-
Notifications
You must be signed in to change notification settings - Fork 191
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Entity Analytics: New Advanced Entity Analytics section (#4167)
* Entity Analytics: New Advanced Entity Analytics section * Adds Turn on the risk engine page * Adds reference to Entity Risk Scoring prerequisites * Adds View and analyze risk score data page * Applies review feedback
- Loading branch information
1 parent
aad7b27
commit 323f50a
Showing
16 changed files
with
184 additions
and
0 deletions.
There are no files selected for viewing
23 changes: 23 additions & 0 deletions
23
docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
[[advanced-entity-analytics-overview]] | ||
= Advanced Entity Analytics | ||
|
||
Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity's environment. This feature combines the power of the SIEM detection engine and Elastic's {ml} capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts and users. | ||
|
||
[discrete] | ||
[[entity-risk-scoring]] | ||
== Entity Risk Scoring | ||
|
||
beta::[] | ||
|
||
Entity Risk Scoring is an advanced {elastic-sec} analytics feature that helps security analysts detect changes in an entity's risk posture, hunt for new threats, and prioritize incident response. | ||
|
||
Entity Risk Scoring allows you to monitor the change in the risk posture of hosts and users from your environment. The risk scoring engine generates these advanced scoring analytics by factoring threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. | ||
|
||
The next-generation risk scoring engine provides greater scalability and performance. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days. | ||
|
||
It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {elastic-sec} use cases, and allows you to customize and control how and when risk is calculated. | ||
|
||
Learn how to <<turn-on-risk-engine, turn on the latest risk scoring engine>>. | ||
|
||
include::turn-on-risk-engine.asciidoc[] | ||
include::analyze-risk-score-data.asciidoc[] |
81 changes: 81 additions & 0 deletions
81
docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
[[analyze-risk-score-data]] | ||
== View and analyze risk score data | ||
|
||
The {security-app} provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the {security-app} to view and analyze risk score data: | ||
|
||
* <<entity-analytics-dashboard, Entity Analytics dashboard>> | ||
* <<alerts-page, Alerts page>> | ||
* <<alert-details-flyout, Alert details flyout>> | ||
* <<hosts-users-pages, Hosts and Users pages>> | ||
* <<host-user-details-pages, Host and user details pages>> | ||
|
||
TIP: We recommend that you prioritize <<alert-triaging, alert triaging>> to identify anomalies or abnormal behavior patterns. | ||
|
||
[discrete] | ||
[[entity-analytics-dashboard]] | ||
=== Entity Analytics dashboard | ||
|
||
From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page. | ||
|
||
[role="screenshot"] | ||
image::images/ea-dashboard.png[Entity Analytics dashboard] | ||
|
||
[discrete] | ||
[[alert-triaging]] | ||
=== Alert triaging | ||
You can prioritize alert triaging to analyze alerts associated with risky entities using the following features in the {security-app}. | ||
|
||
[discrete] | ||
[[alerts-page]] | ||
==== Alerts page | ||
|
||
Use the Alerts table to investigate and analyze host and user risk levels and scores. We recommend adding the `user.risk.calculated_level` and `host.risk.calculated_level` columns to the Alerts table to easily display this data. To do this, select **Fields**, search for `user.risk` and `host.risk`, then select the appropriate fields from the list. Learn more about <<customize-the-alerts-table, customizing the Alerts table>>. | ||
|
||
[role="screenshot"] | ||
image::images/alerts-table-rs.png[Risk scores in the Alerts table] | ||
|
||
You can use the drop-down filter controls to filter alerts by their risk score level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`: | ||
|
||
[role="screenshot"] | ||
image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level] | ||
|
||
[discrete] | ||
[[alert-details-flyout]] | ||
==== Alert details flyout | ||
|
||
To access risk score data in the alert details flyout, select **Insights** -> **Entities** on the **Overview** tab: | ||
|
||
[role="screenshot"] | ||
image::images/alerts-flyout-rs.png[Risk scores in the Alerts flyout] | ||
|
||
[discrete] | ||
[[hosts-users-pages]] | ||
==== Hosts and Users pages | ||
|
||
On the Hosts and Users pages, you can access the risk score data: | ||
