|
| 1 | +[[security-hosts-overview]] |
| 2 | += Hosts page |
| 3 | + |
| 4 | +// :description: Explore the Hosts page to analyze hosts and related security events. |
| 5 | +// :keywords: serverless, security, how-to, analyze |
| 6 | + |
| 7 | +preview:[] |
| 8 | + |
| 9 | +The Hosts page provides a comprehensive overview of all hosts and host-related security events. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data, drill down for deeper insights, and interact with Timeline for further investigation. |
| 10 | + |
| 11 | +[role="screenshot"] |
| 12 | +image::images/hosts-overview/-management-hosts-hosts-ov-pg.png[Hosts page] |
| 13 | + |
| 14 | +The Hosts page has the following sections: |
| 15 | + |
| 16 | +[discrete] |
| 17 | +[[host-KPI-charts]] |
| 18 | +== Host KPI (key performance indicator) charts |
| 19 | + |
| 20 | +KPI charts show metrics for hosts and unique IPs within the time range specified in the date picker. This data is visualized using linear or bar graphs. |
| 21 | + |
| 22 | +[TIP] |
| 23 | +==== |
| 24 | +Hover inside a KPI chart to display the actions menu (image:images/icons/boxesHorizontal.svg[Actions menu icon]), where you can perform these actions: inspect, open in Lens, and add to a new or existing case. |
| 25 | +==== |
| 26 | + |
| 27 | +[discrete] |
| 28 | +[[host-data-tables]] |
| 29 | +== Data tables |
| 30 | + |
| 31 | +Beneath the KPI charts are data tables, categorized by individual tabs, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following data: |
| 32 | + |
| 33 | +* **Events**: All host events. To display alerts received from external monitoring tools, scroll down to the Events table and select **Show only external alerts** on the right. |
| 34 | +* **All hosts**: High-level host details. |
| 35 | +* **Uncommon processes**: Uncommon processes running on hosts. |
| 36 | +* **Anomalies**: Anomalies discovered by machine learning jobs. |
| 37 | +* **Host risk**: The latest recorded host risk score for each host, and its host risk classification. This feature requires the Security Analytics Complete <<elasticsearch-manage-project,project feature>> and must be enabled to display the data. To learn more, refer to our <<security-entity-risk-scoring,entity risk scoring documentation>>. |
| 38 | +* **Sessions**: Linux process events that you can open in <<security-session-view,Session View>>, an investigation tool that allows you to examine Linux process data at a hierarchal level. |
| 39 | + |
| 40 | +The tables within the **Events** and **Sessions** tabs include inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to <<security-alerts-manage,Manage detection alerts>>. |
| 41 | + |
| 42 | +[role="screenshot"] |
| 43 | +image::images/hosts-overview/-getting-started-users-events-table.png[Events table] |
| 44 | + |
| 45 | +[discrete] |
| 46 | +[[host-details-page]] |
| 47 | +== Host details page |
| 48 | + |
| 49 | +A host's details page displays all relevant information for the selected host. To view a host's details page, click its **Host name** link in the **All hosts** table. |
| 50 | + |
| 51 | +The host details page includes the following sections: |
| 52 | + |
| 53 | +* **Asset Criticality**: This section displays the host's current <<security-asset-criticality,asset criticality level>>. |
| 54 | +* **Summary**: Details such as the host ID, when the host was first and last seen, the associated IP addresses, and associated operating system. If the entity risk score feature is enabled, this section also displays host risk score data. |
| 55 | +* **Alert metrics**: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). |
| 56 | +* **Data tables**: The same data tables as on the main Hosts page, except with values for the selected host instead of all hosts. |
| 57 | + |
| 58 | +[role="screenshot"] |
| 59 | +image::images/hosts-overview/-management-hosts-hosts-detail-pg.png[Host's details page] |
| 60 | + |
| 61 | +[discrete] |
| 62 | +[[security-hosts-overview-host-details-flyout]] |
| 63 | +== Host details flyout |
| 64 | + |
| 65 | +In addition to the host details page, relevant host information is also available in the host details flyout throughout the {elastic-sec} app. You can access this flyout from the following places: |
| 66 | + |
| 67 | +* The Alerts page, by clicking on a host name in the Alerts table |
| 68 | +* The Entity Analytics dashboard, by clicking on a host name in the Host Risk Scores table |
