docs/cloud-native-security/session-view.asciidoc
Lines changed: 8 additions & 9 deletions
@@ -1,5 +1,5 @@
1
1
[[session-view]]
2
-
==Session View
2
+
= Session View
3
3
4
4
Session View is an investigation tool that allows you to examine Linux process data organized
5
5
in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution.
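Review bot: the removed line `==Session View` had no space after the `==`, so AsciiDoc rendered it as plain text rather than a section title; the replacement `= Session View` fixes that and at the same time promotes the heading to a chapter title, which is why the later hunks in this file shift every other heading up one level. Check that the book's `include::` for this file sits at chapter level, otherwise the single `=` produces a second document title.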
@@ -13,9 +13,8 @@ and investigating session activity on your Linux infrastructure and understandin
13
13
* Session View requires an https://www.elastic.co/pricing[Enterprise subscription].
14
14
--
15
15
16
-
[float]
17
-
[[session-view-data]]
18
-
====== Session View displays:
16
+
Session View has the following features:
17
+
19
18
* *Interactive and non-interactive processes:* Processes and services with or without a controlling terminal.
20
19
* *User information:* The Linux user that executed each session or process, and any exec user changes.
21
20
* *Process and event telemetry:* Process information included in the Linux logical event model.
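Review bot: removing `[[session-view-data]]` breaks any `<<session-view-data>>` cross-reference elsewhere in the docs; grep the repository for that anchor before merging, or keep the anchor line above `Session View has the following features:`. Replacing the six-equals heading `====== Session View displays:` with an introductory sentence is an improvement, since a level-5 heading directly under the title was unlikely to be intentional.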
@@ -27,7 +26,7 @@ NOTE: To view Linux session data from your Kubernetes infrastructure, you'll nee
27
26
28
27
[float]
29
28
[[enable-session-view]]
30
-
=== Enable Session View data
29
+
== Enable Session View data
31
30
Session View uses process data collected by the {elastic-defend} integration,
32
31
but this data is not always collected by default. To confirm that Session View data is enabled:
33
32
@@ -45,7 +44,7 @@ fields collected when this setting is enabled, refer to the https://github.com/e
45
44
46
45
[float]
47
46
[[open-session-view]]
48
-
=== Open Session View
47
+
== Open Session View
49
48
Session View is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout and the **Kubernetes** dashboard.
50
49
Events and sessions that you can investigate in Session View have a rectangular
51
50
*Open Session View* button in the *Actions* column. For example:
@@ -60,7 +59,7 @@ From either of these tabs, click the *Open Session View* button for an event or
@@ -148,7 +147,7 @@ TIP: Use Session view's *Fullscreen* button (located next to the *Close session
148
147
149
148
[discrete]
150
149
[[terminal-output-limitations]]
151
-
==== Terminal output limitations for search and alerting
150
+
=== Terminal output limitations for search and alerting
152
151
You should understand several current limitations before building rules based on terminal output data:
153
152
154
153
* Terminal output that appears in the `process.io.text` field includes https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797[ANSI codes] that represent, among other things, text color, text weight, and escape sequences. This can prevent EKS queries from matching as expected. Queries of this data will have more success matching single words than more complex strings.
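Review bot: the unchanged context line ending this hunk says "This can prevent EKS queries from matching as expected"; EKS looks like a typo for the query language (KQL or EQL), and since the file is already being touched it is a cheap fix to include. This section also uses `[discrete]` while the earlier sections of the same file use `[float]`; Asciidoctor accepts both, but one spelling per file is easier to maintain.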
docs/detections/detections-req.asciidoc
Lines changed: 3 additions & 2 deletions
@@ -36,7 +36,8 @@ and restarting {kib}, you must restart all detection rules.
36
36
[discrete]
37
37
[[enable-detections-ui]]
38
38
== Enable and access detections
39
-
To use the Detections feature, it must be enabled and your role must have access to rules and alerts. If your role does not have the cluster and index privileges needed to enable this feature, you can request someone who has these privileges to visit your Kibana space, which will turn it on for you. The following table describes the required privileges to access the Detections page, including rules and alerts.
39
+
40
+
To use the Detections feature, it must be enabled, your role must have access to rules and alerts, and your {kib} space must have **Data View Management** {kibana-ref}/xpack-spaces.html#spaces-control-feature-visibility[feature visibility]. If your role does not have the cluster and index privileges needed to enable this feature, you can request someone who has these privileges to visit your Kibana space, which will turn it on for you. The following table describes the required privileges to access the Detections feature, including rules and alerts.
40
41
41
42
NOTE: For instructions about using Machine Learning jobs and rules, refer to <<ml-requirements, Machine learning job and rule requirements>>.
42
43
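Review bot: the new requirement that the space has **Data View Management** feature visibility appears only in this paragraph; the privilege table the paragraph points to ("The following table describes the required privileges") does not, from what is visible here, carry a matching row, so a reader who scans the table will miss it. Consider adding a table row or a NOTE beside the table. Minor: the same sentence uses both `{kib} space` and `Kibana space`; use the attribute in both places.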
@@ -65,7 +66,7 @@ a|The `manage`, `write`,`read`, and `view_index_metadata` index privileges for t
65
66
66
67
|Enable the Detections feature in all Kibana spaces
67
68
68
-
*NOTE*: To turn on the Detections feature, visit the Detections page for each appropriate Kibana space.
69
+
*NOTE*: To turn on the Detections feature, visit the Rules and Alerts pages for each appropriate Kibana space.
69
70
70
71
|The `manage` privilege
71
72
a|The `manage`, `write`,`read`, and `view_index_metadata` index privileges for the following system indices and data streams:
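Review bot: "visit the Rules and Alerts pages" reads as though both pages must be visited, whereas the paragraph above says that visiting the space turns the feature on; if either page suffices, write "the **Rules** or **Alerts** page", bolding the UI names as the rest of these docs do. The context text `` `write`,`read` `` is missing a space after the comma (it appears both in the hunk header and in the last context line); worth fixing while here.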
docs/detections/rules-cross-cluster-search.asciidoc
Lines changed: 7 additions & 3 deletions
@@ -9,9 +9,11 @@
9
9
10
10
This section explains the general process for setting up cross-cluster search in detection rules. For specific instructions on each part of the process, refer to the linked documentation.
11
11
12
-
NOTE: This procedure uses TLS certificate authentication to add remote clusters. {stack} 8.10.0 introduces an alternate method using {ref}/remote-clusters-api-key.html[API key authentication], but it is not yet supported for detection rules.
12
+
. On the local cluster, establish trust and set up a connection to the remote cluster, using one of the following methods. With either method, note the unique name that you give to the remote cluster, because you'll need to use it throughout this process.
13
13
14
-
. On the local cluster, {ref}/remote-clusters-cert.html[establish trust and set up a connection] to the remote cluster. Note the unique name that you give to the remote cluster, because you'll need to use it throughout this process.
14
+
* {ref}/remote-clusters-api-key.html[Add remote clusters using API key authentication] — Clusters must be on {stack} version 8.14 or later.
15
+
16
+
* {ref}/remote-clusters-cert.html[Add remote clusters using TLS certificate authentication]
15
17
16
18
. On both the local and remote clusters, {ref}/remote-clusters-cert.html#clusters-privileges-ccs-kibana-cert[create a
17
19
role for cross-cluster search privileges], and make sure the two roles have
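Review bot: the second step in the trailing context still links only to `remote-clusters-cert.html#clusters-privileges-ccs-kibana-cert` for creating the cross-cluster search role, which is the TLS-certificate page; now that API key authentication is offered as a first-class option, readers taking that path need the equivalent instructions for the API-key method, or an explicit statement that the role step is identical for both. Also make the added bullet say that 8.14 is the version from which detection rules support API-key remote clusters: the removed NOTE said the feature itself exists from 8.10.0, so without that qualifier readers on 8.10 to 8.13 may assume it works for rules.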
@@ -56,7 +58,9 @@ IMPORTANT: The rule preview uses the current user's cross-cluster search privile
56
58
[[update-api-key]]
57
59
=== Update a rule's API key
58
60
59
-
When a user creates a new rule or saves edits to an existing rule, their current privileges are saved to {kibana-ref}/alerting-setup.html#alerting-authorization[the rule's API key]. If that user's privileges change in the future, the rule *_does not_* automatically update with the user's latest privileges — you must update the rule's API key to update its privileges.
61
+
Each detection rule has its own {kibana-ref}/alerting-setup.html#alerting-authorization[API key], which determines the data and actions the rule is allowed to access. When a user creates a new rule or changes an existing rule, their current privileges are saved to the rule's API key. If that user's privileges change in the future, the rule *_does not_* automatically update with the user's latest privileges — you must update the rule's API key if you want to update its privileges.
62
+
63
+
IMPORTANT: A rule's API key is different from the API key you might have created for <<set-up-ccs-rules,authentication between local and remote clusters>>.
60
64
61
65
To update a rule's API key, log into the local cluster as a user with the privileges you want to apply to the rule, then do either of the following:
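Review bot: the added IMPORTANT admonition references `<<set-up-ccs-rules,...>>`; confirm that anchor is defined in this file (it is not visible in this hunk), because an undefined xref renders as a broken link. The new first sentence is also the natural place for one least-privilege clause: because the key snapshots the saving user's privileges, rules should be created or edited by an account holding only the privileges the rule needs rather than a broadly privileged admin, otherwise every such rule runs with more access than it requires.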
docs/detections/visual-event-analyzer.asciidoc
Lines changed: 4 additions & 4 deletions
@@ -1,14 +1,14 @@
1
1
[[visual-event-analyzer]]
2
2
[role="xpack"]
3
-
==Visual event analyzer
3
+
= Visual event analyzer
4
4
5
5
{elastic-sec} allows any event detected by {elastic-endpoint} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Examining events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations.
6
6
7
7
TIP: If you're experiencing performance degradation, you can <<exclude-cold-frozen-tiers, exclude cold and frozen tier data>> from analyzer queries.
8
8
9
9
[float]
10
10
[[find-events-analyze]]
11
-
=== Find events to analyze
11
+
== Find events to analyze
12
12
13
13
You can only visualize events triggered by hosts configured with the {elastic-defend} integration or any `sysmon` data from `winlogbeat`.
14
14
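Review bot: the trailing context line "You can only visualize events triggered by hosts configured with the {elastic-defend} integration or any `sysmon` data from `winlogbeat`" mixes hosts and data as the things being visualized; suggest "events from hosts running the {elastic-defend} integration, or Sysmon events shipped by `winlogbeat`". The heading change itself mirrors the session-view fix: `==Visual event analyzer` without a space was not a valid section title, and the new `= Visual event analyzer` makes it a chapter title, with the `[[visual-event-analyzer]]` anchor kept so existing xrefs still resolve.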
@@ -47,7 +47,7 @@ TIP: You can also analyze events from <<timelines-ui,Timelines>>.
47
47
48
48
[discrete]
49
49
[[visual-analyzer-ui]]
50
-
=== Visual event analyzer UI
50
+
== Visual event analyzer UI
51
51
52
52
Within the visual analyzer, each cube represents a process, such as an executable file or network event. Click and drag in the analyzer to explore the hierarchy of all process relationships.
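Review bot: the context line "each cube represents a process, such as an executable file or network event" conflates a process with the other node kinds the analyzer shows; an executable file and a network event are not processes. Suggest "each cube represents a process or an event, such as a file or network event", or whatever set of node types the analyzer actually renders.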
docs/es-overview.asciidoc
Lines changed: 3 additions & 3 deletions
@@ -1,10 +1,10 @@
1
1
[[es-overview]]
2
2
[chapter, role="xpack"]
3
-
= Elastic Security overview
3
+
= {elastic-sec} overview
4
4
5
5
{elastic-sec} combines threat detection analytics, cloud native security, and endpoint protection capabilities in a single solution, so you can quickly detect, investigate, and respond to threats and vulnerabilities across your environment.
6
6
7
-
Elastic Security provides:
7
+
{elastic-sec} provides:
8
8
9
9
* A detection engine that identifies a wide range of threats
10
10
* A workspace for event triage, investigation, and case management
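Review bot: replacing the literal "Elastic Security" with `{elastic-sec}` in the `=` title makes the rendered chapter title depend on the `elastic-sec` attribute being defined in every build that includes this file; the explicit `[[es-overview]]` anchor is kept, so generated IDs and existing xrefs are unaffected. The change is consistent with the body, which already used the attribute ("{elastic-sec} combines threat detection analytics ...").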
@@ -16,7 +16,7 @@ Elastic Security provides:
16
16
=== Learn more
17
17
18
18
* <<getting-started, Get started>>: Learn about system requirements, workspaces, configuration, and data ingestion.
19
-
* <<es-ui-overview, Elastic Security UI overview>>: Navigate {elastic-sec}'s various tools and interfaces.
19
+
* <<es-ui-overview, {elastic-sec} UI overview>>: Navigate {elastic-sec}'s various tools and interfaces.
20
20
* <<about-rules, Detection rules>>: Use {elastic-sec}'s detection engine with custom and prebuilt rules.
21
21
* <<cloud-native-security-overview, Cloud native security>>: Enable cloud native security capabilities such as Cloud and Kubernetes security posture management, cloud native vulnerability management, and cloud workload protection for Kubernetes and VMs.
22
22
* <<install-endpoint, Install {elastic-defend}>>: Enable key endpoint protection capabilities like event collection and malicious activity prevention.