity-entities), where you can view all hosts and users along with their risk and asset criticality data. - -:::{image} /solutions/images/security-entity-dashboard.png -:alt: Entity Analytics dashboard -:screenshot: -::: +If you have enabled the [entity store](entity-store.md), the dashboard also displays the [**Entities** section](../dashboards/entity-analytics-dashboard.md#entity-entities), where you can view all hosts, users, and services along with their risk and asset criticality data. ## Alert triaging [alert-triaging] 
@@ -46,15 +41,15 @@ You can prioritize alert triaging to analyze alerts associated with risky or bus Use the Alerts table to investigate and analyze: -* Host and user risk levels -* Host and user risk scores +* Host, user, and service risk levels +* Host, user, and service risk scores * Asset criticality To display entity risk score and asset criticality data in the Alerts table, select **Fields**, and add the following: -* `user.risk.calculated_level` or `host.risk.calculated_level` -* `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm` -* `user.asset.criticality` or `host.asset.criticality` +* `user.risk.calculated_level`, `host.risk.calculated_level`, or `service.risk.calculated_level` +* `user.risk.calculated_score_norm`, `host.risk.calculated_score_norm`, or `service.risk.calculated_score_norm` +* `user.asset.criticality`, `host.asset.criticality`, or `service.asset.criticality` Learn more about [customizing the Alerts table](../detect-and-alert/manage-detection-alerts.md#customize-the-alerts-table). 
@@ -75,14 +70,14 @@ If you change the entity’s criticality level after an alert is generated, that * Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, [edit the default controls](../detect-and-alert/manage-detection-alerts.md#drop-down-filter-controls) to filter by: - * `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level: + * `user.risk.calculated_level`, `host.risk.calculated_level`, or `service.risk.calculated_level` for entity risk level: :::{image} /solutions/images/security-filter-by-host-risk-level.png :alt: Alerts filtered by high host risk level :screenshot: ::: - * `user.asset.criticality` or `host.asset.criticality` for asset criticality level: + * `user.asset.criticality`, `host.asset.criticality`, or `service.asset.criticality` for asset criticality level: :::{image} /solutions/images/security-filter-by-asset-criticality.png :alt: Filter alerts by asset criticality level @@ -91,14 +86,14 @@ If you change the entity’s criticality level after an alert is generated, that * To group alerts by entity risk level or asset criticality level, select **Group alerts by**, then select **Custom field** and search for: - * `host.risk.calculated_level` or `user.risk.calculated_level` for entity risk level: + * `host.risk.calculated_level`, `user.risk.calculated_level`, or `service.risk.calculated_level` for entity risk level: :::{image} /solutions/images/security-group-by-host-risk-level.png :alt: Alerts grouped by host risk levels :screenshot: ::: - * `host.asset.criticality` or `user.asset.criticality` for asset criticality level: + * `host.asset.criticality`, `user.asset.criticality`, or `service.asset.criticality` for asset criticality level: :::{image} /solutions/images/security-group-by-asset-criticality.png :alt: Alerts grouped by entity asset criticality levels 
@@ -111,7 +106,7 @@ If you change the entity’s criticality level after an alert is generated, that 2. Select **Sort fields** → **Pick fields to sort by**. 3. Select fields in the following order: - 1. `host.risk.calculated_score_norm` or `user.risk.calculated_score_norm`: **High-Low** + 1. `host.risk.calculated_score_norm`, `user.risk.calculated_score_norm` or `service.risk.calculated_score_norm`: **High-Low** 2. `Risk score`: **High-Low** 3. `@timestamp`: **New-Old** @@ -173,9 +168,9 @@ On the host details and user details pages, you can access the risk score data: -### Host and user details flyouts [host-and-user-details-flyouts] +### Entity details flyouts [entity-details-flyouts] -In the host details and user details flyouts, you can access the risk score data in the risk summary section: +In the entity details flyouts, you can access the risk score data in the risk summary section: :::{image} /solutions/images/security-risk-summary.png :alt: Host risk data in the Host risk summary section diff --git a/solutions/security/advanced-entity-analytics/view-entity-details.md b/solutions/security/advanced-entity-analytics/view-entity-details.md new file mode 100644 index 0000000000..08fac00af9 --- /dev/null +++ b/solutions/security/advanced-entity-analytics/view-entity-details.md 
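Review bot: In the `@@ -111` hunk the list `host.risk.calculated_score_norm`, `user.risk.calculated_score_norm` or `service.risk.calculated_score_norm` drops the serial comma that every other three-field list in this patch uses (`..., or service.asset.criticality`); add it for consistency. In the `@@ -173` hunk the anchor changes from `[host-and-user-details-flyouts]` to `[entity-details-flyouts]`; the in-page link at `@@ -17` is updated, but any other page linking to `#host-and-user-details-flyouts` will break, so a repository-wide grep for the old id is worth doing.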
@@ -0,0 +1,80 @@ +--- +applies_to: + stack: all + serverless: + security: all +--- + +# View entity details + +You can lean more about an entity (host, user, or service) from the entity details flyout, which is available throughout the {{elastic-sec}} app. To access this flyout, click on an entity name in places such as: + +* The Alerts table +* The Entity Analytics dashboard +* The **Users** and user details pages +* The **Hosts** and host details pages + +## Entity details flyout + +The entity details flyout includes the following sections: + +* [Entity risk summary](#entity-risk-summary), which displays entity risk data and inputs. +* [Asset Criticality](#asset-criticality), which allows you to view and assign asset criticality. +* [Insights](#insights), which displays vulnerabilities or misconfiguration findings for the entity. +* [Observed data](#observed-data), which displays entity details. + +:::{image} /solutions/images/security-host-details-flyout.png +:alt: Host details flyout +:screenshot: +::: + +### Entity risk summary + +::::{admonition} Requirements +The entity risk summary section is only available if the [risk scoring engine is turned on](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). +:::: + +The entity risk summary section contains a risk summary visualization and table. + +The risk summary visualization shows the entity risk score and risk level. Hover over the visualization to display the **Options** menu. Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. + +The risk summary table shows the category, score, and number of risk inputs that determine the entity risk score. Hover over the table to display the **Inspect** button, which allows you to inspect the table's queries. + +To expand the entity risk summary section, click **View risk contributions**. 
The left panel displays additional details about the entity's risk inputs: + +* The asset criticality level and contribution score from the latest risk scoring calculation. +* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert's contribution score. + +If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. + +:::{image} /solutions/images/security-host-risk-inputs.png +:alt: Host risk inputs +:screenshot: +::: + +### Asset Criticality + +The **Asset Criticality** section displays the selected entity's [asset criticality level](/solutions/security/advanced-entity-analytics/asset-criticality.md). Asset criticality contributes to the overall [entity risk score](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). The criticality level defines how impactful the entity is when calculating the risk score. + +:::{image} /solutions/images/security-host-asset-criticality.png +:alt: Asset criticality +:screenshot: +::: + +Click **Assign** to assign a criticality level to the selected entity, or **Change** to change the currently assigned criticality level. + +### Insights + +The **Insights** section displays [Vulnerabilities Findings](/solutions/security/cloud/findings-page-3.md) for the host or [Misconfiguration Findings](/solutions/security/cloud/findings-page.md) for the user. Click **Vulnerabilities** or **Misconfigurations** to expand the flyout and view this data. + +:::{image} /solutions/images/security--host-details-insights-expanded.png +:alt: Host details flyout with the Vulnerabilities section expanded +::: + +### Observed data + +This section displays details such as the entity ID, when the entity was first and last seen, and the associated IP addresses and operating system. 
+:::{image} /solutions/images/security-host-observed-data.png +:alt: Host observed data +:screenshot: +::: \ No newline at end of file diff --git a/solutions/security/ai/attack-discovery.md b/solutions/security/ai/attack-discovery.md index 9b4d57d86b..a33ab521df 100644 --- a/solutions/security/ai/attack-discovery.md +++ b/solutions/security/ai/attack-discovery.md @@ -91,7 +91,7 @@ Each discovery includes the following information describing the potential threa There are several ways you can incorporate discoveries into your {{elastic-sec}} workflows: -* Click an entity’s name to open the user or host details flyout and view more details that may be relevant to your investigation. +* Click an entity’s name to open the entity details flyout and view more details that may be relevant to your investigation. * Hover over an entity’s name to either add the entity to Timeline (![Add to timeline icon](/solutions/images/security-icon-add-to-timeline.png "title=70%")) or copy its field name and value to the clipboard (![Copy to clipboard icon](/solutions/images/security-icon-copy.png "title=70%")). * Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a [case](/solutions/security/investigate/cases.md). This makes it easy to share the information with your team and other stakeholders. * Click **Investigate in timeline** to explore the discovery in [Timeline](/solutions/security/investigate/timeline.md). diff --git a/solutions/security/cloud/ingest-aws-security-hub-data.md b/solutions/security/cloud/ingest-aws-security-hub-data.md index a7bc0f40a4..7eccb67302 100644 --- a/solutions/security/cloud/ingest-aws-security-hub-data.md +++ b/solutions/security/cloud/ingest-aws-security-hub-data.md 
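Review bot: The new `view-entity-details.md` is linked from six other files as `#entity-details-flyout` and `#entity-risk-summary`, but none of its headings carry the explicit `[id]` suffix used everywhere else in this docs set (`## Entity details flyout` and `### Entity risk summary` rely on auto-generated slugs). Add `[entity-details-flyout]`, `[entity-risk-summary]`, `[asset-criticality]`, `[insights]` and `[observed-data]` so the cross-page links do not depend on slug generation. Also in this file: "You can lean more about an entity" should be "learn"; the Insights image path `security--host-details-insights-expanded.png` has a double hyphen that no other image name uses and its directive is the only one without `:screenshot:`; and the file is committed with "\ No newline at end of file".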
@@ -23,4 +23,6 @@ In order to enrich your {{elastic-sec}} workflows with third-party cloud securit After you’ve completed these steps, AWS Security Hub data will appear on the Misconfigurations tab of the [Findings](/solutions/security/cloud/findings-page.md) page. -Any available findings data will also appear in the entity details flyouts for related [alerts](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. +Any available findings data will also appear in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) for related alerts. If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout). + + \ No newline at end of file diff --git a/solutions/security/cloud/ingest-third-party-cloud-security-data.md b/solutions/security/cloud/ingest-third-party-cloud-security-data.md index 9630a3e34a..dc5bc5fb07 100644 --- a/solutions/security/cloud/ingest-third-party-cloud-security-data.md +++ b/solutions/security/cloud/ingest-third-party-cloud-security-data.md 
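Review bot: The hunk adds two lines consisting only of a leading `+` (blank or whitespace-only) and leaves the file with "\ No newline at end of file"; drop the trailing blank lines and terminate the file with a single newline, as the sibling `ingest-third-party-cloud-security-data.md` hunk below is doing in the opposite direction.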
@@ -24,11 +24,7 @@ You can ingest third-party cloud security alerts into {{elastic-sec}} to view th ## Ingest third-party security posture and vulnerability data [_ingest_third_party_security_posture_and_vulnerability_data] -You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](/solutions/security/cloud/findings-page.md) page, on the [Cloud Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md), and in the entity details flyouts for [alerts](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section), [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout). +You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](/solutions/security/cloud/findings-page.md) page, on the [Cloud Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md), and in the [entity details](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout) and [alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) flyouts. * Learn to [ingest cloud security posture data from AWS Security Hub](/solutions/security/cloud/ingest-aws-security-hub-data.md). * Learn to [ingest cloud security posture and vulnerability data from Wiz](/solutions/security/cloud/ingest-wiz-data.md). - - - - diff --git a/solutions/security/cloud/ingest-wiz-data.md b/solutions/security/cloud/ingest-wiz-data.md index 4691f80ac5..7f655f7436 100644 --- a/solutions/security/cloud/ingest-wiz-data.md 
+++ b/solutions/security/cloud/ingest-wiz-data.md @@ -31,4 +31,4 @@ After you’ve completed these steps, Wiz data will appear on the [Misconfiguati :alt: Wiz data on the Findings page ::: -Any available findings data will also appear in the entity details flyouts for related [alerts](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. +Any available findings data will also appear in the [Insights section](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section) for related alerts. If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout). diff --git a/solutions/security/dashboards/entity-analytics-dashboard.md b/solutions/security/dashboards/entity-analytics-dashboard.md index c7d4c846a1..a0cb045585 100644 --- a/solutions/security/dashboards/entity-analytics-dashboard.md +++ b/solutions/security/dashboards/entity-analytics-dashboard.md 
@@ -20,16 +20,12 @@ In {{stack}}, a [Platinum subscription](https://www.elastic.co/pricing/) or high The dashboard includes the following sections: -* [Entity KPIs (key performance indicators)](/solutions/security/dashboards/entity-analytics-dashboard.md#entity-kpis) -* [User Risk Scores](/solutions/security/dashboards/entity-analytics-dashboard.md#entity-user-risk-scores) -* [Host Risk Scores](/solutions/security/dashboards/entity-analytics-dashboard.md#entity-host-risk-scores) -* [Entities](/solutions/security/dashboards/entity-analytics-dashboard.md#entity-entities) -* [Anomalies](/solutions/security/dashboards/entity-analytics-dashboard.md#entity-anomalies) - -:::{image} /solutions/images/security-entity-dashboard.png -:alt: Entity dashboard -:screenshot: -::: +* [Entity KPIs (key performance indicators)](#entity-kpis) +* [User Risk Scores](#entity-user-risk-scores) +* [Host Risk Scores](#entity-host-risk-scores) +* [Service Risk Scores](#service-risk-scores) +* [Entities](#entity-entities) +* [Anomalies](#entity-anomalies) ## Entity KPIs (key performance indicators) [entity-kpis] 
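Review bot: The new list item `[Service Risk Scores](#service-risk-scores)` points at an anchor that no hunk in this patch defines; the visible hunks for this file only touch the `@@ -55` (user) and `@@ -80` (host) sections, so either the `## Service Risk Scores` section is missing from the patch or it needs to be added, along with a reference to the newly committed `security-service-risk-scores.png`. The id is also out of step with its siblings (`entity-user-risk-scores`, `entity-host-risk-scores`, `entity-entities`, `entity-anomalies`); `entity-service-risk-scores` would match.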
@@ -55,7 +51,7 @@ Displays user risk score data for your environment, including the total number o Interact with the table to filter data, view more details, and take action: * Select the **User risk level** menu to filter the chart by the selected level. -* Click a user name link to open the user details flyout. +* Click a user name link to open the entity details flyout. * Hover over a user name link to display inline actions: **Add to timeline**, which adds the selected value to Timeline, and **Copy to Clipboard**, which copies the user name value for you to paste later. * Click **View all** in the upper-right to display all user risk information on the Users page. * Click the number link in the **Alerts** column to view the alerts on the Alerts page. Hover over the number and select **Investigate in timeline** (![Investigate in timeline icon](/solutions/images/security-timeline-button-osquery.png "title =20x20")) to launch Timeline with a query that includes the associated user name value. 
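Review bot: `* Click a user name link to open the entity details flyout.` mentions the flyout without linking it, whereas the other files touched in this patch link to `/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout`; add the same link here (and in the identical host bullet in the next hunk) so readers of the dashboard page can reach the new reference.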
@@ -80,7 +76,7 @@ Displays host risk score data for your environment, including the total number o Interact with the table to filter data, view more details, and take action: * Select the **Host risk level** menu to filter the chart by the selected level. -* Click a host name link to open the host details flyout. +* Click a host name link to open the entity details flyout. * Hover over a host name link to display inline actions: **Add to timeline**, which adds the selected value to Timeline, and **Copy to Clipboard**, which copies the host name value for you to paste later. * Click **View all** in the upper-right to display all host risk information on the Hosts page. * Click the number link in the **Alerts** column to view the alerts on the Alerts page. Hover over the number and select **Investigate in timeline** (![Investigate in timeline icon](/solutions/images/security-timeline-button-osquery.png "title =20x20")) to launch Timeline with a query that includes the associated host name value. 
@@ -88,6 +84,30 @@ Interact with the table to filter data, view more details, and take action: For more information about host risk scores, refer to [Entity risk scoring](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). +## Service Risk Scores + +::::{admonition} Requirements +To display service risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). +:::: + +Displays service risk score data for your environment, including the total number of services, and the five most recently recorded service risk scores, with their associated service names, risk data, and number of detection alerts. Service risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). + +:::{image} /solutions/images/security-service-risk-scores.png +:alt: Service risk scores table +:screenshot: +::: + + +Interact with the table to filter data, view more details, and take action: + +* Select the **Service risk level** menu to filter the chart by the selected level. +* Click a service name link to open the service details flyout. +* Hover over a service name link to display inline actions: **Add to timeline**, which adds the selected value to Timeline, and **Copy to Clipboard**, which copies the service name value for you to paste later. +* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select **Investigate in timeline** (![Investigate in timeline icon](/solutions/images/security-timeline-button-osquery.png "title =20x20")) to launch Timeline with a query that includes the associated service name value. + +For more information about service risk scores, refer to [Entity risk scoring](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). + + ## Entities [entity-entities] 
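Review bot: `* Click a service name link to open the service details flyout.` contradicts the rest of this patch, which renames the user and host flyouts to "entity details flyout"; change it to "entity details flyout" (linked to view-entity-details.md) unless services really open a separate flyout. Two smaller consistency points in the same block: `*Alerts*` uses single-asterisk italics where the user and host sections use `**Alerts**`, and the new heading has no explicit `[service-risk-scores]` id even though the section list earlier in the file links to `#service-risk-scores`. The absence of a "View all" bullet is fine if there is no Services page, but the double blank lines before "Interact with the table" and after the closing sentence should be collapsed to match the surrounding sections.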
@@ -96,14 +116,14 @@ To display the **Entities** section, you must [enable the entity store](/solutio :::: -The **Entities** section provides a centralized view of all hosts and users in your environment. It displays entities from the [entity store](/solutions/security/advanced-entity-analytics/entity-store.md), which meet any of the following criteria: +The **Entities** section provides a centralized view of all hosts, users, and services in your environment. It displays entities from the [entity store](/solutions/security/advanced-entity-analytics/entity-store.md), which meet any of the following criteria: * Have been observed by {{elastic-sec}} * Have an asset criticality assignment * Have been added to {{elastic-sec}} through an integration, such Active Directory or Okta ::::{note} -The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_` and `.entities.v1.latest.security_host_` indices to see all the fields for each entity in the entity store. +The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_`, `.entities.v1.latest.security_host_`, and `.entities.v1.latest.security_service_` indices to see all the fields for each entity in the entity store. :::: 
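Review bot: the unchanged context line `* Have been added to {{elastic-sec}} through an integration, such Active Directory or Okta` is missing "as" ("such as Active Directory or Okta"); since this hunk already rewrites the surrounding paragraph, fixing it here is cheap. The extended note correctly lists `.entities.v1.latest.security_service_` alongside the user and host indices, which matches the new service entity type.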
@@ -121,7 +141,7 @@ Entity data from different sources appears in the **Entities** section based on Interact with the table to filter data and view more details: -* Select the **Risk level** dropdown to filter the table by the selected user or host risk level. +* Select the **Risk level** dropdown to filter the table by the selected user, host, or service risk level. * Select the **Criticality** dropdown to filter the table by the selected asset criticality level. * Select the **Source** dropdown to filter the table by the data source. * Click the **View details** icon (![View details icon](/solutions/images/security-view-details-icon.png "title =20x20")) to open the entity details flyout. diff --git a/solutions/security/detect-and-alert/manage-detection-alerts.md b/solutions/security/detect-and-alert/manage-detection-alerts.md index 46810b7be6..dcc6d47ff7 100644 --- a/solutions/security/detect-and-alert/manage-detection-alerts.md +++ b/solutions/security/detect-and-alert/manage-detection-alerts.md 
@@ -30,7 +30,7 @@ The Alerts page offers various ways for you to organize and triage detection ale ::: * View the rule that created an alert. Click a name in the **Rule** column to open the rule’s details. -* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the [host details flyout](/solutions/security/explore/hosts-page.md#host-details-flyout), or a user name to open the [user details flyout](/solutions/security/explore/users-page.md#user-details-flyout). +* View the details of the entity associated with the alert. In the Alerts table, click an entity name to open the [entity details flyout](/solutions/security/advanced-entity-analytics/view-entity-details.md#entity-details-flyout). * Filter for a specific rule in the KQL bar (for example, `kibana.alert.rule.name :"SSH (Secure Shell) from the Internet"`). KQL autocomplete is available for `.alerts-security.alerts-*` indices. * Use the date and time filter to define a specific time range. By default, this filter is set to search the last 24 hours. * Use the drop-down filter controls to filter alerts by up to four fields. By default, you can filter alerts by **Status**, **Severity**, **User**, and **Host**, and you can [edit the controls](/solutions/security/detect-and-alert/manage-detection-alerts.md#drop-down-filter-controls) to use other fields. diff --git a/solutions/security/explore/hosts-page.md b/solutions/security/explore/hosts-page.md index 8aea5bb79f..bd8f099811 100644 --- a/solutions/security/explore/hosts-page.md +++ b/solutions/security/explore/hosts-page.md 
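Review bot: `click an entity name to open the [entity details flyout]` is less precise than the line it replaces, which named host and user names as the clickable values; state which entity types (host, user, and, if applicable, service) are clickable in the Alerts table, especially since the unchanged bullet two lines below still lists only **User** and **Host** as default filter controls.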
@@ -65,84 +65,3 @@ The host details page includes the following sections: :screenshot: ::: - -## Host details flyout [host-details-flyout] - -In addition to the host details page, relevant host information is also available in the host details flyout throughout the {{elastic-sec}} app. You can access this flyout from the following places: - -* The Alerts page, by clicking on a host name in the Alerts table -* The Entity Analytics dashboard, by clicking on a host name in the Host Risk Scores table -* The **Events** tab on the Users and user details pages, by clicking on a host name in the Events table -* The **User risk** tab on the user details page, by clicking on a host name in the Top risk score contributors table -* The **Events** tab on the Hosts and host details pages, by clicking on a host name in the Events table -* The **Host risk** tab on the host details page, by clicking on a host name in the Top risk score contributors table - -The host details flyout includes the following sections: - -* [Host risk summary](/solutions/security/explore/hosts-page.md#host-risk-summary), which displays host risk data and inputs. -* [Asset Criticality](/solutions/security/explore/hosts-page.md#host-asset-criticality-section), which allows you to view and assign asset criticality. -* [Insights](/solutions/security/explore/hosts-page.md#host-details-insights), which displays vulnerabilities findings for the host. -* [Observed data](/solutions/security/explore/hosts-page.md#host-observed-data), which displays host details. - -:::{image} /solutions/images/security-host-details-flyout.png -:alt: Host details flyout -:screenshot: -::: - - -### Host risk summary [host-risk-summary] - -::::{admonition} Requirements -The **Host risk summary** section is only available if the [risk scoring engine is turned on](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). - -:::: - - -The **Host risk summary** section contains a risk summary visualization and table. 
- -The risk summary visualization shows the host risk score and host risk level. Hover over the visualization to display the **Options** menu. Use this menu to inspect the visualization’s queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. - -The risk summary table shows the category, score, and number of risk inputs that determine the host risk score. Hover over the table to display the **Inspect** button, which allows you to inspect the table’s queries. - -To expand the **Host risk summary** section, click **View risk contributions**. The left panel displays additional details about the host’s risk inputs: - -* The asset criticality level and contribution score from the latest risk scoring calculation. -* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert’s contribution score. - -If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. - -:::{image} /solutions/images/security-host-risk-inputs.png -:alt: Host risk inputs -:screenshot: -::: - - -### Asset Criticality [host-asset-criticality-section] - -The **Asset Criticality** section displays the selected host’s [asset criticality level](/solutions/security/advanced-entity-analytics/asset-criticality.md). Asset criticality contributes to the overall [host risk score](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). The criticality level defines how impactful the host is when calculating the risk score. - -:::{image} /solutions/images/security-host-asset-criticality.png -:alt: Asset criticality -:screenshot: -::: - -Click **Assign** to assign a criticality level to the selected host, or **Change** to change the currently assigned criticality level. 
- - -### Insights [host-details-insights] - -The **Insights** section displays [Vulnerabilities Findings](/solutions/security/cloud/findings-page-3.md) for the host. Click **Vulnerabilities** to expand the flyout and view this data. - -:::{image} /solutions/images/security--host-details-insights-expanded.png -:alt: Host details flyout with the Vulnerabilities section expanded -::: - - -### Observed data [host-observed-data] - -This section displays details such as the host ID, when the host was first and last seen, the associated IP addresses and operating system, and the relevant Endpoint integration policy information. - -:::{image} /solutions/images/security-host-observed-data.png -:alt: Host observed data -:screenshot: -::: diff --git a/solutions/security/explore/users-page.md b/solutions/security/explore/users-page.md index 2f98aefe95..55a5245e78 100644 --- a/solutions/security/explore/users-page.md +++ b/solutions/security/explore/users-page.md 
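Review bot: deleting this section removes the anchors `host-details-flyout`, `host-risk-summary`, `host-asset-criticality-section`, `host-details-insights` and `host-observed-data`; this patch updates the inbound links in `ingest-wiz-data.md` and `manage-detection-alerts.md`, but a repository-wide search for `hosts-page.md#host-` should confirm no other page still points at them. The five screenshots the section referenced (`security-host-details-flyout.png`, `security-host-risk-inputs.png`, `security-host-asset-criticality.png`, `security--host-details-insights-expanded.png`, `security-host-observed-data.png`) are not deleted in the visible diff, so either remove them too or confirm they are still used elsewhere. The same applies to the users-page deletion that follows.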
@@ -59,80 +59,3 @@ The user details page includes the following sections: :screenshot: ::: - -## User details flyout [user-details-flyout] - -In addition to the user details page, relevant user information is also available in the user details flyout throughout the {{elastic-sec}} app. You can access this flyout from the following places: - -* The Alerts page, by clicking on a user name in the Alerts table -* The Entity Analytics dashboard, by clicking on a user name in the User Risk Scores table -* The **Events** tab on the Users and user details pages, by clicking on a user name in the Events table -* The **User risk** tab on the user details page, by clicking on a user name in the Top risk score contributors table -* The **Events** tab on the Hosts and host details pages, by clicking on a user name in the Events table -* The **Host risk** tab on the host details page, by clicking on a user name in the Top risk score contributors table - -The user details flyout includes the following sections: - -* [User risk summary](/solutions/security/explore/users-page.md#user-risk-summary), which displays user risk data and inputs. -* [Asset Criticality](/solutions/security/explore/users-page.md#user-asset-criticality-section), which allows you to view and assign asset criticality. -* [Insights](/solutions/security/explore/users-page.md#user-insights), which displays misconfiguration findings for the user. -* [Observed data](/solutions/security/explore/users-page.md#user-observed-data), which displays user details. - -:::{image} /solutions/images/security-user-details-flyout.png -:alt: User details flyout -:screenshot: -::: - - -### User risk summary [user-risk-summary] - -::::{admonition} Requirements -The **User risk summary** section is only available if the [risk scoring engine is turned on](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). - -:::: - - -The **User risk summary** section contains a risk summary visualization and table. 
- -The risk summary visualization shows the user risk score and user risk level. Hover over the visualization to display the **Options** menu. Use this menu to inspect the visualization’s queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. - -The risk summary table shows the category, score, and number of risk inputs that determine the user risk score. Hover over the table to display the **Inspect** button, which allows you to inspect the table’s queries. - -To expand the **User risk summary** section, click **View risk contributions**. The left panel displays additional details about the user’s risk inputs: - -* The asset criticality level and contribution score from the latest risk scoring calculation. -* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert’s contribution score. - -If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. - -:::{image} /solutions/images/security-user-risk-inputs.png -:alt: User risk inputs -:screenshot: -::: - - -### Asset Criticality [user-asset-criticality-section] - -The **Asset Criticality** section displays the selected user’s [asset criticality level](/solutions/security/advanced-entity-analytics/asset-criticality.md). Asset criticality contributes to the overall [user risk score](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). The criticality level defines how impactful the user is when calculating the risk score. - -:::{image} /solutions/images/security-user-asset-criticality.png -:alt: Asset criticality -:screenshot: -::: - -Click **Assign** to assign a criticality level to the selected user, or **Change** to change the currently assigned criticality level. 
- - -### Insights [user-insights] - -The **Insights** section displays [Misconfiguration Findings](/solutions/security/cloud/findings-page.md) for the user. Click **Misconfigurations** to expand the flyout and view this data. - - -### Observed data [user-observed-data] - -This section displays details such as the user ID, when the user was first and last seen, and the associated IP addresses and operating system. - -:::{image} /solutions/images/security-user-observed-data.png -:alt: User observed data -:screenshot: -::: diff --git a/solutions/toc.yml b/solutions/toc.yml index ce1d5f21ed..80cf5d3f2f 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -634,6 +634,7 @@ toc: children: - file: security/advanced-entity-analytics/entity-risk-scoring-requirements.md - file: security/advanced-entity-analytics/turn-on-risk-scoring-engine.md + - file: security/advanced-entity-analytics/view-entity-details.md - file: security/advanced-entity-analytics/asset-criticality.md - file: security/advanced-entity-analytics/entity-store.md - file: security/advanced-entity-analytics/view-analyze-risk-score-data.md
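Review bot: the `toc.yml` hunk adds `security/advanced-entity-analytics/view-entity-details.md`, but no diff for that file is visible in this patch, so the build will fail on the TOC entry and on every `#entity-details-flyout` link added above unless the file ships in the same change. When it does, make sure the content removed from `users-page.md` here is carried over rather than lost: the Insights behaviour (Misconfiguration Findings for users, Vulnerabilities Findings for hosts), the "View risk contributions" panel with the top 10 contributing alerts and the aggregate score for the remainder, and the Assign/Change asset criticality controls all exist only in the deleted text at this point. The removed anchors `user-details-flyout`, `user-risk-summary`, `user-asset-criticality-section`, `user-insights` and `user-observed-data` need the same inbound-link check as the host anchors.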