| 69 | +* The **Events** tab on the Users and user details pages, by clicking on a host name in the Events table |
| 70 | +* The **User risk** tab on the user details page, by clicking on a host name in the Top risk score contributors table |
| 71 | +* The **Events** tab on the Hosts and host details pages, by clicking on a host name in the Events table |
| 72 | +* The **Host risk** tab on the host details page, by clicking on a host name in the Top risk score contributors table |
| 73 | + |
| 74 | +The host details flyout includes the following sections: |
| 75 | + |
| 76 | +* <<security-hosts-overview-host-risk-summary,Host risk summary>>, which displays host risk data and inputs. |
| 77 | +* <<security-hosts-overview-asset-criticality,Asset Criticality>>, which allows you to view and assign asset criticality. |
| 78 | +* <<host-details-insights, Insights>>, which displays vulnerabilities findings for the host. |
| 79 | +* <<security-hosts-overview-observed-data,Observed data>>, which displays host details. |
| 80 | + |
| 81 | +[role="screenshot"] |
| 82 | +image::images/hosts-overview/-host-details-flyout.png[Host details flyout] |
| 83 | + |
| 84 | +[discrete] |
| 85 | +[[security-hosts-overview-host-risk-summary]] |
| 86 | +=== Host risk summary |
| 87 | + |
| 88 | +.Requirements |
| 89 | +[NOTE] |
| 90 | +==== |
| 91 | +The **Host risk summary** section is only available if the <<security-turn-on-risk-engine,risk scoring engine is turned on>>. |
| 92 | +==== |
| 93 | + |
| 94 | +The **Host risk summary** section contains a risk summary visualization and table. |
| 95 | + |
| 96 | +The risk summary visualization shows the host risk score and host risk level. Hover over the visualization to display the **Options** menu (image:images/icons/boxesHorizontal.svg[Options menu]). Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. |
| 97 | + |
| 98 | +The risk summary table shows the category, score, and number of risk inputs that determine the host risk score. Hover over the table to display the **Inspect** button (image:images/icons/inspect.svg[Inspect]), which allows you to inspect the table's queries. |
| 99 | + |
| 100 | +To expand the **Host risk summary** section, click **View risk contributions**. The left panel displays additional details about the host's risk inputs: |
| 101 | + |
| 102 | +* The asset criticality level and contribution score from the latest risk scoring calculation. |
| 103 | +* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert's contribution score. |
| 104 | + |
| 105 | +If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. |
| 106 | + |
| 107 | +[role="screenshot"] |
| 108 | +image::images/hosts-overview/-host-risk-inputs.png[Host risk inputs] |
| 109 | + |
| 110 | +[discrete] |
| 111 | +[[security-hosts-overview-asset-criticality]] |
| 112 | +=== Asset Criticality |
| 113 | + |
| 114 | +The **Asset Criticality** section displays the selected host's <<security-asset-criticality,asset criticality level>>. Asset criticality contributes to the overall <<security-entity-risk-scoring,host risk score>>. The criticality level defines how impactful the host is when calculating the risk score. |
| 115 | + |
| 116 | +[role="screenshot"] |
| 117 | +image::images/hosts-overview/-host-asset-criticality.png[Asset criticality] |
| 118 | + |
| 119 | +Click **Assign** to assign a criticality level to the selected host, or **Change** to change the currently assigned criticality level. |
| 120 | + |
| 121 | +[discrete] |
| 122 | +[[host-details-insights]] |
| 123 | +=== Insights |
| 124 | + |
| 125 | +The **Insights** section displays <<security-vuln-management-findings, Vulnerabilities Findings>> for the host. Click **Vulnerabilities** to expand the flyout and view this data. |
| 126 | + |
| 127 | +image::images/hosts-overview/-host-details-insights-expanded.png[Host details flyout with the Vulnerabilities section expanded, 85%] |
| 128 | + |
| 129 | +[discrete] |
| 130 | +[[security-hosts-overview-observed-data]] |
| 131 | +=== Observed data |
| 132 | + |
| 133 | +This section displays details such as the host ID, when the host was first and last seen, the associated IP addresses and operating system, and the relevant Endpoint integration policy information. |
| 134 | + |
| 135 | +[role="screenshot"] |
| 136 | +image::images/hosts-overview/-host-observed-data.png[Host observed data] |
![mergify[bot]](https://avatars.githubusercontent.com/in/10562?v=4&size=40){kind=avatar}
0 commit comments