|
||
* In the **Host risk level** or **User risk level** column on the **All hosts** or **All users** tab: | ||
+ | ||
[role="screenshot"] | ||
image::images/hosts-hr-level.png[Host risk level data on the All hosts tab of the Hosts page] | ||
|
||
* On the **Host risk** or **User risk** tab: | ||
+ | ||
[role="screenshot"] | ||
image::images/hosts-hr-data.png[Host risk data on the Host risk tab of the Hosts page] | ||
|
||
[discrete] | ||
[[host-user-details-pages]] | ||
==== Host and user details pages | ||
|
||
On the host details and user details pages, you can access the risk score data: | ||
|
||
* In the Overview section: | ||
+ | ||
[role="screenshot"] | ||
image::images/host-details-overview.png[Host risk data in the Overview section of the host details page] | ||
|
||
* On the **Host risk** or **User risk** tab: | ||
+ | ||
[role="screenshot"] | ||
image::images/host-details-hr-tab.png[Host risk data on the Host risk tab of the host details page] |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
78 changes: 78 additions & 0 deletions
78
docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
[[turn-on-risk-engine]] | ||
== Turn on the risk scoring engine | ||
|
||
beta[] | ||
|
||
IMPORTANT: To use Entity Risk Scoring, your role must have the appropriate privileges. For more information, refer to <<ers-requirements, Entity Risk Scoring prerequisites>>. | ||
|
||
The latest risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` <<alerts-ui-manage, alerts>> from the last 30 days, and assigns risk score to the host or user. It then aggregates the individual risk scores and normalizes them to a 0-100 range. The engine assigns a risk level by mapping the normalized risk score to one of these levels: | ||
|
||
[width="100%",options="header"] | ||
|============================================== | ||
|Risk level |Risk score | ||
|
||
|Unknown |< 20 | ||
|Low |20-40 | ||
|Moderate |40-70 | ||
|High | 70-90 | ||
|Critical | > 90 | ||
|
||
|============================================== | ||
|
||
[discrete] | ||
=== Preview risky entities | ||
|
||
You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker. | ||
|
||
NOTE: The preview is limited to two risk scores per {kib} instance. | ||
|
||
To preview risky entities, go to **Manage** -> **Entity Risk Score**: | ||
|
||
[role="screenshot"] | ||
image::images/preview-risky-entities.png[Preview of risky entities] | ||
|
||
[discrete] | ||
=== Turn on the latest risk engine | ||
|
||
[NOTE] | ||
====== | ||
* To view risk score data, you must have alerts generated in your environment. | ||
* If you previously installed the original <<user-risk-score, user>> and <<host-risk-score, host risk score>> modules, and you're upgrading to {stack} version 8.11 or newer, refer to <<upgrade-risk-engine, Upgrade to the latest risk engine>>. | ||
====== | ||
|
||
If you're installing the risk scoring engine for the first time: | ||
|
||
. Go to **Manage** -> **Entity Risk Score**. | ||
. Turn the **Entity risk scoring** toggle on. | ||
|
||
[role="screenshot"] | ||
image::images/turn-on-risk-engine.png[Turn on entity risk scoring] | ||
|
||
[discrete] | ||
[[upgrade-risk-engine]] | ||
=== Upgrade to the latest risk engine | ||
|
||
If you upgraded to 8.11 from an earlier {stack} version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as: | ||
|
||
* The Entity Analytics dashboard | ||
* The **User risk** tab on the Users page | ||
* The **User risk** tab on a user's details page | ||
* The **Host risk** tab on the Hosts page | ||
* The **Host risk** tab on a host's details page | ||
|
||
[role="screenshot"] | ||
image::images/risk-engine-upgrade-prompt.png[Prompt to upgrade to the latest risk engine] | ||
|
||
. Click **Manage** in the upgrade prompt, or go to **Manage** -> **Entity Risk Score**. | ||
. On the Entity Risk Score page, click **Start update** next to the **Update available** label. | ||
+ | ||
[role="screenshot"] | ||
image::images/risk-score-start-update.png[Start the risk engine upgrade] | ||
. On the confirmation message, click **Yes, update now**. The old transform is removed and the latest risk engine is installed. | ||
. When the installation is complete, confirm that the **Entity risk scoring** toggle is on. | ||
+ | ||
[role="screenshot"] | ||
image::images/turn-on-risk-engine.png[Turn on entity risk scoring] | ||
|
||
NOTE: Previous risk score data is retained when you upgrade to the latest risk engine. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters