diff --git a/.github/workflows/co-docs-builder.yml b/.github/workflows/co-docs-builder.yml
index e251dd00f4..769bb04c09 100644
--- a/.github/workflows/co-docs-builder.yml
+++ b/.github/workflows/co-docs-builder.yml
@@ -21,11 +21,16 @@ on:
 jobs:
   publish:
     if: contains(github.event.pull_request.labels.*.name, 'ci:doc-build')
-    uses: elastic/workflows/.github/workflows/docs-elastic-co-publish.yml@main
+    uses: elastic/workflows/.github/workflows/docs-versioned-publish.yml@main
     with:
-      subdirectory: 'docs/serverless/'
+      # Refers to Vercel project
+      project-name: elastic-dot-co-docs-preview-docs
+      # Which prebuild step (dev or not)
+      prebuild: wordlake-docs
+      # Docsmobile project dir
+      site-repo: docs-site
     secrets:
       VERCEL_GITHUB_TOKEN: ${{ secrets.VERCEL_GITHUB_TOKEN_PUBLIC }}
       VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN_PUBLIC }}
       VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID_PUBLIC }}
-      VERCEL_PROJECT_ID_DOCS_CO: ${{ secrets.VERCEL_PROJECT_ID_DOCS_CO_PUBLIC }}
+      VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID_ELASTIC_DOT_CO_DOCS_PRODUCTION_PUBLIC }}
diff --git a/docs/assistant/ai-alert-triage.asciidoc b/docs/assistant/ai-alert-triage.asciidoc
index 6baf930357..1e779bb95e 100644
--- a/docs/assistant/ai-alert-triage.asciidoc
+++ b/docs/assistant/ai-alert-triage.asciidoc
@@ -1,5 +1,5 @@
 [[assistant-triage]]
-= Triage alerts with Elastic AI Assistant
+= Triage alerts
 Elastic AI Assistant can help you enhance and streamline your alert triage workflows by assessing multiple recent alerts in your environment, and helping you interpret an alert and its context. When you view an alert in {elastic-sec}, details such as related documents, hosts, and users appear alongside a synopsis of the events that triggered the alert. This data provides a starting point for understanding a potential threat. AI Assistant can answer questions about this data and offer insights and actionable recommendations to remediate the issue. 
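Review bot: The reusable workflow on the new `uses:` line is still referenced by the mutable `@main` ref while this job hands it deployment credentials (`VERCEL_TOKEN`, `VERCEL_GITHUB_TOKEN` and the new `VERCEL_PROJECT_ID`), so any change pushed to that branch of elastic/workflows runs here with those secrets without a review in this repository; pin it to a release tag or full commit SHA, e.g. `uses: elastic/workflows/.github/workflows/docs-versioned-publish.yml@<commit-sha-placeholder> # tracks <tag-placeholder>`. The new `project-name: elastic-dot-co-docs-preview-docs` is paired with a secret named `..._PRODUCTION_PUBLIC`, which reads as a preview job publishing with a production project id — presumably intended, but worth a comment on the `VERCEL_PROJECT_ID:` line naming the Vercel project it targets. The `on:` block that triggers this job is outside the hunk, so whether the label gate also admits pull requests from forks (and thus exposes these secrets to them) cannot be confirmed from here.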
diff --git a/docs/assistant/ai-esql-queries.asciidoc b/docs/assistant/ai-esql-queries.asciidoc
new file mode 100644
index 0000000000..0a8776ae54
--- /dev/null
+++ b/docs/assistant/ai-esql-queries.asciidoc
@@ -0,0 +1,23 @@
+[[esql-queries-assistant]]
+= Generate, customize, and learn about {esql} queries
+
+:frontmatter-description: Elastic AI Assistant can help you write ES|QL queries.
+:frontmatter-tags-products: [security]
+:frontmatter-tags-content-type: [guide]
+:frontmatter-tags-user-goals: [get-started]
+
+Elastic AI Assistant can help you learn about and leverage the Elasticsearch Query Language ({esql}).
+
+With AI Assistant's <> enabled, AI Assistant benefits from specialized training data that enables it to answer questions related to {esql} at an expert level.
+
+AI Assistant can help with {esql} in many ways, including:
+
+* **Education and training**: AI Assistant can serve as a powerful {esql} learning tool. Ask it for examples, explanations of complex queries, and best practices.
+* **Writing new queries**: Prompt AI Assistant to provide a query that accomplishes a particular task, and it will generate a query matching your description. For example: "Write a query to identify documents with `curl.exe` usage and calculate the sum of `destination.bytes`" or "What query would return all user logins to [a host] in the last six hours?"
+* **Providing feedback to optimize existing queries**: Send AI Assistant a query you want to work on and ask it for improvements, refactoring, a general assessment, or to optimize the query's performance with large data sets.
+* **Customizing queries for your environment**: Since each environment is unique, you may need to customize queries that you used in other contexts. AI Assistant can suggest necessary modifications based on contextual information you provide.
+* **Troubleshooting**: Having trouble with a query or getting unexpected results? Ask AI Assistant to help you troubleshoot.
+
+In these ways and others, AI Assistant can enable you to make use of {esql}'s advanced search capabilities to accomplish goals across {elastic-sec}.
+
+
diff --git a/docs/assistant/assistant-use-cases.asciidoc b/docs/assistant/assistant-use-cases.asciidoc
new file mode 100644
index 0000000000..5a92f80197
--- /dev/null
+++ b/docs/assistant/assistant-use-cases.asciidoc
@@ -0,0 +1,10 @@
+[[assistant-use-cases]]
+= AI Assistant use cases
+
+Elastic AI Assistant's flexibility means you can use it for many different purposes. These topics describe some of the possible uses for AI Assistant within {elastic-sec}:
+
+* <>
+* <>
+* <>
+
+For general information about AI Assistant, refer to <>.
\ No newline at end of file
diff --git a/docs/assistant/azure-openai-setup.asciidoc b/docs/assistant/azure-openai-setup.asciidoc
index 873428a645..658f237b7b 100644
--- a/docs/assistant/azure-openai-setup.asciidoc
+++ b/docs/assistant/azure-openai-setup.asciidoc
@@ -72,7 +72,7 @@ Now, set up the Azure OpenAI model:
 ** If you select `gpt-4`, set the **Model version** to `0125-Preview`.
 ** If you select `gpt-4-32k`, set the **Model version** to `default`.
 +
-IMPORTANT: The models available to you will depend on https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models#model-summary-table-and-region-availability[region availability]. For best results, use `GPT 4 Turbo version 0125-preview` or `GPT 4-32k` with the maximum Tokens-Per-Minute (TPM) capacity. In most regions, the GPT 4 Turbo model offers the largest supported context window.
+IMPORTANT: The models available to you depend on https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models#model-summary-table-and-region-availability[region availability]. For best results, use `GPT-4o 2024-05-13` with the maximum Tokens-Per-Minute (TPM) capacity. For more information on how different models perform for different tasks, refer to the <>.
 +
 . Under **Deployment type**, select **Standard**.
 . Name your deployment.
diff --git a/docs/assistant/connect-to-openai.asciidoc b/docs/assistant/connect-to-openai.asciidoc
index 8a0dbd003f..830f657d23 100644
--- a/docs/assistant/connect-to-openai.asciidoc +++ b/docs/assistant/connect-to-openai.asciidoc @@ -12,7 +12,7 @@ This page provides step-by-step instructions for setting up an OpenAI connector Before creating an API key, you must choose a model. Refer to the https://platform.openai.com/docs/models/gpt-4-turbo-and-gpt-4[OpenAI docs] to select a model. Take note of the specific model name (for example `gpt-4-turbo`); you'll need it when configuring {kib}. -NOTE: `GPT-4 Turbo` offers increased performance. `GPT-4` and `GPT-3.5` are also supported. +NOTE: `GPT-4o` offers increased performance over previous versions. For more information on how different models perform for different tasks, refer to the <>. [discrete] === Create an API key @@ -51,6 +51,7 @@ To integrate with {kib}: . Provide a name for your connector, such as `OpenAI (GPT-4 Turbo Preview)`, to help keep track of the model and version you are using. . Under **Select an OpenAI provider**, choose **OpenAI**. . The **URL** field can be left as default. +. Under **Default model**, specify which https://platform.openai.com/docs/models/gpt-4-turbo-and-gpt-4[model] you want to use. . Paste the API key that you created into the corresponding field. . Click **Save**. diff --git a/docs/assistant/images/attck-disc-11-alerts-disc.png b/docs/assistant/images/attck-disc-11-alerts-disc.png new file mode 100644 index 0000000000..0075102604 Binary files /dev/null and b/docs/assistant/images/attck-disc-11-alerts-disc.png differ diff --git a/docs/assistant/images/attck-disc-esql-query-gen-example.png b/docs/assistant/images/attck-disc-esql-query-gen-example.png new file mode 100644 index 0000000000..3ec015ced4 Binary files /dev/null and b/docs/assistant/images/attck-disc-esql-query-gen-example.png differ diff --git a/docs/assistant/llm-connector-guides.asciidoc b/docs/assistant/llm-connector-guides.asciidoc new file mode 100644 index 0000000000..ead15956b1 --- /dev/null +++ b/docs/assistant/llm-connector-guides.asciidoc 
@@ -0,0 +1,11 @@
+[[llm-connector-guides]]
+= Set up connectors for large language models (LLM)
+
+This section contains instructions for setting up connectors for LLMs so you can use <> and <>.
+
+Setup guides are available for the following LLM providers:
+
+* <>
+* <>
+* <>
+
diff --git a/docs/assistant/security-assistant.asciidoc b/docs/assistant/security-assistant.asciidoc
index 7c94ff23db..a5aaf2c4d7 100644
--- a/docs/assistant/security-assistant.asciidoc
+++ b/docs/assistant/security-assistant.asciidoc
@@ -8,19 +8,11 @@ The Elastic AI Assistant utilizes generative AI to bolster your cybersecurity operations team. It allows users to interact with {elastic-sec} for tasks such as alert investigation, incident response, and query generation or conversion using natural language and much more. -AI Assistant can connect to multiple LLM providers so you can select the best model for your needs. - [role="screenshot"] image::images/assistant-basic-view.png[Image of AI Assistant chat window,90%] WARNING: The Elastic AI Assistant is designed to enhance your analysis with smart dialogues. Its capabilities are still developing. Users should exercise caution as the quality of its responses might vary. Your insights and feedback will help us improve this feature. Always cross-verify AI-generated advice for accuracy. -.Recommended models -[sidebar] --- -While AI Assistant is compatible with many different models, our testing found increased quality with Azure 32k, and faster and more cost-effective responses with Claude 3 Haiku and OpenAI GPT4 Turbo. --- - .Requirements [sidebar] -- 
@@ -50,9 +42,13 @@ NOTE: Elastic can automatically anonymize event data that you provide to AI Assi [[set-up-ai-assistant]] == Set up AI Assistant -You must create a generative AI connector before you can use AI Assistant. +You must create a generative AI connector before you can use AI Assistant. AI Assistant can connect to multiple large language model (LLM) providers so you can select the best model for your needs. To set up a connector, refer to <>. -For more information about setting up generative AI connectors, refer to <>, <>, or <>. +.Recommended models +[sidebar] +-- +While AI Assistant is compatible with many different models, our testing found increased quality with Azure 32k, and faster, more cost-effective responses with Claude 3 Haiku and OpenAI GPT4 Turbo. For more information, refer to the <>. +-- [discrete] [[start-chatting]] @@ -193,8 +189,14 @@ In addition to practical advice, AI Assistant can offer conceptual advice, tips, * “I need to monitor for unusual file creation patterns that could indicate ransomware activity. How would I construct this query using EQL?” -include::ai-alert-triage.asciidoc[leveloffset=+1] +include::assistant-use-cases.asciidoc[leveloffset=+1] +include::ai-alert-triage.asciidoc[leveloffset=+2] +include::use-attack-discovery-ai-assistant-incident-reporting.asciidoc[leveloffset=+2] +include::ai-esql-queries.asciidoc[leveloffset=+2] + +include::llm-connector-guides.asciidoc[leveloffset=+1] +include::azure-openai-setup.asciidoc[leveloffset=+2] +include::connect-to-openai.asciidoc[leveloffset=+2] +include::connect-to-bedrock.asciidoc[leveloffset=+2] + include::llm-performance-matrix.asciidoc[leveloffset=+1] -include::azure-openai-setup.asciidoc[leveloffset=+1] -include::connect-to-openai.asciidoc[leveloffset=+1] -include::connect-to-bedrock.asciidoc[leveloffset=+1] 
diff --git a/docs/assistant/use-attack-discovery-ai-assistant-incident-reporting.asciidoc b/docs/assistant/use-attack-discovery-ai-assistant-incident-reporting.asciidoc
new file mode 100644
index 0000000000..9473c73862
--- /dev/null
+++ b/docs/assistant/use-attack-discovery-ai-assistant-incident-reporting.asciidoc
@@ -0,0 +1,60 @@
+[[attack-discovery-ai-assistant-incident-reporting]]
+= Identify, investigate, and document threats
+
+:frontmatter-description: Elastic AI Assistant can help you write ES|QL queries.
+:frontmatter-tags-products: [security]
+:frontmatter-tags-content-type: [guide]
+:frontmatter-tags-user-goals: [get-started]
+
+Together, <> and <> can help you identify and mitigate threats, investigate incidents, and generate incident reports in various languages so you can monitor and protect your environment.
+
+In this guide, you'll learn how to:
+
+* <>
+* <>
+* <>
+* <>
+
+
+[discrete]
+[[use-case-incident-reporting-use-attack-discovery-to-identify-threats]]
+== Use Attack discovery to identify threats
+Attack discovery can detect a wide range of threats by finding relationships among alerts that may indicate a coordinated attack. This enables you to comprehend how threats move through and affect your systems. Attack discovery generates a detailed summary of each potential threat, which can serve as the basis for further analysis. Learn how to <>.
+
+image::images/attck-disc-11-alerts-disc.png[An Attack discovery card showing an attack with 11 related alerts,90%]
+
+In the example above, Attack discovery found connections between eleven alerts, and used them to identify and describe an attack chain.
+
+After Attack discovery outlines your threat landscape, use Elastic AI Assistant to quickly analyze a threat in detail.
+
+[discrete]
+[[use-case-incident-reporting-use-ai-assistant-to-analyze-a-threat]]
+== Use AI Assistant to analyze a threat
+
+From a discovery on the Attack discovery page, click **View in AI Assistant** to start a chat that includes the discovery as context.
+
+AI Assistant can quickly compile essential data and provide suggestions to help you generate an incident report and plan an effective response. You can ask it to provide relevant data or answer questions, such as “How can I remediate this threat?” or “What {esql} query would isolate actions taken by this user?”
+
+image::images/attck-disc-esql-query-gen-example.png[An AI Assistant dialogue in which the user asks for a purpose-built {esql} query,90%]
+
+The image above shows an {esql} query generated by AI Assistant in response to a user prompt. Learn more about <>.
+
+At any point in a conversation with AI Assistant, you can add data, narrative summaries, and other information from its responses to {elastic-sec}'s case management system to generate incident reports.
+
+[discrete]
+[[use-case-incident-reporting-create-a-case-using-ai-assistant]]
+== Create a case using AI Assistant
+
+From the AI Assistant dialog window, click **Add to case** (image:images/icon-add-to-case.png[Add to case icon,19,16]) next to a message to add the information in that message to a <>. Cases help centralize relevant details in one place for easy sharing with stakeholders.
+
+If you add a message that contains a discovery to a case, AI Assistant automatically adds the attack summary and all associated alerts to the case. You can also add AI Assistant messages that contain remediation steps and relevant data to the case.
+
+[discrete]
+[[use-case-incident-reporting-translate]]
+== Translate incident information to a different human language using AI Assistant
+AI Assistant can translate its findings into other human languages, helping to enable collaboration among global security teams, and making it easier to operate within multilingual organizations.
+
+After AI Assistant provides information in one language, you can ask it to translate its responses. For example, if it provides remediation steps for an incident, you can instruct it to “Translate these remediation steps into Japanese.” You can then add the translated output to a case. 
This can help team members receive the same information and insights regardless of their primary language. + +NOTE: In our internal testing, AI Assistant translations preserved the accuracy of the original content. However, all LLMs can make mistakes, so use caution. + diff --git a/docs/attack-discovery/attack-discovery.asciidoc b/docs/attack-discovery/attack-discovery.asciidoc index c8a8ce2177..0be333f939 100644 --- a/docs/attack-discovery/attack-discovery.asciidoc +++ b/docs/attack-discovery/attack-discovery.asciidoc @@ -9,10 +9,24 @@ preview::["This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features."] -NOTE: This feature is available starting with {elastic-sec} version 8.14.0. - Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond. +For a demo, refer to the following video. +======= +++++ + + +
+++++ +======= + This page describes: * <> @@ -38,7 +52,7 @@ image::images/select-model-empty-state.png[] + . Once you've selected a connector, click **Generate** to start the analysis. -It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery only analyzes alerts from the past 24 hours. +It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery is in technical preview and will only analyze opened and acknowleged alerts from the past 24 hours. IMPORTANT: Attack discovery uses the same data anonymization settings as <>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. diff --git a/docs/events/timeline-templates.asciidoc b/docs/events/timeline-templates.asciidoc index 5027c6018a..69019cf2f1 100644 --- a/docs/events/timeline-templates.asciidoc +++ b/docs/events/timeline-templates.asciidoc @@ -136,8 +136,7 @@ NOTE: You cannot delete prebuilt templates. === Export and import Timeline templates You can import and export Timeline templates, which enables importing templates -from one {kib} space or instance to another. Exported templates are saved in an -http://ndjson.org[`ndjson`] file. +from one {kib} space or instance to another. Exported templates are saved in an `ndjson` file. . Go to *Timelines* -> *Templates*. . To export templates, do one of the following: diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index 1aa844bd68..eb638efb5e 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -158,8 +158,7 @@ then select an action from the *Bulk actions* menu. == Export and import Timelines You can export and import Timelines, which enables you to share Timelines from one -{kib} space or instance to another. Exported Timelines are saved as -http://ndjson.org[`.ndjson`] files. +{kib} space or instance to another. Exported Timelines are saved as `.ndjson` files. To export Timelines: diff --git a/docs/getting-started/elastic-endpoint-reqs.asciidoc b/docs/getting-started/elastic-endpoint-reqs.asciidoc index 3afa4e99dd..38f255e0bf 100644 --- a/docs/getting-started/elastic-endpoint-reqs.asciidoc +++ b/docs/getting-started/elastic-endpoint-reqs.asciidoc @@ -9,4 +9,18 @@ To properly deploy {elastic-endpoint} without a Mobile Device Management (MDM) profile, you must manually enable additional permissions on the endpoint before {elastic-endpoint} can be fully functional. For more information, refer to the instructions for your macOS version: * <> -* <> \ No newline at end of file +* <> + +[discrete] +== Minimum system requirements + +[width="100%",options="header"] +|=== +|Requirement |Value + +|**CPU** |Under 2% +|**Disk space** |1 GB +|**Resident set size (RSS) memory** |500 MB +|=== + + diff --git a/docs/getting-started/siem-ui.asciidoc b/docs/getting-started/siem-ui.asciidoc index 5c5b024182..6e0657d484 100644 --- a/docs/getting-started/siem-ui.asciidoc +++ b/docs/getting-started/siem-ui.asciidoc @@ -299,8 +299,7 @@ drop area for further introspection. ==== Export and import timelines You can import and export timelines, which enables importing timelines from one -{kib} space or instance to another. Exported timelines are saved in an -http://ndjson.org[`ndjson`] file. +{kib} space or instance to another. Exported Timelines are saved in an `ndjson` file. . Go to *SIEM* -> *Timelines*. . To export timelines, do one of the following: 
diff --git a/docs/getting-started/threat-intel-integrations.asciidoc b/docs/getting-started/threat-intel-integrations.asciidoc index e1f9f9d287..308d7034a9 100644 --- a/docs/getting-started/threat-intel-integrations.asciidoc +++ b/docs/getting-started/threat-intel-integrations.asciidoc @@ -26,19 +26,7 @@ There are a few scenarios when data won't display in the Threat Intelligence vie + [TIP] ========================= -If you know the name of {agent} integration you want to install, you can search for it directly. You can use the following {agent} integrations with the Threat Intelligence view: - -* AbuseCH -* AlienVault OTX -* Anomali -* Cybersixgill -* Maltiverse -* MISP -* Mimecast -* Recorded Future -* ThreatQuotient - - +If you know the name of {agent} integration you want to install, you can search for it directly. Alternatively, choose the **Threat Intelligence** category to display a list of available {integrations-docs}/threat-intelligence-intro[threat intelligence {integrations}]. ========================= . Select an {agent} integration, then complete the installation steps. . Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn't displaying, refresh the page or refer to these <>. diff --git a/docs/management/admin/images/trusted-apps-list.png b/docs/management/admin/images/trusted-apps-list.png index d7e9c90bb0..828f6e85ea 100644 Binary files a/docs/management/admin/images/trusted-apps-list.png and b/docs/management/admin/images/trusted-apps-list.png differ diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index 8509df5816..7ede416432 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> diff --git a/docs/release-notes/8.14.asciidoc b/docs/release-notes/8.14.asciidoc index a68effdeea..7f6d8ad971 100644 --- a/docs/release-notes/8.14.asciidoc +++ b/docs/release-notes/8.14.asciidoc 
@@ -1,6 +1,20 @@ [[release-notes-header-8.14.0]] == 8.14 +[discrete] +[[release-notes-8.14.1]] +=== 8.14.1 + +[discrete] +[[bug-fixes-8.14.1]] +==== Bug fixes + +* Fixes a bug that caused the Osquery flyout to appear behind Timeline ({kibana-pull}184951[#184951]). +* Fixes a bug that prevented dates from being displayed properly in Timeline if the {kib} space used a custom date and time format ({kibana-pull}184799[#184799]). +* Fixes a bug that didn't allow you to use leading wildcards in queries when filtering data in the Summary and Treemap charts on the Alerts page ({kibana-pull}182875[#182875]). +* Fixes a text formatting issue in the visual analyzer's left panel, where you can find event details ({kibana-pull}xc[#183453]). +* Fixes a bug that that incorrectly led you to Timeline's **Query** tab if you opened the detailed visual analyzer view from the alert details flyout. Now, you're correctly navigated to Timeline's **Analyzer** tab ({kibana-pull}182749[#182749]). + [discrete] [[release-notes-8.14.0]] === 8.14.0 diff --git a/docs/serverless/advanced-entity-analytics/advanced-behavioral-detections.mdx b/docs/serverless/advanced-entity-analytics/advanced-behavioral-detections.mdx index 247327ad71..42741b16a2 100644 --- a/docs/serverless/advanced-entity-analytics/advanced-behavioral-detections.mdx +++ b/docs/serverless/advanced-entity-analytics/advanced-behavioral-detections.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityAdvancedBehavioralDetections slug: /serverless/security/advanced-behavioral-detections title: Advanced behavioral detections description: Learn about advanced behavioral detections and its capabilities. @@ -13,5 +12,5 @@ Elastic's ((ml)) capabilities and advanced correlation, scoring, and visualizati Advanced behavioral detections includes two key capabilities: -* Anomaly detection -* +* Anomaly detection +* 
diff --git a/docs/serverless/advanced-entity-analytics/advanced-entity-analytics-overview.mdx b/docs/serverless/advanced-entity-analytics/advanced-entity-analytics-overview.mdx index 19bff4ee5d..1866f91f18 100644 --- a/docs/serverless/advanced-entity-analytics/advanced-entity-analytics-overview.mdx +++ b/docs/serverless/advanced-entity-analytics/advanced-entity-analytics-overview.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityAdvancedEntityAnalytics slug: /serverless/security/advanced-entity-analytics title: Advanced Entity Analytics description: Learn about Advanced Entity Analytics and its capabilities. @@ -13,5 +12,5 @@ Advanced Entity Analytics generates a set of threat detection and risk analytics Advanced Entity Analytics provides two key capabilities: -* -* +* +* diff --git a/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.mdx b/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.mdx index 7984542aa4..30a28bfdd6 100644 --- a/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.mdx +++ b/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityAnalyzeRiskScoreData slug: /serverless/security/analyze-risk-score-data title: View and analyze risk score data description: Monitor risk score changes of hosts and users in your environment. 
@@ -11,16 +10,16 @@ status: in review The ((security-app)) provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the ((security-app)) to view and analyze risk score data: -* Entity Analytics dashboard -* Alerts page -* Alert details flyout -* Hosts and Users pages -* Host and user details pages -* Host and user details flyouts +* Entity Analytics dashboard +* Alerts page +* Alert details flyout +* Hosts and Users pages +* Host and user details pages +* Host and user details flyouts -We recommend that you prioritize alert triaging to identify anomalies or abnormal behavior patterns. +We recommend that you prioritize alert triaging to identify anomalies or abnormal behavior patterns. ## Entity Analytics dashboard @@ -46,7 +45,7 @@ To display entity risk score and asset criticality data in the Alerts table, sel * `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm` * `user.asset.criticality` or `host.asset.criticality` -Learn more about customizing the Alerts table. +Learn more about customizing the Alerts table. ![Risk scores in the Alerts table](../images/analyze-risk-score-data/alerts-table-rs.png) @@ -58,7 +57,7 @@ To analyze alerts associated with high-risk or business-critical entities, you c If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level. -* Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, edit the default controls to filter by: +* Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, edit the default controls to filter by: * `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level: 
diff --git a/docs/serverless/advanced-entity-analytics/asset-criticality.mdx b/docs/serverless/advanced-entity-analytics/asset-criticality.mdx index 1d831a73c7..a8e6a8d966 100644 --- a/docs/serverless/advanced-entity-analytics/asset-criticality.mdx +++ b/docs/serverless/advanced-entity-analytics/asset-criticality.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityAssetCriticality slug: /serverless/security/asset-criticality title: Asset criticality description: Learn how to use asset criticality to improve your security operations. @@ -12,9 +11,9 @@ status: in review To view and assign asset criticality, you must: * Have the appropriate user role. -* Turn on the `securitySolution:enableAssetCriticality` advanced setting. +* Turn on the `securitySolution:enableAssetCriticality` advanced setting. -For more information, refer to Entity risk scoring prerequisites. +For more information, refer to Entity risk scoring prerequisites. The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. @@ -30,7 +29,7 @@ For example, you can assign **Extreme impact** to business-critical entities, or ## View and assign asset criticality -Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or bulk assign it to multiple entities by importing a text file. +Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or bulk assign it to multiple entities by importing a text file. When you assign, change, or unassign an individual entity's asset criticality level, that entity's risk score is immediately recalculated. 
@@ -40,15 +39,15 @@ If you assign asset criticality using the file import feature, risk scores are * You can view, assign, change, or unassign asset criticality from the following places in the ((elastic-sec)) app: -* The host details page and user details page: +* The host details page and user details page: ![Assign asset criticality from the host details page](../images/asset-criticality/-assign-asset-criticality-host-details.png) -* The host details flyout and user details flyout: +* The host details flyout and user details flyout: ![Assign asset criticality from the host details flyout](../images/asset-criticality/-assign-asset-criticality-host-flyout.png) -* The host details flyout and user details flyout in Timeline: +* The host details flyout and user details flyout in Timeline: ![Assign asset criticality from the host details flyout in Timeline](../images/asset-criticality/-assign-asset-criticality-timeline.png) 
@@ -92,22 +91,22 @@ This process overwrites any previously assigned asset criticality levels for the
 With asset criticality, you can improve your security operations by:
-* Prioritizing open alerts
-* Monitoring an entity's risk
+* Prioritizing open alerts
+* Monitoring an entity's risk
 ### Prioritize open alerts
 You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities.
-Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to prioritize alerts associated with business-critical entities.
+Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to prioritize alerts associated with business-critical entities.
 ### Monitor an entity's risk
-The risk scoring engine dynamically factors in an entity's asset criticality, along with `Open` and `Acknowledged` detection alerts to calculate the entity's overall risk score. This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats.
+The risk scoring engine dynamically factors in an entity's asset criticality, along with `Open` and `Acknowledged` detection alerts to calculate the entity's overall risk score. This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats.
 To view the impact of asset criticality on an entity's risk score, follow these steps:
-1. Open the host details flyout or user details flyout. The risk summary section shows asset criticality's contribution to the overall risk score.
+1. Open the host details flyout or user details flyout. The risk summary section shows asset criticality's contribution to the overall risk score.
 1.
Click **View risk contributions** to open the flyout's left panel.
 1. In the **Risk contributions** section, verify the entity's criticality level from the time the alert was generated.
diff --git a/docs/serverless/advanced-entity-analytics/behavioral-detection-use-cases.mdx b/docs/serverless/advanced-entity-analytics/behavioral-detection-use-cases.mdx
index 9b3e1a57f3..8ed886a669 100644
--- a/docs/serverless/advanced-entity-analytics/behavioral-detection-use-cases.mdx
+++ b/docs/serverless/advanced-entity-analytics/behavioral-detection-use-cases.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityBehavioralDetectionUseCases
 slug: /serverless/security/behavioral-detection-use-cases
 title: Behavioral detection use cases
 description: Detect internal and external threats using behavioral detection integrations.
@@ -18,8 +17,8 @@ The behavioral detection feature is built on ((elastic-sec))'s foundational SIEM
 Behavioral detection integrations provide a convenient way to enable behavioral detection capabilities. They streamline the deployment of components that implement behavioral detection, such as data ingestion, transforms, rules, ((ml)) jobs, and scripts.
-* Behavioral detection integrations require the Security Analytics Complete project feature.
-* To learn more about the requirements for using ((ml)) jobs, refer to .
+* Behavioral detection integrations require the Security Analytics Complete project feature.
+* To learn more about the requirements for using ((ml)) jobs, refer to .
 Here's a list of integrations for various behavioral detection use cases:
diff --git a/docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx b/docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx
index 3f35aa2b01..afac426c31 100644
--- a/docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx
+++ b/docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx
@@ -1,5 +1,4 @@ --- -id: serverlessSecurityEntityRiskScoring slug: /serverless/security/entity-risk-scoring title: Entity risk scoring description: Learn about the risk scoring engine and its features. @@ -30,11 +29,11 @@ Entity risk scores are determined by the following risk inputs: } ]}> - Alerts + Alerts `.alerts-security.alerts-` index alias - Asset criticality level + Asset criticality level `.asset-criticality.asset-criticality-` index alias @@ -44,7 +43,7 @@ The resulting entity risk scores are stored in the `risk-score.risk-score- * Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score. -* To use asset criticality, you must enable the `securitySolution:enableAssetCriticality` advanced setting. +* To use asset criticality, you must enable the `securitySolution:enableAssetCriticality` advanced setting. 
@@ -52,9 +51,9 @@ The resulting entity risk scores are stored in the `risk-score.risk-score-risk summary. +1. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's risk summary. -1. The engine then verifies the entity's asset criticality level. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary. +1. The engine then verifies the entity's asset criticality level. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary. | Asset criticality level | Default risk weight | |-------------------------|---------------------| @@ -113,4 +112,4 @@ If `User_A` had no asset criticality level assigned, the user risk score would r -Learn how to turn on the risk scoring engine. +Learn how to turn on the risk scoring engine. diff --git a/docs/serverless/advanced-entity-analytics/machine-learning.mdx b/docs/serverless/advanced-entity-analytics/machine-learning.mdx index e7ea222bc0..f78ecb703d 100644 --- a/docs/serverless/advanced-entity-analytics/machine-learning.mdx +++ b/docs/serverless/advanced-entity-analytics/machine-learning.mdx 
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityMachineLearning
 slug: /serverless/security/machine-learning
 title: Detect anomalies
 description: Use the power of machine learning to detect outliers and suspicious events.
@@ -11,7 +10,7 @@ status: in review
[((ml-cap))](((ml-docs))/ml-ad-overview.html) functionality is available when -you have the appropriate role. Refer to Machine learning job and rule requirements for more information. +you have the appropriate role. Refer to Machine learning job and rule requirements for more information. You can view the details of detected anomalies within the `Anomalies` table widget shown on the Hosts, Network, and associated details pages, or even narrow @@ -33,7 +32,7 @@ If you have the `machine_learning_admin` role, you can use the **ML job settings You can also check the status of ((ml)) detection rules, and start or stop their associated ((ml)) jobs: -* On the **Rules** page, the **Last response** column displays the rule's current status. An indicator icon () also appears if a required ((ml)) job isn't running. Click the icon to list the affected jobs, then click **Visit rule details page to investigate** to open the rule's details page. +* On the **Rules** page, the **Last response** column displays the rule's current status. An indicator icon () also appears if a required ((ml)) job isn't running. Click the icon to list the affected jobs, then click **Visit rule details page to investigate** to open the rule's details page. ![Rules table ((ml)) job error](../images/machine-learning/-detections-machine-learning-rules-table-ml-job-error.png) @@ -50,7 +49,7 @@ host and network anomalies. The jobs are displayed in the `Anomaly Detection` interface. They are available when either: * You ship data using [Beats](https://www.elastic.co/products/beats) or the - ((agent)), and ((kib)) is configured with the required index + ((agent)), and ((kib)) is configured with the required index patterns (such as `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*` in **Project settings** → **Management** → **Index Management**). 
@@ -61,12 +60,12 @@ Or Or -* You install one or more of the Advanced Analytics integrations. +* You install one or more of the Advanced Analytics integrations. -Prebuilt job reference describes all available ((ml)) jobs and lists which ECS +Prebuilt job reference describes all available ((ml)) jobs and lists which ECS fields are required on your hosts when you are not using ((beats)) or the ((agent)) to ship your data. For information on tuning anomaly results to reduce the -number of false positives, see Optimizing anomaly results. +number of false positives, see Optimizing anomaly results. Machine learning jobs look back and analyze two weeks of historical data diff --git a/docs/serverless/advanced-entity-analytics/prebuilt-ml-jobs.mdx b/docs/serverless/advanced-entity-analytics/prebuilt-ml-jobs.mdx index 02c69f99ae..a67a6ae8f0 100644 --- a/docs/serverless/advanced-entity-analytics/prebuilt-ml-jobs.mdx +++ b/docs/serverless/advanced-entity-analytics/prebuilt-ml-jobs.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityPrebuiltMlJobs slug: /serverless/security/prebuilt-ml-jobs title: Prebuilt ML job reference # description: Description to be written diff --git a/docs/serverless/advanced-entity-analytics/tuning-anomaly-results.mdx b/docs/serverless/advanced-entity-analytics/tuning-anomaly-results.mdx index b0f15837a9..511876c4f8 100644 --- a/docs/serverless/advanced-entity-analytics/tuning-anomaly-results.mdx +++ b/docs/serverless/advanced-entity-analytics/tuning-anomaly-results.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityTuningAnomalyResults slug: /serverless/security/tuning-anomaly-results title: Optimizing anomaly results description: Learn how to fine-tune and filter anomaly results. 
@@ -12,8 +11,8 @@ status: in review To gain clearer insights into real threats, you can tune the anomaly results. The following procedures help to reduce the number of false positives: -* Tune results for rare applications and processes -* Define an anomaly threshold for a job +* Tune results for rare applications and processes +* Define an anomaly threshold for a job
@@ -25,9 +24,9 @@ you can filter out the unwanted results.
 For example, to filter out results from a housekeeping process, named
 `maintenanceservice.exe`, that only executes occasionally you need to:
-1. Create a filter list
-1. Add the filter to the relevant job
-1. Clone and rerun the job (optional)
+1. Create a filter list
+1. Add the filter to the relevant job
+1. Clone and rerun the job (optional)
@@ -70,7 +69,7 @@ For example, to filter out results from a housekeeping process, named
 example).
 1. The _IS IN_ statement.
- 1. The filter you created as part of the Create a filter list procedure.
+ 1. The filter you created as part of the Create a filter list procedure.
 For more information, see
diff --git a/docs/serverless/advanced-entity-analytics/turn-on-risk-engine.mdx b/docs/serverless/advanced-entity-analytics/turn-on-risk-engine.mdx
index 18ef53a629..a0c4751a33 100644
--- a/docs/serverless/advanced-entity-analytics/turn-on-risk-engine.mdx
+++ b/docs/serverless/advanced-entity-analytics/turn-on-risk-engine.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityTurnOnRiskEngine
 slug: /serverless/security/turn-on-risk-engine
 title: Turn on the risk scoring engine
 description: Start generating host and user risk scores.
@@ -10,7 +9,7 @@ status: in review
-To use entity risk scoring, you must have the appropriate user role. For more information, refer to .
+To use entity risk scoring, you must have the appropriate user role. For more information, refer to .
 ## Preview risky entities
diff --git a/docs/serverless/alerts/alert-schema.mdx b/docs/serverless/alerts/alert-schema.mdx
index 8d9ea60da2..fb407cbf92 100644
--- a/docs/serverless/alerts/alert-schema.mdx
+++ b/docs/serverless/alerts/alert-schema.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityAlertSchema
 slug: /serverless/security/alert-schema
 title: Alert schema
 description: The alert schema describes all the fields present in alert events.
@@ -412,7 +411,7 @@ The non-ECS fields listed below are beta and subject to change.
 `kibana.alert.rule.author`
- The value of the `author` who created the rule. Refer to configure advanced rule settings.
+ The value of the `author` who created the rule. Refer to configure advanced rule settings.
 Type: keyword
@@ -421,7 +420,7 @@ The non-ECS fields listed below are beta and subject to change.
 `kibana.alert.building_block_type`
- The value of `building_block_type` from the rule that generated this alert. Refer to configure advanced rule settings.
+ The value of `building_block_type` from the rule that generated this alert. Refer to configure advanced rule settings.
 Type: keyword
diff --git a/docs/serverless/alerts/alert-suppression.mdx b/docs/serverless/alerts/alert-suppression.mdx
index ec9b5b3354..1a9d1dd6c3 100644
--- a/docs/serverless/alerts/alert-suppression.mdx
+++ b/docs/serverless/alerts/alert-suppression.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityAlertSuppression
 slug: /serverless/security/alert-suppression
 title: Suppress detection alerts
 description: Reduce noise from rules that create repeated or duplicate alerts.
@@ -16,11 +15,11 @@ Alert suppression is in technical preview for threshold, indicator match, event
 Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types:
-*
-*
-*
-* (non-sequence queries only)
-*
+*
+*
+*
+* (non-sequence queries only)
+*
 Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule's criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group. Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values.
@@ -32,7 +31,7 @@ Alert suppression is not available for Elastic prebuilt rules. However, if you w
 ## Configure alert suppression
-You can configure alert suppression when you create or edit a supported rule type. Refer to documentation for creating , , , , or rules for detailed instructions.
+You can configure alert suppression when you create or edit a supported rule type. Refer to documentation for creating , , , , or rules for detailed instructions.
 1. When configuring the rule type (the **Define rule** step for a new rule, or the **Definition** tab for an existing rule), specify how you want to group events for alert suppression:
@@ -76,7 +75,7 @@ You can configure alert suppression when you create or edit a supported rule typ
 * Use the **Rule preview** before saving the rule to visualize how alert suppression will affect the alerts created, based on historical data.
-* If a rule times out while suppression is turned on, try shortening the rule's time or turn off suppression to improve the rule's performance.
+* If a rule times out while suppression is turned on, try shortening the rule's time or turn off suppression to improve the rule's performance.
 ## Confirm suppressed alerts
@@ -113,5 +112,5 @@ With alert suppression, detection alerts aren't created for the grouped source e
 Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit):
-* **Threshold and event correlation (non-sequence queries only)** - The maximum number is the value you choose for the rule's **Max alerts per run** advanced setting, which is `100` by default.
-* **Indicator match and new terms** - The maximum number is five times the value you choose for the the rule's **Max alerts per run** advanced setting. The default value is `100`, which means the default maximum limit for indicator match rules and new terms rules is `500`.
\ No newline at end of file
+* **Threshold and event correlation (non-sequence queries only)** - The maximum number is the value you choose for the rule's **Max alerts per run** advanced setting, which is `100` by default.
+* **Indicator match and new terms** - The maximum number is five times the value you choose for the the rule's **Max alerts per run** advanced setting. The default value is `100`, which means the default maximum limit for indicator match rules and new terms rules is `500`.
\ No newline at end of file
diff --git a/docs/serverless/alerts/alerts-ui-manage.mdx b/docs/serverless/alerts/alerts-ui-manage.mdx
index 633c6a1b67..f398a48750 100644
--- a/docs/serverless/alerts/alerts-ui-manage.mdx
+++ b/docs/serverless/alerts/alerts-ui-manage.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityAlertsUiManage
 slug: /serverless/security/alerts-manage
 title: Manage detection alerts
 description: Filter alerts, view trends, and start investigating and analyzing detections on the Alerts page.
@@ -19,27 +18,27 @@ The Alerts page displays all detection alerts.
 ## View and filter detection alerts
 The Alerts page offers various ways for you to organize and triage detection alerts as you investigate suspicious events. You can:
-* View an alert's details. Click the **View details** button from the Alerts table to open the alert details flyout. Learn more at View detection alert details.
+* View an alert's details. Click the **View details** button from the Alerts table to open the alert details flyout. Learn more at View detection alert details.
 * View the rule that created an alert. Click a name in the **Rule** column to open the rule's details page.
-* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the host details flyout, or a user name to open the user details flyout.
+* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the host details flyout, or a user name to open the user details flyout.
 * Filter for a specific rule in the KQL bar (for example, `kibana.alert.rule.name :"SSH (Secure Shell) from the Internet"`). KQL autocomplete is available for `.alerts-security.alerts-*` indices.
 * Use the date and time filter to define a specific time range. By default, this filter is set to search the last 24 hours.
-* Use the drop-down filter controls to filter alerts by up to four fields. By default, you can filter alerts by **Status**, **Severity**, **User**, and **Host**, and you can edit the controls to use other fields.
+* Use the drop-down filter controls to filter alerts by up to four fields. By default, you can filter alerts by **Status**, **Severity**, **User**, and **Host**, and you can edit the controls to use other fields.
-* Visualize and group alerts by specific fields in the visualization section.
Use the buttons on the left to select a view type (**Summary**, **Trend**, **Counts**, or **Treemap**), and use the menus on the right to select the ECS fields used for grouping alerts. Refer to Visualize detection alerts for more on each view type.
+* Visualize and group alerts by specific fields in the visualization section. Use the buttons on the left to select a view type (**Summary**, **Trend**, **Counts**, or **Treemap**), and use the menus on the right to select the ECS fields used for grouping alerts. Refer to Visualize detection alerts for more on each view type.
-* Hover over a value to display available inline actions, such as **Filter In**, **Filter Out**, and **Add to timeline**. Click the expand icon for more options, including **Show top _x_** and **Copy to Clipboard**. The available options vary based on the type of data.
+* Hover over a value to display available inline actions, such as **Filter In**, **Filter Out**, and **Add to timeline**. Click the expand icon for more options, including **Show top _x_** and **Copy to Clipboard**. The available options vary based on the type of data.
-* Filter alert results to include building block alerts or to only show alerts from indicator match rules by selecting the **Additional filters** drop-down. By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts.
+* Filter alert results to include building block alerts or to only show alerts from indicator match rules by selecting the **Additional filters** drop-down. By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts.
 ![Alerts table with Additional filters menu highlighted](../images/alerts-ui-manage/-detections-additional-filters.png)
@@ -102,7 +101,7 @@ Each group displays information such as the alerts' severity and how many users,
 To interact with grouped alerts:
-* Select the **Take actions** menu to perform a bulk action on all alerts in a group, such as changing their status.
+* Select the **Take actions** menu to perform a bulk action on all alerts in a group, such as changing their status.
 * Click a group's name or the expand icon () to display alerts within that group. You can filter and customize this view like any other alerts table.
@@ -115,7 +114,7 @@ Use the toolbar buttons in the upper-left of the Alerts table to customize the c
 * **Columns**: Reorder the columns.
 * **_x_ fields sorted**: Sort the table by one or more columns.
-* **Fields**: Select the fields to display in the table. You can also add runtime fields to detection alerts and display them in the Alerts table.
+* **Fields**: Select the fields to display in the table. You can also add runtime fields to detection alerts and display them in the Alerts table.
 Click the **Full screen** button in the upper-right to view the table in full-screen mode.
@@ -137,18 +136,18 @@ When using grid view, you can view alert-rendered reason statements and event re
 ## Take actions on an alert
 From the Alerts table or the alert details flyout, you can:
-* Add detection alerts to cases
-* Change an alert's status
-* Add a rule exception from an alert
-* Apply and filter alert tags
-* Assign users to alerts
-* Filter assigned alerts
-* Add an endpoint exception from an alert
-* Isolate an alert's host
-* Perform response actions on an alert's host (Alert details flyout only)
-* Run Osquery against an alert
-* View alerts in Timeline
-* Visually analyze an alert's process relationships
+* Add detection alerts to cases
+* Change an alert's status
+* Add a rule exception from an alert
+* Apply and filter alert tags
+* Assign users to alerts
+* Filter assigned alerts
+* Add an endpoint exception from an alert
+* Isolate an alert's host
+* Perform response actions on an alert's host (Alert details flyout only)
+* Run Osquery against an alert
+* View alerts in Timeline
+* Visually analyze an alert's process relationships
@@ -166,7 +165,7 @@ To change an alert's status, do one of the following:
-* To bulk-change the status of grouped alerts, select the **Take actions** menu for the group, then select a status.
+* To bulk-change the status of grouped alerts, select the **Take actions** menu for the group, then select a status.
 * In an alert's details flyout, click **Take action** and select a status.
@@ -174,10 +173,10 @@ To change an alert's status, do one of the following:
 ### Apply and filter alert tags
-Use alert tags to organize related alerts into categories that you can filter and group. For example, use the `False Positive` alert tag to label a group of alerts as false positives. Then, search for them by entering the `kibana.alert.workflow_tags : "False Positive"` query into the KQL bar. Alternatively, use the Alert table's drop-down filters to filter for tagged alerts.
+Use alert tags to organize related alerts into categories that you can filter and group. For example, use the `False Positive` alert tag to label a group of alerts as false positives. Then, search for them by entering the `kibana.alert.workflow_tags : "False Positive"` query into the KQL bar. Alternatively, use the Alert table's drop-down filters to filter for tagged alerts.
-You can manage alert tag options by updating the `securitySolution:alertTags` advanced setting. Refer to Manage alert tag options for more information.
+You can manage alert tag options by updating the `securitySolution:alertTags` advanced setting. Refer to Manage alert tag options for more information.
@@ -200,7 +199,7 @@ To apply or remove alert tags on multiple alerts, select the alerts you want to
 Assign users to alerts that you want them to investigate, and manage alert assignees throughout an alert's lifecycle.
-All Security roles, except for the Viewer role, can assign and unassign users to alerts.
+All Security roles, except for the Viewer role, can assign and unassign users to alerts.
@@ -287,7 +286,7 @@ To add an exception, click the **More actions** menu (**...**) in the Alerts tab **Add exception**. Alternatively, select **Take action** → **Add rule exception** in the alert details flyout. For information about exceptions and how to use them, refer to -Add and manage exceptions. +Add and manage exceptions.
@@ -303,7 +302,7 @@ For information about exceptions and how to use them, refer to When you send an alert generated by a -threshold rule to Timeline, all matching events are +threshold rule to Timeline, all matching events are listed in the Timeline, even ones that did not reach the threshold value. For example, if you have an alert generated by a threshold rule that detects 10 failed login attempts, when you send that alert to Timeline, all failed login @@ -321,7 +320,7 @@ alerts's `host.name` value is `Windows-ArsenalFC`, the Timeline dropzone query is `host.name: "Windows-ArsenalFC"`. -Refer to Investigate events in Timeline for information on creating Timelines and Timeline -templates. For information on how to add Timeline templates to rules, refer to . +Refer to Investigate events in Timeline for information on creating Timelines and Timeline +templates. For information on how to add Timeline templates to rules, refer to . diff --git a/docs/serverless/alerts/query-alert-indices.mdx b/docs/serverless/alerts/query-alert-indices.mdx index 191dd1a8f5..227bfc06cc 100644 --- a/docs/serverless/alerts/query-alert-indices.mdx +++ b/docs/serverless/alerts/query-alert-indices.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityQueryAlertIndices slug: /serverless/security/query-alert-indices title: Query alert indices description: Index patterns for querying alert data. @@ -10,7 +9,7 @@ status: in review
-This page explains how you should query alert indices, for example, when building rule queries, custom dashboards, or visualizations. For more information about alert event field definitions, review the Alert schema.
+This page explains how you should query alert indices, for example, when building rule queries, custom dashboards, or visualizations. For more information about alert event field definitions, review the Alert schema.
 ## Alert index aliases
 We recommend querying the `.alerts-security.alerts-` index alias. You should not include a dash or wildcard after the space ID. To query all spaces, use the following syntax: `.alerts-security.alerts-*`.
diff --git a/docs/serverless/alerts/reduce-notifications-alerts.mdx b/docs/serverless/alerts/reduce-notifications-alerts.mdx
index b76189083b..d4fcb3c3b4 100644
--- a/docs/serverless/alerts/reduce-notifications-alerts.mdx
+++ b/docs/serverless/alerts/reduce-notifications-alerts.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityReduceNotificationsAlerts
 slug: /serverless/security/reduce-notifications-alerts
 title: Reduce notifications and alerts
 description: A comparison of alert-reduction features.
@@ -24,13 +23,13 @@ status: in review
 ]}>
- Rule action snoozing
+ Rule action snoozing
 **_Stops a specific rule's notification actions from running_**.
- Use to avoid unnecessary notifications from a specific rule. The rule continues to run and generate alerts during the snooze period, but its notification actions don't run.
+ Use to avoid unnecessary notifications from a specific rule. The rule continues to run and generate alerts during the snooze period, but its notification actions don't run.
@@ -43,12 +42,12 @@ status: in review
 **_Prevents all rules' notification actions from running_**.
- Use to avoid false alarms and unnecessary notifications during planned outages. All rules continue to run and generate alerts during the maintenance window, but their notification actions don't run.
+ Use to avoid false alarms and unnecessary notifications during planned outages. All rules continue to run and generate alerts during the maintenance window, but their notification actions don't run.
- Alert suppression
+ Alert suppression
@@ -61,7 +60,7 @@ status: in review
- Rule exception
+ Rule exception
diff --git a/docs/serverless/alerts/signals-to-cases.mdx b/docs/serverless/alerts/signals-to-cases.mdx
index 2d24eea316..589b3cc780 100644
--- a/docs/serverless/alerts/signals-to-cases.mdx
+++ b/docs/serverless/alerts/signals-to-cases.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecuritySignalsToCases
 slug: /serverless/security/signals-to-cases
 title: Add detection alerts to cases
 description: Add alerts to new or existing cases in ((elastic-sec)).
@@ -10,7 +9,7 @@ status: in review
-From the Alerts table, you can attach one or more alerts to a new case or an existing one. Alerts from any rule type can be added to a case. +From the Alerts table, you can attach one or more alerts to a new case or an existing one. Alerts from any rule type can be added to a case. - After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the [((elastic-sec)) Cases API](((security-guide))/cases-api-overview.html). @@ -36,7 +35,7 @@ To add alerts to a new case: 1. Optionally, add a category, assignees and relevant tags. You can add users only if they - meet the necessary prerequisites. + meet the necessary prerequisites. 1. Specify whether you want to sync the status of associated alerts. It is enabled by default; however, you can toggle this setting on or off at any time. If it remains enabled, the alert's status updates whenever the case's status is modified. 1. Select a connector. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`. diff --git a/docs/serverless/alerts/view-alert-details.mdx b/docs/serverless/alerts/view-alert-details.mdx index 321703920f..b4aea26b8c 100644 --- a/docs/serverless/alerts/view-alert-details.mdx +++ b/docs/serverless/alerts/view-alert-details.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityViewAlertDetails slug: /serverless/security/view-alert-details title: View detection alert details description: Expand an alert to view detailed alert data. 
@@ -26,15 +25,15 @@ The alert details flyout has a right panel, a preview panel, and a left panel. E ### Right panel -The right panel provides an overview of the alert. Expand any of the collapsed sections to learn more about the alert. You can also hover over fields on the **Overview** and **Table** tabs to display available inline actions. +The right panel provides an overview of the alert. Expand any of the collapsed sections to learn more about the alert. You can also hover over fields on the **Overview** and **Table** tabs to display available inline actions. From the right panel, you can also: -* Click **Expand details** to open the left panel, which shows more information about sections in the right panel. -* Click the **Chat** icon () to access the . +* Click **Expand details** to open the left panel, which shows more information about sections in the right panel. +* Click the **Chat** icon () to access the . * Click the **Share alert** icon () to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page. @@ -58,7 +57,7 @@ From the right panel, you can also: ### Preview panel -The preview panel shows more information about the rule associated with the alert and the reason the alert was generated. This panel overlays the right panel when you click **Show rule details** or **Show full reason** in the About section. To close the preview panel, click **x**. +The preview panel shows more information about the rule associated with the alert and the reason the alert was generated. This panel overlays the right panel when you click **Show rule details** or **Show full reason** in the About section. To close the preview panel, click **x**. ![Preview panel of the alert details flyout](../images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif) 
@@ -86,9 +85,9 @@ The About section is located on the **Overview** tab in the right panel. It prov The About section has the following information:
-* **Rule description**: Describes the rule's purpose or detection goals. Click **Show rule summary** to display more details about the rule within the preview panel. From the preview panel, click **Show rule details** to view the rule's details page.
+* **Rule description**: Describes the rule's purpose or detection goals. Click **Show rule summary** to display more details about the rule within the preview panel. From the preview panel, click **Show rule details** to view the rule's details page.
-* **Alert reason**: Describes the source event that generated the alert. Event details are displayed in plain text and ordered logically to provide context for the alert. Click **Show full reason** to display the alert reason in the event rendered format within the preview panel.
+* **Alert reason**: Describes the source event that generated the alert. Event details are displayed in plain text and ordered logically to provide context for the alert. Click **Show full reason** to display the alert reason in the event rendered format within the preview panel. The event renderer only displays if an event renderer exists for the alert type. Fields are interactive; hover over them to access the available actions. 
@@ -110,7 +109,7 @@ The Investigation section provides the following information: * **Investigation guide**: The **Show investigation guide** button displays if the rule associated with the alert has an investigation guide. Click the button to open the expanded Investigation view in the left panel.
- Add an investigation guide to a rule when creating a new custom rule or modifying an existing custom rule's settings.
+ Add an investigation guide to a rule when creating a new custom rule or modifying an existing custom rule's settings. * **Highlighted fields**: Shows relevant fields for the alert and any custom highlighted fields you added to the rule.
@@ -126,15 +125,15 @@ The Visualizations section is located on the **Overview** tab in the right panel Click **Visualizations** to display the following previews:
-* **Session view preview**: Shows a preview of session view data. Click **Session viewer preview** to open the **Session View** tab in Timeline.
+* **Session view preview**: Shows a preview of session view data. Click **Session viewer preview** to open the **Session View** tab in Timeline.
-* **Analyzer preview**: Shows a preview of the visual analyzer graph. The preview displays up to three levels of the analyzed event's ancestors and up to three levels of the event's descendants and children. The ellipses symbol (**`...`**) indicates the event has more ancestors and descendants to examine. Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline.
+* **Analyzer preview**: Shows a preview of the visual analyzer graph. The preview displays up to three levels of the analyzed event's ancestors and up to three levels of the event's descendants and children. The ellipses symbol (**`...`**) indicates the event has more ancestors and descendants to examine. Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline.
## Insights
-The Insights section is located on the **Overview** tab in the right panel. It offers different perspectives from which you can assess the alert. Click **Insights** to display overviews for related entities, threat intelligence, correlated data, and host and user prevalence.
+The Insights section is located on the **Overview** tab in the right panel. It offers different perspectives from which you can assess the alert. Click **Insights** to display overviews for related entities, threat intelligence, correlated data, and host and user prevalence.
@@ -142,7 +141,7 @@ The Insights section is located on the **Overview** tab in the right panel. It o ### Entities
-The Entities overview provides high-level details about the user and host that are related to the alert. Host and user risk classifications are also available if you have the Security Analytics Complete .
+The Entities overview provides high-level details about the user and host that are related to the alert. Host and user risk classifications are also available if you have the Security Analytics Complete .
@@ -150,7 +149,7 @@ The Entities overview provides high-level details about the user and host that a #### Expanded entities view
-From the right panel, click **Entities** to open a detailed view of the host and user associated with the alert. The expanded view also includes risk scores and classifications (if you have the Security Analytics Complete ) and activity on related hosts and users.
+From the right panel, click **Entities** to open a detailed view of the host and user associated with the alert. The expanded view also includes risk scores and classifications (if you have the Security Analytics Complete ) and activity on related hosts and users. ![Expanded view of entity details](../images/view-alert-details/-detections-expanded-entities-view.png) 
@@ -164,7 +163,7 @@ The Threat intelligence overview shows matched indicators, which provide threat The Threat intelligence overview provides the following information:
-* **Threat match detected**: Only available when examining an alert generated from an indicator match rule. Shows the number of matched indicators that are present in the alert document. Shows zero if there are no matched indicators or you're examining an alert generated by another type of rule.
+* **Threat match detected**: Only available when examining an alert generated from an indicator match rule. Shows the number of matched indicators that are present in the alert document. Shows zero if there are no matched indicators or you're examining an alert generated by another type of rule. * **Fields enriched with threat intelligence**: Shows the number of matched indicators that are present on an alert that _wasn't_ generated from an indicator match rule. If none exist, the total number of matched indicators is zero.
@@ -175,7 +174,7 @@ The Threat intelligence overview provides the following information: From the right panel, click **Threat intelligence** to open the expanded Threat intelligence view within the left panel.
-The expanded threat intelligence view queries indices specified in the `securitySolution:defaultThreatIndex` advanced setting. Refer to Update default Elastic Security threat intelligence indices to learn more about threat intelligence indices.
+The expanded threat intelligence view queries indices specified in the `securitySolution:defaultThreatIndex` advanced setting. Refer to Update default Elastic Security threat intelligence indices to learn more about threat intelligence indices. ![Expanded view of threat intelligence on the alert](../images/view-alert-details/-detections-expanded-threat-intelligence-view.png) 
@@ -238,7 +237,7 @@ In the expanded view, corelation data is organized into several tables: * **Suppressed alerts**: Shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule. * **Related cases**: Shows cases to which the alert has been added. Click a case's name to open its details. * **Alerts related by source event**: Shows alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the **Investigate in timeline** button to examine related alerts in Timeline.
-* **Alerts related by session**: Shows alerts generated during the same session. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the **Collect session data** setting in your ((elastic-defend)) integration policy. Refer to Enable Session View data for more information.
+* **Alerts related by session**: Shows alerts generated during the same session. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the **Collect session data** setting in your ((elastic-defend)) integration policy. Refer to Enable Session View data for more information. * **Alerts related by ancestry**: Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click **Investigate in timeline**.
@@ -261,7 +260,7 @@ Update the date time picker for the table to show data from a different time ran The expanded Prevalence view provides the following details:
-* **Field**: Shows highlighted fields for the alert and any custom highlighted fields that were added to the alert's rule.
+* **Field**: Shows highlighted fields for the alert and any custom highlighted fields that were added to the alert's rule. * **Value**: Shows values for highlighted fields and any custom highlighted fields that were added to the alert's rule.
@@ -277,6 +276,6 @@ The expanded Prevalence view provides the following details: ## Response
-The **Response** section is located on the **Overview** tab in the right panel. It shows response actions that were added to the rule associated with the alert. Click **Response** to display the response action's results in the left panel.
+The **Response** section is located on the **Overview** tab in the right panel. It shows response actions that were added to the rule associated with the alert. Click **Response** to display the response action's results in the left panel.
diff --git a/docs/serverless/alerts/visual-event-analyzer.mdx b/docs/serverless/alerts/visual-event-analyzer.mdx
index 64cf3445a5..02a3b8d75b 100644
--- a/docs/serverless/alerts/visual-event-analyzer.mdx
+++ b/docs/serverless/alerts/visual-event-analyzer.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityVisualEventAnalyzer
 slug: /serverless/security/visual-event-analyzer
 title: Visual event analyzer
 description: Examine events and processes in a graphical timeline. 
@@ -13,7 +12,7 @@ status: in review ((elastic-sec)) allows any event detected by ((elastic-endpoint)) to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Examining events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations.
-If you're experiencing performance degradation, you can exclude cold and frozen tier data from analyzer queries.
+If you're experiencing performance degradation, you can exclude cold and frozen tier data from analyzer queries.
@@ -51,7 +50,7 @@ To find events that can be visually analyzed: ![](../images/visual-event-analyzer/-detections-analyze-event-timeline.png)
- You can also analyze events from Timelines.
+ You can also analyze events from Timelines.
diff --git a/docs/serverless/alerts/visualize-alerts.mdx b/docs/serverless/alerts/visualize-alerts.mdx
index c51b85c32a..c34968e816 100644
--- a/docs/serverless/alerts/visualize-alerts.mdx
+++ b/docs/serverless/alerts/visualize-alerts.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityVisualizeAlerts
 slug: /serverless/security/visualize-alerts
 title: Visualize detection alerts
 description: Display alert trends and distributions on the Alerts page.
diff --git a/docs/serverless/assets/asset-management.mdx b/docs/serverless/assets/asset-management.mdx
index 7d8ebefc31..c13c882a97 100644
--- a/docs/serverless/assets/asset-management.mdx
+++ b/docs/serverless/assets/asset-management.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityAssetManagement
 slug: /serverless/security/asset-management
 title: Asset management
 # description: Description to be written
@@ -12,5 +11,5 @@ The **Assets** page allows you to manage the following features: * [((fleet))](((fleet-guide))/manage-agents-in-fleet.html) * [((integrations))](((fleet-guide))/integrations.html)
-* Endpoint protection
-* Cloud security
+* Endpoint protection
+* Cloud security
diff --git a/docs/serverless/assistant/ai-assistant-alert-triage.mdx b/docs/serverless/assistant/ai-assistant-alert-triage.mdx
index e6ca8b50eb..d230314a38 100644
--- a/docs/serverless/assistant/ai-assistant-alert-triage.mdx
+++ b/docs/serverless/assistant/ai-assistant-alert-triage.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityAssistantAlertTriage
 slug: /serverless/security/triage-alerts-with-elastic-ai-assistant
 title: Triage alerts with Elastic AI Assistant
 description: Elastic AI Assistant can help you enhance and streamline your alert triage workflows. 
@@ -20,7 +19,7 @@ AI Assistant can help you interpret an alert and understand its context. When yo 1. Choose an alert to investigate, then click the **View details** button from the Alerts table. 2. On the details flyout, click **Chat** to launch AI Assistant. Data related to the selected alert is automatically added to the prompt.
-3. Click **Alert (from summary)** to view which alert fields will be shared with AI Assistant. (For more information about selecting which fields to send, and to learn about anonymizing your data, refer to AI Assistant.)
+3. Click **Alert (from summary)** to view which alert fields will be shared with AI Assistant. (For more information about selecting which fields to send, and to learn about anonymizing your data, refer to AI Assistant.) 4. (Optional) Click a quick prompt to use it as a starting point for your query, for example, **Alert summarization**. Customize the prompt and add detail to improve AI Assistant's response. Once you’ve submitted your query, the AI Assistant will process the information and provide a detailed response. Depending on your prompt and which alert data you included, its response can include a thorough analysis of the alert that highlights key elements such as the nature of the potential threat, potential impact, and suggested response actions. 6. (Optional) Ask follow-up questions, provide additional information for further analysis, and request clarification. The response is not a static report.
diff --git a/docs/serverless/assistant/ai-assistant.mdx b/docs/serverless/assistant/ai-assistant.mdx
index 4d463c935a..43a6e25b9e 100644
--- a/docs/serverless/assistant/ai-assistant.mdx
+++ b/docs/serverless/assistant/ai-assistant.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityAIAssistant
 slug: /serverless/security/ai-assistant
 title: Elastic AI Assistant
 description: Elastic AI Assistant is a generative AI open-code chat assistant. 
@@ -30,7 +29,7 @@ For example, refer to OpenAI's documentation on [rate limits](https://platform.o
-* This feature requires the Security Analytics Complete .
+* This feature requires the Security Analytics Complete . * You must have the appropriate user role to set up and use AI Assistant. {/* Placeholder statement until we know which specific roles are required. */}
@@ -48,7 +47,7 @@ Elastic does not store or examine prompts or results used by AI Assistant, or us Elastic does not control third-party tools, and assumes no responsibility or liability for their content, operation, or use, nor for any loss or damage that may arise from your using such tools. Please exercise caution when using AI tools with personal, sensitive, or confidential information. Any data you submit may be used by the provider for AI training or other purposes. There is no guarantee that the provider will keep any information you provide secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use.
-Elastic can automatically anonymize event data that you provide to AI Assistant as context. To learn more, refer to Configure AI Assistant.
+Elastic can automatically anonymize event data that you provide to AI Assistant as context. To learn more, refer to Configure AI Assistant.
@@ -57,7 +56,7 @@ Elastic can automatically anonymize event data that you provide to AI Assistant You must create a generative AI connector before you can use AI Assistant.
-For more information about setting up generative AI connectors, refer to , , or .
+For more information about setting up generative AI connectors, refer to , , or .
@@ -71,10 +70,10 @@ This opens the **Welcome** chat interface, where you can ask general questions a You can also chat with AI Assistant from several particular pages in ((elastic-sec)) where you can easily send context-specific data and prompts to AI Assistant.
-* Alert details or Event details flyout: Click **Chat** while viewing the details of an alert or event.
-* Rules page: Select one or more rules, then click the **Chat** button at the top right of the page.
-* Data Quality dashboard: Select the **Incompatible fields** tab, then click **Chat**. (This is only available for fields marked red, indicating they’re incompatible).
-* Timeline: Select the **Security Assistant** tab.
+* Alert details or Event details flyout: Click **Chat** while viewing the details of an alert or event.
+* Rules page: Select one or more rules, then click the **Chat** button at the top right of the page.
+* Data Quality dashboard: Select the **Incompatible fields** tab, then click **Chat**. (This is only available for fields marked red, indicating they’re incompatible).
+* Timeline: Select the **Security Assistant** tab. Each user's chat history and custom quick prompts are automatically saved, so you can leave ((elastic-sec)) and return to pick up a conversation later. Chat history is saved in the `.kibana-elastic-ai-assistant-conversations` data stream.
diff --git a/docs/serverless/assistant/connect-to-azure-openai.mdx b/docs/serverless/assistant/connect-to-azure-openai.mdx
index 609c5c5d2b..6ffdc2666c 100644
--- a/docs/serverless/assistant/connect-to-azure-openai.mdx
+++ b/docs/serverless/assistant/connect-to-azure-openai.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityConnectAzureOpenAI
 slug: /serverless/security/connect-to-azure-openai
 title: Connect to Azure OpenAI
 description: Set up an Azure OpenAI LLM connector. 
@@ -56,7 +55,7 @@ Now, set up the Azure OpenAI model: 8. Click **Create**.
-The models available to you will depend on [region availability](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models#model-summary-table-and-region-availability). For best results, use `GPT 4 Turbo version 0125-preview` or `GPT 4-32k` with the maximum Tokens-Per-Minute (TPM) capacity. In most regions, the GPT 4 Turbo model offers the largest supported context window.
+The models available to you will depend on [region availability](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models#model-summary-table-and-region-availability). For best results, use `GPT-4o 2024-05-13` with the maximum Tokens-Per-Minute (TPM) capacity. For more information on how different models perform for different tasks, refer to the . The following video demonstrates these steps.
diff --git a/docs/serverless/assistant/connect-to-bedrock.mdx b/docs/serverless/assistant/connect-to-bedrock.mdx
index c2b72f9cce..7c8609b043 100644
--- a/docs/serverless/assistant/connect-to-bedrock.mdx
+++ b/docs/serverless/assistant/connect-to-bedrock.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityConnectBedrock
 slug: /serverless/security/connect-to-bedrock
 title: Connect to Amazon Bedrock
 description: Set up an Amazon Bedrock LLM connector.
diff --git a/docs/serverless/assistant/connect-to-openai.mdx b/docs/serverless/assistant/connect-to-openai.mdx
index ebe4b50fe4..9946730295 100644
--- a/docs/serverless/assistant/connect-to-openai.mdx
+++ b/docs/serverless/assistant/connect-to-openai.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityConnectOpenAI
 slug: /serverless/security/connect-to-openai
 title: Connect to OpenAI
 description: Set up an OpenAI LLM connector. 
@@ -18,7 +17,7 @@ This page provides step-by-step instructions for setting up an OpenAI connector Before creating an API key, you must choose a model. Refer to the [OpenAI docs](https://platform.openai.com/docs/models/gpt-4-turbo-and-gpt-4) to select a model. Take note of the specific model name (for example `gpt-4-turbo`); you'll need it when configuring ((kib)).
-`GPT-4 Turbo` offers increased performance. `GPT-4` and `GPT-3.5` are also supported.
+`GPT-4o` offers increased performance over previous versions. For more information on how different models perform for different tasks, refer to the . ### Create an API key
@@ -43,9 +42,10 @@ To integrate with ((kib)): 2. Navigate to **Stack Management → Connectors → Create Connector → OpenAI**. 3. Provide a name for your connector, such as `OpenAI (GPT-4 Turbo Preview)`, to help keep track of the model and version you are using. 4. Under **Select an OpenAI provider**, choose **OpenAI**.
-5. The **URL** field can generally be left unchanged.
-6. Enter the API key that you previously created in the corresponding field.
-7. Click **Save**.
+5. The **URL** field can be left as default.
+6. Under **Default model**, specify which [model](https://platform.openai.com/docs/models/gpt-4-turbo-and-gpt-4) you want to use.
+7. Paste the API key that you created into the corresponding field.
+8. Click **Save**. The following video demonstrates these steps.
diff --git a/docs/serverless/assistant/llm-performance-matrix.mdx b/docs/serverless/assistant/llm-performance-matrix.mdx
index bec3ea79a5..f59504ec9f 100644
--- a/docs/serverless/assistant/llm-performance-matrix.mdx
+++ b/docs/serverless/assistant/llm-performance-matrix.mdx
@@ -1,5 +1,4 @@
 ---
-id: llm-performance-matrix
 slug: /serverless/security/llm-performance-matrix
 title: Large language model performance matrix
 description: Learn how different models perform on different tasks in ((elastic-sec)). 
@@ -7,7 +6,7 @@ tags: ["security", "overview", "get-started"] status: in review ---
-This table describes the performance of various large language models (LLMs) for different use cases in ((elastic-sec)), based on our internal testing. To learn more about these use cases, refer to or .
+This table describes the performance of various large language models (LLMs) for different use cases in ((elastic-sec)), based on our internal testing. To learn more about these use cases, refer to or . | **Feature:** | **Model** | | | | | | |-------------------------------|-----------------------|--------------------|--------------------|------------|-----------------|----------------|
diff --git a/docs/serverless/attack-discovery/attack-discovery.mdx b/docs/serverless/attack-discovery/attack-discovery.mdx
index 21a15e325e..6e910f541e 100644
--- a/docs/serverless/attack-discovery/attack-discovery.mdx
+++ b/docs/serverless/attack-discovery/attack-discovery.mdx
@@ -1,5 +1,4 @@
 ---
-id: attackDiscovery
 slug: /serverless/security/attack-discovery
 title: Attack discovery
 description: Accelerate threat identification by triaging alerts with a large language model. 
@@ -15,17 +14,20 @@ This feature is in technical preview. It may change in the future, and you shoul Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.
+For a demo, refer to the following video.
+
+
 This page describes:
-- How to start generating discoveries
-- What information each discovery includes
-- How you can interact with discoveries to enhance ((elastic-sec)) workflows
+- How to start generating discoveries
+- What information each discovery includes
+- How you can interact with discoveries to enhance ((elastic-sec)) workflows
## Generate discoveries
-When you access Attack discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack discovery uses the same LLM connectors as Elastic AI Assistant. To get started:
+When you access Attack discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack discovery uses the same LLM connectors as Elastic AI Assistant. To get started: 1. Click the **Attack discovery** page from ((elastic-sec))'s navigation menu. 
@@ -39,11 +41,11 @@ While Attack discovery is compatible with many different models, our testing fou 3. Once you've selected a connector, click **Generate** to start the analysis.
-It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery only analyzes alerts from the past 24 hours.
+It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery is in technical preview and will only analyze opened and acknowleged alerts from the past 24 hours.
-Attack discovery uses the same data anonymization settings as Elastic AI Assistant. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.
+Attack discovery uses the same data anonymization settings as Elastic AI Assistant. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. Once the analysis is complete, any threats it identifies appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack discovery process again with the most current alerts.
diff --git a/docs/serverless/billing.mdx b/docs/serverless/billing.mdx
index 72662c191f..3b12f7e337 100644
--- a/docs/serverless/billing.mdx
+++ b/docs/serverless/billing.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityBilling
 slug: /serverless/security/security-billing
 title: Security billing dimensions
 description: Learn about how Security usage affects pricing. 
@@ -34,7 +33,7 @@ Cloud Protection is an _optional_ add-on to Security Analytics that provides val Your total cost depends on the number of protected cloud workloads and other billable cloud assets you configure for use with Elastic Cloud Security.
-For , billing is based on how many billable resources (`resource.id`s) you monitor. The following types of assets are considered billable:
+For , billing is based on how many billable resources (`resource.id`s) you monitor. The following types of assets are considered billable: - VMs: - **AWS:** EC2 instances
@@ -49,11 +48,11 @@ For , billing is based on how - **Azure:** SQL database, Cosmos DB, Synapse Analytics - **GCP:** Cloud SQL, Firestore, BigQuery
-For , billing is based on how many Kubernetes nodes (`agent.id`s) you monitor.
+For , billing is based on how many Kubernetes nodes (`agent.id`s) you monitor.
-For , billing is based on how many cloud assets (`cloud.instance.id`s) you monitor.
+For , billing is based on how many cloud assets (`cloud.instance.id`s) you monitor.
-For , billing is based on how many agents (`agent.id`s) you use.
+For , billing is based on how many agents (`agent.id`s) you use. Logs, events, alerts, and configuration data ingested into your security project are billed using the **Ingest** and **Retention** pricing described above.
diff --git a/docs/serverless/cloud-native-security/benchmark-rules.mdx b/docs/serverless/cloud-native-security/benchmark-rules.mdx
index 01a8930835..1c47d9727e 100644
--- a/docs/serverless/cloud-native-security/benchmark-rules.mdx
+++ b/docs/serverless/cloud-native-security/benchmark-rules.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityBenchmarkRules
 slug: /serverless/security/benchmark-rules
 title: Benchmarks
 description: Review the cloud security benchmark rules used by the CSPM and KSPM integrations.
@@ -10,7 +9,7 @@ status: in review
-The Benchmarks page lets you view the cloud security posture (CSP) benchmarks for the Cloud security posture management (CSPM) and Kubernetes security posture management (KSPM) integrations.
+The Benchmarks page lets you view the cloud security posture (CSP) benchmarks for the Cloud security posture management (CSPM) and Kubernetes security posture management (KSPM) integrations. ![Benchmark rules page](../images/benchmark-rules/-cloud-native-security-benchmark-rules.png)
@@ -24,7 +23,7 @@ Each benchmark rule checks to see if a specific type of resource is configured a * `Ensure IAM policies that allow full "*:*" administrative privileges are not attached` * `Ensure the default namespace is not in use`
-When benchmark rules are evaluated, the resulting findings data appears on the Cloud Security Posture dashboard.
+When benchmark rules are evaluated, the resulting findings data appears on the Cloud Security Posture dashboard. Benchmark rules are not editable.
diff --git a/docs/serverless/cloud-native-security/cloud-native-security-overview.mdx b/docs/serverless/cloud-native-security/cloud-native-security-overview.mdx
index b64ef69793..29926e71d8 100644
--- a/docs/serverless/cloud-native-security/cloud-native-security-overview.mdx
+++ b/docs/serverless/cloud-native-security/cloud-native-security-overview.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityCloudNativeSecurityOverview
 slug: /serverless/security/cloud-native-security-overview
 title: Secure cloud native resources
 description: Helps you improve your cloud security posture. 
@@ -17,25 +16,25 @@ This page describes what each solution does and provides links to more informati ## Cloud Security Posture Management (CSPM) Discovers and evaluates the services in your cloud environment — like storage, compute, IAM, and more — against configuration security guidelines defined by the [Center for Internet Security](https://www.cisecurity.org/) (CIS) to help you identify and remediate risks that could undermine the confidentiality, integrity, and availability of your cloud data.
-Read the CSPM docs.
+Read the CSPM docs. ## Kubernetes Security Posture Management (KSPM) Allows you to identify configuration risks in the various components that make up your Kubernetes cluster. It does this by evaluating your Kubernetes clusters against secure configuration guidelines defined by the Center for Internet Security (CIS) and generating findings with step-by-step instructions for remediating potential security risks.
-Read the KSPM docs.
+Read the KSPM docs. ## Cloud Native Vulnerability Management (CNVM) Scans your cloud workloads for known vulnerabilities. When it finds a vulnerability, it supports your risk assessment by quickly providing information such as the vulnerability's CVSS and severity, which software versions it affects, and whether a fix is available.
-Read the CNVM docs.
+Read the CNVM docs. ## Cloud Workload Protection for Kubernetes Provides cloud-native runtime protections for containerized environments by identifying and (optionally) blocking unexpected system behavior in Kubernetes containers. These capabilities are sometimes referred to as container drift detection and prevention. The solution also captures detailed process and file telemetry from monitored containers, allowing you to set up custom alerts and protection rules.
-Read the CWP for Kubernetes docs.
+Read the CWP for Kubernetes docs. ## Cloud Workload Protection for VMs Helps you monitor and protect your Linux VMs. 
It uses ((elastic-defend)) to instantly detect and prevent malicious behavior and malware, and captures workload telemetry data for process, file, and network activity. You can use this data with Elastic's out-of-the-box detection rules and ((ml)) models. These detections generate alerts that quickly help you identify and remediate threats.
-Read the CWP for VMs docs.
\ No newline at end of file
+Read the CWP for VMs docs.
\ No newline at end of file
diff --git a/docs/serverless/cloud-native-security/cloud-workload-protection.mdx b/docs/serverless/cloud-native-security/cloud-workload-protection.mdx
index 49b0fc189a..773914da23 100644
--- a/docs/serverless/cloud-native-security/cloud-workload-protection.mdx
+++ b/docs/serverless/cloud-native-security/cloud-workload-protection.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityCloudWorkloadProtection
 slug: /serverless/security/cloud-workload-protection
 title: Cloud workload protection for VMs
 description: Use cloud workload protection to monitor and protect your Linux VMs.
@@ -10,7 +9,7 @@ status: in review
-Cloud workload protection helps you monitor and protect your Linux VMs. It uses the ((elastic-defend)) integration to capture cloud workload telemetry containing process, file, and network activity.
+Cloud workload protection helps you monitor and protect your Linux VMs. It uses the ((elastic-defend)) integration to capture cloud workload telemetry containing process, file, and network activity. Use this telemetry with out-of-the-box detection rules and machine learning models to automate processes that identify cloud threats. 
@@ -22,8 +21,8 @@ Use this telemetry with out-of-the-box detection rules and machine learning mode
 To continue setting up your cloud workload protection, learn more about:
-* **Getting started with ((elastic-defend))**: configure ((elastic-defend)) to protect your hosts. Be sure to select one of the "Cloud workloads" presets if you want to collect session data by default, including process, file, and network telemetry.
-* **Session view**: examine Linux process data organized in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution. Use it to monitor and investigate session activity, and to understand user and service behavior on your Linux infrastructure.
-* **The Kubernetes dashboard**: Explore an overview of your protected Kubernetes clusters, and drill down into individual sessions within your Kubernetes infrastructure.
-* **Environment variable capture**: Capture the environment variables associated with process events, such as `PATH`, `LD_PRELOAD`, or `USER`.
+* **Getting started with ((elastic-defend))**: configure ((elastic-defend)) to protect your hosts. Be sure to select one of the "Cloud workloads" presets if you want to collect session data by default, including process, file, and network telemetry.
+* **Session view**: examine Linux process data organized in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution. Use it to monitor and investigate session activity, and to understand user and service behavior on your Linux infrastructure.
+* **The Kubernetes dashboard**: Explore an overview of your protected Kubernetes clusters, and drill down into individual sessions within your Kubernetes infrastructure.
+* **Environment variable capture**: Capture the environment variables associated with process events, such as `PATH`, `LD_PRELOAD`, or `USER`.
diff --git a/docs/serverless/cloud-native-security/cspm-findings-page.mdx b/docs/serverless/cloud-native-security/cspm-findings-page.mdx
index 8445d368f3..4719892ddb 100644
--- a/docs/serverless/cloud-native-security/cspm-findings-page.mdx
+++ b/docs/serverless/cloud-native-security/cspm-findings-page.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityCspmFindingsPage
 slug: /serverless/security/cspm-findings-page
 title: Findings page
 description: Review your cloud security posture management data.
@@ -10,7 +9,7 @@ status: in review
-The **Misconfigurations** tab on the Findings page displays the configuration risks identified by the CSPM and KSPM integrations.
+The **Misconfigurations** tab on the Findings page displays the configuration risks identified by the CSPM and KSPM integrations.
 ![Findings page](../images/findings-page/-cloud-native-security-findings-page.png)
@@ -60,7 +59,7 @@ You can also click a column's name to open a menu that allows you to perform mul
 ## Remediate failed findings
 To remediate failed findings and reduce your attack surface:
-1. First, filter for failed findings.
+1. First, filter for failed findings.
 1. Click the arrow to the left of a failed finding to open the findings flyout.
 1. Follow the steps under **Remediation**.
diff --git a/docs/serverless/cloud-native-security/cspm-get-started-azure.mdx b/docs/serverless/cloud-native-security/cspm-get-started-azure.mdx
index d148b2b8e4..3a7d056a4b 100644
--- a/docs/serverless/cloud-native-security/cspm-get-started-azure.mdx
+++ b/docs/serverless/cloud-native-security/cspm-get-started-azure.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityCspmGetStartedAzure
 slug: /serverless/security/cspm-get-started-azure
 title: Get started with CSPM for Azure
 description: Start monitoring the security posture of your Azure cloud assets.
diff --git a/docs/serverless/cloud-native-security/cspm-get-started-gcp.mdx b/docs/serverless/cloud-native-security/cspm-get-started-gcp.mdx
index 7ef4459b46..fbd1a56132 100644
--- a/docs/serverless/cloud-native-security/cspm-get-started-gcp.mdx
+++ b/docs/serverless/cloud-native-security/cspm-get-started-gcp.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityCspmGetStartedGcp
 slug: /serverless/security/cspm-get-started-gcp
 title: Get started with CSPM for GCP
 description: Start monitoring the security posture of your GCP cloud assets.
diff --git a/docs/serverless/cloud-native-security/cspm-get-started.mdx b/docs/serverless/cloud-native-security/cspm-get-started.mdx
index c140999279..f3c8c9218c 100644
--- a/docs/serverless/cloud-native-security/cspm-get-started.mdx
+++ b/docs/serverless/cloud-native-security/cspm-get-started.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityCspmGetStarted
 slug: /serverless/security/cspm-get-started
 title: Get started with CSPM for AWS
 description: Start monitoring the security posture of your AWS cloud assets.
@@ -180,11 +179,11 @@ When deploying to an organization using any of the authentication methods below,
 ## Manual authentication methods
-* Default instance role (recommended)
-* Direct access keys
-* Temporary security credentials
-* Shared credentials file
-* IAM role Amazon Resource Name (ARN)
+* Default instance role (recommended)
+* Direct access keys
+* Temporary security credentials
+* Shared credentials file
+* IAM role Amazon Resource Name (ARN)
 Whichever method you use to authenticate, make sure AWS’s built-in [`SecurityAudit` IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor) is attached.
@@ -195,7 +194,7 @@ Whichever method you use to authenticate, make sure AWS’s built-in [`SecurityA
 ### Option 1 - Default instance role
-If you are deploying to an AWS organization instead of an AWS account, you should already have created a new role, `cloudbeat-root`. Skip to step 2 "Attach your new IAM role to an EC2 instance", and attach this role. You can use either an existing or new EC2 instance.
+If you are deploying to an AWS organization instead of an AWS account, you should already have created a new role, `cloudbeat-root`. Skip to step 2 "Attach your new IAM role to an EC2 instance", and attach this role. You can use either an existing or new EC2 instance.
 Follow AWS's [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) documentation to create an IAM role using the IAM console, which automatically generates an instance profile.
@@ -220,7 +219,7 @@ Follow AWS's [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/lates
 1. On the **Modify IAM role** page, search for and select your new IAM role.
 1. Click **Update IAM role**.
- 1. Return to ((kib)) and finish manual setup.
+ 1. Return to ((kib)) and finish manual setup.
 Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in Kibana, in the **Setup Access** section, select **Assume role** and leave **Role ARN** empty. Click **Save and continue**.
@@ -229,7 +228,7 @@ Make sure to deploy the CSPM integration to this EC2 instance. When completing s
### Option 2 - Direct access keys
-Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the `Access key ID` and the `Secret Access Key`. After you provide credentials, finish manual setup.
+Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the `Access key ID` and the `Secret Access Key`. After you provide credentials, finish manual setup.
 For more details, refer to [Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html).
@@ -260,7 +259,7 @@ The output from this command includes the following fields, which you should pro
 * `Secret Access Key`: The second part of the access key.
 * `Session Token`: The required token when using temporary security credentials.
-After you provide credentials, finish manual setup.
+After you provide credentials, finish manual setup.
@@ -279,7 +278,7 @@ If you don't provide values for all configuration fields, the integration will u
 - If `Shared Credential File` is empty, the default directory will be used.
 - For Linux or Unix, the shared credentials file is located at `~/.aws/credentials`.
-After providing credentials, finish manual setup.
+After providing credentials, finish manual setup.
diff --git a/docs/serverless/cloud-native-security/cspm-security-posture-faq.mdx b/docs/serverless/cloud-native-security/cspm-security-posture-faq.mdx
index 08ebda93ee..7070fff474 100644
--- a/docs/serverless/cloud-native-security/cspm-security-posture-faq.mdx
+++ b/docs/serverless/cloud-native-security/cspm-security-posture-faq.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityCspmSecurityPostureFaq
 slug: /serverless/security/cspm-security-posture-faq
 title: Frequently asked questions (FAQ)
 description: Frequently asked questions about the CSPM and KSPM integrations.
@@ -39,7 +38,7 @@ For self-managed/vanilla clusters, Kubernetes version 1.23 is supported.
 For EKS clusters, all Kubernetes versions available at the time of cluster deployment are supported.
 **Do benchmark rules support multiple Kubernetes deployment types?**
-Yes. There are different sets of benchmark rules for self-managed and third party-managed deployments. Refer to Get started with KSPM for more information about setting up each deployment type.
+Yes. There are different sets of benchmark rules for self-managed and third party-managed deployments. Refer to Get started with KSPM for more information about setting up each deployment type.
 **Can I evaluate the security posture of my Amazon EKS clusters?**
 Yes. KSPM currently supports the security posture evaluation of Amazon EKS and unmanaged Kubernetes clusters.
diff --git a/docs/serverless/cloud-native-security/cspm.mdx b/docs/serverless/cloud-native-security/cspm.mdx
index 812f923d9c..6c57adf859 100644
--- a/docs/serverless/cloud-native-security/cspm.mdx
+++ b/docs/serverless/cloud-native-security/cspm.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityCspm
 slug: /serverless/security/cspm
 title: Cloud security posture management
 description: Identify misconfigured cloud resources.
@@ -12,7 +11,7 @@ status: in review
 The Cloud Security Posture Management (CSPM) feature discovers and evaluates the services in your cloud environment — like storage, compute, IAM, and more — against configuration security guidelines defined by the [Center for Internet Security](https://www.cisecurity.org/) (CIS) to help you identify and remediate risks that could undermine the confidentiality, integrity, and availability of your cloud data.
-This feature currently supports Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. For step-by-step getting started guides, refer to Get started with CSPM for AWS, Get started with CSPM for GCP, or Get started with CSPM for Azure.
+This feature currently supports Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. For step-by-step getting started guides, refer to Get started with CSPM for AWS, Get started with CSPM for GCP, or Get started with CSPM for Azure.
@@ -26,4 +25,4 @@ This feature currently supports Amazon Web Services (AWS), Google Cloud Platform
 ## How CSPM works
 Using the read-only credentials you will provide during the setup process, it will evaluate the configuration of resources in your environment every 24 hours.
-After each evaluation, the integration sends findings to Elastic. A high-level summary of the findings appears on the Cloud Security Posture dashboard, and detailed findings appear on the Findings page.
+After each evaluation, the integration sends findings to Elastic. A high-level summary of the findings appears on the Cloud Security Posture dashboard, and detailed findings appear on the Findings page.
diff --git a/docs/serverless/cloud-native-security/d4c-get-started.mdx b/docs/serverless/cloud-native-security/d4c-get-started.mdx
index 628829156e..e1b7be3aa6 100644
--- a/docs/serverless/cloud-native-security/d4c-get-started.mdx
+++ b/docs/serverless/cloud-native-security/d4c-get-started.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityD4cGetStarted
 slug: /serverless/security/d4c-get-started
 title: Get started with CWP
 description: Secure your containerized workloads and start detecting threats and vulnerabilities.
@@ -24,7 +23,7 @@ First, you'll need to deploy Elastic's Defend for Containers integration to the
 1. Go to **Assets → Cloud**, then click **Add D4C Integration**.
 1. Name the integration. The default name, which you can change, is `cloud_defend-1`.
-1. Optional — make any desired changes to the integration's policy by adjusting the **Selectors** and **Responses** sections. (For more information, refer to the Defend for Containers policy guide). You can also change these later.
+1. Optional — make any desired changes to the integration's policy by adjusting the **Selectors** and **Responses** sections. (For more information, refer to the Defend for Containers policy guide). You can also change these later.
 1. Under **Where to add this integration**, select an existing or new agent policy.
 1. Click **Save & Continue**, then **Add ((agent)) to your hosts**.
 1. On the ((agent)) policy page, click **Add agent** to open the Add agent flyout.
@@ -47,9 +46,9 @@ First, you'll need to deploy Elastic's Defend for Containers integration to the
 ## Get started with threat detection
-One of the default D4C policies sends process telemetry events (`fork` and `exec`) to ((es)).
+One of the default D4C policies sends process telemetry events (`fork` and `exec`) to ((es)).
-In order to detect threats using this data, you'll need active detection rules. Elastic has prebuilt detection rules designed for this data. (You can also create your own custom rules.)
+In order to detect threats using this data, you'll need active detection rules. Elastic has prebuilt detection rules designed for this data. (You can also create your own custom rules.)
 To install and enable the prebuilt rules:
@@ -67,7 +66,7 @@ To install and enable the prebuilt rules:
 To enable drift detection, you can use the default D4C policy:
-1. Make sure the default D4C policy is active.
+1. Make sure the default D4C policy is active.
 1. Make sure you enabled at least the "Container Workload Protection" rule, by following the steps to install prebuilt rules, above.
 To enable drift prevention, create a new policy:
diff --git a/docs/serverless/cloud-native-security/d4c-overview.mdx b/docs/serverless/cloud-native-security/d4c-overview.mdx
index 2fdf26deb4..e7db10007b 100644
--- a/docs/serverless/cloud-native-security/d4c-overview.mdx
+++ b/docs/serverless/cloud-native-security/d4c-overview.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityD4cOverview
 slug: /serverless/security/d4c-overview
 title: Container workload protection
 description: Identify and block unexpected system behavior in Kubernetes containers.
@@ -45,6 +44,6 @@ Your D4C integration policy determines which system behaviors (for example, proc
 The default D4C policy sends data about all running processes to your ((es)) cluster. This data is used by ((elastic-sec))'s prebuilt detection rules to detect malicious behavior in container workloads.
-To learn more about D4C policies, including how to create your own, refer to the D4C policies guide.
+To learn more about D4C policies, including how to create your own, refer to the D4C policies guide.
diff --git a/docs/serverless/cloud-native-security/d4c-policy-guide.mdx b/docs/serverless/cloud-native-security/d4c-policy-guide.mdx
index ab1013d166..0419edd948 100644
--- a/docs/serverless/cloud-native-security/d4c-policy-guide.mdx
+++ b/docs/serverless/cloud-native-security/d4c-policy-guide.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityD4cPolicyGuide
 slug: /serverless/security/d4c-policy-guide
 title: Container workload protection policies
 description: Learn to build policies for cloud workload protection for Kubernetes.
diff --git a/docs/serverless/cloud-native-security/enable-cloudsec.mdx b/docs/serverless/cloud-native-security/enable-cloudsec.mdx
index 1fb83baed8..5a765d5855 100644
--- a/docs/serverless/cloud-native-security/enable-cloudsec.mdx
+++ b/docs/serverless/cloud-native-security/enable-cloudsec.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessEnableCloudSecurity
 slug: /serverless/security/enable-cloudsec
 title: Enable cloud security features
 description: Learn to turn on cloud security features in your project
diff --git a/docs/serverless/cloud-native-security/environment-variable-capture.mdx b/docs/serverless/cloud-native-security/environment-variable-capture.mdx
index df14008215..2c9557100b 100644
--- a/docs/serverless/cloud-native-security/environment-variable-capture.mdx
+++ b/docs/serverless/cloud-native-security/environment-variable-capture.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityEnvironmentVariableCapture
 slug: /serverless/security/environment-variable-capture
 title: Capture environment variables
 description: Capture environment variables from monitored Linux sessions.
diff --git a/docs/serverless/cloud-native-security/get-started-with-kspm.mdx b/docs/serverless/cloud-native-security/get-started-with-kspm.mdx
index 5ee75e8132..539aee4fe2 100644
--- a/docs/serverless/cloud-native-security/get-started-with-kspm.mdx
+++ b/docs/serverless/cloud-native-security/get-started-with-kspm.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityGetStartedWithKspm
 slug: /serverless/security/get-started-with-kspm
 title: Get started with KSPM
 # description: Description to be written
@@ -26,15 +25,15 @@ This page explains how to configure the Kubernetes Security Posture Management (
 The instructions differ depending on whether you're installing on EKS or on unmanaged clusters.
 * Install on EKS-managed clusters:
- 1. Name your integration and select a Kubernetes deployment type
- 1. Authenticate to AWS
- 1. Finish configuring the KSPM integration
- 1. Deploy the DaemonSet to your clusters
+ 1. Name your integration and select a Kubernetes deployment type
+ 1. Authenticate to AWS
+ 1. Finish configuring the KSPM integration
+ 1. Deploy the DaemonSet to your clusters
 * Install on unmanaged clusters:
- 1. Configure the KSPM integration
- 1. Deploy the DaemonSet manifest to your clusters
+ 1. Configure the KSPM integration
+ 1. Deploy the DaemonSet manifest to your clusters
@@ -54,12 +53,12 @@ The instructions differ depending on whether you're installing on EKS or on unma There are several options for how to provide AWS credentials: -* Use Kubernetes Service Account to assume IAM role -* Use default instance role -* Use access keys directly -* Use temporary security credentials -* Use a shared credentials file -* Use an IAM role ARN +* Use Kubernetes Service Account to assume IAM role +* Use default instance role +* Use access keys directly +* Use temporary security credentials +* Use a shared credentials file +* Use an IAM role ARN Regardless of which option you use, you'll need to grant the following permissions: @@ -202,7 +201,7 @@ An IAM role's ARN can be used to specify which AWS IAM role to use to generate t For more details, refer to AWS' [AssumeRole API](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) documentation. Follow AWS' instructions to [create an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html), and define the IAM role's permissions using the JSON permissions policy above. -To use an IAM role's ARN, you need to provide either a credential profile or access keys along with the `ARN role`. +To use an IAM role's ARN, you need to provide either a credential profile or access keys along with the `ARN role`. The `ARN Role` value specifies which AWS IAM role to use for generating temporary credentials. 
@@ -228,7 +227,7 @@ The **Add agent** wizard helps you deploy the KSPM integration on the Kubernetes
 1. Download the manifest and make any necessary revisions to its configuration to suit the needs of your environment.
 1. Apply the manifest using the `kubectl apply -f` command. For example: `kubectl apply -f elastic-agent-managed-kubernetes.yaml`
-After a few minutes, a message confirming the ((agent)) enrollment appears, followed by a message confirming that data is incoming. You can then click **View assets** to see where the newly-collected configuration information appears, including the Findings page and the Cloud Security Posture dashboard.
+After a few minutes, a message confirming the ((agent)) enrollment appears, followed by a message confirming that data is incoming. You can then click **View assets** to see where the newly-collected configuration information appears, including the Findings page and the Cloud Security Posture dashboard.
@@ -259,7 +258,7 @@ The **Add agent** wizard helps you deploy the KSPM integration on the Kubernetes
 1. Download the manifest and make any necessary revisions to its configuration to suit the needs of your environment.
 1. Apply the manifest using the `kubectl apply -f` command. For example: `kubectl apply -f elastic-agent-managed-kubernetes.yaml`
-After a few minutes, a message confirming the ((agent)) enrollment appears, followed by a message confirming that data is incoming. You can then click **View assets** to see where the newly-collected configuration information appears, including the Findings page and the Cloud Security Posture dashboard.
+After a few minutes, a message confirming the ((agent)) enrollment appears, followed by a message confirming that data is incoming. You can then click **View assets** to see where the newly-collected configuration information appears, including the Findings page and the Cloud Security Posture dashboard.
diff --git a/docs/serverless/cloud-native-security/kspm.mdx b/docs/serverless/cloud-native-security/kspm.mdx
index ec5ce06334..0654a559cf 100644
--- a/docs/serverless/cloud-native-security/kspm.mdx
+++ b/docs/serverless/cloud-native-security/kspm.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityKspm
 slug: /serverless/security/kspm
 title: Kubernetes security posture management
 description: Identify configuration risks in your Kubernetes clusters.
@@ -16,7 +15,7 @@ status: in review
 The Kubernetes Security Posture Management (KSPM) integration allows you to identify configuration risks in the various components that make up your Kubernetes cluster. It does this by evaluating your Kubernetes clusters against secure configuration guidelines defined by the Center for Internet Security (CIS) and generating findings with step-by-step instructions for remediating potential security risks.
-This integration supports Amazon EKS and unmanaged Kubernetes clusters. For setup instructions, refer to Get started with KSPM.
+This integration supports Amazon EKS and unmanaged Kubernetes clusters. For setup instructions, refer to Get started with KSPM.
@@ -35,7 +34,7 @@ This integration supports Amazon EKS and unmanaged Kubernetes clusters. For setu
 ## How KSPM works
 1. When you add a KSPM integration, it generates a Kubernetes manifest. When applied to a cluster, the manifest deploys an ((agent)) as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset) to ensure all nodes are evaluated.
 1. Upon deployment, the integration immediately assesses the security posture of your Kubernetes resources. The evaluation process repeats every four hours.
-1. After each evaluation, the integration sends findings to ((es)). Findings appear on the Cloud Security Posture dashboard and the findings page.
+1. After each evaluation, the integration sends findings to ((es)). Findings appear on the Cloud Security Posture dashboard and the findings page.
@@ -53,7 +52,7 @@ The KSPM integration helps you to:
 To identify and remediate failed failed findings:
-1. Go to the Cloud Security Posture dashboard.
+1. Go to the Cloud Security Posture dashboard.
 1. Click **View all failed findings**, either for an individual cluster or for all monitored clusters.
 1. Click a failed finding. The findings flyout opens.
 1. Follow the steps under **Remediation** to correct the misconfiguration.
@@ -68,7 +67,7 @@ To identify and remediate failed failed findings:
 To identify the Kubernetes resources generating the most failed findings:
-1. Go to the Findings page.
+1. Go to the Findings page.
 1. Click the **Group by** menu near the search box and select **Resource** to view a list of resources sorted by their total number of failed findings.
 1. Click a resource ID to view the findings associated with that resource.
@@ -78,7 +77,7 @@ To identify the Kubernetes resources generating the most failed findings:
 To identify risks in particular CIS sections:
-1. Go to the Cloud Security Posture dashboard (**Dashboards → Cloud Security Posture**).
+1. Go to the Cloud Security Posture dashboard (**Dashboards → Cloud Security Posture**).
 1. In the Failed findings by CIS section widget, click the name of a CIS section to view all failed findings for that section.
 Alternatively:
diff --git a/docs/serverless/cloud-native-security/security-posture-faq.mdx b/docs/serverless/cloud-native-security/security-posture-faq.mdx
index e72a386fe8..f188318406 100644
--- a/docs/serverless/cloud-native-security/security-posture-faq.mdx
+++ b/docs/serverless/cloud-native-security/security-posture-faq.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecuritySecurityPostureFaq
 slug: /serverless/security/security-posture-faq
 title: Frequently asked questions (FAQ)
 description: Frequently asked questions about the CSPM integration.
@@ -41,7 +40,7 @@ Frequently asked questions about the Kubernetes Security Posture Management (KSP
 For self-managed/vanilla clusters, Kubernetes version 1.23 is supported.
 **Do benchmark rules support multiple Kubernetes deployment types?**
-Yes. There are different sets of benchmark rules for self-managed and third party-managed deployments. Refer to Get started with KSPM for more information about setting up each deployment type.
+Yes. There are different sets of benchmark rules for self-managed and third party-managed deployments. Refer to Get started with KSPM for more information about setting up each deployment type.
 **Can I evaluate the security posture of my Amazon EKS clusters?**
 Yes. KSPM currently supports the security posture evaluation of Amazon EKS and unmanaged Kubernetes clusters.
diff --git a/docs/serverless/cloud-native-security/security-posture-management.mdx b/docs/serverless/cloud-native-security/security-posture-management.mdx
index 64c4b0d916..c8a40f0492 100644
--- a/docs/serverless/cloud-native-security/security-posture-management.mdx
+++ b/docs/serverless/cloud-native-security/security-posture-management.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecuritySecurityPostureManagement
 slug: /serverless/security/security-posture-management
 title: Security posture management overview
 description: Discovers and evaluates your cloud services and resources against security best practices.
@@ -11,7 +10,7 @@ status: in review
## Overview
-Elastic's Cloud Security Posture Management (CSPM) and Kubernetes Security Posture Management (KSPM) features help you discover and evaluate the services and resources in your cloud environment — like storage, compute, IAM, and more — against security guidelines defined by the Center for Internet Security (CIS). They help you identify and remediate configuration risks that could undermine the confidentiality, integrity, and availability of your cloud assets, such as publicly exposed storage buckets or overly permissive networking objects.
+Elastic's Cloud Security Posture Management (CSPM) and Kubernetes Security Posture Management (KSPM) features help you discover and evaluate the services and resources in your cloud environment — like storage, compute, IAM, and more — against security guidelines defined by the Center for Internet Security (CIS). They help you identify and remediate configuration risks that could undermine the confidentiality, integrity, and availability of your cloud assets, such as publicly exposed storage buckets or overly permissive networking objects.
 The KSPM feature assesses the security of your Kubernetes assets, while the CSPM feature assesses the security of your AWS resources such as storage, compute, IAM, and more.
@@ -20,8 +19,8 @@ The KSPM feature assesses the security of your Kubernetes assets, while the CSPM
 ## Getting started
 For setup instructions, refer to:
-* Get started with KSPM
-* Get started with CSPM
+* Get started with KSPM
+* Get started with CSPM
diff --git a/docs/serverless/cloud-native-security/session-view.mdx b/docs/serverless/cloud-native-security/session-view.mdx
index 4b30e6168f..07d5206917 100644
--- a/docs/serverless/cloud-native-security/session-view.mdx
+++ b/docs/serverless/cloud-native-security/session-view.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecuritySessionView
 slug: /serverless/security/session-view
 title: Session View
 description: Examine Linux process data in context with Session View.
@@ -26,7 +25,7 @@ and investigating session activity on your Linux infrastructure and understandin
 * **Terminal output:** Terminal output associated with each process in the session.
-To view Linux session data from your Kubernetes infrastructure, you'll need to set up the Kubernetes dashboard.
+To view Linux session data from your Kubernetes infrastructure, you'll need to set up the Kubernetes dashboard.
diff --git a/docs/serverless/cloud-native-security/vuln-management-faq.mdx b/docs/serverless/cloud-native-security/vuln-management-faq.mdx
index cca13d1ae9..5eecfd2589 100644
--- a/docs/serverless/cloud-native-security/vuln-management-faq.mdx
+++ b/docs/serverless/cloud-native-security/vuln-management-faq.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityVulnManagementFaq
 slug: /serverless/security/vuln-management-faq
 title: Frequently asked questions (FAQ)
 description: Frequently asked questions about the CNVM integration.
diff --git a/docs/serverless/cloud-native-security/vuln-management-findings.mdx b/docs/serverless/cloud-native-security/vuln-management-findings.mdx
index 62806411f1..915b707b7f 100644
--- a/docs/serverless/cloud-native-security/vuln-management-findings.mdx
+++ b/docs/serverless/cloud-native-security/vuln-management-findings.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityVulnManagementFindings
 slug: /serverless/security/vuln-management-findings
 title: Findings page
 description: The Findings page displays information about cloud vulnerabilities found in your environment.
@@ -10,7 +9,7 @@ status: in review
-The **Vulnerabilities** tab on the Findings page displays the vulnerabilities detected by the CNVM integration.
+The **Vulnerabilities** tab on the Findings page displays the vulnerabilities detected by the CNVM integration.
 ![The Vulnerabilities tab of the Findings page](../images/vuln-management-findings/-cloud-native-security-cnvm-findings-page.png)
diff --git a/docs/serverless/cloud-native-security/vuln-management-get-started.mdx b/docs/serverless/cloud-native-security/vuln-management-get-started.mdx
index 2538781bff..fb8bbadbdc 100644
--- a/docs/serverless/cloud-native-security/vuln-management-get-started.mdx
+++ b/docs/serverless/cloud-native-security/vuln-management-get-started.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityVulnManagementGetStarted
 slug: /serverless/security/vuln-management-get-started
 title: Get started with CNVM
 description: Set up cloud native vulnerability management.
@@ -34,7 +33,7 @@ CNVM currently only supports AWS EC2 Linux workloads.
 To set up the CNVM integration for AWS, install the integration on a new ((agent)) policy, sign into the AWS account you want to scan, and run the [CloudFormation](https://docs.aws.amazon.com/cloudformation/index.html) template.
-Do not add the integration to an existing ((agent)) policy. It should always be added to a new policy since it should not run on VMs with existing workloads. For more information, refer to How CNVM works.
+Do not add the integration to an existing ((agent)) policy. It should always be added to a new policy since it should not run on VMs with existing workloads. For more information, refer to How CNVM works.
@@ -73,5 +72,5 @@ The integration will only scan VMs in the region you select. To scan multiple re
 1. Click **Create stack**. To avoid authentication problems, you can only make configuration changes to the VM InstanceType, which you could make larger to increase scanning speed.
 1. Wait for the confirmation that ((agent)) was enrolled.
-1. Your data will start to appear on the **Vulnerabilities** tab of the Findings page.
+1. Your data will start to appear on the **Vulnerabilities** tab of the Findings page.
diff --git a/docs/serverless/cloud-native-security/vuln-management-overview.mdx b/docs/serverless/cloud-native-security/vuln-management-overview.mdx
index 6a6ab12c3a..87ca2fad3b 100644
--- a/docs/serverless/cloud-native-security/vuln-management-overview.mdx
+++ b/docs/serverless/cloud-native-security/vuln-management-overview.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityVulnManagementOverview
 slug: /serverless/security/vuln-management-overview
 title: Cloud native vulnerability management
 description: Find and track vulnerabilities in your cloud.
@@ -12,7 +11,7 @@ status: in review
 Elastic's Cloud Native Vulnerability Management (CNVM) feature helps you identify known vulnerabilities in your cloud workloads.
-Setup uses infrastructure as code. For instructions, refer to Get started with Cloud Native Vulnerability Management.
+Setup uses infrastructure as code. For instructions, refer to Get started with Cloud Native Vulnerability Management.
 CNVM currently only supports AWS EC2 Linux workloads.
@@ -35,7 +34,7 @@ During setup, you will use an infrastructure as code provisioning template to cr
 The CNVM integration uses [Trivy](https://github.com/aquasecurity/trivy), a comprehensive open-source security scanner, to scan cloud workloads and identify security vulnerabilities. During each scan, the VM running the integration takes a snapshot of all cloud workloads in its region using the snapshot APIs of the cloud service provider, and analyzes them for vulnerabilities using Trivy. Therefore, scanning does not use resources on the VMs being scanned. All resource usage occurs on the VM installed during CNVM setup.
-The scanning process begins immediately upon deployment, then repeats every twenty-four hours. After each scan, the integration sends the discovered vulnerabilities to ((es)), where they appear in the **Vulnerabilities** tab of the Findings page.
+The scanning process begins immediately upon deployment, then repeats every twenty-four hours. After each scan, the integration sends the discovered vulnerabilities to ((es)), where they appear in the **Vulnerabilities** tab of the Findings page.
 Environments with more VMs take longer to scan.
diff --git a/docs/serverless/dashboards/cloud-posture-dashboard-dash.mdx b/docs/serverless/dashboards/cloud-posture-dashboard-dash.mdx
index b8abfe7994..9fee49f066 100644
--- a/docs/serverless/dashboards/cloud-posture-dashboard-dash.mdx
+++ b/docs/serverless/dashboards/cloud-posture-dashboard-dash.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityCloudPostureDashboard
 slug: /serverless/security/cloud-posture-dashboard-dash
 title: Cloud Security Posture dashboard
 description: The Cloud Security Posture dashboard summarizes your cloud infrastructure's performance on CIS security benchmarks.
@@ -10,7 +9,7 @@ status: in review
-The Cloud Security Posture dashboard summarizes your cloud infrastructure's overall performance against security guidelines defined by the Center for Internet Security (CIS). To start collecting this data, refer to Get started with Cloud Security Posture Management or Get started with Kubernetes Security Posture Management.
+The Cloud Security Posture dashboard summarizes your cloud infrastructure's overall performance against security guidelines defined by the Center for Internet Security (CIS). To start collecting this data, refer to Get started with Cloud Security Posture Management or Get started with Kubernetes Security Posture Management.
 ![The cloud Security dashboard](../images/cloud-posture-dashboard/-dashboards-cloud-sec-dashboard.png)
@@ -27,7 +26,7 @@ The Cloud Security Posture dashboard shows:
 At the top of the dashboard, you can switch between the Cloud accounts and Kubernetes cluster views.
-The top section of either view summarizes your overall cloud security posture (CSP) by aggregating data from all monitored resources. The summary cards on the left show the number of cloud accounts or clusters evaluated, and the number of resources evaluated. You can click **Enroll more accounts** or **Enroll more clusters** to deploy to additional cloud assets. Click **View all resources** to open the Findings page.
+The top section of either view summarizes your overall cloud security posture (CSP) by aggregating data from all monitored resources. The summary cards on the left show the number of cloud accounts or clusters evaluated, and the number of resources evaluated. You can click **Enroll more accounts** or **Enroll more clusters** to deploy to additional cloud assets. Click **View all resources** to open the Findings page.
 The remaining summary cards show your overall compliance score, and your compliance score for each CIS section. Click **View all failed findings** to view all failed findings, or click a CIS section name to view failed findings from only that section on the Findings page.
diff --git a/docs/serverless/dashboards/dashboards-overview.mdx b/docs/serverless/dashboards/dashboards-overview.mdx
index 9722864acc..72fa0615ca 100644
--- a/docs/serverless/dashboards/dashboards-overview.mdx
+++ b/docs/serverless/dashboards/dashboards-overview.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityDashboardsOverview
 slug: /serverless/security/dashboards-overview
 title: Dashboards
 description: Dashboards give you insight into your security environment.
diff --git a/docs/serverless/dashboards/data-quality-dash.mdx b/docs/serverless/dashboards/data-quality-dash.mdx
index be1ec523fe..5f2d4fafe0 100644
--- a/docs/serverless/dashboards/data-quality-dash.mdx
+++ b/docs/serverless/dashboards/data-quality-dash.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityDataQualityDash
 slug: /serverless/security/data-quality-dash
 title: Data Quality dashboard
 description: The Data Quality dashboard summarizes the health of your data ingest pipeline.
@@ -67,18 +66,18 @@ Fields in the Same family category have the correct search behavior, but might h
 ## Export data quality results
-You can share data quality results to help track your team's remediation efforts. First, follow the instructions under Check indices to generate results, then either:
+You can share data quality results to help track your team's remediation efforts. First, follow the instructions under Check indices to generate results, then either:
 **Export results for all indices in the current data view**:
 1. At the top of the dashboard, under the **Check all** button, are two buttons that allow you to share results. Exported results include all the data which appears in the dashboard.
-1. Click **Add to new case** to open a new case.
+1. Click **Add to new case** to open a new case.
 1. Click **Copy to clipboard** to copy a Markdown report to your clipboard.
 **Export results for one index**:
 1. Expand an index that has at least one incompatible field by clicking the arrow to the left of its **Result**.
-1. From the **Summary** or **Incompatible fields** tabs, select **Add to new case** to open a new case, or click **Copy to clipboard** to copy a Markdown report to your clipboard.
+1. From the **Summary** or **Incompatible fields** tabs, select **Add to new case** to open a new case, or click **Copy to clipboard** to copy a Markdown report to your clipboard.
 For more information about how to fix mapping problems, refer to [Mapping](((ref))/mapping.html).
diff --git a/docs/serverless/dashboards/detection-entity-dashboard.mdx b/docs/serverless/dashboards/detection-entity-dashboard.mdx
index 5e47e58b04..62ad1f2393 100644
--- a/docs/serverless/dashboards/detection-entity-dashboard.mdx
+++ b/docs/serverless/dashboards/detection-entity-dashboard.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityDetectionEntityDashboard
 slug: /serverless/security/detection-entity-dashboard
 title: Entity Analytics dashboard
 description: The Entity Analytics dashboard provides a centralized view of emerging insider threats
@@ -14,16 +13,16 @@ The Entity Analytics dashboard provides a centralized view of emerging insider t
-To display host and user risk scores, you must turn on the risk scoring engine.
+To display host and user risk scores, you must turn on the risk scoring engine.
 The dashboard includes the following sections:
-* Entity KPIs (key performance indicators)
-* Host Risk Scores
-* User Risk Scores
-* Anomalies
+* Entity KPIs (key performance indicators)
+* Host Risk Scores
+* User Risk Scores
+* Anomalies
 ![Entity dashboard](../images/detection-entity-dashboard/-dashboards-entity-dashboard.png)
@@ -49,7 +48,7 @@ Interact with the table to filter data, view more details, and take action:
 * Click **View all** in the upper-right to display all host risk information on the Hosts page.
 * Click the number link in the **Alerts** column to view the alerts on the Alerts page. Hover over the number and select **Investigate in timeline** () to launch Timeline with a query that includes the associated host name value.
-For more information about host risk scores, refer to Entity risk scoring.
+For more information about host risk scores, refer to Entity risk scoring.
@@ -67,7 +66,7 @@ Interact with the table to filter data, view more details, and take action:
 * Click **View all** in the upper-right to display all user risk information on the Users page.
 * Click the number link in the **Alerts** column to view the alerts on the Alerts page. Hover over the number and select **Investigate in timeline** () to launch Timeline with a query that includes the associated user name value.
-For more information about user risk scores, refer to Entity risk scoring.
+For more information about user risk scores, refer to Entity risk scoring.
diff --git a/docs/serverless/dashboards/detection-response-dashboard.mdx b/docs/serverless/dashboards/detection-response-dashboard.mdx
index 1d8d53026f..dd09bfbd1a 100644
--- a/docs/serverless/dashboards/detection-response-dashboard.mdx
+++ b/docs/serverless/dashboards/detection-response-dashboard.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityDetectionResponseDashboard
 slug: /serverless/security/detection-response-dashboard
 title: Detection & Response dashboard
 description: The Detection & Response dashboard provides focused visibility into the day-to-day operations of your security environment
diff --git a/docs/serverless/dashboards/kubernetes-dashboard-dash.mdx b/docs/serverless/dashboards/kubernetes-dashboard-dash.mdx
index ab78de17a6..891d83281b 100644
--- a/docs/serverless/dashboards/kubernetes-dashboard-dash.mdx
+++ b/docs/serverless/dashboards/kubernetes-dashboard-dash.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityKubernetesDashboardDash
 slug: /serverless/security/kubernetes-dashboard-dash
 title: Kubernetes dashboard
 description: The Kubernetes dashboard provides insight into Linux process data from your Kubernetes clusters.
@@ -24,10 +23,10 @@ You can filter the data using the KQL search bar and date picker at the top of t
 From the sessions table's Actions column, you can take the following investigative actions:
 - View details
-- Open in Timeline
-- Run Osquery
-- Analyze event
-- Open Session View
+- Open in Timeline
+- Run Osquery
+- Analyze event
+- Open Session View
 Session View displays Kubernetes metadata under the **Metadata** tab of the Detail panel:
@@ -43,7 +42,7 @@ The **Metadata** tab is organized into these expandable sections:
 ## Setup
-To get data for this dashboard, set up Cloud Workload Protection for Kubernetes for the clusters you want to display on the dashboard.
+To get data for this dashboard, set up Cloud Workload Protection for Kubernetes for the clusters you want to display on the dashboard.
@@ -66,5 +65,5 @@ This feature is currently available on GKE and EKS using Linux hosts and Kuberne
 | Mount point awareness | ✓ | ✓ |
-This dashboard uses data from the `logs-*` index pattern, which is included by default in the `securitySolution:defaultIndex` advanced setting. To collect data from multiple ((es)) clusters (as in a cross-cluster deployment), update `logs-*` to `*:logs-*`.
+This dashboard uses data from the `logs-*` index pattern, which is included by default in the `securitySolution:defaultIndex` advanced setting. To collect data from multiple ((es)) clusters (as in a cross-cluster deployment), update `logs-*` to `*:logs-*`.
\ No newline at end of file
diff --git a/docs/serverless/dashboards/overview-dashboard.mdx b/docs/serverless/dashboards/overview-dashboard.mdx
index 8b675db4e7..effec8e44e 100644
--- a/docs/serverless/dashboards/overview-dashboard.mdx
+++ b/docs/serverless/dashboards/overview-dashboard.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityOverviewDashboard
 slug: /serverless/security/overview-dashboard
 title: Overview dashboard
 description: The Overview dashboard provides a high-level snapshot of alerts and events.
@@ -43,7 +42,7 @@ The Threat Intelligence view on the Overview dashboard provides streamlined thre
 The view shows the total number of ingested threat indicators, enabled threat intelligence sources, and ingested threat indicators per source. To learn more about the ingested indicator data, click **View indicators**.
-For more information about connecting to threat intelligence sources, visit Enable threat intelligence integrations.
+For more information about connecting to threat intelligence sources, visit Enable threat intelligence integrations.
diff --git a/docs/serverless/dashboards/rule-monitoring-dashboard.mdx b/docs/serverless/dashboards/rule-monitoring-dashboard.mdx
index 5fd32eabae..547cb4ae91 100644
--- a/docs/serverless/dashboards/rule-monitoring-dashboard.mdx
+++ b/docs/serverless/dashboards/rule-monitoring-dashboard.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityRuleMonitoringDashboard
 slug: /serverless/security/rule-monitoring-dashboard
 title: Detection rule monitoring dashboard
 description: Visualize your detection rules' performance.
diff --git a/docs/serverless/dashboards/vuln-management-dashboard-dash.mdx b/docs/serverless/dashboards/vuln-management-dashboard-dash.mdx
index 1ff125154b..6121ec6621 100644
--- a/docs/serverless/dashboards/vuln-management-dashboard-dash.mdx
+++ b/docs/serverless/dashboards/vuln-management-dashboard-dash.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityVulnManagementDashboardDash
 slug: /serverless/security/vuln-management-dashboard-dash
 title: Cloud Native Vulnerability Management Dashboard
 description: The CNVM dashboard gives an overview of vulnerabilities detected in your cloud infrastructure.
@@ -16,7 +15,7 @@ The Cloud Native Vulnerability Management (CNVM) dashboard gives you an overview
-* To collect this data, install the Cloud Native Vulnerability Management integration.
+* To collect this data, install the Cloud Native Vulnerability Management integration.
@@ -40,4 +39,4 @@ The page also includes three tables:
 * **Top 10 patchable vulnerabilities** shows the most common vulnerabilities in your environment that can be fixed by a software update.
 * **Top 10 vulnerabilities** shows the most common vulnerabilities in your environment, with additional details.
-Click **View all vulnerabilities** at the bottom of a table to open the Vulnerabilities Findings page, where you can view additional details.
+Click **View all vulnerabilities** at the bottom of a table to open the Vulnerabilities Findings page, where you can view additional details.
diff --git a/docs/serverless/edr-install-config/agent-tamper-protection.mdx b/docs/serverless/edr-install-config/agent-tamper-protection.mdx
index d01b33f278..5ac1f86f7f 100644
--- a/docs/serverless/edr-install-config/agent-tamper-protection.mdx
+++ b/docs/serverless/edr-install-config/agent-tamper-protection.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityAgentTamperProtection
 slug: /serverless/security/agent-tamper-protection
 title: Prevent ((agent)) uninstallation
 description: Block unauthorized attempts to uninstall ((agent)) on hosts.
@@ -15,7 +14,7 @@ When enabled, ((agent)) and ((elastic-endpoint)) can only be uninstalled on the
-* Agent tamper protection requires the Endpoint Protection Complete .
+* Agent tamper protection requires the Endpoint Protection Complete .
 * Hosts must be enrolled in the ((elastic-defend)) integration.
@@ -37,10 +36,10 @@ You can enable Agent tamper protection by configuring the ((agent)) policy.
 1. Select the **Settings** tab on the policy details page.
 1. In the **Agent tamper protection** section, turn on the **Prevent agent tampering** setting.
- This makes the **Get uninstall command** link available, which you can follow to get the uninstall token and CLI command if you need to uninstall an Agent on this policy.
+ This makes the **Get uninstall command** link available, which you can follow to get the uninstall token and CLI command if you need to uninstall an Agent on this policy.
- You can also access an Agent policy's uninstall tokens on the **Uninstall tokens** tab on the **((fleet))** page. Refer to Access uninstall tokens for more information.
+ You can also access an Agent policy's uninstall tokens on the **Uninstall tokens** tab on the **((fleet))** page. Refer to Access uninstall tokens for more information.
 1. Select **Save changes**.
diff --git a/docs/serverless/edr-install-config/artifact-control.mdx b/docs/serverless/edr-install-config/artifact-control.mdx
index ac114e6d80..9fa3601001 100644
--- a/docs/serverless/edr-install-config/artifact-control.mdx
+++ b/docs/serverless/edr-install-config/artifact-control.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityProtectionArtifactControl
 slug: /serverless/security/protection-artifact-control
 title: Configure updates for protection artifacts
 description: Configure updates for protection artifacts.
diff --git a/docs/serverless/edr-install-config/configure-endpoint-integration-policy.mdx b/docs/serverless/edr-install-config/configure-endpoint-integration-policy.mdx
index d047f61042..a59a02988f 100644
--- a/docs/serverless/edr-install-config/configure-endpoint-integration-policy.mdx
+++ b/docs/serverless/edr-install-config/configure-endpoint-integration-policy.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityConfigureEndpointIntegrationPolicy
 slug: /serverless/security/configure-endpoint-integration-policy
 title: Configure an integration policy for ((elastic-defend))
 description: Configure settings on an ((elastic-defend)) integration policy.
@@ -12,11 +11,11 @@ status: in review
 After the ((agent)) is installed with the ((elastic-defend)) integration, several protections features — including preventions against malware, ransomware, memory threats, and malicious behavior — are automatically enabled
-on protected hosts (most features require the Endpoint Protection Essentials or Endpoint Protection Complete ). If needed, you can update the
+on protected hosts (most features require the Endpoint Protection Essentials or Endpoint Protection Complete ). If needed, you can update the
 integration policy to configure protection settings, event collection, antivirus settings, trusted applications, event filters, host isolation exceptions, and blocked applications to meet your organization's security needs.
-You can also create multiple ((elastic-defend)) integration policies to maintain unique configuration profiles. To create an additional ((elastic-defend)) integration policy, go to **Project settings** → **Integrations**, then follow the steps for adding the ((elastic-defend)) integration.
+You can also create multiple ((elastic-defend)) integration policies to maintain unique configuration profiles. To create an additional ((elastic-defend)) integration policy, go to **Project settings** → **Integrations**, then follow the steps for adding the ((elastic-defend)) integration.
@@ -36,17 +35,17 @@ To configure an integration policy:
 1. Select the integration policy you want to configure. The integration policy configuration page appears.
 1. On the **Policy settings** tab, review and configure the following settings as appropriate:
- * Malware protection
- * Ransomware protection
- * Memory threat protection
- * Malicious behavior protection
- * Attack surface reduction
- * Event collection
- * Register ((elastic-sec)) as antivirus (optional)
- * Advanced policy settings (optional)
- * Save the general policy settings
+ * Malware protection
+ * Ransomware protection
+ * Memory threat protection
+ * Malicious behavior protection
+ * Attack surface reduction
+ * Event collection
+ * Register ((elastic-sec)) as antivirus (optional)
+ * Advanced policy settings (optional)
+ * Save the general policy settings
-1. Click the **Trusted applications**, **Event filters**, **Host isolation exceptions**, and **Blocklist** tabs to review the endpoint policy artifacts assigned to this integration policy (for more information, refer to trusted applications, event filters, host isolation exceptions, and blocklist). On these tabs, you can:
+1. Click the **Trusted applications**, **Event filters**, **Host isolation exceptions**, and **Blocklist** tabs to review the endpoint policy artifacts assigned to this integration policy (for more information, refer to trusted applications, event filters, host isolation exceptions, and blocklist). On these tabs, you can:
 * Expand and view an artifact — Click the arrow next to its name.
 * View an artifact's details — Click the actions menu (), then select **View full details**.
@@ -61,13 +60,13 @@ To configure an integration policy:
 to create a new trusted application, go to **Assets** → **Endpoints** → **Trusted applications**).
-1. Click the **Protection updates** tab to configure how ((elastic-defend)) receives updates from Elastic with the latest threat detections, malware models, and other protection artifacts. Refer to for more information.
+1. Click the **Protection updates** tab to configure how ((elastic-defend)) receives updates from Elastic with the latest threat detections, malware models, and other protection artifacts. Refer to for more information.
 ## Malware protection
-((elastic-defend)) malware prevention detects and stops malicious attacks by using a machine learning model
+((elastic-defend)) malware prevention detects and stops malicious attacks by using a machine learning model
 that looks for static attributes to determine if a file is malicious or benign. By default, malware protection is enabled on Windows, macOS, and Linux hosts.
@@ -75,7 +74,7 @@ To disable malware protection, turn off the **Malware protections** toggle.
-Malware protection requires the Endpoint Protection Essentials .
+Malware protection requires the Endpoint Protection Essentials .
@@ -88,7 +87,7 @@ Malware protection levels are:
 These additional options are available for malware protection:
-* **Blocklist**: Enable or disable the blocklist for all hosts associated with this ((elastic-defend)) policy. The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.
+* **Blocklist**: Enable or disable the blocklist for all hosts associated with this ((elastic-defend)) policy. The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.
 * **Scan files upon modification**: By default, ((elastic-defend)) scans files every time they're modified, which can be resource-intensive on hosts where files are frequently modified, such as servers and developer machines. Turn off this option to only scan files when they're executed. ((elastic-defend)) will continue to identify malware as it attempts to run, providing a robust level of protection while improving endpoint performance.
@@ -113,12 +112,12 @@ The quarantine folder location varies by operating system:
 - Windows - ((elastic-defend)) versions 8.5 and later: `[DriveLetter:]\.quarantine`, unless the files are from the `C:` drive. These files are moved to `C:\Program Files\Elastic\Endpoint\state\.equarantine`.
 - Windows - ((elastic-defend)) versions 8.4 and earlier: `[DriveLetter:]\.quarantine`, for any drive
-To restore a quarantined file to its original state and location, add an exception to the rule that identified the file as malicious. If the exception would've stopped the rule from identifying the file as malicious, ((elastic-defend)) restores the file.
+To restore a quarantined file to its original state and location, add an exception to the rule that identified the file as malicious. If the exception would've stopped the rule from identifying the file as malicious, ((elastic-defend)) restores the file.
-You can access a quarantined file by using the `get-file` response action command in the response console. To do this, copy the path from the alert's **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter. This action doesn't restore the file to its original location, so you will need to do this manually.
+You can access a quarantined file by using the `get-file` response action command in the response console. To do this, copy the path from the alert's **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter. This action doesn't restore the file to its original location, so you will need to do this manually.
-Response actions and the response console UI are Endpoint Protection Complete .
+Response actions and the response console UI are Endpoint Protection Complete .
@@ -131,7 +130,7 @@ ransomware families — including those targeting the system’s master boot rec
-Ransomware protection requires the Endpoint Protection Essentials .
+Ransomware protection requires the Endpoint Protection Essentials .
@@ -162,7 +161,7 @@ which are used to evade traditional file-based detection techniques.
-Memory threat protection requires the Endpoint Protection Essentials .
+Memory threat protection requires the Endpoint Protection Essentials .
@@ -192,7 +191,7 @@ for adversaries to evade than traditional file-based detection techniques.
-Malicious behavior protection requires the Endpoint Protection Essentials .
+Malicious behavior protection requires the Endpoint Protection Essentials .
@@ -222,7 +221,7 @@ This section helps you reduce vulnerabilities that attackers can target on Windo
-Attack surface reduction requires the Endpoint Protection Essentials .
+Attack surface reduction requires the Endpoint Protection Essentials .
@@ -250,7 +249,7 @@ register ((elastic-sec)) as your hosts' antivirus software by enabling **Registe
 Windows Server is not supported. Antivirus registration requires Windows Security Center, which is not included in Windows Server operating systems.
-You can also choose **Sync with malware protection level** to automatically set antivirus registration based on how you've configured ((elastic-defend))'s malware protection. If malware protection is turned on and set to **Prevent**, antivirus registration will also be enabled; in any other case, antivirus registration will be disabled.
+You can also choose **Sync with malware protection level** to automatically set antivirus registration based on how you've configured ((elastic-defend))'s malware protection. If malware protection is turned on and set to **Prevent**, antivirus registration will also be enabled; in any other case, antivirus registration will be disabled.
 ![Detail of Register as antivirus option.](../images/configure-endpoint-integration-policy/-getting-started-register-as-antivirus.png)
@@ -267,9 +266,9 @@ Advanced settings are not recommended for most users.
 This section includes:
-* Turn off diagnostic data for ((elastic-defend))
-* Configure self-healing rollback for Windows endpoints
-* Configure Linux file system monitoring
+* Turn off diagnostic data for ((elastic-defend))
+* Configure self-healing rollback for Windows endpoints
+* Configure Linux file system monitoring
diff --git a/docs/serverless/edr-install-config/deploy-endpoint-macos-cat-mont.mdx b/docs/serverless/edr-install-config/deploy-endpoint-macos-cat-mont.mdx
index 3cd2b61ea6..04d3fa8cf4 100644
--- a/docs/serverless/edr-install-config/deploy-endpoint-macos-cat-mont.mdx
+++ b/docs/serverless/edr-install-config/deploy-endpoint-macos-cat-mont.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityDeployElasticEndpoint
 slug: /serverless/security/install-endpoint-manually
 title: Install ((elastic-endpoint)) manually on macOS Catalina through Monterey
 description: Manually install and deploy ((elastic-endpoint)) on macOS Catalina through Monterey.
@@ -12,12 +11,12 @@ status: in review
 To properly install and configure ((elastic-endpoint)) manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the endpoint before ((elastic-endpoint)) can be fully functional:
-* Approve the system extension
-* Approve network content filtering
-* Enable Full Disk Access
+* Approve the system extension
+* Approve network content filtering
+* Enable Full Disk Access
-The following permissions that need to be enabled are required after you configure and install the ((elastic-defend)) integration, which includes enrolling the ((agent)).
+The following permissions that need to be enabled are required after you configure and install the ((elastic-defend)) integration, which includes enrolling the ((agent)).
@@ -47,7 +46,7 @@ After successfully loading the ((elastic-endpoint)) system extension, an additi
 ![](../images/deploy-elastic-endpoint/-getting-started-install-endpoint-filter-network-content.png)
-* Click **Allow** to enable content filtering for the ((elastic-endpoint)) system extension. Without this approval, ((elastic-endpoint)) cannot receive network events and, therefore, cannot enable network-related features such as host isolation.
+* Click **Allow** to enable content filtering for the ((elastic-endpoint)) system extension. Without this approval, ((elastic-endpoint)) cannot receive network events and, therefore, cannot enable network-related features such as host isolation.
@@ -56,7 +55,7 @@ After successfully loading the ((elastic-endpoint)) system extension, an additi
 ((elastic-endpoint)) requires Full Disk Access to subscribe to system events via the ((elastic-defend)) framework and to protect your network from malware and other cybersecurity threats. To enable Full Disk Access on endpoints running macOS Catalina (10.15) and later, you must manually approve ((elastic-endpoint)).
-The following instructions apply only to ((elastic-endpoint)) version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to .
+The following instructions apply only to ((elastic-endpoint)) version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to .
 {/* Might need to revisit this note and the section. Keep an eye on https://github.com/elastic/staging-serverless-security-docs/issues/124 */}
diff --git a/docs/serverless/edr-install-config/deploy-endpoint-macos-ven.mdx b/docs/serverless/edr-install-config/deploy-endpoint-macos-ven.mdx
index 759e532d99..2fa2720314 100644
--- a/docs/serverless/edr-install-config/deploy-endpoint-macos-ven.mdx
+++ b/docs/serverless/edr-install-config/deploy-endpoint-macos-ven.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityDeployElasticEndpointVen
 slug: /serverless/security/deploy-elastic-endpoint-ven
 title: Install ((elastic-endpoint)) manually on macOS Ventura and higher
 description: Manually install and deploy ((elastic-endpoint)) on macOS Ventura and higher.
@@ -12,12 +11,12 @@ status: in review To properly install and configure ((elastic-endpoint)) manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the endpoint before ((elastic-endpoint)) can be fully functional: -* Approve the system extension -* Approve network content filtering -* Enable Full Disk Access +* Approve the system extension +* Approve network content filtering +* Enable Full Disk Access -The following permissions that need to be enabled are required after you configure and install the ((elastic-defend)) integration, which includes enrolling the ((agent)). +The following permissions that need to be enabled are required after you configure and install the ((elastic-defend)) integration, which includes enrolling the ((agent)).
@@ -51,7 +50,7 @@ After successfully loading the ElasticEndpoint system extension, an additional m ![](../images/deploy-elastic-endpoint-ven/-getting-started-install-endpoint-ven-allow_network_filter_ven.png) -Click **Allow** to enable content filtering for the ElasticEndpoint system extension. Without this approval, ((elastic-endpoint)) cannot receive network events and, therefore, cannot enable network-related features such as host isolation. +Click **Allow** to enable content filtering for the ElasticEndpoint system extension. Without this approval, ((elastic-endpoint)) cannot receive network events and, therefore, cannot enable network-related features such as host isolation.
@@ -66,7 +65,7 @@ If you have not granted Full Disk Access, the following notification prompt will To enable Full Disk Access, you must manually approve ((elastic-endpoint)). -The following instructions apply only to ((elastic-endpoint)) version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to . +The following instructions apply only to ((elastic-endpoint)) version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to . 1. Open the **System Settings** application. diff --git a/docs/serverless/edr-install-config/deploy-endpoint-reqs.mdx b/docs/serverless/edr-install-config/deploy-endpoint-reqs.mdx index 3d51835081..f3ea8e2760 100644 --- a/docs/serverless/edr-install-config/deploy-endpoint-reqs.mdx +++ b/docs/serverless/edr-install-config/deploy-endpoint-reqs.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityElasticEndpointDeployReqs slug: /serverless/security/elastic-endpoint-deploy-reqs title: Install ((elastic-endpoint)) manually description: Manually install and deploy ((elastic-endpoint)). @@ -12,6 +11,16 @@ status: in review To properly deploy ((elastic-endpoint)) without a Mobile Device Management (MDM) profile, you must manually enable additional permissions on the endpoint before ((elastic-endpoint)) can be fully functional. For more information, refer to the instructions for your macOS version: -* Install ((elastic-endpoint)) manually on macOS Catalina through Monterey -* Install ((elastic-endpoint)) manually on macOS Ventura and higher +* Install ((elastic-endpoint)) manually on macOS Catalina through Monterey +* Install ((elastic-endpoint)) manually on macOS Ventura and higher + +## Minimum system requirements + +| Requirement | Value | +|------------------------------------|----------| +| **CPU** | Under 2% | +| **Disk space** | 1 GB | +| **Resident set size (RSS) memory** | 500 MB | + + 
diff --git a/docs/serverless/edr-install-config/endgame-sensor-full-disk-access.mdx b/docs/serverless/edr-install-config/endgame-sensor-full-disk-access.mdx
index 506d79eea5..8b75fd2fda 100644
--- a/docs/serverless/edr-install-config/endgame-sensor-full-disk-access.mdx
+++ b/docs/serverless/edr-install-config/endgame-sensor-full-disk-access.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityEndgameSensorFullDiskAccess
 slug: /serverless/security/endgame-sensor-full-disk-access
 title: Enable Full Disk Access for the Endgame sensor
 # description: Description to be written
@@ -20,16 +19,16 @@ The behavior of the Elastic Endgame sensor differs based on your macOS version. Here are the following Full Disk Access requirements for specific versions of macOS: -- `10.15`: You cannot install the sensor without allowing it to load a kernel extension. During installation, you'll be prompted to go to System Preferences and approve it. Upon approval, installation proceeds. +- `10.15`: You cannot install the sensor without allowing it to load a kernel extension. During installation, you'll be prompted to go to System Preferences and approve it. Upon approval, installation proceeds. -- `11.0`, `12.0`: You cannot install the sensor without allowing it to load a system extension. During installation, you'll be prompted to go to System Preferences and approve it. Upon approval, a second prompt appears to enable Network Filtering. Approve this final prompt to proceed. +- `11.0`, `12.0`: You cannot install the sensor without allowing it to load a system extension. During installation, you'll be prompted to go to System Preferences and approve it. Upon approval, a second prompt appears to enable Network Filtering. Approve this final prompt to proceed. You must also grant Full Disk Access to `com.endgame.systemextension`. -- `10.15, 11.0, 12.0`: Grant the esensor file Full Disk Access. +- `10.15, 11.0, 12.0`: Grant the esensor file Full Disk Access. -The following instructions apply to the Elastic Endgame sensor only. To see requirements for the ((elastic-endpoint)), refer to ((elastic-endpoint)) requirements. +The following instructions apply to the Elastic Endgame sensor only. To see requirements for the ((elastic-endpoint)), refer to ((elastic-endpoint)) requirements.
@@ -88,7 +87,7 @@ After successfully loading the Elastic Endgame system extension, an additional m ![](../images/endgame-sensor-full-disk-access/-getting-started-fda-endgame-allow-network-filter-ven.png) -Click **Allow** to enable content filtering for the Elastic Endgame system extension. Without this approval, Elastic Endgame cannot receive network events and, therefore, cannot enable network-related features such as host isolation. +Click **Allow** to enable content filtering for the Elastic Endgame system extension. Without this approval, Elastic Endgame cannot receive network events and, therefore, cannot enable network-related features such as host isolation.
diff --git a/docs/serverless/edr-install-config/endpoint-diagnostic-data.mdx b/docs/serverless/edr-install-config/endpoint-diagnostic-data.mdx index 0c34e8e58e..9b4a17b012 100644 --- a/docs/serverless/edr-install-config/endpoint-diagnostic-data.mdx +++ b/docs/serverless/edr-install-config/endpoint-diagnostic-data.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityEndpointDiagnosticData slug: /serverless/security/endpoint-diagnostic-data title: Turn off diagnostic data for ((elastic-defend)) description: Stop producing diagnostic data for Elastic defend by configuring your integration policy. diff --git a/docs/serverless/edr-install-config/install-elastic-defend.mdx b/docs/serverless/edr-install-config/install-elastic-defend.mdx index 73b56b8376..0758bb46f6 100644 --- a/docs/serverless/edr-install-config/install-elastic-defend.mdx +++ b/docs/serverless/edr-install-config/install-elastic-defend.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityInstallDefend slug: /serverless/security/install-edr title: Install and configure the ((elastic-defend)) integration description: Start protecting your endpoints with ((elastic-defend)). @@ -20,7 +19,7 @@ Like other Elastic integrations, ((elastic-defend)) is integrated into the ((age * You must have the appropriate user role to configure an integration policy and access the **Endpoints** page. {/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */} -{/* * You must have the **((elastic-defend)) Policy Management: All** privilege to configure an integration policy, and the **Endpoint List** privilege to access the **Endpoints** page. */} +{/* * You must have the **((elastic-defend)) Policy Management: All** privilege to configure an integration policy, and the **Endpoint List** privilege to access the **Endpoints** page. */}
@@ -28,7 +27,7 @@ Like other Elastic integrations, ((elastic-defend)) is integrated into the ((age ## Before you begin -If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to requirements for ((elastic-endpoint)) if you're installing the ((elastic-endpoint)) or requirements for the Endgame sensor for more information. +If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to requirements for ((elastic-endpoint)) if you're installing the ((elastic-endpoint)) or requirements for the Endgame sensor for more information.
@@ -46,14 +45,14 @@ If you're using macOS, some versions may require you to grant Full Disk Access t 1. Search for and select **((elastic-defend))**, then select **Add ((elastic-defend))**. The integration configuration page appears. - If this is the first integration you've installed and the **Ready to add your first integration?** page appears instead, select **Add integration only (skip agent installation)** to proceed. You can install ((agent)) after setting up the ((elastic-defend)) integration. + If this is the first integration you've installed and the **Ready to add your first integration?** page appears instead, select **Add integration only (skip agent installation)** to proceed. You can install ((agent)) after setting up the ((elastic-defend)) integration. 1. Configure the ((elastic-defend)) integration with an **Integration name** and optional **Description**. 1. Select the type of environment you want to protect, either **Traditional Endpoints** or **Cloud Workloads**. -1. Select a configuration preset. Each preset comes with different default settings for ((agent)) — you can further customize these later by configuring the ((elastic-defend)) integration policy. +1. Select a configuration preset. Each preset comes with different default settings for ((agent)) — you can further customize these later by configuring the ((elastic-defend)) integration policy. - Both cloud workload presets are intended for monitoring cloud-based Linux hosts. Therefore, session data collection, which enriches process events, is enabled by default. They both have all preventions disabled by default, and collect process, network, and file events. + Both cloud workload presets are intended for monitoring cloud-based Linux hosts. Therefore, session data collection, which enriches process events, is enabled by default. They both have all preventions disabled by default, and collect process, network, and file events. * **All events:** Includes data from automated sessions. 
- * **Interactive only:** Filters out data from non-interactive sessions by creating an event filter. + * **Interactive only:** Filters out data from non-interactive sessions by creating an event filter.
@@ -139,5 +138,5 @@ Before you add an ((agent)), a ((fleet-server)) must be running. Refer to [Add a The host will now appear on the **Endpoints** page in the ((security-app)). It may take another minute or two for endpoint data to appear in ((elastic-sec)). -1. For macOS, continue with these instructions to grant ((elastic-endpoint)) the required permissions. +1. For macOS, continue with these instructions to grant ((elastic-endpoint)) the required permissions. diff --git a/docs/serverless/edr-install-config/linux-file-monitoring.mdx b/docs/serverless/edr-install-config/linux-file-monitoring.mdx index 09c12976dd..749d11aa36 100644 --- a/docs/serverless/edr-install-config/linux-file-monitoring.mdx +++ b/docs/serverless/edr-install-config/linux-file-monitoring.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityLinuxFileMonitoring slug: /serverless/security/linux-file-monitoring title: Configure Linux file system monitoring description: Configure monitoring for Linux file systems. @@ -38,7 +37,7 @@ Even when configured to monitor all file systems (`ignore_unknown_filesystems` i
`linux.advanced.fanotify.monitored_filesystems` - : Specifies additional file systems to monitor. Enter a comma-separated list of file system names as they appear in `/proc/filesystems` (for example: `jfs,ufs,ramfs`). + : Specifies additional file systems to monitor. Enter a comma-separated list of file system names as they appear in `/proc/filesystems` (for example: `jfs,ufs,ramfs`). It's recommended to avoid monitoring network-backed file systems. @@ -52,7 +51,7 @@ Even when configured to monitor all file systems (`ignore_unknown_filesystems` i
`linux.advanced.fanotify.ignored_filesystems` - : Specifies additional file systems to ignore. Enter a comma-separated list of file system names as they appear in `/proc/filesystems` (for example: `ext4,tmpfs`). + : Specifies additional file systems to ignore. Enter a comma-separated list of file system names as they appear in `/proc/filesystems` (for example: `ext4,tmpfs`). Entries in this setting override entries in `monitored_filesystems`. diff --git a/docs/serverless/edr-install-config/self-healing-rollback.mdx b/docs/serverless/edr-install-config/self-healing-rollback.mdx index 8e3ba2abf0..baaaf54730 100644 --- a/docs/serverless/edr-install-config/self-healing-rollback.mdx +++ b/docs/serverless/edr-install-config/self-healing-rollback.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecuritySelfHealingRollback slug: /serverless/security/self-healing-rollback title: Configure self-healing rollback for Windows endpoints description: Revert file changes on the Windows endpoints. @@ -14,7 +13,7 @@ status: in review This can help contain the impact of malicious activity, as ((elastic-defend)) not only stops the activity but also erases any attack artifacts deployed prior to detection. -Self-healing rollback requires the Endpoint Protection Complete and is only supported for Windows endpoints. +Self-healing rollback requires the Endpoint Protection Complete and is only supported for Windows endpoints. diff --git a/docs/serverless/edr-install-config/uninstall-agent.mdx b/docs/serverless/edr-install-config/uninstall-agent.mdx index 3755a1df72..d1e885c3be 100644 --- a/docs/serverless/edr-install-config/uninstall-agent.mdx +++ b/docs/serverless/edr-install-config/uninstall-agent.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityUninstallAgent slug: /serverless/security/uninstall-agent title: Uninstall ((agent)) description: Remove ((agent)) from a host. 
@@ -11,7 +10,7 @@ tags: [ 'serverless', 'security', 'how-to' ] To uninstall ((agent)) from a host, run the `uninstall` command from the directory where it's running. Refer to the [((fleet)) and ((agent)) documentation](((fleet-guide))/uninstall-elastic-agent.html) for more information. -If Agent tamper protection is enabled on the Agent policy for the host, you'll need to include the uninstall token in the command, using the `--uninstall-token` flag. You can find the uninstall token on the Agent policy or at **((fleet))** -> **Uninstall tokens**. +If Agent tamper protection is enabled on the Agent policy for the host, you'll need to include the uninstall token in the command, using the `--uninstall-token` flag. You can find the uninstall token on the Agent policy or at **((fleet))** -> **Uninstall tokens**. For example: diff --git a/docs/serverless/edr-install-config/uninstall-endpoint.mdx b/docs/serverless/edr-install-config/uninstall-endpoint.mdx index 1f15e96221..a66b399265 100644 --- a/docs/serverless/edr-install-config/uninstall-endpoint.mdx +++ b/docs/serverless/edr-install-config/uninstall-endpoint.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityUninstallEndpoint slug: /serverless/security/uninstall-endpoint title: Uninstall ((elastic-endpoint)) description: Uninstall ((elastic-endpoint)). diff --git a/docs/serverless/edr-manage/blocklist.mdx b/docs/serverless/edr-manage/blocklist.mdx index 24bef6d18f..95c8c4e845 100644 --- a/docs/serverless/edr-manage/blocklist.mdx +++ b/docs/serverless/edr-manage/blocklist.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityBlocklist slug: /serverless/security/blocklist title: Blocklist # description: Description to be written 
@@ -12,15 +11,15 @@ status: in review The blocklist (**Assets** → **Blocklist**) allows you to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious. This helps ensure that known malicious processes aren't accidentally executed by end users. -The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to . +The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to . -* In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the ((elastic-defend)) integration policy in the Malware protection settings. This setting is enabled by default. +* In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the ((elastic-defend)) integration policy in the Malware protection settings. This setting is enabled by default. * You must have the appropriate user role to use this feature. {/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */} -{/* * You must have the **Blocklist** privilege to access this feature. */} +{/* * You must have the **Blocklist** privilege to access this feature. */} diff --git a/docs/serverless/edr-manage/endpoint-event-capture.mdx b/docs/serverless/edr-manage/endpoint-event-capture.mdx index 730e60e447..65234e0b7e 100644 --- a/docs/serverless/edr-manage/endpoint-event-capture.mdx +++ b/docs/serverless/edr-manage/endpoint-event-capture.mdx 
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityEndpointEventCapture
 slug: /serverless/security/endpoint-event-capture
 title: Event capture and ((elastic-defend))
 description: Learn more about how ((elastic-defend)) collects event data.
diff --git a/docs/serverless/edr-manage/endpoints-page.mdx b/docs/serverless/edr-manage/endpoints-page.mdx
index 3aefedbdfa..515a1b4cf1 100644
--- a/docs/serverless/edr-manage/endpoints-page.mdx
+++ b/docs/serverless/edr-manage/endpoints-page.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityEndpointsPage
 slug: /serverless/security/endpoints-page
 title: Endpoints
 # description: Description to be written
@@ -10,7 +9,7 @@ status: in review
-The **Endpoints** page (**Assets** → **Endpoints**) allows administrators to view and manage endpoints that are running the ((elastic-defend)) integration. +The **Endpoints** page (**Assets** → **Endpoints**) allows administrators to view and manage endpoints that are running the ((elastic-defend)) integration. @@ -18,7 +17,7 @@ The **Endpoints** page (**Assets** → **Endpoints**) allows administrators to v * You must have the appropriate user role to use this feature. {/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */} -{/* * You must have the **Endpoint List** privilege to access this feature. */} +{/* * You must have the **Endpoint List** privilege to access this feature. */} @@ -32,7 +31,7 @@ The **Endpoints** list displays all hosts running ((elastic-defend)) and their r The Endpoints list provides the following data: -* **Endpoint**: The system hostname. Click the link to display endpoint details in a flyout. +* **Endpoint**: The system hostname. Click the link to display endpoint details in a flyout. * **Agent Status**: The current status of the ((agent)), which is one of the following: 
@@ -40,7 +39,7 @@ The Endpoints list provides the following data: * `Unenrolling`: The agent is currently unenrolling and will soon be removed from Fleet. Afterward, the endpoint will also uninstall. - * `Unhealthy`: The agent is online but requires attention from an administrator because it's reporting a problem with a process. An unhealthy status could mean an upgrade failed and was rolled back to its previous version, or an integration might be missing prerequisites or additional configuration. Refer to Endpoint management troubleshooting for more on resolving an unhealthy agent status. + * `Unhealthy`: The agent is online but requires attention from an administrator because it's reporting a problem with a process. An unhealthy status could mean an upgrade failed and was rolled back to its previous version, or an integration might be missing prerequisites or additional configuration. Refer to Endpoint management troubleshooting for more on resolving an unhealthy agent status. * `Updating`: The agent is online and is updating the agent policy or binary, or is enrolling or unenrolling. @@ -50,9 +49,9 @@ The Endpoints list provides the following data: ((agent)) statuses in ((fleet)) correspond to the agent statuses in the ((security-app)).
-* **Policy:** The name of the associated integration policy when the agent was installed. Click the link to display the integration policy details page. +* **Policy:** The name of the associated integration policy when the agent was installed. Click the link to display the integration policy details page. -* **Policy status:** Indicates whether the integration policy was successfully applied. Click the link to view policy status response details in a flyout. +* **Policy status:** Indicates whether the integration policy was successfully applied. Click the link to view policy status response details in a flyout. * **OS**: The host's operating system. @@ -64,11 +63,11 @@ The Endpoints list provides the following data: * **Actions**: Select the context menu (*...*) to do the following: - * **Isolate host**: Isolate the host from your network, blocking communication until the host is released. + * **Isolate host**: Isolate the host from your network, blocking communication until the host is released. - * **Respond**: Open the response console to perform response actions directly on the host. + * **Respond**: Open the response console to perform response actions directly on the host. - * **View response actions history**: View a history of response actions performed on the host. + * **View response actions history**: View a history of response actions performed on the host. * **View host details**: View host details on the **Hosts** page in the ((security-app)). 
@@ -90,7 +89,7 @@ Click any link in the **Endpoint** column to display host details in a flyout. Y ### Response actions history -The endpoint details flyout also includes the **Response actions history** tab, which provides a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can use the tools at the top to filter the information displayed in this view. Refer to Response actions history for more details. +The endpoint details flyout also includes the **Response actions history** tab, which provides a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can use the tools at the top to filter the information displayed in this view. Refer to Response actions history for more details. @@ -137,7 +136,7 @@ The status of the integration policy appears in the **Policy status** column and For more details on what's causing a policy status, click the link in the **Policy status** column and review the details flyout. Expand each section and subsection to display individual responses from the agent. -If you need help troubleshooting a configuration failure, refer to Endpoint management troubleshooting and [((fleet)) troubleshooting](((fleet-guide))/fleet-troubleshooting.html). +If you need help troubleshooting a configuration failure, refer to Endpoint management troubleshooting and [((fleet)) troubleshooting](((fleet-guide))/fleet-troubleshooting.html). diff --git a/docs/serverless/edr-manage/event-filters.mdx b/docs/serverless/edr-manage/event-filters.mdx index c5a65057d5..3e34fe6424 100644 --- a/docs/serverless/edr-manage/event-filters.mdx +++ b/docs/serverless/edr-manage/event-filters.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityEventFilters slug: /serverless/security/event-filters title: Event filters # description: Description to be written 
@@ -12,13 +11,13 @@ status: in review Event filters (**Assets** → **Event filters**) allow you to filter out endpoint events that you don't want stored in ((es)) — for example, high-volume events. By creating event filters, you can optimize your storage in ((es)). -Event filters do not lower CPU usage on hosts; ((elastic-endpoint)) still monitors events to detect and prevent possible threats, but without writing event data to ((es)). To compare event filters with other endpoint artifacts, refer to . +Event filters do not lower CPU usage on hosts; ((elastic-endpoint)) still monitors events to detect and prevent possible threats, but without writing event data to ((es)). To compare event filters with other endpoint artifacts, refer to . You must have the appropriate user role to use this feature. {/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */} -{/* You must have the **Event Filters** privilege to access this feature. */} +{/* You must have the **Event Filters** privilege to access this feature. */} diff --git a/docs/serverless/edr-manage/host-isolation-exceptions.mdx b/docs/serverless/edr-manage/host-isolation-exceptions.mdx index 213e4cf56c..d8e487368f 100644 --- a/docs/serverless/edr-manage/host-isolation-exceptions.mdx +++ b/docs/serverless/edr-manage/host-isolation-exceptions.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityHostIsolationExceptions slug: /serverless/security/host-isolation-exceptions title: Host isolation exceptions # description: Description to be written @@ -10,7 +9,7 @@ status: in review
-You can configure host isolation exceptions (**Assets** → **Host isolation exceptions**) for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network. Isolated hosts can still send data to ((elastic-sec)), so you don't need to set up host isolation exceptions for them. +You can configure host isolation exceptions (**Assets** → **Host isolation exceptions**) for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network. Isolated hosts can still send data to ((elastic-sec)), so you don't need to set up host isolation exceptions for them. Host isolation exceptions support IPv4 addresses, with optional classless inter-domain routing (CIDR) notation. @@ -18,7 +17,7 @@ Host isolation exceptions support IPv4 addresses, with optional classless inter- You must have the appropriate user role to use this feature. {/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */} -{/* You must have the **Host Isolation Exceptions** privilege to access this feature. */} +{/* You must have the **Host Isolation Exceptions** privilege to access this feature. */}
@@ -26,7 +25,7 @@ You must have the appropriate user role to use this feature. Each host isolation exception IP address should be a highly trusted and secure location since you're allowing it to communicate with hosts that have been isolated to prevent a potential threat from spreading.
-Host isolation requires the Endpoint Protection Complete . By default, a host isolation exception is recognized globally across all hosts running ((elastic-defend)). You can also assign a host isolation exception to a specific ((elastic-defend)) integration policy, affecting only the hosts assigned to that policy. +Host isolation requires the Endpoint Protection Complete . By default, a host isolation exception is recognized globally across all hosts running ((elastic-defend)). You can also assign a host isolation exception to a specific ((elastic-defend)) integration policy, affecting only the hosts assigned to that policy. 1. Go to **Assets** → **Host isolation exceptions**. 1. Click **Add Host isolation exception**. diff --git a/docs/serverless/edr-manage/manage-endpoint-protection.mdx b/docs/serverless/edr-manage/manage-endpoint-protection.mdx index 4a344e747a..23e62a4964 100644 --- a/docs/serverless/edr-manage/manage-endpoint-protection.mdx +++ b/docs/serverless/edr-manage/manage-endpoint-protection.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityManageEndpointProtection slug: /serverless/security/manage-endpoint-protection title: Manage endpoint protection description: Manage endpoint protection artifacts for ((elastic-defend)). diff --git a/docs/serverless/edr-manage/optimize-edr.mdx b/docs/serverless/edr-manage/optimize-edr.mdx index 559e08d30d..562b7a4879 100644 --- a/docs/serverless/edr-manage/optimize-edr.mdx +++ b/docs/serverless/edr-manage/optimize-edr.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityOptimizeEdr slug: /serverless/security/optimize-edr title: Optimize ((elastic-defend)) # description: Description to be written @@ -22,7 +21,7 @@ The following table explains the differences between several Endpoint artifacts ]}> - Trusted application + Trusted application 
@@ -32,7 +31,7 @@ The following table explains the differences between several Endpoint artifacts * Doesn't monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc. * Doesn't generate events for the application except process events for visualizations and other internal use by the ((stack)). * Might improve performance, since ((elastic-endpoint)) monitors fewer processes. - * Might still generate malicious behavior alerts, if the application's process events indicate malicious behavior. To suppress alerts, create Endpoint alert exceptions. + * Might still generate malicious behavior alerts, if the application's process events indicate malicious behavior. To suppress alerts, create Endpoint alert exceptions. @@ -40,7 +39,7 @@ The following table explains the differences between several Endpoint artifacts - Event filter + Event filter @@ -53,7 +52,7 @@ The following table explains the differences between several Endpoint artifacts - Blocklist + Blocklist @@ -66,7 +65,7 @@ The following table explains the differences between several Endpoint artifacts - Endpoint alert exception + Endpoint alert exception diff --git a/docs/serverless/edr-manage/policies-page-ov.mdx b/docs/serverless/edr-manage/policies-page-ov.mdx index 120956e87a..9a7884aa69 100644 --- a/docs/serverless/edr-manage/policies-page-ov.mdx +++ b/docs/serverless/edr-manage/policies-page-ov.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityPoliciesPageOv slug: /serverless/security/policies-page title: Policies # description: Description to be written 
@@ -16,10 +15,10 @@ The **Policies** page (**Assets** → **Policies**) lists all of the integration You must have the appropriate user role to use this feature. {/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */} -{/* You must have the **((elastic-defend)) Policy Management** privilege to access this feature. */} +{/* You must have the **((elastic-defend)) Policy Management** privilege to access this feature. */}
-Click on an integration policy's name to configure its settings. For more information on configuring an integration policy, refer to Configure an integration policy for ((elastic-defend)). +Click on an integration policy's name to configure its settings. For more information on configuring an integration policy, refer to Configure an integration policy for ((elastic-defend)). ![](../images/policies-page-ov/-management-admin-policy-list.png) diff --git a/docs/serverless/edr-manage/troubleshoot-endpoints.mdx b/docs/serverless/edr-manage/troubleshoot-endpoints.mdx index dcc4820c91..9ef60c6fac 100644 --- a/docs/serverless/edr-manage/troubleshoot-endpoints.mdx +++ b/docs/serverless/edr-manage/troubleshoot-endpoints.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityTroubleshootEndpoints slug: /serverless/security/troubleshoot-endpoints title: Troubleshoot endpoints # description: Description to be written @@ -10,7 +9,7 @@ status: in review
-This topic covers common troubleshooting issues when using ((elastic-sec)) endpoint management tools. +This topic covers common troubleshooting issues when using ((elastic-sec)) endpoint management tools.
@@ -28,9 +27,9 @@ Integration policy response information is also available from the **Endpoints**
 Common causes of failure in the ((elastic-defend)) integration policy include missing prerequisites or unexpected system configuration. Consult the following topics to resolve a specific error:
-- Approve the system extension for ((elastic-endpoint)) (macOS)
-- Enable Full Disk Access for ((elastic-endpoint)) (macOS)
-- Resolve a potential system deadlock (Linux)
+- Approve the system extension for ((elastic-endpoint)) (macOS)
+- Enable Full Disk Access for ((elastic-endpoint)) (macOS)
+- Resolve a potential system deadlock (Linux)
 If the ((elastic-defend)) integration policy is not the cause of the `Unhealthy` agent status, refer to [((fleet)) troubleshooting](((fleet-guide))/fleet-troubleshooting.html) for help with the ((agent)).
@@ -42,7 +41,7 @@ If the ((elastic-defend)) integration policy is not the cause of the `Unhealthy`
 If you have an `Unhealthy` ((agent)) status with the message `Disabled due to potential system deadlock`, that means malware protection was disabled on the ((elastic-defend)) integration policy due to errors while monitoring a Linux host.
-You can resolve the issue by configuring the policy's advanced settings related to **fanotify**, a Linux feature that monitors file system events. By default, ((elastic-defend)) works with fanotify to monitor specific file system types that Elastic has tested for compatibility, and ignores other unknown file system types.
+You can resolve the issue by configuring the policy's advanced settings related to **fanotify**, a Linux feature that monitors file system events. By default, ((elastic-defend)) works with fanotify to monitor specific file system types that Elastic has tested for compatibility, and ignores other unknown file system types.
 If your network includes nonstandard, proprietary, or otherwise unrecognized Linux file systems that cause errors while being monitored, you can configure ((elastic-defend)) to ignore those file systems. This allows ((elastic-defend)) to resume monitoring and protecting the hosts on the integration policy.
@@ -56,7 +55,7 @@ To resolve the potential system deadlock error:
 1. Scroll to the bottom of the policy and click **Show advanced settings**.
-1. In the setting `linux.advanced.fanotify.ignored_filesystems`, enter a comma-separated list of file system names to ignore, as they appear in `/proc/filesystems` (for example: `ext4,tmpfs`). Refer to Find file system names for more on determining the file system names.
+1. In the setting `linux.advanced.fanotify.ignored_filesystems`, enter a comma-separated list of file system names to ignore, as they appear in `/proc/filesystems` (for example: `ext4,tmpfs`). Refer to Find file system names for more on determining the file system names.
 1. Click **Save**.
diff --git a/docs/serverless/edr-manage/trusted-apps-ov.mdx b/docs/serverless/edr-manage/trusted-apps-ov.mdx
index 8eb6e977cb..359b6db2be 100644
--- a/docs/serverless/edr-manage/trusted-apps-ov.mdx
+++ b/docs/serverless/edr-manage/trusted-apps-ov.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityTrustedAppsOv
 slug: /serverless/security/trusted-applications
 title: Trusted applications
 # description: Description to be written
@@ -16,15 +15,15 @@ On the **Trusted applications** page (**Assets** → **Trusted applications**),
 You must have the appropriate user role to use this feature. {/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */}
-{/* You must have the **Trusted Applications** privilege to access this feature. */}
+{/* You must have the **Trusted Applications** privilege to access this feature. */}
 Trusted applications create blindspots for ((elastic-defend)), because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors — such as antivirus software — to execute their malicious DLLs. Such activity appears to originate from the trusted application's process.
-Trusted applications might still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an Endpoint alert exception, which prevents ((elastic-defend)) from generating alerts. To compare trusted applications with other endpoint artifacts, refer to .
+Trusted applications might still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an Endpoint alert exception, which prevents ((elastic-defend)) from generating alerts. To compare trusted applications with other endpoint artifacts, refer to .
-Additionally, trusted applications still generate process events for visualizations and other internal use by the ((stack)). To prevent process events from being written to ((es)), use an event filter to filter out the specific events that you don't want stored in ((es)), but be aware that features that depend on these process events may not function correctly.
+Additionally, trusted applications still generate process events for visualizations and other internal use by the ((stack)). To prevent process events from being written to ((es)), use an event filter to filter out the specific events that you don't want stored in ((es)), but be aware that features that depend on these process events may not function correctly.
 By default, a trusted application is recognized globally across all hosts running ((elastic-defend)). You can also assign a trusted application to a specific ((elastic-defend)) integration policy, enabling the application to be trusted by only the hosts assigned to that policy.
diff --git a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx
index 32dc4fc4fa..2c91d21d22 100644
--- a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx
+++ b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityAutomatedResponseActions
 slug: /serverless/security/automated-response-actions
 title: Automated response actions
 description: Automatically respond to events with endpoint response actions triggered by detection rules.
@@ -9,13 +8,13 @@ tags: ["serverless","security","defend","how-to","manage"]
-Add ((elastic-defend))'s response actions to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events.
+Add ((elastic-defend))'s response actions to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events.
 - Automated response actions require an [Enterprise subscription](https://www.elastic.co/pricing).
 - Hosts must have ((agent)) installed with the ((elastic-defend)) integration.
-- Your user role must have the ability to create detection rules and to perform specific response actions.
+- Your user role must have the ability to create detection rules and to perform specific response actions.
 - You can only add automated response actions to custom query rules.
@@ -23,11 +22,11 @@ Add ((elastic-defend))'s respons
 You can add automated response actions to a new or existing custom query rule.
 1. Do one of the following:
- - **New rule**: On the last step of custom query rule creation, go to the **Response Actions** section and select **((elastic-defend))**.
+ - **New rule**: On the last step of custom query rule creation, go to the **Response Actions** section and select **((elastic-defend))**.
 - **Existing rule**: Edit the rule's settings, then go to the **Actions** tab. In the tab, select **((elastic-defend))** under the **Response Actions** section.
 1. Select an option in the **Response action** field:
- - **Isolate**: Isolate the host, blocking communication with other hosts on the network.
+ - **Isolate**: Isolate the host, blocking communication with other hosts on the network.
 - **Kill process**: Terminate a process on the host.
 - **Suspend process**: Temporarily suspend a process on the host.
diff --git a/docs/serverless/endpoint-response-actions/host-isolation-ov.mdx b/docs/serverless/endpoint-response-actions/host-isolation-ov.mdx
index cb2bf9698f..9dfcc1ed16 100644
--- a/docs/serverless/endpoint-response-actions/host-isolation-ov.mdx
+++ b/docs/serverless/endpoint-response-actions/host-isolation-ov.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityHostIsolationOv
 slug: /serverless/security/isolate-host
 title: Isolate a host
 description: Host isolation allows you to cut off a host's network access until you release it.
@@ -12,11 +11,11 @@ status: in review
 Host isolation allows you to isolate hosts from your network, blocking communication with other hosts on your network until you release the host. Isolating a host is useful for responding to malicious activity or preventing potential attacks, as it prevents lateral movement across other hosts.
-Isolated hosts, however, can still send data to ((elastic-sec)). You can also create host isolation exceptions for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network.
+Isolated hosts, however, can still send data to ((elastic-sec)). You can also create host isolation exceptions for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network.
-* Host isolation requires the Endpoint Protection Complete .
+* Host isolation requires the Endpoint Protection Complete .
 * Hosts must have ((agent)) installed with the ((elastic-defend)) integration.
@@ -27,7 +26,7 @@ Isolated hosts, however, can still send data to ((elastic-sec)). You can also cr
 * Ubuntu 18.04, 20.04, and 22.04
 * AWS Linux 2
-* To isolate and release hosts running any operating system, you must have the appropriate user role. {/* **Host Isolation** privilege */}
+* To isolate and release hosts running any operating system, you must have the appropriate user role. {/* **Host Isolation** privilege */}
@@ -39,7 +38,7 @@ You can isolate a host from a detection alert's details flyout, from the Endpoin
 If the request fails, verify that the ((agent)) and your endpoint are both online before trying again.
-All actions executed on a host are tracked in the host’s response actions history, which you can access from the Endpoints page. Refer to View host isolation history for more information.
+All actions executed on a host are tracked in the host’s response actions history, which you can access from the Endpoints page. Refer to View host isolation history for more information.
@@ -69,7 +68,7 @@ All actions executed on a host are tracked in the host’s response actions hist
-The response console requires the Endpoint Protection Complete .
+The response console requires the Endpoint Protection Complete .
 1. Open the response console for the host (select the **Respond** button or actions menu option on the host, endpoint, or alert details view).
@@ -84,7 +83,7 @@ The response console requires the Endpoint Protection Complete
-The host isolation endpoint response action requires the Endpoint Protection Complete .
+The host isolation endpoint response action requires the Endpoint Protection Complete .
@@ -92,7 +91,7 @@ Be aware that automatic host isolation can result in unintended consequences, su
 1. Add an endpoint response action to a new or existing custom query rule. The endpoint response action will run whenever rule conditions are met:
- * **New rule**: On the last step of custom query rule creation, go to the **Response Actions** section and select **((elastic-defend))**.
+ * **New rule**: On the last step of custom query rule creation, go to the **Response Actions** section and select **((elastic-defend))**.
 * **Existing rule**: Edit the rule's settings, then go to the **Actions** tab. In the tab, select **((elastic-defend))** under the **Response Actions** section.
 1. Click the **Response action** field, then select **Isolate**.
 1. Enter a comment describing why you’re isolating the host (optional).
@@ -132,7 +131,7 @@ After the host is successfully isolated, an **Isolated** status is added to the
-The response console requires the Endpoint Protection Complete .
+The response console requires the Endpoint Protection Complete .
 1. Open the response console for the host (select the **Respond** button or actions menu option on the host, endpoint, or alert details view).
@@ -154,6 +153,6 @@ After the host is successfully released, the **Isolated** status is removed from
 To confirm if a host has been successfully isolated or released, check the response actions history, which logs the response actions performed on a host.
-Go to **Assets** → **Endpoints**, click an endpoint's name, then click the **Response action history** tab. You can filter the information displayed in this view. Refer to Response actions history for more details.
+Go to **Assets** → **Endpoints**, click an endpoint's name, then click the **Response action history** tab. You can filter the information displayed in this view. Refer to Response actions history for more details.
diff --git a/docs/serverless/endpoint-response-actions/response-actions-config.mdx b/docs/serverless/endpoint-response-actions/response-actions-config.mdx
index 3b5c2b4909..ed49021ffc 100644
--- a/docs/serverless/endpoint-response-actions/response-actions-config.mdx
+++ b/docs/serverless/endpoint-response-actions/response-actions-config.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityResponseActionsConfig
 slug: /serverless/security/response-actions-config
 title: Configure third-party response actions
 description: Configure ((elastic-sec)) to perform response actions on hosts protected by third-party systems.
@@ -21,8 +20,8 @@ You can direct SentinelOne to perform response actions on protected hosts, such
-* Project features add-on: Endpoint Protection Complete
-* User roles: **SOC manager** or **Endpoint operations analyst**
+* Project features add-on: Endpoint Protection Complete
+* User roles: **SOC manager** or **Endpoint operations analyst**
 * Endpoints must have actively running SentinelOne agents installed.
@@ -48,7 +47,7 @@ Configuration requires the following general steps. Expand the steps and follow
 - **API Token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data.
 1. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on ((agent)) configuration settings, refer to [((agent)) policies](((fleet-guide))/agent-policy.html).
 1. Click **Save and continue**.
- 1. Select **Add ((agent)) to your hosts** and continue with the ((agent)) installation steps to install ((agent)) on a resource in your network (such as a server or VM). ((agent)) will act as a bridge collecting data from SentinelOne and sending it back to ((elastic-sec)).
+ 1. Select **Add ((agent)) to your hosts** and continue with the ((agent)) installation steps to install ((agent)) on a resource in your network (such as a server or VM). ((agent)) will act as a bridge collecting data from SentinelOne and sending it back to ((elastic-sec)).
 1. **Create a SentinelOne connector.** Elastic's [SentinelOne connector](((kibana-ref))/sentinelone-action-type.html) enables ((elastic-sec)) to perform actions on SentinelOne-protected hosts.
@@ -67,7 +66,7 @@ Configuration requires the following general steps. Expand the steps and follow
 1. Click **Save**.
-1. **Create and enable a rule to generate ((elastic-sec)) alerts.** Create a custom query detection rule to generate ((elastic-sec)) alerts whenever SentinelOne generates alerts.
+1. **Create and enable a rule to generate ((elastic-sec)) alerts.** Create a custom query detection rule to generate ((elastic-sec)) alerts whenever SentinelOne generates alerts.
 Use these settings when creating the custom query rule to target the data collected from SentinelOne:
diff --git a/docs/serverless/endpoint-response-actions/response-actions-history.mdx b/docs/serverless/endpoint-response-actions/response-actions-history.mdx
index 3c4e87075a..3195550a22 100644
--- a/docs/serverless/endpoint-response-actions/response-actions-history.mdx
+++ b/docs/serverless/endpoint-response-actions/response-actions-history.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityResponseActionsHistory
 slug: /serverless/security/response-actions-history
 title: Response actions history
 description: The response actions history log keeps a record of actions taken on endpoints.
@@ -10,13 +9,13 @@ status: in review
-((elastic-sec)) keeps a log of the response actions performed on endpoints, such as isolating a host or terminating a process. The log displays when each command was performed, the host on which the action was performed, the user who requested the action, any comments added to the action, and the action's current status.
+((elastic-sec)) keeps a log of the response actions performed on endpoints, such as isolating a host or terminating a process. The log displays when each command was performed, the host on which the action was performed, the user who requested the action, any comments added to the action, and the action's current status.
 You must have the appropriate user role to use this feature. {/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */}
-{/* You must have the **Response Actions History** privilege to access this feature. */}
+{/* You must have the **Response Actions History** privilege to access this feature. */}
diff --git a/docs/serverless/endpoint-response-actions/response-actions.mdx b/docs/serverless/endpoint-response-actions/response-actions.mdx
index 7d65f46ad6..cae21136ac 100644
--- a/docs/serverless/endpoint-response-actions/response-actions.mdx
+++ b/docs/serverless/endpoint-response-actions/response-actions.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityResponseActions
 slug: /serverless/security/response-actions
 title: Endpoint response actions
 description: Perform response actions on endpoints using a terminal-like interface.
@@ -10,13 +9,13 @@ status: rough content
-The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint's response actions history for reference.
+The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint's response actions history for reference.
 Response actions are supported on all endpoint platforms (Linux, macOS, and Windows).
-* Response actions and the response console UI require the Endpoint Protection Complete .
+* Response actions and the response console UI require the Endpoint Protection Complete .
 * Endpoints must have ((agent)) version 8.4 or higher installed with the ((elastic-defend)) integration to receive response actions.
@@ -35,7 +34,7 @@ Launch the response console from any of the following places in ((elastic-sec)):
 * Alert details flyout → **Take action** → **Respond**
 * Host details page → **Respond**
-To perform an action on the endpoint, enter a response action command in the input area at the bottom of the console, then press **Return**. Output from the action is displayed in the console.
+To perform an action on the endpoint, enter a response action command in the input area at the bottom of the console, then press **Return**. Output from the action is displayed in the console.
 If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the response actions history.
@@ -43,7 +42,7 @@ If a host is unavailable, pending actions will execute once the host comes onlin
 Some response actions may take a few seconds to complete. Once you enter a command, you can immediately enter another command while the previous action is running.
-Activity in the response console is persistent, so you can navigate away from the page and any pending actions you've submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the response actions history.
+Activity in the response console is persistent, so you can navigate away from the page and any pending actions you've submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the response actions history.
 Once you submit a response action, you can't cancel it, even if the action is pending for an offline host.
@@ -56,7 +55,7 @@ Once you submit a response action, you can't cancel it, even if the action is pe
 The following response action commands are available in the response console.
 ### `isolate`
-Isolate the host, blocking communication with other hosts on the network.
+Isolate the host, blocking communication with other hosts on the network.
 Required role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst**
@@ -120,12 +119,12 @@ Required role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations ana
 Example: `get-file --path "/full/path/to/file.txt" --comment "Possible malware"`
-You can use the Osquery manager integration to query a host's operating system and gain insight into its files and directories, then use `get-file` to retrieve specific files.
+You can use the Osquery manager integration to query a host's operating system and gain insight into its files and directories, then use `get-file` to retrieve specific files.
-When ((elastic-defend)) prevents file activity due to malware prevention, the file is quarantined on the host and a malware prevention alert is created. To retrieve this file with `get-file`, copy the path from the alert's **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter.
+When ((elastic-defend)) prevents file activity due to malware prevention, the file is quarantined on the host and a malware prevention alert is created. To retrieve this file with `get-file`, copy the path from the alert's **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter.
@@ -196,7 +195,7 @@ Clear all output from the response console.
 List supported commands in the console output area.
-You can also get a list of commands in the Help panel, which stays on the screen independently of the output area.
+You can also get a list of commands in the Help panel, which stays on the screen independently of the output area.
@@ -221,6 +220,6 @@ If the endpoint is running an older version of ((agent)), some response actions
 ## Response actions history
-Click **Response actions history** to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to Response actions history for more details.
+Click **Response actions history** to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to Response actions history for more details.
diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.mdx b/docs/serverless/endpoint-response-actions/third-party-actions.mdx
index b7f267b068..b12d4d04b5 100644
--- a/docs/serverless/endpoint-response-actions/third-party-actions.mdx
+++ b/docs/serverless/endpoint-response-actions/third-party-actions.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityThirdPartyActions
 slug: /serverless/security/third-party-actions
 title: Third-party response actions
 description: Perform response actions on hosts protected by third-party endpoint security systems.
@@ -12,7 +11,7 @@ tags: ["serverless","security","defend","reference","manage"]
 ## SentinelOne response actions
-You can direct SentinelOne to perform response actions on protected hosts without leaving the ((elastic-sec)) UI. Prior configuration is required to connect ((elastic-sec)) with SentinelOne.
+You can direct SentinelOne to perform response actions on protected hosts without leaving the ((elastic-sec)) UI. Prior configuration is required to connect ((elastic-sec)) with SentinelOne.
 The following response actions and related features are supported for SentinelOne-protected hosts:
@@ -20,6 +19,6 @@ The following response actions and related features are supported for SentinelOn
 - From a detection alert
 - From the response console
- Refer to the instructions on isolating and releasing hosts for more details.
+ Refer to the instructions on isolating and releasing hosts for more details.
-- **View past response action activity** in the response actions history log.
+- **View past response action activity** in the response actions history log.
diff --git a/docs/serverless/explore/data-views-in-sec.mdx b/docs/serverless/explore/data-views-in-sec.mdx
index c749b076d1..8ed3030e48 100644
--- a/docs/serverless/explore/data-views-in-sec.mdx
+++ b/docs/serverless/explore/data-views-in-sec.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityDataViewsInSec
 slug: /serverless/security/data-views-in-sec
 title: ((data-sources-cap)) in Elastic Security
 description: Use data views to control what data displays on ((elastic-sec)) pages with event or alert data.
@@ -15,7 +14,7 @@ status: in review
 Only data from ((es)) [indices](((ref))/documents-indices.html), [data streams](((ref))/data-streams.html), or [index aliases](((ref))/alias.html) specified in the active ((data-source)) will appear.
-Custom indices are not included in the default ((data-source)). Modify it or create a custom ((data-source)) to include custom indices.
+Custom indices are not included in the default ((data-source)). Modify it or create a custom ((data-source)) to include custom indices.
 ## Switch to another ((data-source))
@@ -40,7 +39,7 @@ To learn more, refer to [((data-sources-cap))](((apm-app-ref))/data-views.html).
 ## The default ((data-source))
-The default ((data-source)) is defined by the `securitySolution:defaultIndex` setting, which you can modify in your project's advanced settings{/* path to be updated: (**Stack Management** → **Advanced Settings** → **Security Solution**) */}. To learn more about this setting, including its default value, refer to ).
+The default ((data-source)) is defined by the `securitySolution:defaultIndex` setting, which you can modify in your project's advanced settings{/* path to be updated: (**Stack Management** → **Advanced Settings** → **Security Solution**) */}. To learn more about this setting, including its default value, refer to ).
 The first time a user visits ((elastic-sec)){/* within a given ((kib)) [space](((apm-app-ref))/xpack-spaces.html)*/}, the default ((data-source)) generates{/* in that space*/} and becomes active.
diff --git a/docs/serverless/explore/explore-your-data.mdx b/docs/serverless/explore/explore-your-data.mdx
index c906d03645..64fd6977b2 100644
--- a/docs/serverless/explore/explore-your-data.mdx
+++ b/docs/serverless/explore/explore-your-data.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityExploreYourData
 slug: /serverless/security/explore-your-data
 title: Explore your data
 # description: Description to be written
@@ -10,9 +9,9 @@ status: in review
 This section contains the following pages:
-*
-*
-*
-*
-*
-*
+*
+*
+*
+*
+*
+*
diff --git a/docs/serverless/explore/hosts-overview.mdx b/docs/serverless/explore/hosts-overview.mdx
index beaba02713..fcae2ab0d2 100644
--- a/docs/serverless/explore/hosts-overview.mdx
+++ b/docs/serverless/explore/hosts-overview.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityHostsOverview
 slug: /serverless/security/hosts-overview
 title: Hosts page
 description: Explore the Hosts page to analyze hosts and related security events.
@@ -36,10 +35,10 @@ Beneath the KPI charts are data tables, categorized by individual tabs, which ar
 * **All hosts**: High-level host details.
 * **Uncommon processes**: Uncommon processes running on hosts.
 * **Anomalies**: Anomalies discovered by machine learning jobs.
-* **Host risk**: The latest recorded host risk score for each host, and its host risk classification. This feature requires the Security Analytics Complete and must be enabled to display the data. To learn more, refer to our entity risk scoring documentation.
-* **Sessions**: Linux process events that you can open in Session View, an investigation tool that allows you to examine Linux process data at a hierarchal level.
+* **Host risk**: The latest recorded host risk score for each host, and its host risk classification. This feature requires the Security Analytics Complete and must be enabled to display the data. To learn more, refer to our entity risk scoring documentation.
+* **Sessions**: Linux process events that you can open in Session View, an investigation tool that allows you to examine Linux process data at a hierarchal level.
-The tables within the **Events** and **Sessions** tabs include inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts.
+The tables within the **Events** and **Sessions** tabs include inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts.
 ![Events table](../images/hosts-overview/-getting-started-users-events-table.png)
@@ -51,7 +50,7 @@ A host's details page displays all relevant information for the selected host. T
 The host details page includes the following sections:
-* **Asset Criticality**: If the `securitySolution:enableAssetCriticality` advanced setting is on, this section displays the host's current asset criticality level.
+* **Asset Criticality**: If the `securitySolution:enableAssetCriticality` advanced setting is on, this section displays the host's current asset criticality level.
 * **Summary**: Details such as the host ID, when the host was first and last seen, the associated IP addresses, and associated operating system. If the entity risk score feature is enabled, this section also displays host risk score data.
 * **Alert metrics**: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`).
 * **Data tables**: The same data tables as on the main Hosts page, except with values for the selected host instead of all hosts.
@@ -71,16 +70,16 @@ In addition to the host details page, relevant host information is also availabl
 The host details flyout includes the following sections:
-* Host risk summary, which displays host risk data and inputs.
-* Asset Criticality, which allows you to view and assign asset criticality.
-* Observed data, which displays host details.
+* Host risk summary, which displays host risk data and inputs.
+* Asset Criticality, which allows you to view and assign asset criticality.
+* Observed data, which displays host details.
 ![Host details flyout](../images/hosts-overview/-host-details-flyout.png)
 ### Host risk summary
-The **Host risk summary** section is only available if the risk scoring engine is turned on.
+The **Host risk summary** section is only available if the risk scoring engine is turned on.
 The **Host risk summary** section contains a risk summary visualization and table.
@@ -101,10 +100,10 @@ If more than 10 alerts contributed to the risk scoring calculation, the remainin ### Asset Criticality -The **Asset Criticality** section is only available if the `securitySolution:enableAssetCriticality` advanced setting is on. +The **Asset Criticality** section is only available if the `securitySolution:enableAssetCriticality` advanced setting is on. -The **Asset Criticality** section displays the selected host's asset criticality level. Asset criticality contributes to the overall host risk score. The criticality level defines how impactful the host is when calculating the risk score. +The **Asset Criticality** section displays the selected host's asset criticality level. Asset criticality contributes to the overall host risk score. The criticality level defines how impactful the host is when calculating the risk score. ![Asset criticality](../images/hosts-overview/-host-asset-criticality.png) diff --git a/docs/serverless/explore/network-page-overview.mdx b/docs/serverless/explore/network-page-overview.mdx index e47471cb82..bde68003f3 100644 --- a/docs/serverless/explore/network-page-overview.mdx +++ b/docs/serverless/explore/network-page-overview.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityNetworkPageOverview slug: /serverless/security/network-page-overview title: Network page description: Analyze key network activity metrics on an interactive map, and use network event tables for deeper insights. 
@@ -21,7 +20,7 @@ The Network page provides key network activity metrics in an interactive map, an The map provides an interactive visual overview of your network traffic. Hover over source and destination points to show more information, such as host names and IP addresses. -To access the interactive map, you must have the appropriate user role. To learn more about map setup, refer to Configure network map data. +To access the interactive map, you must have the appropriate user role. To learn more about map setup, refer to Configure network map data. There are several ways to drill down: @@ -53,14 +52,14 @@ There are also tabs for viewing and investigating specific types of data: * **Events**: All network events. To display alerts received from external monitoring tools, scroll down to the events table and select **Show only external alerts** on the right. -The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts. +The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts. * **Flows**: Source and destination IP addresses and countries. * **DNS**: DNS network queries. * **HTTP**: Received HTTP requests (HTTP requests for applications using [Elastic APM](((apm-app-ref))/apm-getting-started.html) are monitored by default). * **TLS**: Handshake details. -* **Anomalies**: Anomalies discovered by machine learning jobs. +* **Anomalies**: Anomalies discovered by machine learning jobs.
@@ -76,7 +75,7 @@ The IP's details page includes the following sections: By default, the external sites are [Talos](https://talosintelligence.com/) and - [VirusTotal](https://www.virustotal.com/). Refer to Display reputation links on IP detail pages to learn how to configure IP reputation links. + [VirusTotal](https://www.virustotal.com/). Refer to Display reputation links on IP detail pages to learn how to configure IP reputation links. * **Alert metrics**: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). diff --git a/docs/serverless/explore/runtime-fields.mdx b/docs/serverless/explore/runtime-fields.mdx index eefcdc1686..2368ab6f2b 100644 --- a/docs/serverless/explore/runtime-fields.mdx +++ b/docs/serverless/explore/runtime-fields.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityRuntimeFields slug: /serverless/security/runtime-fields title: Create runtime fields in ((elastic-sec)) description: Create, edit, or delete runtime fields in ((elastic-sec)). 
@@ -12,7 +11,7 @@ status: in review Runtime fields are fields that you can add to documents after you've ingested your data. For example, you could combine two fields and treat them as one, or perform calculations on existing data and use the result as a separate field. Runtime fields are evaluated when a query is run. -You can create a runtime field and add it to your detection alerts or events from any page that lists alerts or events in a data grid table, such as **Alerts**, **Timelines**, **Hosts**, and **Users**. Once created, the new field is added to the current data view and becomes available to all ((elastic-sec)) alerts and events in the data view. +You can create a runtime field and add it to your detection alerts or events from any page that lists alerts or events in a data grid table, such as **Alerts**, **Timelines**, **Hosts**, and **Users**. Once created, the new field is added to the current data view and becomes available to all ((elastic-sec)) alerts and events in the data view. Runtime fields can impact performance because they're evaluated each time a query runs. Refer to [Runtime fields](((ref))/runtime.html) for more information. diff --git a/docs/serverless/explore/siem-field-reference.mdx b/docs/serverless/explore/siem-field-reference.mdx index 067c239c1d..6c9c7bb4bb 100644 --- a/docs/serverless/explore/siem-field-reference.mdx +++ b/docs/serverless/explore/siem-field-reference.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecuritySiemFieldReference slug: /serverless/security/siem-field-reference title: ((elastic-sec)) ECS field reference description: Learn which ECS fields are used by ((elastic-sec)) to display various data. 
@@ -14,7 +13,7 @@ This section lists [Elastic Common Schema](((ecs-ref))) (ECS) fields used by ((e We recommend you use ((agent)) integrations or ((beats)) to ship your data to ((elastic-sec)). ((agent)) integrations and Beat modules (for example, [((filebeat)) modules](((filebeat-ref))/filebeat-modules.html)) are ECS-compliant, which means data they ship to ((elastic-sec)) will automatically populate the relevant ECS fields. -If you plan to use a custom implementation to map your data to ECS fields (see [how to map data to ECS](((ecs-ref))/ecs-converting.html)), ensure the always required fields are populated. Ideally, all relevant ECS fields should be populated as well. +If you plan to use a custom implementation to map your data to ECS fields (see [how to map data to ECS](((ecs-ref))/ecs-converting.html)), ensure the always required fields are populated. Ideally, all relevant ECS fields should be populated as well. For detailed information about which ECS fields can appear in documents generated by ((elastic-endpoint)), refer to the [Endpoint event documentation](https://github.com/elastic/endpoint-package/tree/main/custom_documentation/doc/endpoint). @@ -93,7 +92,7 @@ For detailed information about which ECS fields can appear in documents generate ## Fields required for network events ((elastic-sec)) relies on these fields to analyze and display network data: -* `destination.geo.location` (required for display of map data) +* `destination.geo.location` (required for display of map data) * `destination.ip` * `source.geo.location` (required to display map data) * `source.ip` diff --git a/docs/serverless/explore/users-page.mdx b/docs/serverless/explore/users-page.mdx index 3eba0bfcbb..3defe8e72d 100644 --- a/docs/serverless/explore/users-page.mdx +++ b/docs/serverless/explore/users-page.mdx 
@@ -1,5 +1,4 @@ --- -id: serverlessSecurityUsersPage slug: /serverless/security/users-page title: Users page description: Analyze authentication and user behavior within your environment. @@ -32,9 +31,9 @@ Beneath the KPI charts are data tables, which are useful for viewing and investi * **All users**: A chronological list of unique user names, when they were last active, and the associated domains. * **Authentications**: A chronological list of user authentication events and associated details, such as the number of successes and failures, and the host name of the last successful destination. * **Anomalies**: Unusual activity discovered by machine learning jobs that contain user data. -* **User risk**: The latest recorded user risk score for each user, and its user risk classification. This feature requires the Security Analytics Complete and must be enabled to display the data. To learn more, refer to our entity risk scoring documentation. +* **User risk**: The latest recorded user risk score for each user, and its user risk classification. This feature requires the Security Analytics Complete and must be enabled to display the data. To learn more, refer to our entity risk scoring documentation. -The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts. +The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts. ## User details page 
@@ -42,7 +41,7 @@ A user's details page displays all relevant information for the selected user. T The user details page includes the following sections: -* **Asset Criticality**: If the `securitySolution:enableAssetCriticality` advanced setting is on, this section displays the user's current asset criticality level. +* **Asset Criticality**: If the `securitySolution:enableAssetCriticality` advanced setting is on, this section displays the user's current asset criticality level. * **Summary**: Details such as the user ID, when the user was first and last seen, the associated IP address(es), and operating system. If the entity risk score feature is enabled, this section also displays user risk score data. @@ -65,16 +64,16 @@ In addition to the user details page, relevant user information is also availabl The user details flyout includes the following sections: -* User risk summary, which displays user risk data and inputs. -* Asset Criticality, which allows you to view and assign asset criticality. -* Observed data, which displays user details. +* User risk summary, which displays user risk data and inputs. +* Asset Criticality, which allows you to view and assign asset criticality. +* Observed data, which displays user details. ![User details flyout](../images/users-page/-user-details-flyout.png) ### User risk summary -The **User risk summary** section is only available if the risk scoring engine is turned on. +The **User risk summary** section is only available if the risk scoring engine is turned on. The **User risk summary** section contains a risk summary visualization and table. 
@@ -95,10 +94,10 @@ If more than 10 alerts contributed to the risk scoring calculation, the remainin ### Asset Criticality -The **Asset Criticality** section is only available if the `securitySolution:enableAssetCriticality` advanced setting is on. +The **Asset Criticality** section is only available if the `securitySolution:enableAssetCriticality` advanced setting is on. -The **Asset Criticality** section displays the selected user's asset criticality level. Asset criticality contributes to the overall user risk score. The criticality level defines how impactful the user is when calculating the risk score. +The **Asset Criticality** section displays the selected user's asset criticality level. Asset criticality contributes to the overall user risk score. The criticality level defines how impactful the user is when calculating the risk score. ![Asset criticality](../images/users-page/-user-asset-criticality.png) diff --git a/docs/serverless/images/trusted-apps-ov/-management-admin-trusted-apps-list.png b/docs/serverless/images/trusted-apps-ov/-management-admin-trusted-apps-list.png index d7e9c90bb0..828f6e85ea 100644 Binary files a/docs/serverless/images/trusted-apps-ov/-management-admin-trusted-apps-list.png and b/docs/serverless/images/trusted-apps-ov/-management-admin-trusted-apps-list.png differ diff --git a/docs/serverless/ingest/ingest-data.mdx b/docs/serverless/ingest/ingest-data.mdx index 5b7b3837a9..5627395d37 100644 --- a/docs/serverless/ingest/ingest-data.mdx +++ b/docs/serverless/ingest/ingest-data.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityIngestData slug: /serverless/security/ingest-data title: Ingest data to Elastic Security description: Learn how to add your own data to ((elastic-sec)). 
@@ -13,18 +12,18 @@ status: in review To ingest data, you can use: * The [((agent))](((fleet-guide))/fleet-overview.html) with the **((elastic-defend))** integration, which protects - your hosts and sends logs, metrics, and endpoint security data to ((elastic-sec)). See . + your hosts and sends logs, metrics, and endpoint security data to ((elastic-sec)). See . * The ((agent)) with other integrations, which are available in the [Elastic Package Registry (EPR)](((fleet-guide))/fleet-overview.html#package-registry-intro). To install an integration that works with ((elastic-sec)), select **Add integrations** in the toolbar on most pages. On the **Integrations** page, select the **Security** category filter, then select an integration to view the installation instructions. For more information on integrations, refer to [((integrations))](((integrations-docs))). * **((beats))** shippers installed for each system you want to monitor. * The ((agent)) to send data from Splunk to ((elastic-sec)). See [Get started with data from Splunk](((observability-guide))/splunk-get-started.html). -* Third-party collectors configured to ship ECS-compliant data. provides a list of ECS fields used in ((elastic-sec)). +* Third-party collectors configured to ship ECS-compliant data. provides a list of ECS fields used in ((elastic-sec)). If you use a third-party collector to ship data to ((elastic-sec)), you must map its fields to the [Elastic Common Schema (ECS)](((ecs-ref))). Additionally, -you must add its index to the ((elastic-sec)) indices (update the **`securitySolution:defaultIndex`** advanced setting). +you must add its index to the ((elastic-sec)) indices (update the **`securitySolution:defaultIndex`** advanced setting). ((elastic-sec)) uses the [`host.name`](((ecs-ref))/ecs-host.html) ECS field as the primary key for identifying hosts. diff --git a/docs/serverless/ingest/threat-intelligence.mdx b/docs/serverless/ingest/threat-intelligence.mdx index 1dc8d15f4b..8bc9710f2b 100644 
--- a/docs/serverless/ingest/threat-intelligence.mdx +++ b/docs/serverless/ingest/threat-intelligence.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityThreatIntelligence slug: /serverless/security/threat-intelligence title: Enable threat intelligence integrations description: Use threat indicators to detect known threats and malicious activity. @@ -10,15 +9,15 @@ status: in review
-The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of threat indicators ingested from third-party threat intelligence sources. +The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of threat indicators ingested from third-party threat intelligence sources. Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator. -To learn more about alerts with threat intelligence, visit View alert details. +To learn more about alerts with threat intelligence, visit View alert details. -Refer to the following sections to learn how to connect to threat intelligence sources using an ((agent)) integration, the Threat Intel module, or a custom integration. +Refer to the following sections to learn how to connect to threat intelligence sources using an ((agent)) integration, the Threat Intel module, or a custom integration. 
@@ -36,22 +35,12 @@ There are a few scenarios when data won't display in the Threat Intelligence vie - If you know the name of ((agent)) integration you want to install, you can search for it directly. You can use the following ((agent)) integrations with the Threat Intelligence view: - - * AbuseCH - * AlienVault OTX - * Anomali - * Cybersixgill - * Maltiverse - * MISP - * Mimecast - * Recorded Future - * ThreatQuotient + If you know the name of ((agent)) integration you want to install, you can search for it directly. Alternatively, choose the **Threat Intelligence** category to display a list of available [threat intelligence integrations](((integrations-docs))/threat-intelligence-intro). 1. Select an ((agent)) integration, then complete the installation steps. -1. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn't displaying, refresh the page or refer to these troubleshooting steps. +1. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn't displaying, refresh the page or refer to these troubleshooting steps.
@@ -63,7 +52,7 @@ There are a few scenarios when data won't display in the Threat Intelligence vie For more information about enabling available threat intelligence filesets, refer to [Threat Intel module](((filebeat-ref))/filebeat-module-threatintel.html).
-1. Update the `securitySolution:defaultThreatIndex` advanced setting by adding the appropriate index pattern name after the default ((fleet)) threat intelligence index pattern (`logs-ti*`): +1. Update the `securitySolution:defaultThreatIndex` advanced setting by adding the appropriate index pattern name after the default ((fleet)) threat intelligence index pattern (`logs-ti*`): 1. If you're _only_ using ((filebeat)) version 8.x, add the appropriate ((filebeat)) threat intelligence index pattern. For example, `logs-ti*`, `filebeat-8*`. 1. If you're using a previous version of Filebeat _and_ a current one, differentiate between the threat intelligence indices by using unique index pattern names. For example, if you’re using ((filebeat)) version 7.0.0 and 8.0.0, update the setting to `logs-ti*`,`filebeat-7*`,`filebeat-8*`. 1. Return to the Threat Intelligence view on the Overview dashboard. Refresh the page if indicator data isn't displaying. @@ -72,8 +61,8 @@ There are a few scenarios when data won't display in the Threat Intelligence vie ## Add a custom integration -1. Set up a way to ingest data into your system. -1. Update the `securitySolution:defaultThreatIndex` advanced setting by adding the appropriate index pattern name after the default ((fleet)) threat intelligence index pattern (`logs-ti*`), for example, `logs-ti*`,`custom-ti-index*`. +1. Set up a way to ingest data into your system. +1. Update the `securitySolution:defaultThreatIndex` advanced setting by adding the appropriate index pattern name after the default ((fleet)) threat intelligence index pattern (`logs-ti*`), for example, `logs-ti*`,`custom-ti-index*`. Threat intelligence indices aren’t required to be ECS compatible. However, we strongly recommend compatibility if you’d like your alerts to be enriched with relevant threat indicator information. You can find a list of ECS-compliant threat intelligence fields at [Threat Fields](((ecs-ref))/ecs-threat.html). 
diff --git a/docs/serverless/investigate/cases-open-manage.mdx b/docs/serverless/investigate/cases-open-manage.mdx index beff32b429..12c8808036 100644 --- a/docs/serverless/investigate/cases-open-manage.mdx +++ b/docs/serverless/investigate/cases-open-manage.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityCasesOpenManage slug: /serverless/security/cases-open-manage title: Create and manage cases description: Create a case in ((elastic-sec)), and add files and visualizations. @@ -32,10 +31,10 @@ colleagues. You can insert a Timeline link in the case description by clicking the Timeline icon (). -1. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary prerequisites. +1. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary prerequisites. 1. Choose if you want alert statuses to sync with the case's status after they are added to the case. This option is enabled by default, but you can turn it off after creating the case. -1. From **External incident management**, select a connector. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`. +1. From **External incident management**, select a connector. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`. 1. Click **Create case**. 
@@ -92,19 +91,19 @@ From the Cases page, you can search existing cases and filter them by attributes To explore a case, click on its name. You can then: -* Review the case summary -* Add and manage comments +* Review the case summary +* Add and manage comments Comments can contain Markdown. For syntax help, click the Markdown icon () in the bottom right of the comment. -* Examine alerts and indicators attached to the case -* Add files -* Add a Lens visualization +* Examine alerts and indicators attached to the case +* Add files +* Add a Lens visualization * Modify the case's description, assignees, category, severity, status, and tags. -* Manage connectors and send updates to external systems (if you've added a connector to the case) -* Copy the case UUID +* Manage connectors and send updates to external systems (if you've added a connector to the case) +* Copy the case UUID * Refresh the case to retrieve the latest updates
@@ -135,7 +134,7 @@ To edit, delete, or quote a comment, select the appropriate option from the **Mo ### Examine alerts attached to a case -To explore the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To view alert details, click the **View details** button. +To explore the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To view alert details, click the **View details** button. ![Shows you the Alerts tab](../images/cases-open-manage/-cases-cases-alert-tab.png) @@ -190,7 +189,7 @@ To add a Lens visualization to a comment within your case: 1. Click **Preview** to show how the visualization will appear in the case comment. 1. Click **Add Comment** to add the visualization to your case. -Alternatively, while viewing a dashboard you can open a panel's menu then click **More actions** (​) → **Add to existing case** or **More actions** (​) → **Add to new case**. +Alternatively, while viewing a dashboard you can open a panel's menu then click **More actions** (​) → **Add to existing case** or **More actions** (​) → **Add to new case**. After a visualization has been added to a case, you can modify or interact with it by clicking the **Open Visualization** option in the case's comment menu. @@ -208,7 +207,7 @@ Each case has a universally unique identifier (UUID) that you can copy and share ## Export and import cases -Cases can be exported and imported as saved objects using the Saved Objects project settings UI. +Cases can be exported and imported as saved objects using the Saved Objects project settings UI. Before importing Lens visualizations, Timelines, or alerts, ensure their data is present. Without it, they won't work after being imported. diff --git a/docs/serverless/investigate/cases-overview.mdx b/docs/serverless/investigate/cases-overview.mdx index 402490c2e0..65fabe5979 100644 --- a/docs/serverless/investigate/cases-overview.mdx 
+++ b/docs/serverless/investigate/cases-overview.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityCasesOverview slug: /serverless/security/cases-overview title: Cases description: Cases enable you to track investigation details about security issues. @@ -13,7 +12,7 @@ status: in review Collect and share information about security issues by opening a case in ((elastic-sec)). Cases allow you to track key investigation details, collect alerts in a central location, and more. The ((elastic-sec)) UI provides several ways to create and manage cases. Alternatively, you can use the [Cases API](((security-guide))/cases-api-overview.html) to perform the same tasks. {/* Link to classic docs until serverless API docs are available. */} -You can also send cases to these external systems by configuring external connectors: +You can also send cases to these external systems by configuring external connectors: * ((sn-itsm)) * ((sn-sir)) diff --git a/docs/serverless/investigate/cases-ui-integrations.mdx b/docs/serverless/investigate/cases-ui-integrations.mdx index 69a9c388d0..f41315e903 100644 --- a/docs/serverless/investigate/cases-ui-integrations.mdx +++ b/docs/serverless/investigate/cases-ui-integrations.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityCasesUiIntegrations slug: /serverless/security/cases-ui-integrations title: Configure external connections description: Create and add external connectors to send cases to third-party systems. 
@@ -22,7 +21,7 @@ You can push ((elastic-sec)) cases to these third-party systems: To push cases, you need to create a connector, which stores the information required to interact with an external system. After you have created a connector, you can set ((elastic-sec)) cases to automatically close when they are sent to external systems. -To create connectors and send cases to external systems, you need the Security Analytics Complete and the appropriate user role. For more information, refer to Cases prerequisites. +To create connectors and send cases to external systems, you need the Security Analytics Complete and the appropriate user role. For more information, refer to Cases prerequisites.
@@ -136,7 +135,7 @@ To change the default connector used to send cases to external systems, go to ** ## Add connectors -After you create a case, you can add connectors to it. From the case details page, go to **External incident management system**, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time. +After you create a case, you can add connectors to it. From the case details page, go to **External incident management system**, then select a connector. A case can have multiple connectors, but only one connector can be selected at a time. diff --git a/docs/serverless/investigate/indicators-of-compromise.mdx b/docs/serverless/investigate/indicators-of-compromise.mdx index ed7bf58582..1a331f9b25 100644 --- a/docs/serverless/investigate/indicators-of-compromise.mdx +++ b/docs/serverless/investigate/indicators-of-compromise.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityIndicatorsOfCompromise slug: /serverless/security/indicators-of-compromise title: Indicators of compromise description: Set up the Indicators page to detect, analyze, and respond to threats. @@ -14,7 +13,7 @@ The Indicators page collects data from enabled threat intelligence feeds and pro -* The Indicators page requires the Security Analytics Complete . +* The Indicators page requires the Security Analytics Complete . * You must have _one_ of the following installed on the hosts you want to monitor: * **((agent))** - Install a [((fleet))-managed ((agent))](((fleet-guide))/install-fleet-managed-elastic-agent.html) and ensure the agent's status is `Healthy`. Refer to [((fleet)) Troubleshooting](((fleet-guide))/fleet-troubleshooting.html) if it isn't. * **((filebeat))** - Install [((filebeat))](((filebeat-ref))/filebeat-installation-configuration.html). 
@@ -53,20 +52,20 @@ Install a threat intelligence integration to add indicators to the Indicators pa ### Troubleshooting If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration: -* Verify that the index storing indicator documents is included in the default ((elastic-sec)) indices (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you're collecting indicator data: +* Verify that the index storing indicator documents is included in the default ((elastic-sec)) indices (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you're collecting indicator data: * **((agent)) integrations** - `logs_ti*` * **((filebeat)) integrations** - `filebeat-*` * Ensure the indicator data you're ingesting is mapped to [Elastic Common Schema (ECS)](((ecs-ref))). -These troubleshooting steps also apply to the Threat Intelligence view. +These troubleshooting steps also apply to the Threat Intelligence view.
## Indicators page UI -After you add indicators to the Indicators page, you can examine, search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend. +After you add indicators to the Indicators page, you can examine, search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the total values in the legend. @@ -90,7 +89,7 @@ Learn more about an indicator by clicking **View details**, then opening the Ind ## Find related security events -Investigate an indicator in Timeline to identify and predict related events in your environment. You can add an indicator to Timeline from the Indicators table or the Indicator details flyout. +Investigate an indicator in Timeline to identify and predict related events in your environment. You can add an indicator to Timeline from the Indicators table or the Indicator details flyout. ![Shows the results of an indicator being investigated in Timeline](../images/indicators-of-compromise/-cases-indicator-query-timeline.png) @@ -124,7 +123,7 @@ To add indicators to cases: 1. Select one of the following: * **Add to existing case**: From the **Select case** dialog box, select the case to which you want to attach the indicator. - * **Add to new case**: Configure the case details. Refer to Open a new case to learn more about opening a new case. + * **Add to new case**: Configure the case details. Refer to Open a new case to learn more about opening a new case. The indicator is added to the case as a new comment. @@ -159,11 +158,11 @@ To remove an indicator attached to a case, click the **More actions** (blocklist
to prevent selected applications from running on your hosts. You can use MD5, SHA-1, or SHA-256 hash values from `file` type indicators. +Add indicator values to the blocklist to prevent selected applications from running on your hosts. You can use MD5, SHA-1, or SHA-256 hash values from `file` type indicators. You can add indicator values to the blocklist from the Indicators table or the Indicator details flyout. From the Indicators table, select the **More actions** () menu → **Add blocklist entry**. Alternatively, open an indicator's details, then select the **Take action** menu → **Add blocklist entry**. -Refer to Blocklist for more information about blocklist entries. +Refer to Blocklist for more information about blocklist entries. diff --git a/docs/serverless/investigate/investigate-events.mdx b/docs/serverless/investigate/investigate-events.mdx index 5d949cc362..7f714fd77c 100644 --- a/docs/serverless/investigate/investigate-events.mdx +++ b/docs/serverless/investigate/investigate-events.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityInvestigateEvents slug: /serverless/security/investigate-events title: Investigate security events description: Investigate security events and track security issues in ((elastic-sec)). 
@@ -15,7 +14,7 @@ The following sections describe tools for investigating security events and trac These features are available in the ((security-app))'s side navigation menu: -* **Cases**: Track investigation details about security issues. -* **Investigations** → **Timelines**: Workspace for investigations and threat hunting. -* **Investigations** → **Osquery**: Run live and scheduled queries on operating systems. -* **Intelligence**: Indicators of compromise used for threat intelligence. +* **Cases**: Track investigation details about security issues. +* **Investigations** → **Timelines**: Workspace for investigations and threat hunting. +* **Investigations** → **Osquery**: Run live and scheduled queries on operating systems. +* **Intelligence**: Indicators of compromise used for threat intelligence. diff --git a/docs/serverless/investigate/timeline-object-schema.mdx b/docs/serverless/investigate/timeline-object-schema.mdx index 7d63871e40..67ccc14f15 100644 --- a/docs/serverless/investigate/timeline-object-schema.mdx +++ b/docs/serverless/investigate/timeline-object-schema.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityTimelineObjectSchema slug: /serverless/security/timeline-object-schema title: Timeline schema description: A list of JSON elements inside the timeline object. 
@@ -21,16 +20,16 @@ This screenshot maps the Timeline UI components to their JSON objects:
 ![](../images/timeline-object-schema/-reference-timeline-object-ui.png)
-1. Title (`title`)
-2. Global notes (`globalNotes`)
-3. Data view (`dataViewId`)
-4. KQL bar query (`kqlQuery`)
-5. Time filter (`dateRange`)
-6. Additional filters (`filters`)
-7. KQL bar mode (`kqlMode`)
-8. Dropzone (each clause is contained in its own `dataProviders` object)
-9. Column headers (`columns`)
-10. Event-specific notes (`eventNotes`)
+1. Title (`title`)
+2. Global notes (`globalNotes`)
+3. Data view (`dataViewId`)
+4. KQL bar query (`kqlQuery`)
+5. Time filter (`dateRange`)
+6. Additional filters (`filters`)
+7. KQL bar mode (`kqlMode`)
+8. Dropzone (each clause is contained in its own `dataProviders` object)
+9. Column headers (`columns`)
+10. Event-specific notes (`eventNotes`)
 `columns`
- columns[]
+ columns[]
 The Timeline's columns.
@@ -77,7 +76,7 @@ This screenshot maps the Timeline UI components to their JSON objects:
 `dataProviders`
- dataProviders[]
+ dataProviders[]
 Object containing dropzone query clauses.
@@ -120,7 +119,7 @@ This screenshot maps the Timeline UI components to their JSON objects:
 `eventNotes`
- eventNotes[]
+ eventNotes[]
@@ -145,7 +144,7 @@ This screenshot maps the Timeline UI components to their JSON objects:
 `favorite`
- favorite[]
+ favorite[]
 Indicates when and who marked a Timeline as a favorite.
@@ -154,7 +153,7 @@ This screenshot maps the Timeline UI components to their JSON objects:
 `filters`
- filters[]
+ filters[]
 Filters used in addition to the dropzone query.
@@ -166,7 +165,7 @@ This screenshot maps the Timeline UI components to their JSON objects:
 `globalNotes`
- globalNotes[]
+ globalNotes[]
 Global notes added to the Timeline.
@@ -188,7 +187,7 @@ This screenshot maps the Timeline UI components to their JSON objects:
 `kqlQuery`
- kqlQuery
+ kqlQuery
 KQL bar query.
diff --git a/docs/serverless/investigate/timeline-templates-ui.mdx b/docs/serverless/investigate/timeline-templates-ui.mdx index 4e9e693c20..f225630402 100644 --- a/docs/serverless/investigate/timeline-templates-ui.mdx +++ b/docs/serverless/investigate/timeline-templates-ui.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityTimelineTemplatesUi slug: /serverless/security/timeline-templates-ui title: Create Timeline templates description: Attach Timeline templates to detection rules to streamline investigations. @@ -25,7 +24,7 @@ For example, if you define the `host.name: "{host.name}"` template filter, when `host.name: "Linux_stafordshire-061"`. -For information on how to add Timeline templates to rules, refer to Create a detection rule. +For information on how to add Timeline templates to rules, refer to Create a detection rule. When you load ((elastic-sec)) prebuilt rules, ((elastic-sec)) also loads a selection of prebuilt Timeline templates, which you can attach to detection rules. **Generic** templates use broad KQL queries to retrieve event data, and **Comprehensive** templates use detailed KQL queries to retrieve additional information. The following prebuilt templates appear by default: @@ -42,7 +41,7 @@ When you load ((elastic-sec)) prebuilt rules, ((elastic-sec)) also loads a selec * **Comprehensive Registry Timeline**: Investigate registry-related detection alerts. -You can duplicate prebuilt templates and use them as +You can duplicate prebuilt templates and use them as a starting point for your own custom templates. 
@@ -62,11 +61,11 @@ Regular Timeline filter Template filter : - When you convert a template to a Timeline, template filters with placeholders are disabled: + When you convert a template to a Timeline, template filters with placeholders are disabled: - To enable the filter, either specify a value or change it to a field's existing filter (refer to Edit existing filters). + To enable the filter, either specify a value or change it to a field's existing filter (refer to Edit existing filters).
@@ -117,9 +116,9 @@ You can view, duplicate, export, delete, and create templates from existing Time 1. Click the **All actions** icon in the relevant row, and then select the action: - * **Create timeline from template** (refer to Create a Timeline template) + * **Create timeline from template** (refer to Create a Timeline template) * **Duplicate template** - * **Export selected** (refer to Export and import Timeline templates) + * **Export selected** (refer to Export and import Timeline templates) * **Delete selected** * **Create query rule from timeline** (only available if the Timeline contains a KQL query) * **Create EQL rule from timeline** (only available if the Timeline contains an EQL query) @@ -136,7 +135,7 @@ You cannot delete prebuilt templates. ## Export and import Timeline templates -You can import and export Timeline templates, which enables importing templates from one {/*space or (*/}((elastic-sec)) instance to another. Exported templates are saved in an [`ndjson`](http://ndjson.org) file. +You can import and export Timeline templates, which enables importing templates from one {/*space or (*/}((elastic-sec)) instance to another. Exported templates are saved in an `ndjson` file. 1. Go to **Investigations** → **Timelines** → **Templates**. 1. To export templates, do one of the following: diff --git a/docs/serverless/investigate/timelines-ui.mdx b/docs/serverless/investigate/timelines-ui.mdx index fd970e99b5..93dc327bea 100644 --- a/docs/serverless/investigate/timelines-ui.mdx +++ b/docs/serverless/investigate/timelines-ui.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityTimelinesUi slug: /serverless/security/timelines-ui title: Investigate events in Timeline description: Investigate events and complex threats in your network. 
@@ -16,15 +15,15 @@ You can add alerts from multiple indices to a Timeline to facilitate advanced in You can drag or send fields of interest to a Timeline to create the desired query. For example, you can add fields from tables and histograms on the **Overview**, **Alerts**, **Hosts**, and **Network** pages, as well as from other Timelines. Alternatively, you can add a query directly in Timeline -by expanding the query builder and clicking **+ Add field**. +by expanding the query builder and clicking **+ Add field**. ![example Timeline with several events](../images/timelines-ui/-events-timeline-ui-updated.png) In addition to Timelines, you can create and attach Timeline templates to -detection rules. Timeline templates allow you to +detection rules. Timeline templates allow you to define the source event fields used when you investigate alerts in Timeline. You can select whether the fields use predefined values or values -retrieved from the alert. For more information, refer to Create Timeline templates. +retrieved from the alert. For more information, refer to Create Timeline templates.
@@ -56,7 +55,7 @@ You can select whether Timeline displays detection alerts and other raw events,
## Inspect an event or alert -To further inspect an event or detection alert, click the **View details** button. A flyout with event or alert details appears. +To further inspect an event or detection alert, click the **View details** button. A flyout with event or alert details appears.
@@ -75,7 +74,7 @@ interests you, you can drag it up to the drop zone below the query bar for furth You can also modify a Timeline's display in other ways: * Add, remove, reorder, or resize columns -* Create runtime fields and display them in the Timeline +* Create runtime fields and display them in the Timeline * View the Timeline in full screen mode * Add or delete notes on individual events * Add or delete investigation notes on the entire Timeline @@ -126,9 +125,9 @@ Filter for field present : Converts a `field with value` filter to a `field exists` filter. -When you convert a Timeline template to a +When you convert a Timeline template to a Timeline, some fields may be disabled. For more information, refer to -Timeline template legend. +Timeline template legend.
@@ -138,7 +137,7 @@ Timeline, some fields may be disabled. For more information, refer to To attach a Timeline to a new or existing case, open it, click **Attach to case** in the upper right corner, then select either **Attach to new case** or **Attach to existing case**. -To learn more about cases, refer to Cases. +To learn more about cases, refer to Cases.
@@ -149,9 +148,9 @@ You can view, duplicate, export, delete, and create templates from existing Time 1. Go to **Investigations** → **Timelines**. 1. Click the **All actions** menu in the desired row, then select an action: -* **Create template from timeline** (refer to Create Timeline templates) +* **Create template from timeline** (refer to Create Timeline templates) * **Duplicate timeline** -* **Export selected** (refer to Export and import Timelines) +* **Export selected** (refer to Export and import Timelines) * **Delete selected** * **Create query rule from timeline** (only available if the Timeline contains a KQL query) * **Create EQL rule from timeline** (only available if the Timeline contains an EQL query) @@ -165,7 +164,7 @@ then select an action from the **Bulk actions** menu. ## Export and import Timelines -You can export and import Timelines, which enables you to share Timelines from one {/* space or */} ((elastic-sec)) instance to another. Exported Timelines are saved as [`.ndjson`](http://ndjson.org) files. +You can export and import Timelines, which enables you to share Timelines from one {/* space or */} ((elastic-sec)) instance to another. Exported Timelines are saved as `.ndjson` files. To export Timelines: @@ -216,7 +215,7 @@ You can use ((esql)) in Timeline by opening the **((esql))** tab. From there, yo This query does the following: - - It starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the Security data view. + - It starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the Security data view. - Then, the query limits the output to the top 10 results. - Finally, it keeps the default Timeline fields (`@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name`) in the output. 
@@ -229,7 +228,7 @@ You can use ((esql)) in Timeline by opening the **((esql))** tab. From there, yo
- Click the help icon () on the far right side of the query editor to open the in-product reference documentation for all ((esql)) commands and functions. -- Visualize query results using Discover functionality. +- Visualize query results using Discover functionality. diff --git a/docs/serverless/osquery/alerts-run-osquery.mdx b/docs/serverless/osquery/alerts-run-osquery.mdx index 5baac1ca72..80e5cecf3f 100644 --- a/docs/serverless/osquery/alerts-run-osquery.mdx +++ b/docs/serverless/osquery/alerts-run-osquery.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityAlertsRunOsquery slug: /serverless/security/alerts-run-osquery title: Run Osquery from alerts description: Run live queries against an alert's host to investigate potential security threats and system compromises. @@ -40,7 +39,7 @@ To run Osquery from an alert:
- Use placeholder fields to dynamically add existing alert data to your query. + Use placeholder fields to dynamically add existing alert data to your query. * **Pack**: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. @@ -55,7 +54,7 @@ To run Osquery from an alert: 1. Click **Submit**. Query results will display within the flyout. - Refer to Examine Osquery results for more information about query results. + Refer to Examine Osquery results for more information about query results. 1. Click **Save for later** to save the query for future use (optional). diff --git a/docs/serverless/osquery/invest-guide-run-osquery.mdx b/docs/serverless/osquery/invest-guide-run-osquery.mdx index f50d9f2009..7feada211f 100644 --- a/docs/serverless/osquery/invest-guide-run-osquery.mdx +++ b/docs/serverless/osquery/invest-guide-run-osquery.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityInvestGuideRunOsquery slug: /serverless/security/invest-guide-run-osquery title: Run Osquery from investigation guides description: Add and run live queries from a rule's investigation guide. @@ -37,7 +36,7 @@ You can only add Osquery to investigation guides for custom rules because prebui 1. Select a saved query or enter a new one. - Use placeholder fields to dynamically add existing alert data to your query. + Use placeholder fields to dynamically add existing alert data to your query. 1. Expand the **Advanced** section to set a timeout period for the query, and view or set [mapped ECS fields](((kibana-ref))/osquery.html#osquery-map-fields) included in the results from the live query (optional). 
@@ -67,7 +66,7 @@ You can only add Osquery to investigation guides for custom rules because prebui 1. Click **Submit** to run the query. Query results display in the flyout. - Refer to Examine Osquery results for more information about query results. + Refer to Examine Osquery results for more information about query results. 1. Click **Save for later** to save the query for future use (optional). diff --git a/docs/serverless/osquery/osquery-placeholder-fields.mdx b/docs/serverless/osquery/osquery-placeholder-fields.mdx index 12488ebb9a..5c0b1556a6 100644 --- a/docs/serverless/osquery/osquery-placeholder-fields.mdx +++ b/docs/serverless/osquery/osquery-placeholder-fields.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityOsqueryPlaceholderFields slug: /serverless/security/osquery-placeholder-fields title: Use placeholder fields in Osquery queries description: Pass data into queries dynamically, to enhance their flexibility and reusability. @@ -14,9 +13,9 @@ Instead of hard-coding alert and event values into Osquery queries, you can use Placeholder fields work in single queries or query packs. They're also supported in the following features: -* Live queries -* Osquery Response Actions -* Investigation guides using Osquery queries +* Live queries +* Osquery Response Actions +* Investigation guides using Osquery queries
diff --git a/docs/serverless/osquery/osquery-response-action.mdx b/docs/serverless/osquery/osquery-response-action.mdx index a812b68e76..bf2d4857f7 100644 --- a/docs/serverless/osquery/osquery-response-action.mdx +++ b/docs/serverless/osquery/osquery-response-action.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityOsqueryResponseAction slug: /serverless/security/osquery-response-action title: Add Osquery Response Actions description: Osquery Response Actions allow you to add live queries to custom query rules so you can automatically collect data on systems the rules are monitoring. @@ -16,7 +15,7 @@ Osquery Response Actions allow you to add live queries to custom query rules so -* Osquery Response Actions require the Endpoint Protection Complete . +* Osquery Response Actions require the Endpoint Protection Complete . * The [Osquery manager integration](((kibana-ref))/manage-osquery-integration.html) must be installed. * ((agent))'s [status](((fleet-guide))/monitor-elastic-agent.html) must be `Healthy`. Refer to [((fleet)) Troubleshooting](((fleet-guide))/fleet-troubleshooting.html) if it isn't. * You must have the appropriate user role to use this feature. @@ -33,7 +32,7 @@ Osquery Response Actions allow you to add live queries to custom query rules so You can add Osquery Response Actions to new or existing custom query rules. Queries run every time the rule executes. 1. Choose one of the following: - * **New rule**: When you are on the last step of custom query rule creation, go to the Response Actions section and click the **Osquery** icon. + * **New rule**: When you are on the last step of custom query rule creation, go to the Response Actions section and click the **Osquery** icon. * **Existing rule**: Edit the rule's settings, then go to the **Actions** tab. In the tab, click the **Osquery** icon under the Response Actions section. 
@@ -48,7 +47,7 @@ You can add Osquery Response Actions to new or existing custom query rules. Quer - You can use placeholder fields to dynamically add alert data to your query. + You can use placeholder fields to dynamically add alert data to your query. * **Pack**: Select from available query packs. After you select a pack, all of the queries in the pack are displayed. @@ -83,7 +82,7 @@ If you edited a saved query or query pack that an Osquery Response Action is usi When a rule generates an alert, Osquery automatically collects data on the host. Query results are displayed within the **Response Results** tab in the Alert details flyout. The number next to the **Response Results** tab represents the number of queries attached to the rule, in addition to endpoint response actions run by the rule. -Refer to Examine Osquery results for more information about query results. +Refer to Examine Osquery results for more information about query results. diff --git a/docs/serverless/osquery/use-osquery.mdx b/docs/serverless/osquery/use-osquery.mdx index eaf4c514c6..da531f1c7a 100644 --- a/docs/serverless/osquery/use-osquery.mdx +++ b/docs/serverless/osquery/use-osquery.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityUseOsquery slug: /serverless/security/query-operating-systems title: Query operating systems description: Integrate Osquery with ((elastic-sec)) for comprehensive data collection and security monitoring. 
@@ -14,7 +13,7 @@ Osquery is an open source tool that lets you use SQL to query operating systems
 Osquery is supported for Linux, macOS, and Windows. You can use it with ((elastic-sec)) to perform real-time incident response, threat hunting, and monitoring to detect vulnerability or compliance issues. The following Osquery features are available from ((elastic-sec)):
-* Osquery Response Actions - Use Osquery Response Actions to add live queries to custom query rules.
-* Live queries from investigation guides - Incorporate live queries into investigation guides to enhance your research capabilities while investigating possible security issues.
-* Live queries from alerts - Run live queries against an alert's host to learn more about your infrastructure and operating systems.
+* Osquery Response Actions - Use Osquery Response Actions to add live queries to custom query rules.
+* Live queries from investigation guides - Incorporate live queries into investigation guides to enhance your research capabilities while investigating possible security issues.
+* Live queries from alerts - Run live queries against an alert's host to learn more about your infrastructure and operating systems.
 * [Osquery settings](((kibana-ref))/osquery.html) - Navigate to **Investigations** → **Osquery** to manage project-level Osquery settings.
diff --git a/docs/serverless/osquery/view-osquery-results.mdx b/docs/serverless/osquery/view-osquery-results.mdx
index fb869f5bfe..1d2791f708 100644
--- a/docs/serverless/osquery/view-osquery-results.mdx
+++ b/docs/serverless/osquery/view-osquery-results.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityViewOsqueryResults
 slug: /serverless/security/examine-osquery-results
 title: Examine Osquery results
 description: Analyze results from queries and query packs.
diff --git a/docs/serverless/projects-create/create-project.mdx b/docs/serverless/projects-create/create-project.mdx
index 4b9e39d06e..2e5fb5c664 100644
--- a/docs/serverless/projects-create/create-project.mdx +++ b/docs/serverless/projects-create/create-project.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityCreateProject slug: /serverless/security/create-project title: Create a Security project description: Get started with ((serverless-short)) ((elastic-sec)) in a few steps. diff --git a/docs/serverless/rules/about-rules.mdx b/docs/serverless/rules/about-rules.mdx index 60ff5e5c19..47827957d9 100644 --- a/docs/serverless/rules/about-rules.mdx +++ b/docs/serverless/rules/about-rules.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityAboutRules slug: /serverless/security/about-rules title: About detection rules description: Learn about detection rule types and how they work. @@ -18,11 +17,11 @@ Rules run periodically and search for source events, matches, sequences, or ((ml You can create the following types of rules: -* **Custom query**: Query-based rule, which searches the defined indices and +* **Custom query**: Query-based rule, which searches the defined indices and creates an alert when one or more documents match the rule's query. -* **Machine learning**: ((ml-cap)) rule, which creates an alert when a ((ml)) job - discovers an anomaly above the defined threshold (see Detect anomalies). +* **Machine learning**: ((ml-cap)) rule, which creates an alert when a ((ml)) job + discovers an anomaly above the defined threshold (see Detect anomalies). For ((ml)) rules, the associated ((ml)) job must be running. If the ((ml)) job isn't running, the rule will: 
@@ -31,7 +30,7 @@ You can create the following types of rules: are discovered. * Issue an error stating the ((ml)) job was not running when the rule executed. -* **Threshold**: Searches the defined indices and creates a detections alert +* **Threshold**: Searches the defined indices and creates a detections alert when the number of times the specified field's value is present and meets the threshold during a single execution. When multiple values meet the threshold, an alert is generated for each value. 
@@ -40,21 +39,21 @@ You can create the following types of rules: alert is generated for every source IP address that appears in at least 10 of the rule's search results. -* **Event correlation**: Searches the defined indices and creates an alert when results match an +* **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](((ref))/eql.html) query. -* **Indicator match**: Creates an alert when ((elastic-sec)) index field values match field values defined in the specified indicator index patterns. For example, you can create an indicator index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. Indicator index field mappings should be [ECS-compliant](((ecs-ref))). For information on creating ((es)) indices and field types, see +* **Indicator match**: Creates an alert when ((elastic-sec)) index field values match field values defined in the specified indicator index patterns. For example, you can create an indicator index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. Indicator index field mappings should be [ECS-compliant](((ecs-ref))). For information on creating ((es)) indices and field types, see [Index some documents](((ref))/getting-started-index.html), [Create index API](((ref))/indices-create-index.html), and [Field data types](((ref))/mapping-types.html). If you have indicators in a standard file format, such as CSV or JSON, you can also use the Machine Learning Data Visualizer to import your indicators into an indicator index. See [Explore the data in ((kib))](((ml-docs))/ml-getting-started.html#sample-data-visualizer) and use the **Import Data** option to import your indicators. - You can also use value lists as the indicator match index. See Use value lists with indicator match rules at the end of this topic for more information. 
+ You can also use value lists as the indicator match index. See Use value lists with indicator match rules at the end of this topic for more information. -* **New terms**: Generates an alert for each new term detected in source documents within a specified time range. You can also detect a combination of up to three new terms (for example, a `host.ip` and `host.id` that have never been observed together before). +* **New terms**: Generates an alert for each new term detected in source documents within a specified time range. You can also detect a combination of up to three new terms (for example, a `host.ip` and `host.id` that have never been observed together before). -* **((esql))**: Searches the defined indices and creates an alert when results match an [((esql)) query](((ref))/esql.html). +* **((esql))**: Searches the defined indices and creates an alert when results match an [((esql)) query](((ref))/esql.html). ![Shows the Rules page](../images/about-rules/-detections-all-rules.png) @@ -62,7 +61,7 @@ You can create the following types of rules: ## Data views and index patterns -When you create a rule, you must either specify the ((es)) index pattens for which you'd like the rule to run, or select a data view field as the data source. If you select a data view, you can select runtime fields associated with that data view to create a query for the rule (with the exception of ((ml)) rules, which do not use queries). +When you create a rule, you must either specify the ((es)) index pattens for which you'd like the rule to run, or select a data view field as the data source. If you select a data view, you can select runtime fields associated with that data view to create a query for the rule (with the exception of ((ml)) rules, which do not use queries). To access data views, ensure you have the [required permissions](((kibana-ref))/data-views.html#data-views-read-only-access). 
@@ -90,7 +89,7 @@ If a rule requires certain privileges to run, such as index privileges, keep in ## Exceptions -When modifying rules or managing detection alerts, you can add exceptions that prevent a rule from generating alerts even when its criteria are met. This is useful for reducing noise, such as preventing alerts from trusted processes and internal IP addresses. +When modifying rules or managing detection alerts, you can add exceptions that prevent a rule from generating alerts even when its criteria are met. This is useful for reducing noise, such as preventing alerts from trusted processes and internal IP addresses. You can add exceptions to custom query, machine learning, event correlation, and indicator match rule types. diff --git a/docs/serverless/rules/add-exceptions.mdx b/docs/serverless/rules/add-exceptions.mdx index 1b9c6b4cdd..dd84590796 100644 --- a/docs/serverless/rules/add-exceptions.mdx +++ b/docs/serverless/rules/add-exceptions.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityAddExceptions slug: /serverless/security/add-exceptions title: Add and manage exceptions description: Learn how to create and manage rule exceptions. 
@@ -16,7 +15,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t * To ensure an exception is successfully applied, ensure that the fields you've defined for its query are correctly and consistently mapped in their respective indices. Refer to [ECS](((ecs-ref))) to learn more about supported mappings. -* Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. +* Be careful when adding exceptions to event correlation rules. Exceptions are evaluated against every event in the sequence, and if an exception matches any events that are necessary to complete the sequence, alerts are not created. To exclude values from a specific event in the sequence, update the rule's EQL statement. For example: @@ -29,7 +28,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t and process.name != "process-name.exe"]` ``` -* Be careful when adding exceptions to indicator match rules. Exceptions are evaluated against source and indicator indices, so if the exception matches events in _either_ index, alerts are not generated. +* Be careful when adding exceptions to indicator match rules. Exceptions are evaluated against source and indicator indices, so if the exception matches events in _either_ index, alerts are not generated. @@ -75,7 +74,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t - A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. Refer to Troubleshooting type conflicts and unmapped fields for more information. + A warning displays for fields with conflicts. Using these fields might cause unexpected exceptions behavior. Refer to Troubleshooting type conflicts and unmapped fields for more information. 
@@ -89,7 +88,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t * An exception defined by a value list must use `is in list` or `is not in list` in all conditions. * Wildcards are not supported in value lists. - * If a value list can't be used due to size or data type, it'll be unavailable in the **Value** menu. + * If a value list can't be used due to size or data type, it'll be unavailable in the **Value** menu. @@ -120,7 +119,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t 1. Click **AND** or **OR** to create multiple conditions and define their relationships. 1. Click **Add nested condition** to create conditions using nested fields. This is only required for - these nested fields. For all other fields, nested conditions should not be used. + these nested fields. For all other fields, nested conditions should not be used. 1. Choose to add the exception to a rule or a shared exception list. @@ -129,7 +128,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t - If a shared exception list doesn't exist, you can create one from the Shared Exception Lists page. + If a shared exception list doesn't exist, you can create one from the Shared Exception Lists page. 1. (Optional) Enter a comment describing the exception. 
@@ -154,7 +153,7 @@ Like detection rule exceptions, you can add Endpoint agent exceptions either by * `kibana.alert.original_event.module determined:endpoint` * `kibana.alert.original_event.kind:alert` -You can also add Endpoint exceptions to rules that are associated with ((elastic-endpoint)) rule exceptions. To associate rules when creating or editing a rule, select the **((elastic-endpoint)) exceptions** option. +You can also add Endpoint exceptions to rules that are associated with ((elastic-endpoint)) rule exceptions. To associate rules when creating or editing a rule, select the **((elastic-endpoint)) exceptions** option. Endpoint exceptions are added to the Endpoint Security rule **and** the ((elastic-endpoint)) on your hosts. 
@@ -190,21 +189,21 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there 1. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click **Add endpoint exception**. - The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the **((elastic-endpoint)) exceptions** option selected. + The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the **((elastic-endpoint)) exceptions** option selected. The **Add Endpoint Exception** flyout opens. ![](../images/add-exceptions/-detections-endpoint-add-exp.png) -1. If required, modify the conditions. Refer to Exceptions with nested conditions for more information on when nested conditions are required. +1. If required, modify the conditions. Refer to Exceptions with nested conditions for more information on when nested conditions are required. Rule exceptions are case-sensitive, which means that any character that's entered as an uppercase or lowercase letter will be treated as such. In the event you _don't_ want a field evaluated as case-sensitive, some ECS fields have a `.caseless` version that you can use. - - Fields with conflicts are marked with a warning icon (). Using these fields might cause unexpected exceptions behavior. For more information, refer to Troubleshooting type conflicts and unmapped fields. + - Fields with conflicts are marked with a warning icon (). Using these fields might cause unexpected exceptions behavior. For more information, refer to Troubleshooting type conflicts and unmapped fields. - Identical, case-sensitive values are supported for the `is one of` and `is not one of` operators. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. 
diff --git a/docs/serverless/rules/alerts-ui-monitor.mdx b/docs/serverless/rules/alerts-ui-monitor.mdx
index 6764af1f4a..afcd139889 100644
--- a/docs/serverless/rules/alerts-ui-monitor.mdx
+++ b/docs/serverless/rules/alerts-ui-monitor.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityAlertsUiMonitor
 slug: /serverless/security/alerts-ui-monitor
 title: Monitor and troubleshoot rule executions
 description: Find out how your rules are performing, and troubleshoot common rule issues.
@@ -12,13 +11,13 @@ status: in review Several tools can help you gain insight into the performance of your detection rules: -* Rule Monitoring tab — The current state of all detection rules and their most recent executions. Go to the **Rule Monitoring** tab to get an overview of which rules are running, how long they're taking, and if they're having any trouble. +* Rule Monitoring tab — The current state of all detection rules and their most recent executions. Go to the **Rule Monitoring** tab to get an overview of which rules are running, how long they're taking, and if they're having any trouble. -* Execution results — Historical data for a single detection rule's executions over time. Consult the execution results to understand how a particular rule is running and whether it's creating the alerts you expect. +* Execution results — Historical data for a single detection rule's executions over time. Consult the execution results to understand how a particular rule is running and whether it's creating the alerts you expect. -* Detection rule monitoring dashboard — Visualizations to help you monitor the overall health and performance of ((elastic-sec))'s detection rules. Consult this dashboard for a high-level view of whether your rules are running successfully and how long they're taking to run, search data, and create alerts. +* Detection rule monitoring dashboard — Visualizations to help you monitor the overall health and performance of ((elastic-sec))'s detection rules. Consult this dashboard for a high-level view of whether your rules are running successfully and how long they're taking to run, search data, and create alerts. -Refer to the Troubleshoot missing alerts section below for strategies on adjusting rules if they aren't creating the expected alerts. +Refer to the Troubleshoot missing alerts section below for strategies on adjusting rules if they aren't creating the expected alerts.
@@ -30,13 +29,13 @@ times, select the **Rule Monitoring** tab on the **Rules** page (**Rules** → ![](../images/alerts-ui-monitor/-detections-monitor-table.png) -On the **Rule Monitoring** tab, you can sort and filter rules just like you can on the **Installed Rules** tab. +On the **Rule Monitoring** tab, you can sort and filter rules just like you can on the **Installed Rules** tab. To sort the rules list, click any column header. To sort in descending order, click the column header again. -For detailed information on a rule, the alerts it generated, and associated errors, click on its name in the table. This also allows you to perform the same actions that are available on the **Installed Rules** tab, such as modifying or deleting rules, activating or deactivating rules, exporting or importing rules, and duplicating prebuilt rules. +For detailed information on a rule, the alerts it generated, and associated errors, click on its name in the table. This also allows you to perform the same actions that are available on the **Installed Rules** tab, such as modifying or deleting rules, activating or deactivating rules, exporting or importing rules, and duplicating prebuilt rules.
@@ -70,9 +69,9 @@ Use these controls to filter what's included in the logs table: When a rule fails to run close to its scheduled time, some alerts may be missing. There are a number of ways to try to resolve this issue: -* Troubleshoot gaps -* Troubleshoot ingestion pipeline delay -* Troubleshoot missing alerts for ((ml)) jobs +* Troubleshoot gaps +* Troubleshoot ingestion pipeline delay +* Troubleshoot missing alerts for ((ml)) jobs You can also use Task Manager in ((kib)) to troubleshoot background tasks and processes that may be related to missing alerts: @@ -87,7 +86,7 @@ You can also use Task Manager in ((kib)) to troubleshoot background tasks and pr When a rule reaches the maximum number of alerts it can generate during a single rule execution, the following warning appears on the rule's details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` -If you receive this warning, go to the rule's **Alerts** tab and check for anything unexpected. Unexpected alerts might be created from data source issues or queries that are too broadly scoped. To further reduce alert volume, you can also add rule exceptions or suppress alerts. +If you receive this warning, go to the rule's **Alerts** tab and check for anything unexpected. Unexpected alerts might be created from data source issues or queries that are too broadly scoped. To further reduce alert volume, you can also add rule exceptions or suppress alerts.
@@ -105,7 +104,7 @@ run exactly at its scheduled time. `Additional look-back time` are _not_ created. -If the rule that experiences gaps is an indicator match rule, see how to tune indicator match rules. Also please note that ((elastic-sec)) provides limited support for indicator match rules. +If the rule that experiences gaps is an indicator match rule, see how to tune indicator match rules. Also please note that ((elastic-sec)) provides limited support for indicator match rules. If you see gaps for numerous rules: @@ -128,7 +127,7 @@ Even if your rule runs at its scheduled time, there might still be missing alert In addition, use caution when creating custom rule schedules to ensure that the specified interval + additional look-back time is greater than your deployment's ingestion pipeline delay. -You can reduce the number of missed alerts due to ingestion pipeline delay by specifying the `Timestamp override` field value to `event.ingested` in advanced settings during rule creation or editing. The detection engine uses the value from the `event.ingested` field as the timestamp when executing the rule. +You can reduce the number of missed alerts due to ingestion pipeline delay by specifying the `Timestamp override` field value to `event.ingested` in advanced settings during rule creation or editing. The detection engine uses the value from the `event.ingested` field as the timestamp when executing the rule. For example, say an event occurred at 10:00 but wasn't ingested into ((es)) until 10:10 due to an ingestion pipeline delay. If you created a rule to detect that event with an interval + additional look-back time of 6 minutes, and the rule executes at 10:12, it would still detect the event because the `event.ingested` timestamp was from 10:10, only 2 minutes before the rule executed and well within the rule's 6-minute interval + additional look-back time. 
diff --git a/docs/serverless/rules/building-block-rule.mdx b/docs/serverless/rules/building-block-rule.mdx
index ed0f6c690b..1beab4e166 100644
--- a/docs/serverless/rules/building-block-rule.mdx
+++ b/docs/serverless/rules/building-block-rule.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityBuildingBlockRule
 slug: /serverless/security/building-block-rules
 title: Use building block rules
 description: Set up building block rules and view building block alerts.
diff --git a/docs/serverless/rules/detection-engine-overview.mdx b/docs/serverless/rules/detection-engine-overview.mdx
index 7adf2803a0..0566916ab1 100644
--- a/docs/serverless/rules/detection-engine-overview.mdx
+++ b/docs/serverless/rules/detection-engine-overview.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityDetectionEngineOverview
 slug: /serverless/security/detection-engine-overview
 title: Detection engine overview
 description: Learn about the detection engine and its features.
@@ -14,15 +13,15 @@ Use the detection engine to create and manage rules and view the alerts these rules create. Rules periodically search indices (such as `logs-*` and `filebeat-*`) for suspicious source events and create alerts when a rule's conditions are met. When an alert is created, its status is `Open`. To help -track investigations, an alert's status can be set as +track investigations, an alert's status can be set as `Open`, `Acknowledged`, or `Closed`. ![Alerts page](../images/detection-engine-overview/-detections-alert-page.png) -In addition to creating your own rules, enable -Elastic prebuilt rules to immediately start detecting -suspicious activity. For detailed information on all the prebuilt rules, see the Prebuilt rules reference. Once the prebuilt rules are loaded and -running, Tune detection rules and Add and manage exceptions explain +In addition to creating your own rules, enable +Elastic prebuilt rules to immediately start detecting +suspicious activity. For detailed information on all the prebuilt rules, see the Prebuilt rules reference. Once the prebuilt rules are loaded and +running, Tune detection rules and Add and manage exceptions explain how to modify the rules to reduce false positives and get a better set of actionable alerts. You can also use exceptions and value lists when creating or modifying your own rules. @@ -33,7 +32,7 @@ There are two special prebuilt rules you need to know about: * **Endpoint Security**: Automatically creates an alert from all incoming Elastic Endpoint alerts. To receive Elastic Endpoint alerts, you must install the Endpoint agent on your - hosts (see Install and configure the ((elastic-defend)) integration). + hosts (see Install and configure the ((elastic-defend)) integration). When this rule is enabled, the following Endpoint events are displayed as detection alerts: 
@@ -55,7 +54,7 @@ email, when alerts are created, use the [Alerting and Actions](((kibana-ref))/al After rules have started running, you can monitor their executions to verify they are functioning correctly, as well as view, manage, and troubleshoot -alerts (see Manage detection alerts and Monitor and troubleshoot rule executions). +alerts (see Manage detection alerts and Monitor and troubleshoot rule executions). You can create and manage rules and alerts via the UI or the [Detections API](((security-guide))/rule-api-overview.html). {/* Link to classic docs until serverless API docs are available. */} @@ -63,7 +62,7 @@ You can create and manage rules and alerts via the UI or the [Detections API]((( To make sure you can access Detections and manage rules, see -Detections prerequisites and requirements. +Detections prerequisites and requirements. 
@@ -71,7 +70,7 @@ To make sure you can access Detections and manage rules, see ## Limited support for indicator match rules -Indicator match rules provide a powerful capability to search your security data; however, their queries can consume significant deployment resources. When creating an indicator match rule, we recommend limiting the time range of the indicator index query to the minimum period necessary for the desired rule coverage. For example, the default indicator index query `@timestamp > "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the query start time down to the nearest day (resolves to UTC `00:00:00`). Without this limitation, the rule will include all of the indicators in your indicator indices, which may extend the time it takes for the indicator index query to complete. +Indicator match rules provide a powerful capability to search your security data; however, their queries can consume significant deployment resources. When creating an indicator match rule, we recommend limiting the time range of the indicator index query to the minimum period necessary for the desired rule coverage. For example, the default indicator index query `@timestamp > "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the query start time down to the nearest day (resolves to UTC `00:00:00`). Without this limitation, the rule will include all of the indicators in your indicator indices, which may extend the time it takes for the indicator index query to complete. In addition, indicator match rules with an additional look-back time value greater than 24 hours are not supported. 
@@ -79,7 +78,7 @@ In addition, indicator match rules with an additional look-back time value great ## Detections configuration and prerequisites -Detections requirements provides detailed information on all the +Detections requirements provides detailed information on all the permissions required to initiate and use the Detections feature.
@@ -96,7 +95,7 @@ often embedded in non-malicious files, non-suspicious websites, and standard pro source difficult to identify. If infected and not resolved promptly, malware can cause irreparable damage to a computer network. -For information on how to enable malware protection on your host, see Malware Protection. +For information on how to enable malware protection on your host, see Malware Protection.
@@ -121,7 +120,7 @@ through spear-phishing or drive-by downloads. If not resolved immediately, ranso Behavioral ransomware prevention on the Elastic Endpoint detects and stops ransomware attacks on Windows systems by analyzing data from low-level system processes, and is effective across an array of widespread ransomware families — including those targeting the system’s master boot record. -For information on how to enable ransomware protection on your host, see Ransomware protection. +For information on how to enable ransomware protection on your host, see Ransomware protection. ### Resolve UI error messages @@ -132,11 +131,11 @@ open the **Alerts** or **Rules** page: If you get this message, a user with specific privileges must visit the **Alerts** or **Rules** page before you can view detection alerts and rules. - Refer to Enable and access detections for a list of all the requirements. + Refer to Enable and access detections for a list of all the requirements. * **`Detection engine permissions required`** If you get this message, you do not have the - required privileges to view the **Detections** feature, + required privileges to view the **Detections** feature, and you should contact your project administrator. diff --git a/docs/serverless/rules/detections-ui-exceptions.mdx b/docs/serverless/rules/detections-ui-exceptions.mdx index 1f1eb8f54b..bed724de78 100644 --- a/docs/serverless/rules/detections-ui-exceptions.mdx +++ b/docs/serverless/rules/detections-ui-exceptions.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityDetectionsUiExceptions slug: /serverless/security/rule-exceptions title: Rule exceptions description: Understand the different types of rule exceptions. 
@@ -12,7 +11,7 @@ status: in review You can associate rule exceptions with detection and endpoint rules to prevent trusted processes and network activity from generating unnecessary alerts, therefore, reducing the number of false positives. -When creating exceptions, you can assign them to individual rules or to multiple rules. +When creating exceptions, you can assign them to individual rules or to multiple rules.
@@ -20,18 +19,18 @@ When creating exceptions, you can assign them to Add and manage exceptions. +You can create exceptions that apply exclusively to a single rule. These types of exceptions can't be used by other rules, and you must manage them from the rule’s details page. To learn more about creating and managing single-rule exceptions, refer to Add and manage exceptions. -You can also use value lists to define exceptions for detection rules. Value lists allow you to match an exception against a list of possible values. +You can also use value lists to define exceptions for detection rules. Value lists allow you to match an exception against a list of possible values.
## Exceptions shared among multiple rules -If you want an exception to apply to multiple rules, you can add an exception to a shared exception list. Shared exception lists allow you to group exceptions together and then associate them with multiple rules. Refer to Create and manage shared exception lists to learn more. +If you want an exception to apply to multiple rules, you can add an exception to a shared exception list. Shared exception lists allow you to group exceptions together and then associate them with multiple rules. Refer to Create and manage shared exception lists to learn more. ![Shared Exception Lists page](../images/detections-ui-exceptions/-detections-rule-exceptions-page.png) diff --git a/docs/serverless/rules/interactive-investigation-guides.mdx b/docs/serverless/rules/interactive-investigation-guides.mdx index 4b2661b7ec..79642020c8 100644 --- a/docs/serverless/rules/interactive-investigation-guides.mdx +++ b/docs/serverless/rules/interactive-investigation-guides.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityInteractiveInvestigationGuides slug: /serverless/security/interactive-investigation-guides title: Launch Timeline from investigation guides description: Pivot from detection alerts to investigations with interactive investigation guide actions. @@ -10,7 +9,7 @@ status: in review
-Detection rule investigation guides suggest steps for triaging, analyzing, and responding to potential security issues. For custom rules, you can create an interactive investigation guide that includes buttons for launching runtime queries in Timeline, using alert data and hard-coded literal values. This allows you to start detailed Timeline investigations directly from an alert using relevant data. +Detection rule investigation guides suggest steps for triaging, analyzing, and responding to potential security issues. For custom rules, you can create an interactive investigation guide that includes buttons for launching runtime queries in Timeline, using alert data and hard-coded literal values. This allows you to start detailed Timeline investigations directly from an alert using relevant data. @@ -30,7 +29,7 @@ The **Investigation** tab displays query buttons, and each query button displays You can only create interactive investigation guides with custom rules because Elastic prebuilt rules can't be edited. However, you can duplicate a prebuilt rule, then configure the investigation guide for the duplicated rule.
-You can configure an interactive investigation guide when you create a new rule or edit an existing rule. +You can configure an interactive investigation guide when you create a new rule or edit an existing rule. 1. When configuring the rule's settings (the **About rule** step for a new rule, or the **About** tab for an existing rule), expand the **Advanced settings**, then scroll down to the **Investigation guide** Markdown editor. @@ -54,7 +53,7 @@ You can configure an interactive investigation guide when you - If you need to change the query button's configuration, you can either edit the syntax directly in the editor (refer to the syntax reference below), or delete the syntax and use the query builder form to recreate the query. + If you need to change the query button's configuration, you can either edit the syntax directly in the editor (refer to the syntax reference below), or delete the syntax and use the query builder form to recreate the query.
1. Save and enable the rule. @@ -154,7 +153,7 @@ This example creates the following Timeline query, as illustrated below: ### Timeline template fields -When viewing an interactive investigation guide in contexts unconnected to a specific alert (such a rule's details page), queries open as Timeline templates, and `parameter` fields are treated as Timeline template fields. +When viewing an interactive investigation guide in contexts unconnected to a specific alert (such a rule's details page), queries open as Timeline templates, and `parameter` fields are treated as Timeline template fields. diff --git a/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.mdx b/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.mdx index 1386d1ab83..0ea063b0f2 100644 --- a/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.mdx +++ b/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityPrebuiltRulesManagement slug: /serverless/security/prebuilt-rules-management title: Install and manage Elastic prebuilt rules description: Start detections quickly with prebuilt rules designed and updated by Elastic. @@ -10,19 +9,19 @@ status: in review
-Follow these guidelines to start using the ((security-app))'s prebuilt rules, keep them updated, and make sure they have the data needed to run successfully. +Follow these guidelines to start using the ((security-app))'s prebuilt rules, keep them updated, and make sure they have the data needed to run successfully. -* Install and enable Elastic prebuilt rules -* Prebuilt rule tags -* Select and duplicate all prebuilt rules -* Update Elastic prebuilt rules -* Confirm rule prerequisites +* Install and enable Elastic prebuilt rules +* Prebuilt rule tags +* Select and duplicate all prebuilt rules +* Update Elastic prebuilt rules +* Confirm rule prerequisites * Prebuilt rules don't start running by default. You must first install the rules, then enable them. After installation, only a few prebuilt rules will be enabled by default, such as the Endpoint Security rule. -* You can't modify most settings on Elastic prebuilt rules. You can only edit rule actions and add exceptions. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated. +* You can't modify most settings on Elastic prebuilt rules. You can only edit rule actions and add exceptions. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated. 
@@ -47,7 +46,7 @@ Follow these guidelines to start using the ((security-app))'s - Use the search bar and **Tags** filter to find the rules you want to install. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to Prebuilt rule tags. + Use the search bar and **Tags** filter to find the rules you want to install. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to Prebuilt rule tags.
@@ -58,7 +57,7 @@ Follow these guidelines to start using the ((security-app))'s **Execution results** tab. +Once you enable a rule, it starts running on its configured schedule. To confirm that it's running successfully, check its **Last response** status in the rules table, or open the rule's details page and check the **Execution results** tab.
@@ -123,5 +122,5 @@ Elastic regularly updates prebuilt rules to optimize their performance and ensur * Update multiple rules: Select the rules and click **Update _x_ selected rule(s)**. - Use the search bar and **Tags** filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to Prebuilt rule tags. + Use the search bar and **Tags** filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to Prebuilt rule tags. diff --git a/docs/serverless/rules/prebuilt-rules/prebuilt-rules.mdx b/docs/serverless/rules/prebuilt-rules/prebuilt-rules.mdx index bbd339a763..5fa189ca7e 100644 --- a/docs/serverless/rules/prebuilt-rules/prebuilt-rules.mdx +++ b/docs/serverless/rules/prebuilt-rules/prebuilt-rules.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityPrebuiltRules slug: /serverless/security/prebuilt-rules title: Prebuilt rule reference description: Learn more about Elastic's prebuilt detection rules. diff --git a/docs/serverless/rules/rules-coverage.mdx b/docs/serverless/rules/rules-coverage.mdx index 307d103d49..e3f4d3fb70 100644 --- a/docs/serverless/rules/rules-coverage.mdx +++ b/docs/serverless/rules/rules-coverage.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityRulesCoverage slug: /serverless/security/rules-coverage title: MITRE ATT&CK® coverage description: Review your current coverage of MITRE ATT&CK® tactics and techniques, based on installed rules. diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index adc73a45b6..4658e9ab05 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx 
@@ -1,5 +1,4 @@ --- -id: serverlessSecurityRulesUiCreate slug: /serverless/security/rules-create title: Create a detection rule description: Create detection rules to monitor your environment for suspicious and malicious behavior. @@ -12,7 +11,7 @@ status: in review To create a new detection rule, follow these steps: -1. Define the **rule type**. The configuration for this step varies depending on the rule type. +1. Define the **rule type**. The configuration for this step varies depending on the rule type. 1. Configure basic rule settings. 1. Configure advanced rule settings (optional). 1. Set the rule's schedule. @@ -23,12 +22,12 @@ To create a new detection rule, follow these steps: * To create detection rules, you must have access to data views, which requires the appropriate user role. -* You'll also need permissions to enable and view detections, manage rules, manage alerts, and preview rules. These permissions depend on the user role. Refer to Detections requirements for more information. +* You'll also need permissions to enable and view detections, manage rules, manage alerts, and preview rules. These permissions depend on the user role. Refer to Detections requirements for more information.
-At any step, you can preview the rule before saving it to see what kind of results you can expect. +At any step, you can preview the rule before saving it to see what kind of results you can expect.
@@ -52,13 +51,13 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, {/* The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too. */} -1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule. +1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule. 1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster. 1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. -1. Click **Continue** to configure basic rule settings. +1. Click **Continue** to configure basic rule settings.
@@ -94,7 +93,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, * Deselect this to load the saved query as a one-time way of populating the rule's **Custom query** field and filters. This copies the settings from the saved query to the rule, so you can then further adjust the rule's query and filters as needed. If the saved query is later changed, the rule will not inherit those changes. -1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. +1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. {/* The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too. */} 
@@ -104,13 +103,13 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, 1. Enter the field's data type. -1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule. +1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule. 1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster. 1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. -1. Click **Continue** to configure basic rule settings. +1. Click **Continue** to configure basic rule settings.
@@ -136,7 +135,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,
 Alerts created by threshold rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the **Group by** fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Additionally, you can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field.
-1. (Optional) Select **Suppress alerts** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information.
+1. (Optional) Select **Suppress alerts** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information.
 {/* The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too. */}
@@ -146,13 +145,13 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,
 1. Enter the field's data type.
-1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule.
+1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule.
 1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.
 1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
-1. Click **Continue** to configure basic rule settings.
+1. Click **Continue** to configure basic rule settings.
@@ -202,7 +201,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,
 * **Tiebreaker field**: Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp.
 * **Timestamp field**: Contains the event timestamp used for sorting a sequence of events. This is different from the **Timestamp override** advanced setting, which is used for querying events within a range. Defaults to the `@timestamp` ECS field.
-1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information.
+1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information.
 {/* The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too. */}
@@ -212,20 +211,20 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,
 1. Enter the field's data type.
-1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule.
+1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule.
 1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.
 1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
-1. Click **Continue** to configure basic rule settings.
+1. Click **Continue** to configure basic rule settings.
 ## Create an indicator match rule
-((elastic-sec)) provides limited support for indicator match rules. See Limited support for indicator match rules for more information.
+((elastic-sec)) provides limited support for indicator match rules. See Limited support for indicator match rules for more information.
 1. Go to **Rules** → **Detection rules (SIEM)** → **Create new rule**. The **Create new rule** page displays.
@@ -243,10 +242,10 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,
 You can use saved queries () and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
- 1. **Indicator index patterns**: The indicator index patterns containing field values for which you want to generate alerts. This field is automatically populated with indices specified in the `securitySolution:defaultThreatIndex` advanced setting. For more information, see Update default Elastic Security threat intelligence indices.
+ 1. **Indicator index patterns**: The indicator index patterns containing field values for which you want to generate alerts. This field is automatically populated with indices specified in the `securitySolution:defaultThreatIndex` advanced setting. For more information, see Update default Elastic Security threat intelligence indices.
- Data in indicator indices must be ECS compatible, and so it must contain a `@timestamp` field.
+ Data in indicator indices must be ECS compatible, and so it must contain a `@timestamp` field.
 1. **Indicator index query**: The query and filters used to filter the fields from
@@ -276,11 +275,11 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,
 ![Indicator match rule settings](../images/rules-ui-create/-detections-indicator-rule-example.png)
- Before you create rules, create Timeline templates so
+ Before you create rules, create Timeline templates so
 they can be selected here. When alerts generated by the rule are investigated in the Timeline, Timeline query values are replaced with their corresponding alert field values.
-1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information.
+1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information.
 {/* The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too. */}
@@ -290,13 +289,13 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,
 1. Enter the field's data type.
-1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule.
+1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule.
 1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.
 1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
-1. Click **Continue** to configure basic rule settings.
+1. Click **Continue** to configure basic rule settings.
@@ -345,9 +344,9 @@ You uploaded a value list of known ransomware domains, and you want to be notifi
 1. Use the **History Window Size** menu to specify the time range to search in minutes, hours, or days to determine if a term is new. The history window size must be larger than the rule interval plus additional look-back time, because the rule will look for terms where the only time(s) the term appears within the history window is _also_ within the rule interval and additional look-back time.
- For example, if a rule has an interval of 5 minutes, no additional look-back time, and a history window size of 7 days, a term will be considered new only if the time it appears within the last 7 days is also within the last 5 minutes. Configure the rule interval and additional look-back time when you set the rule's schedule.
+ For example, if a rule has an interval of 5 minutes, no additional look-back time, and a history window size of 7 days, a term will be considered new only if the time it appears within the last 7 days is also within the last 5 minutes. Configure the rule interval and additional look-back time when you set the rule's schedule.
-1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information.
+1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information.
 {/* The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too. */}
@@ -357,13 +356,13 @@ You uploaded a value list of known ransomware domains, and you want to be notifi
 1. Enter the field's data type.
-1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule.
+1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule.
 1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.
 1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
-1. Click **Continue** to configure basic rule settings.
+1. Click **Continue** to configure basic rule settings.
@@ -377,7 +376,7 @@ To create an ((esql)) rule:
 1. Select **((esql))**, then write a query.
- Refer to the sections below to learn more about ((esql)) query types, query design considerations, and rule limitations.
+ Refer to the sections below to learn more about ((esql)) query types, query design considerations, and rule limitations.
@@ -392,13 +391,13 @@ To create an ((esql)) rule:
 1. Enter the field's data type.
-1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule.
+1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's installation status when viewing the rule.
 1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.
 1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
-1. Click **Continue** to configure basic rule settings.
+1. Click **Continue** to configure basic rule settings.
@@ -451,7 +450,7 @@ FROM logs-* METADATA _id, _index, _version
 | WHERE event.category == "process" AND event.id == "8a4f500d"
 | LIMIT 10
 ```
-- This query starts by querying logs from indices that match the pattern `logs-*`. The `METADATA _id, _index, _version` operator allows alert deduplication.
+- This query starts by querying logs from indices that match the pattern `logs-*`. The `METADATA _id, _index, _version` operator allows alert deduplication.
 - Next, the query filters events where the `event.category` is a process and the `event.id` is `8a4f500d`.
 - Then, it limits the output to the top 10 results.
@@ -505,13 +504,13 @@ When writing your query, consider the following:
 ### ((esql)) rule limitations
-If your ((esql)) query creates new fields that aren’t part of the ECS schema, they aren't mapped to the alerts index, so you can't search for or filter them in the Alerts table. As a workaround, create runtime fields.
+If your ((esql)) query creates new fields that aren’t part of the ECS schema, they aren't mapped to the alerts index, so you can't search for or filter them in the Alerts table. As a workaround, create runtime fields.
 ### Highlight fields returned by the ((esql)) rule query
-When configuring an ((esql)) rule's **Custom highlighted fields**, you can specify any fields that the rule's aggregating or non-aggregating query return. This can help ensure that returned fields are visible in the alert details flyout while you're investigating alerts.
+When configuring an ((esql)) rule's **Custom highlighted fields**, you can specify any fields that the rule's aggregating or non-aggregating query return. This can help ensure that returned fields are visible in the alert details flyout while you're investigating alerts.
@@ -561,8 +560,8 @@ When configuring an ((esql)) rule's **Configure advanced rule settings (optional) - * Set the rule's schedule + * Configure advanced rule settings (optional) + * Set the rule's schedule
@@ -576,7 +575,7 @@ When configuring an ((esql)) rule's **Highlighted fields section within the alert details flyout. Fields without values aren't added. After you create the rule, you can find all custom highlighted fields in the About section of the rule details page. + 1. **Custom highlighted fields** (optional): Specify highlighted fields for personalized alert investigation flows. Fields with values are added to the Highlighted fields section within the alert details flyout. Fields without values aren't added. After you create the rule, you can find all custom highlighted fields in the About section of the rule details page. There's no limit to the number of custom highlighted fields you can add. 
@@ -585,18 +584,18 @@ When configuring an ((esql)) rule's **run Osquery or launch Timeline investigations using alert data. + alerts created by the rule. You can also add action buttons to run Osquery or launch Timeline investigations using alert data. 1. **Author** (optional): The rule's authors. 1. **License** (optional): The rule's license. 1. **Elastic endpoint exceptions** (optional): Adds all Elastic Endpoint Security - rule exceptions to this rule (refer to Add ((elastic-endpoint)) exceptions to learn more about adding endpoint exceptions). + rule exceptions to this rule (refer to Add ((elastic-endpoint)) exceptions to learn more about adding endpoint exceptions). - If you select this option, you can add Endpoint exceptions on the Rule details page. Additionally, all future exceptions added to the Endpoint Security rule also affect this rule. + If you select this option, you can add Endpoint exceptions on the Rule details page. Additionally, all future exceptions added to the Endpoint Security rule also affect this rule. - 1. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See Use building block rules for more information. + 1. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See Use building block rules for more information. 1. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100. @@ -628,7 +627,7 @@ When configuring an ((esql)) rule's **setting the rule's schedule. +1. Continue with setting the rule's schedule.
@@ -659,7 +658,7 @@ When configuring an ((esql)) rule's **setting up alert notifications and Response Actions (optional). + * Continue onto setting up alert notifications and Response Actions (optional). * Create the rule (with or without activation).
@@ -669,7 +668,7 @@ When configuring an ((esql)) rule's **
-To use Actions for alert notifications, you need the appropriate user role. For more information, see Cases requirements.
+To use Actions for alert notifications, you need the appropriate user role. For more information, see Cases requirements.
 1. Select a connector type to determine how notifications are sent. For example, if you select the ((jira)) connector, notifications are sent to your ((jira)) system.
@@ -702,7 +701,7 @@ To use Actions for alert notifications, you need the appropriate user role. For
 ![](../images/rules-ui-create/-detections-selected-action-type.png)
-1. Use the default notification message or customize it. You can add more context to the message by clicking the icon above the message text box and selecting from a list of available alert notification variables.
+1. Use the default notification message or customize it. You can add more context to the message by clicking the icon above the message text box and selecting from a list of available alert notification variables.
 1. Create the rule with or without activation.
@@ -715,8 +714,8 @@ To use Actions for alert notifications, you need the appropriate user role. For
 After you activate a rule, you can check if it is running as expected
-using the Monitoring tab on the Rules page. If you see
-values in the `Gap` column, you can Troubleshoot missing alerts.
+using the Monitoring tab on the Rules page. If you see
+values in the `Gap` column, you can Troubleshoot missing alerts.
 When a rule fails to run, the ((security-app)) tries to rerun it at its next scheduled run time.
@@ -828,9 +827,9 @@ Example using the mustache "current element" notation `{{.}}` to output all the
 ## Set up response actions (optional)
 Use Response Actions to set up additional functionality that will run whenever a rule executes:
-* **Osquery**: Include live Osquery queries with a custom query rule. When an alert is generated, Osquery automatically collects data on the system related to the alert. Refer to Add Osquery Response Actions to learn more.
+* **Osquery**: Include live Osquery queries with a custom query rule. When an alert is generated, Osquery automatically collects data on the system related to the alert. Refer to Add Osquery Response Actions to learn more.
-* **((elastic-defend))**: Automatically run response actions on an endpoint when rule conditions are met. For example, you can automatically isolate a host or terminate a process when specific activities or events are detected on the host. Refer to to learn more.
+* **((elastic-defend))**: Automatically run response actions on an endpoint when rule conditions are met. For example, you can automatically isolate a host or terminate a process when specific activities or events are detected on the host. Refer to to learn more.
 Host isolation involves quarantining a host from the network to prevent further spread of threats and limit potential damage. Be aware that automatic host isolation can cause unintended consequences, such as disrupting legitimate user activities or blocking critical business processes.
@@ -845,7 +844,7 @@ Host isolation involves quarantining a host from the network to prevent further
 You can preview any custom or prebuilt rule to find out how noisy it will be. For a custom rule, you can then adjust the rule's query or other settings.
-To preview rules, you must have the appropriate user role. Refer to Detections requirements for more information.
+To preview rules, you must have the appropriate user role. Refer to Detections requirements for more information.
 Click the **Rule preview** button while creating or editing a rule. The preview opens in a side panel, showing a histogram and table with the alerts you can expect, based on the defined rule settings and past events in your indices.
diff --git a/docs/serverless/rules/rules-ui-management.mdx b/docs/serverless/rules/rules-ui-management.mdx
index ec5d040e87..e2ac65ac6b 100644
--- a/docs/serverless/rules/rules-ui-management.mdx
+++ b/docs/serverless/rules/rules-ui-management.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityRulesUiManagement
 slug: /serverless/security/rules-ui-management
 title: Manage detection rules
 description: Manage your detection rules and enable Elastic prebuilt rules on the Rules page.
@@ -16,14 +15,14 @@ The Rules page allows you to view and manage all prebuilt and custom detection r
 On the Rules page, you can:
-* Sort and filter the rules list
-* Check the current status of rules
-* Modify existing rules settings
-* Manage rules
-* Snooze rule actions
-* Export and import rules
-* Confirm rule prerequisites
-* Troubleshoot missing alerts
+* Sort and filter the rules list
+* Check the current status of rules
+* Modify existing rules settings
+* Manage rules
+* Snooze rule actions
+* Export and import rules
+* Confirm rule prerequisites
+* Troubleshoot missing alerts
@@ -65,7 +64,7 @@ You can edit an existing rule's settings, and can bulk edit settings for multipl
-For prebuilt Elastic rules, you can't modify most settings. You can only edit rule actions and add exceptions. If you try to bulk edit with both prebuilt and custom rules selected, the action will affect only the rules that can be modified.
+For prebuilt Elastic rules, you can't modify most settings. You can only edit rule actions and add exceptions. If you try to bulk edit with both prebuilt and custom rules selected, the action will affect only the rules that can be modified.
 Similarly, rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views.
@@ -73,22 +72,22 @@ Similarly, rules will be skipped if they can't be modified by a bulk edit. For e
 1. Go to **Rules** → **Detection rules (SIEM)**.
 1. Do one of the following:
- * **Edit a single rule**: Select the **All actions** menu () on a rule, then select **Edit rule settings**. The **Edit rule settings** view opens, where you can modify the rule's settings.
+ * **Edit a single rule**: Select the **All actions** menu () on a rule, then select **Edit rule settings**. The **Edit rule settings** view opens, where you can modify the rule's settings.
 * **Bulk edit multiple rules**: Select the rules you want to edit, then select an action from the **Bulk actions** menu:
 * **Index patterns**: Add or delete the index patterns used by all selected rules.
 * **Tags**: Add or delete tags on all selected rules.
- * **Add rule actions**: Add rule actions on all selected rules. If you add multiple actions, you can specify an action frequency for each of them. To overwrite the frequency of existing actions select the option to **Overwrite all selected rules actions**.
+ * **Add rule actions**: Add rule actions on all selected rules. If you add multiple actions, you can specify an action frequency for each of them. To overwrite the frequency of existing actions select the option to **Overwrite all selected rules actions**.
 Rule actions won't run during a [maintenance window](((kibana-ref))/maintenance-windows.html). They'll resume running after the maintenance window ends.
- * **Update rule schedules**: Update the schedules and look-back times on all selected rules.
- * **Apply Timeline template**: Apply a specified Timeline template to the selected rules. You can also choose **None** to remove Timeline templates from the selected rules.
+ * **Update rule schedules**: Update the schedules and look-back times on all selected rules.
+ * **Apply Timeline template**: Apply a specified Timeline template to the selected rules.
You can also choose **None** to remove Timeline templates from the selected rules.
 1. On the page or flyout that opens, update the rule settings and actions.
- To snooze rule actions, go to the **Actions** tab and click the bell icon.
+ To snooze rule actions, go to the **Actions** tab and click the bell icon.
 1. If available, select **Overwrite all selected _x_** to overwrite the settings on the rules. For example, if you're adding tags to multiple rules, selecting **Overwrite all selected rules tags** removes all the rules' original tags and replaces them with the tags you specify.
@@ -101,7 +100,7 @@ Similarly, rules will be skipped if they can't be modified by a bulk edit. For e
 You can duplicate, enable, disable, delete, and snooze actions for rules:
-When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's default rule list. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list.
+When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's default rule list. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list.
 1. Go to **Rules** → **Detection rules (SIEM)**.
@@ -109,7 +108,7 @@ When duplicating a rule with exceptions, you can choose to duplicate the rule an
 * Select the **All actions** menu () on a rule, then select an action.
 * Select all the rules you want to modify, then select an action from the **Bulk actions** menu.
 * To enable or disable a single rule, switch on the rule's **Enabled** toggle.
- * To snooze actions for rules, click the bell icon.
+ * To snooze actions for rules, click the bell icon.
@@ -149,7 +148,7 @@ To import into a different ((stack)) deployment, the destination cluster must in
 You can also use the [Saved Objects](((kibana-ref))/managing-saved-objects.html#managing-saved-objects-share-to-space) UI (**Project settings** → **Content** → **Saved Objects**) to export and import necessary connectors before importing detection rules.
-- **Value lists**: Any value lists used for rule exceptions are _not_ included in rule exports or imports. Use the Manage value lists UI (**Rules** → **Detection rules (SIEM)** → **Manage value lists**) to export and import value lists separately.
+- **Value lists**: Any value lists used for rule exceptions are _not_ included in rule exports or imports. Use the Manage value lists UI (**Rules** → **Detection rules (SIEM)** → **Manage value lists**) to export and import value lists separately.
 To export and import detection rules:
@@ -160,7 +159,7 @@ To export and import detection rules:
 1. To import rules:
- To import rules with and without actions, and to manage rule connectors, you must have the appropriate user role. Refer to Enable and access detections for more information.
+ To import rules with and without actions, and to manage rule connectors, you must have the appropriate user role. Refer to Enable and access detections for more information.
 1. Click **Import rules**.
diff --git a/docs/serverless/rules/shared-exception-lists.mdx b/docs/serverless/rules/shared-exception-lists.mdx
index a7bbab3161..d793009b30 100644
--- a/docs/serverless/rules/shared-exception-lists.mdx
+++ b/docs/serverless/rules/shared-exception-lists.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecuritySharedExceptionLists
 slug: /serverless/security/shared-exception-lists
 title: Create and manage shared exception lists
 description: Learn how to create and manage shared exception lists.
@@ -36,7 +35,7 @@ Add exception items:
 1. Click **Create shared exception list** → **Create exception item**.
- You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking **Create rule exception**. After creating an exception, you can associate the shared exception list with rules. Refer to Associate shared exception lists with rules to learn more.
+ You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking **Create rule exception**. After creating an exception, you can associate the shared exception list with rules. Refer to Associate shared exception lists with rules to learn more.
 1. In the **Add rule exception** flyout, name the exception item and add conditions that define when the exception prevents alerts. When the exception's query conditions are met (the query evaluates to `true`), rules do not generate alerts even when other rule criteria are met.
@@ -52,7 +51,7 @@ Add exception items:
 * An exception defined by a value list must use `is in list` or `is not in list` in all conditions.
 * Wildcards are not supported in value lists.
- * If a value list can't be used due to size or data type, it'll be unavailable in the **Value** menu.
+ * If a value list can't be used due to size or data type, it'll be unavailable in the **Value** menu.
@@ -67,12 +66,12 @@ Add exception items:
 1. Click **AND** or **OR** to create multiple conditions and define their relationships.
 1. Click **Add nested condition** to create conditions using nested fields. This is only required for
- these nested fields. For all other fields, nested conditions should not be used.
+ these nested fields. For all other fields, nested conditions should not be used.
 1. Choose to add the exception to shared exception lists.
- This option will be unavailable if a shared exception list doesn't exist. In addition, you can't add an endpoint exception item to the Endpoint Security Exception List from this UI. Refer to Add ((elastic-endpoint)) exceptions for instructions about creating endpoint exceptions.
+ This option will be unavailable if a shared exception list doesn't exist. In addition, you can't add an endpoint exception item to the Endpoint Security Exception List from this UI. Refer to Add ((elastic-endpoint)) exceptions for instructions about creating endpoint exceptions.
 1. (Optional) Enter a comment describing the exception.
@@ -140,7 +139,7 @@ You can edit, export, import, duplicate, and delete shared exception lists from
 To export or delete an exception list, select the required action button on the appropriate list. Note the following:
 * Exception lists are exported to `.ndjson` files.
-* Exception lists are also exported as part of any exported detection rules configured with exceptions. Refer to Export and import rules.
+* Exception lists are also exported as part of any exported detection rules configured with exceptions. Refer to Export and import rules.
 * If an exception list is linked to any rules, you'll get a warning asking you to confirm the deletion.
 * If an exception list contains expired exceptions, you can choose whether to include them in the exported file.
diff --git a/docs/serverless/rules/ts-detection-rules.mdx b/docs/serverless/rules/ts-detection-rules.mdx
index 5b28c1f62b..b12d4287b1 100644
--- a/docs/serverless/rules/ts-detection-rules.mdx
+++ b/docs/serverless/rules/ts-detection-rules.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityTsDetectionRules
 slug: /serverless/security/ts-detection-rules
 title: Troubleshoot detection rules
 description: Covers common troubleshooting issues when creating or managing detection rules.
@@ -10,7 +9,7 @@ status: in review
-This topic covers common troubleshooting issues when creating or managing detection rules.
+This topic covers common troubleshooting issues when creating or managing detection rules.
@@ -78,7 +77,7 @@ Turning off `autocomplete:useTimeRange` could cause performance issues if the da
-A warning icon () and message appear for fields with type conflicts across multiple indices or fields that are unmapped. You can learn more about the conflict by clicking the warning message.
+A warning icon () and message appear for fields with type conflicts across multiple indices or fields that are unmapped. You can learn more about the conflict by clicking the warning message.
 A field can have type conflicts _and_ be unmapped in specified indices.
diff --git a/docs/serverless/rules/tuning-detection-signals.mdx b/docs/serverless/rules/tuning-detection-signals.mdx
index dd452eed75..2210187f14 100644
--- a/docs/serverless/rules/tuning-detection-signals.mdx
+++ b/docs/serverless/rules/tuning-detection-signals.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityTuningDetectionSignals
 slug: /serverless/security/tune-detection-signals
 title: Tune detection rules
 description: Tune prebuilt and custom detection rules to optimize alert generation.
@@ -12,7 +11,7 @@ status: in review
 Using the ((security-app)), you can tune prebuilt and custom detection rules to optimize alert generation. To reduce noise, you can:
-* Add exceptions to detection rules.
+* Add exceptions to detection rules.
 Using exceptions is recommended as this ensure excluded source event values
@@ -22,21 +21,21 @@ Using the ((security-app)), you can tune prebuilt and custom detection rules to
 * Disable detection rules that rarely produce actionable alerts because they match expected local behavior, workflows, or policy exceptions.
-* Clone and modify detection rule queries so they are
+* Clone and modify detection rule queries so they are
 aligned with local policy exceptions. This reduces noise while retaining actionable alerts.
 * Clone and modify detection rule risk scores, and use branching logic to map higher risk scores to higher priority workflows.
-* Enable alert suppression for custom query rules to reduce the number of repeated or duplicate alerts.
+* Enable alert suppression for custom query rules to reduce the number of repeated or duplicate alerts.
 For details about tuning rules for specific categories:
-* Tune rules detecting authorized processes
-* Tune Windows child process and PowerShell rules
-* Tune network rules
-* Tune indicator match rules
+* Tune rules detecting authorized processes
+* Tune Windows child process and PowerShell rules
+* Tune network rules
+* Tune indicator match rules
@@ -92,7 +91,7 @@ To reduce noise for authorized activity, you can do any of these:
 the relevant host names, agent names, or other common identifiers. For example, `host.name is `.
-* Add an exception to the rules that exclude specific
+* Add an exception to the rules that exclude specific
 processes. For example, `process.name is `.
@@ -185,7 +184,7 @@ Take the following steps to tune indicator match rules:
 * Avoid cluster performance issues by scheduling your rule to run in one-hour intervals or longer. For example, avoid scheduling an indicator match rule to check for indicators every five minutes.
-((elastic-sec)) provides limited support for indicator match rules. Visit support limitations for more information.
+((elastic-sec)) provides limited support for indicator match rules. Visit support limitations for more information.
 ### Noise from common cloud-based network traffic
@@ -203,6 +202,6 @@ tuning to reduce noise from legitimate administrative activities:
 If your organization is widely distributed and the workforce travels a lot, use the `windows_anomalous_user_name_ecs`, `linux_anomalous_user_name_ecs`, and `suspicious_login_activity_ecs`
-((ml)) jobs to detect suspicious authentication activity.
+((ml)) jobs to detect suspicious authentication activity.
diff --git a/docs/serverless/rules/value-lists-exceptions.mdx b/docs/serverless/rules/value-lists-exceptions.mdx
index d1babd8621..5bf8e9961d 100644
--- a/docs/serverless/rules/value-lists-exceptions.mdx
+++ b/docs/serverless/rules/value-lists-exceptions.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityValueListsExceptions
 slug: /serverless/security/value-lists-exceptions
 title: Create and manage value lists
 description: Make and manage value lists.
@@ -19,10 +18,10 @@ Value lists are lists of items with the same ((es)) [data type](((ref))/mapping-
 * `IP Ranges`
 * `Text`
-After creating value lists, you can use `is in list` and `is not in list` operators to define exceptions.
+After creating value lists, you can use `is in list` and `is not in list` operators to define exceptions.
-You can also use a value list as the indicator match index when creating an indicator match rule.
+You can also use a value list as the indicator match index when creating an indicator match rule.
diff --git a/docs/serverless/security-overview.mdx b/docs/serverless/security-overview.mdx index e923b9ee37..44b95ac32a 100644 --- a/docs/serverless/security-overview.mdx +++ b/docs/serverless/security-overview.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityOverview slug: /serverless/security/overview title: ((elastic-sec)) overview # description: Description to be written @@ -33,8 +32,8 @@ The following diagram provides a comprehensive illustration of the ((elastic-sec Here's an overview of the flow and its components: * Data is shipped from your hosts to ((elastic-sec)) in the following ways: - * ((elastic-defend)): ((agent)) integration that - protects your hosts against malware and ships these data sets: + * ((elastic-defend)): ((agent)) integration that + protects your hosts against malware and ships these data sets: * **Windows**: Process, network, file, DNS, registry, DLL and driver loads, malware security detections, API @@ -45,7 +44,7 @@ Here's an overview of the flow and its components: are lightweight data shippers. Beat modules provide a way of collecting and parsing specific data sets from common sources, such as cloud and OS events, logs, and metrics. Common security-related modules are listed - here. + here. * The ((security-app)) is used to manage the **Detection engine**, **Cases**, and **Timeline**, as well as administer hosts running ((elastic-defend)): 
@@ -53,33 +52,33 @@ Here's an overview of the flow and its components: * Detection engine: Automatically searches for suspicious host and network activity via the following: - * Detection rules: Periodically search the data + * Detection rules: Periodically search the data (((es)) indices) sent from your hosts for suspicious events. When a suspicious event is discovered, an alert is generated. External systems, such as Slack and email, can be used to send notifications when alerts are generated. - You can create your own rules and make use of our prebuilt ones. + You can create your own rules and make use of our prebuilt ones. - * Exceptions: Reduce noise and the number of + * Exceptions: Reduce noise and the number of false positives. Exceptions are associated with rules and prevent alerts when an exception's conditions are met. **Value lists** contain source event values that can be used as part of an exception's conditions. When ((elastic-defend)) is installed on your hosts, you can add malware exceptions directly to the endpoint from the Security app. - * ((ml-cap)) jobs: Automatic anomaly detection of host and network events. Anomaly scores are provided per host and can be used with detection rules. - * Timeline: Workspace for investigating alerts and events. + * ((ml-cap)) jobs: Automatic anomaly detection of host and network events. Anomaly scores are provided per host and can be used with detection rules. + * Timeline: Workspace for investigating alerts and events. Timelines use queries and filters to drill down into events related to a specific incident. Timeline templates are attached to rules and use predefined queries when alerts are investigated. Timelines can be saved and shared with others, as well as attached to Cases. - * Cases: An internal system for opening, tracking, and sharing + * Cases: An internal system for opening, tracking, and sharing security issues directly in the ((security-app)). 
Cases can be integrated with external ticketing systems. - * Administration: View and manage hosts running ((elastic-defend)). + * Administration: View and manage hosts running ((elastic-defend)). -Ingest data to ((elastic-sec)) and Install and configure the ((elastic-defend)) integration describe how to ship security-related data. +Ingest data to ((elastic-sec)) and Install and configure the ((elastic-defend)) integration describe how to ship security-related data. ### Additional ((elastic-defend)) information @@ -151,5 +150,5 @@ events. ((elastic-sec)) supports events and indicator index data from any ECS-co ((elastic-sec)) requires [ECS-compliant data](((ecs-ref))). If you use third-party data collectors to ship data to ((es)), the data must be mapped to ECS. - lists ECS fields used in ((elastic-sec)). + lists ECS fields used in ((elastic-sec)). diff --git a/docs/serverless/security-ui.mdx b/docs/serverless/security-ui.mdx index 92930472f6..6f4c318cea 100644 --- a/docs/serverless/security-ui.mdx +++ b/docs/serverless/security-ui.mdx @@ -1,5 +1,4 @@ --- -id: serverlessSecurityEsUiOverview slug: /serverless/security/security-ui title: Elastic Security UI # description: Description to be written 
@@ -78,11 +77,11 @@ The ((security-app)) contains the following pages that enable analysts to view,
 ### Discover
-Use the Discover UI to filter your data or learn about its structure.
+Use the Discover UI to filter your data or learn about its structure.
 ### Dashboards
-Expand this section to access the Overview, Detection & Response, Kubernetes, Cloud Security Posture, Cloud Native Vulnerability Management, and Entity Analytics dashboards, which provide interactive visualizations that summarize your data. You can also create and view custom dashboards. Refer to Dashboards for more information.
+Expand this section to access the Overview, Detection & Response, Kubernetes, Cloud Security Posture, Cloud Native Vulnerability Management, and Entity Analytics dashboards, which provide interactive visualizations that summarize your data. You can also create and view custom dashboards. Refer to Dashboards for more information.
 ![The dashboards landing page, 75%](images/es-ui-overview/-dashboards-dashboards-landing-page.png)
@@ -90,37 +89,37 @@ Expand this section to access the Overview, Detection & Response, Kubernetes, Cl
 Expand this section to access the following pages:
-* **Rules**: Create and manage rules to monitor suspicious events.
+* **Rules**: Create and manage rules to monitor suspicious events.
 ![Rules page](images/es-ui-overview/-detections-all-rules.png)
-* **Benchmark Rules**: View, enable, or disable benchmark rules.
+* **Benchmark Rules**: View, enable, or disable benchmark rules.
 ![Benchmark Rules page](images/es-ui-overview/-cloud-native-security-benchmark-rules.png)
-* **Shared Exception Lists**: View and manage rule exceptions and shared exception lists.
+* **Shared Exception Lists**: View and manage rule exceptions and shared exception lists.
 ![Shared Exception Lists page](images/es-ui-overview/-detections-rule-exceptions-page.png)
-* **MITRE ATT&CK® coverage**: Review your coverage of MITRE ATT&CK® tactics and techniques, based on installed rules.
+* **MITRE ATT&CK® coverage**: Review your coverage of MITRE ATT&CK® tactics and techniques, based on installed rules.
 ![MITRE ATT&CK® coverage page](images/es-ui-overview/-detections-rules-coverage.png)
 ### Alerts
-View and manage alerts to monitor activity within your network. Refer to for more information.
+View and manage alerts to monitor activity within your network. Refer to for more information.
 ![](images/es-ui-overview/-detections-alert-page.png)
 ### Findings
-Identify misconfigurations and vulnerabilities in your cloud infrastructure. For setup instructions, refer to , , or .
+Identify misconfigurations and vulnerabilities in your cloud infrastructure. For setup instructions, refer to , , or .
 ![Findings page](images/findings-page/-cloud-native-security-findings-page.png)
 ### Cases
-Open and track security issues. Refer to Cases to learn more.
+Open and track security issues. Refer to Cases to learn more.
 ![Cases page](images/es-ui-overview/-cases-cases-home-page.png)
@@ -128,7 +127,7 @@ Open and track security issues. Refer to Timelines: Investigate alerts and complex threats — such as lateral movement — in your network. Timelines are interactive and allow you to share your findings with other team members. + * Timelines: Investigate alerts and complex threats — such as lateral movement — in your network. Timelines are interactive and allow you to share your findings with other team members. ![Timeline page](images/es-ui-overview/-events-timeline-ui.png) @@ -136,11 +135,11 @@ Expand this section to access the following pages: Click the **Timeline** button at the bottom of the ((security-app)) to start an investigation.
- * Osquery: Deploy Osquery with ((agent)), then run and schedule queries.
+ * Osquery: Deploy Osquery with ((agent)), then run and schedule queries.
 ### Intelligence
-The Intelligence section contains the Indicators page, which collects data from enabled threat intelligence feeds and provides a centralized view of indicators of compromise (IoCs). Refer to Indicators of compromise to learn more.
+The Intelligence section contains the Indicators page, which collects data from enabled threat intelligence feeds and provides a centralized view of indicators of compromise (IoCs). Refer to Indicators of compromise to learn more.
 ![Indicators page](images/es-ui-overview/-cases-indicators-table.png)
@@ -148,15 +147,15 @@ The Intelligence section contains the Indicators page, which collects data from
 Expand this section to access the following pages:
-* **Hosts**: Examine key metrics for host-related security events using graphs, charts, and interactive data tables.
+* **Hosts**: Examine key metrics for host-related security events using graphs, charts, and interactive data tables.
 ![Hosts page](images/es-ui-overview/-management-hosts-hosts-ov-pg.png)
-* **Network**: Explore the interactive map to discover key network activity metrics and investigate network events further in Timeline.
+* **Network**: Explore the interactive map to discover key network activity metrics and investigate network events further in Timeline.
 ![Network page](images/es-ui-overview/-getting-started-network-ui.png)
-* **Users**: Access a comprehensive overview of user data to help you understand authentication and user behavior within your environment.
+* **Users**: Access a comprehensive overview of user data to help you understand authentication and user behavior within your environment.
 ![Users page](images/es-ui-overview/-getting-started-users-users-page.png)
@@ -166,16 +165,16 @@ The Assets section allows you to manage the following features:
 * [((fleet))](((fleet-guide))/manage-agents-in-fleet.html)
 * [((integrations))](((fleet-guide))/integrations.html)
-* Endpoint protection
- * Endpoints: View and manage hosts running ((elastic-defend)).
- * Policies: View and manage ((elastic-defend)) integration policies.
- * Trusted applications: View and manage trusted Windows, macOS, and Linux applications.
- * Event filters: View and manage event filters, which allow you to filter endpoint events you don't need to want stored in ((es)).
- * Host isolation exceptions: View and manage host isolation exceptions, which specify IP addresses that can communicate with your hosts even when those hosts are blocked from your network.
- * Blocklist: View and manage the blocklist, which allows you to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.
- * Response actions history: Find the history of response actions performed on hosts.
-* Cloud security
- * Container Workload Protection: Identify and block unexpected system behavior in Kubernetes containers.
+* Endpoint protection
+ * Endpoints: View and manage hosts running ((elastic-defend)).
+ * Policies: View and manage ((elastic-defend)) integration policies.
+ * Trusted applications: View and manage trusted Windows, macOS, and Linux applications.
+ * Event filters: View and manage event filters, which allow you to filter endpoint events you don't need to want stored in ((es)).
+ * Host isolation exceptions: View and manage host isolation exceptions, which specify IP addresses that can communicate with your hosts even when those hosts are blocked from your network.
+ * Blocklist: View and manage the blocklist, which allows you to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.
+ * Response actions history: Find the history of response actions performed on hosts.
+* Cloud security
+ * Container Workload Protection: Identify and block unexpected system behavior in Kubernetes containers.
 ### ((ml-cap))
diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json
index fbc65af420..c0748f1b38 100644
--- a/docs/serverless/serverless-security.docnav.json
+++ b/docs/serverless/serverless-security.docnav.json
@@ -1,246 +1,246 @@ { "mission": "Elastic Security", "id": "serverless-security", - "landingPageId": "serverlessSecurityWhatIsSecurityServerless", + "landingPageSlug": "/serverless/security/what-is-security-serverless", "icon": "logoSecurity", "description": "Description to be written", "items": [ { - "pageId": "serverlessSecurityOverview", + "slug": "/serverless/security/overview", "classic-sources": [ "enSecurityEsOverview" ] }, { - "pageId": "serverlessSecurityBilling" + "slug": "/serverless/security/security-billing" }, { - "pageId": "serverlessSecurityCreateProject" + "slug": "/serverless/security/create-project" }, { - "pageId": "serverlessSecurityEsUiOverview", + "slug": "/serverless/security/security-ui", "classic-sources": [ "enSecurityEsUiOverview" ] }, { - "pageId": "attackDiscovery" + "slug": "/serverless/security/attack-discovery" }, { "label": "Elastic AI Assistant", - "pageId": "serverlessSecurityAIAssistant", + "slug": "/serverless/security/ai-assistant", "classic-sources": [ "enSecuritySecurityAssistant" ], "items": [ { - "id":"serverlessSecurityAssistantAlertTriage" + "slug": "/serverless/security/triage-alerts-with-elastic-ai-assistant" }, { - "id":"llm-performance-matrix" + "slug": "/serverless/security/llm-performance-matrix" }, { - "id": "serverlessSecurityConnectBedrock" + "slug": "/serverless/security/connect-to-bedrock" }, { - "id": "serverlessSecurityConnectOpenAI" + "slug": "/serverless/security/connect-to-openai" }, { - "id": "serverlessSecurityConnectAzureOpenAI" + "slug": "/serverless/security/connect-to-azure-openai" } ] }, { "label": "Ingest data", - "pageId": "serverlessSecurityIngestData", + "slug": "/serverless/security/ingest-data", "classic-sources": [ "enSecurityIngestData" ], "items": [ { - "id": "serverlessSecurityThreatIntelligence", + "slug": "/serverless/security/threat-intelligence", "classic-sources": [ "enSecurityEsThreatIntelIntegrations" ] } ] }, { "label": "Secure your endpoints", - "pageId": 
"serverlessSecurityInstallDefend", + "slug": "/serverless/security/install-edr", "classic-sources": [ "enSecurityInstallEndpoint" ], "items": [ { "label": "Prevent Agent uninstallation", - "id": "serverlessSecurityAgentTamperProtection" + "slug": "/serverless/security/agent-tamper-protection" }, { "label": "Configure an integration policy", - "id": "serverlessSecurityConfigureEndpointIntegrationPolicy", + "slug": "/serverless/security/configure-endpoint-integration-policy", "classic-sources": [ "enSecurityConfigureEndpointIntegrationPolicy" ], "items": [ { "label": "Configure protection updates", - "id": "serverlessSecurityProtectionArtifactControl" + "slug": "/serverless/security/protection-artifact-control" }, { - "id": "serverlessSecurityEndpointDiagnosticData", + "slug": "/serverless/security/endpoint-diagnostic-data", "classic-sources": [ "enSecurityEndpointDiagnosticData" ] }, { "label": "Self-healing rollback (Windows)", - "id": "serverlessSecuritySelfHealingRollback", + "slug": "/serverless/security/self-healing-rollback", "classic-sources": [ "enSecuritySelfHealingRollback" ] }, { "label": "File system monitoring (Linux)", - "id": "serverlessSecurityLinuxFileMonitoring", + "slug": "/serverless/security/linux-file-monitoring", "classic-sources": [ "enSecurityLinuxFileMonitoring" ] } ] }, { - "id": "serverlessSecurityElasticEndpointDeployReqs", + "slug": "/serverless/security/elastic-endpoint-deploy-reqs", "classic-sources": [ "enSecurityElasticEndpointDeployReqs" ], "items": [ { "label": "macOS Catalina through Monterey", - "id": "serverlessSecurityDeployElasticEndpoint", + "slug": "/serverless/security/install-endpoint-manually", "classic-sources": [ "enSecurityDeployElasticEndpoint" ] }, { "label": "macOS Ventura and higher", - "id": "serverlessSecurityDeployElasticEndpointVen", + "slug": "/serverless/security/deploy-elastic-endpoint-ven", "classic-sources": [ "enSecurityDeployElasticEndpointVen" ] }, { "label": "Enable the Endgame sensor (Optional)", - 
"id": "serverlessSecurityEndgameSensorFullDiskAccess", + "slug": "/serverless/security/endgame-sensor-full-disk-access", "classic-sources": [ "enSecurityEndgameSensorFullDiskAccess" ] } ] }, { - "id": "serverlessSecurityUninstallAgent" + "slug": "/serverless/security/uninstall-agent" }, { "label": "Uninstall Elastic Endpoint", - "id": "serverlessSecurityUninstallEndpoint", + "slug": "/serverless/security/uninstall-endpoint", "classic-sources": [ "enSecurityUninstallEndpoint" ] } ] }, { - "pageId": "serverlessSecurityCloudNativeSecurityOverview", + "slug": "/serverless/security/cloud-native-security-overview", "classic-sources": [ "enSecurityCloudNativeSecurityOverview" ], "items": [ { - "id": "serverlessSecuritySecurityPostureManagement", + "slug": "/serverless/security/security-posture-management", "classic-sources": [ "enSecuritySecurityPostureManagement" ] }, { - "id": "serverlessEnableCloudSecurity" + "slug": "/serverless/security/enable-cloudsec" }, { - "id": "serverlessSecurityCspm", + "slug": "/serverless/security/cspm", "classic-sources": [ "enSecurityCspm" ], "items": [ { - "id": "serverlessSecurityCspmGetStarted", + "slug": "/serverless/security/cspm-get-started", "classic-sources": [ "enSecurityCspmGetStarted" ] }, { - "id": "serverlessSecurityCspmGetStartedGcp", + "slug": "/serverless/security/cspm-get-started-gcp", "classic-sources": [ "enSecurityCspmGetStartedGcp" ] }, { - "id": "serverlessSecurityCspmGetStartedAzure", + "slug": "/serverless/security/cspm-get-started-azure", "classic-sources": [ "enSecurityCspmGetStartedAzure" ] }, { - "id": "serverlessSecurityCspmFindingsPage", + "slug": "/serverless/security/cspm-findings-page", "classic-sources": [ "enSecurityCspmFindingsPage" ] }, { - "id": "serverlessSecurityBenchmarkRules", + "slug": "/serverless/security/benchmark-rules", "classic-sources": [ "enSecurityCspmBenchmarkRules" ] }, { - "id": "serverlessSecurityCloudPostureDashboard", + "slug": "/serverless/security/cloud-posture-dashboard-dash", 
"classic-sources": [ "enSecurityCloudPostureDashboard" ] }, { - "id": "serverlessSecurityCspmSecurityPostureFaq", + "slug": "/serverless/security/cspm-security-posture-faq", "classic-sources": [ "enSecurityCspmSecurityPostureFaq" ] } ] }, { - "id": "serverlessSecurityKspm", + "slug": "/serverless/security/kspm", "classic-sources": [ "enSecurityKspm" ], "items": [ { - "id": "serverlessSecurityGetStartedWithKspm", + "slug": "/serverless/security/get-started-with-kspm", "classic-sources": [ "enSecurityGetStartedWithKspm" ] }, { - "id": "serverlessSecurityCspmFindingsPage", + "slug": "/serverless/security/cspm-findings-page", "classic-sources": [ "enSecurityCspmFindingsPage" ] }, { - "id": "serverlessSecurityBenchmarkRules", + "slug": "/serverless/security/benchmark-rules", "classic-sources": [ "enSecurityBenchmarkRules" ] }, { - "id": "serverlessSecurityCloudPostureDashboard", + "slug": "/serverless/security/cloud-posture-dashboard-dash", "classic-sources": [ "enSecurityCloudPostureDashboard" ] }, { - "id": "serverlessSecuritySecurityPostureFaq", + "slug": "/serverless/security/security-posture-faq", "classic-sources": [ "enSecuritySecurityPostureFaq" ] } ] }, { - "id": "serverlessSecurityVulnManagementOverview", + "slug": "/serverless/security/vuln-management-overview", "classic-sources": [ "enSecurityVulnManagementOverview" ], "items": [ { - "id": "serverlessSecurityVulnManagementGetStarted", + "slug": "/serverless/security/vuln-management-get-started", "classic-sources": [ "enSecurityVulnManagementGetStarted" ] }, { - "id": "serverlessSecurityVulnManagementFindings", + "slug": "/serverless/security/vuln-management-findings", "classic-sources": [ "enSecurityVulnManagementFindings" ] }, { - "id": "serverlessSecurityVulnManagementDashboardDash", + "slug": "/serverless/security/vuln-management-dashboard-dash", "classic-sources": [ "ensSecurityVulnManagementDashboardDash" ] }, { - "id": "serverlessSecurityVulnManagementFaq", + "slug": 
"/serverless/security/vuln-management-faq", "classic-sources": [ "enSecurityVulnManagementFaq" ] } ] }, { - "id": "serverlessSecurityD4cOverview", + "slug": "/serverless/security/d4c-overview", "classic-sources": [ "enSecurityD4cOverview" ], "items": [ { - "id": "serverlessSecurityD4cGetStarted", + "slug": "/serverless/security/d4c-get-started", "classic-sources": [ "enSecurityD4cGetStarted" ] }, { - "id": "serverlessSecurityD4cPolicyGuide", + "slug": "/serverless/security/d4c-policy-guide", "classic-sources": [ "enSecurityD4cPolicyGuide" ] }, { - "id": "serverlessSecurityKubernetesDashboardDash", + "slug": "/serverless/security/kubernetes-dashboard-dash", "classic-sources": [ "enSecurityKubernetesDashboard" ] } ] }, { - "id": "serverlessSecurityCloudWorkloadProtection", + "slug": "/serverless/security/cloud-workload-protection", "classic-sources": [ "enSecurityCloudWorkloadProtection" ], "items": [ { - "id": "serverlessSecuritySessionView", + "slug": "/serverless/security/session-view", "classic-sources": [ "enSecuritySessionView" ] }, { - "id": "serverlessSecurityEnvironmentVariableCapture", + "slug": "/serverless/security/environment-variable-capture", "classic-sources": [ "enSecurityEnvironmentVariableCapture" ] } ] 
@@ -248,148 +248,148 @@ ] }, { - "pageId": "serverlessSecurityExploreYourData", + "slug": "/serverless/security/explore-your-data", "classic-sources": [ "enSecurityExploreYourData" ], "items": [ { - "id": "serverlessSecurityHostsOverview", + "slug": "/serverless/security/hosts-overview", "classic-sources": [ "enSecurityHostsOverview" ] }, { - "id": "serverlessSecurityNetworkPageOverview", + "slug": "/serverless/security/network-page-overview", "classic-sources": [ "enSecurityNetworkPageOverview" ] }, { - "id": "serverlessSecurityUsersPage", + "slug": "/serverless/security/users-page", "classic-sources": [ "enSecurityUsersPage" ] }, { - "id": "serverlessSecurityDataViewsInSec", + "slug": "/serverless/security/data-views-in-sec", "classic-sources": [ "enSecurityDataViewsInSec" ] }, { "label": "Create runtime fields", - "id": "serverlessSecurityRuntimeFields", + "slug": "/serverless/security/runtime-fields", "classic-sources": [ "enSecurityRuntimeFields" ] }, { - "id": "serverlessSecuritySiemFieldReference", + "slug": "/serverless/security/siem-field-reference", "classic-sources": [ "enSecuritySiemFieldReference" ] } ] }, { - "pageId": "serverlessSecurityDashboardsOverview", + "slug": "/serverless/security/dashboards-overview", "classic-sources": [ "enSecurityDashboardsOverview" ], "items": [ { "label": "Overview", - "id": "serverlessSecurityOverviewDashboard", + "slug": "/serverless/security/overview-dashboard", "classic-sources": [ "enSecurityOverviewDashboard" ] }, { "label": "Detection & Response", - "id": "serverlessSecurityDetectionResponseDashboard", + "slug": "/serverless/security/detection-response-dashboard", "classic-sources": [ "enSecurityDetectionResponseDashboard" ] }, { "label": "Kubernetes", - "id": "serverlessSecurityKubernetesDashboardDash", + "slug": "/serverless/security/kubernetes-dashboard-dash", "classic-sources": [ "enSecurityKubernetesDashboard" ] }, { "label": "Cloud Security Posture", - "id": "serverlessSecurityCloudPostureDashboard", + 
"slug": "/serverless/security/cloud-posture-dashboard-dash", "classic-sources": [ "enSecurityCloudPostureDashboard" ] }, { "label": "Entity Analytics", - "id": "serverlessSecurityDetectionEntityDashboard", + "slug": "/serverless/security/detection-entity-dashboard", "classic-sources": [ "enSecurityDetectionEntityDashboard" ] }, { "label": "Data Quality", - "id": "serverlessSecurityDataQualityDash" + "slug": "/serverless/security/data-quality-dash" }, { "label": "Cloud Native Vulnerability Management", - "id": "serverlessSecurityVulnManagementDashboardDash", + "slug": "/serverless/security/vuln-management-dashboard-dash", "classic-sources": [ "ensSecurityVulnManagementDashboardDash" ] }, { "label": "Detection rule monitoring", - "id": "serverlessSecurityRuleMonitoringDashboard", + "slug": "/serverless/security/rule-monitoring-dashboard", "classic-sources": [ "enSecurityRuleMonitoringDashboard" ] } ] }, { - "pageId": "serverlessSecurityDetectionEngineOverview", + "slug": "/serverless/security/detection-engine-overview", "classic-sources": [ "enSecurityDetectionEngineOverview" ] }, { "label": "Rules", - "pageId": "serverlessSecurityAboutRules", + "slug": "/serverless/security/about-rules", "classic-sources": [ "enSecurityAboutRules" ], "items": [ { - "id": "serverlessSecurityRulesUiCreate", + "slug": "/serverless/security/rules-create", "classic-sources": [ "enSecurityRulesUiCreate" ], "items": [ { - "id": "serverlessSecurityInteractiveInvestigationGuides", + "slug": "/serverless/security/interactive-investigation-guides", "classic-sources": [ "enSecurityInteractiveInvestigationGuides" ] }, { - "id": "serverlessSecurityBuildingBlockRule", + "slug": "/serverless/security/building-block-rules", "classic-sources": [ "enSecurityBuildingBlockRule" ] } ] }, { "label": "Use Elastic prebuilt rules", - "id": "serverlessSecurityPrebuiltRulesManagement", + "slug": "/serverless/security/prebuilt-rules-management", "classic-sources": [ "enSecurityPrebuiltRulesManagement" ] }, { - 
"id": "serverlessSecurityRulesUiManagement", + "slug": "/serverless/security/rules-ui-management", "classic-sources": [ "enSecurityRulesUiManagement" ] }, { - "id": "serverlessSecurityAlertsUiMonitor", + "slug": "/serverless/security/alerts-ui-monitor", "classic-sources": [ "enSecurityAlertsUiMonitor" ] }, { - "id": "serverlessSecurityDetectionsUiExceptions", + "slug": "/serverless/security/rule-exceptions", "classic-sources": [ "enSecurityDetectionsUiExceptions" ], "items": [ { - "id": "serverlessSecurityValueListsExceptions", + "slug": "/serverless/security/value-lists-exceptions", "classic-sources": [ "enSecurityValueListsExceptions" ] }, { - "id": "serverlessSecurityAddExceptions", + "slug": "/serverless/security/add-exceptions", "classic-sources": [ "enSecurityAddExceptions" ] }, { - "id": "serverlessSecuritySharedExceptionLists", + "slug": "/serverless/security/shared-exception-lists", "classic-sources": [ "enSecuritySharedExceptionLists" ] } ] }, { - "id": "serverlessSecurityRulesCoverage", + "slug": "/serverless/security/rules-coverage", "classic-sources": [ "enSecurityRulesCoverage" ] }, { - "id": "serverlessSecurityTuningDetectionSignals", + "slug": "/serverless/security/tune-detection-signals", "classic-sources": [ "enSecurityTuningDetectionSignals" ] }, { - "id": "serverlessSecurityTsDetectionRules", + "slug": "/serverless/security/ts-detection-rules", "classic-sources": [ "enSecurityTsDetectionRules" ] }, { - "id": "serverlessSecurityPrebuiltRules", + "slug": "/serverless/security/prebuilt-rules", "classic-sources": [ "enSecurityPrebuiltRules" ], "classic-skip": true } 
@@ -397,86 +397,86 @@ }, { "label": "Alerts", - "pageId": "serverlessSecurityAlertsUiManage", + "slug": "/serverless/security/alerts-manage", "classic-sources": [ "enSecurityAlertsUiManage" ], "items": [ { "label": "Visualize alerts", - "id": "serverlessSecurityVisualizeAlerts", + "slug": "/serverless/security/visualize-alerts", "classic-sources": [ "enSecurityVisualizeAlerts" ] }, { "label": "View alert details", - "id": "serverlessSecurityViewAlertDetails", + "slug": "/serverless/security/view-alert-details", "classic-sources": [ "enSecurityViewAlertDetails" ] }, { "label": "Add alerts to cases", - "id": "serverlessSecuritySignalsToCases", + "slug": "/serverless/security/signals-to-cases", "classic-sources": [ "enSecuritySignalsToCases" ] }, { "label": "Suppress alerts", - "id": "serverlessSecurityAlertSuppression", + "slug": "/serverless/security/alert-suppression", "classic-sources": [ "enSecurityAlertSuppression" ] }, { - "id": "serverlessSecurityReduceNotificationsAlerts", + "slug": "/serverless/security/reduce-notifications-alerts", "classic-sources": [ "enSecurityReduceNotificationsAlerts" ] }, { - "id": "serverlessSecurityVisualEventAnalyzer", + "slug": "/serverless/security/visual-event-analyzer", "classic-sources": [ "enSecurityVisualEventAnalyzer" ] }, { - "id": "serverlessSecurityQueryAlertIndices", + "slug": "/serverless/security/query-alert-indices", "classic-sources": [ "enSecurityQueryAlertIndices" ] }, { - "id": "serverlessSecurityAlertSchema", + "slug": "/serverless/security/alert-schema", "classic-sources": [ "enSecurityAlertSchema" ] } ] }, { "label": "Advanced Entity Analytics", - "pageId": "serverlessSecurityAdvancedEntityAnalytics", + "slug": "/serverless/security/advanced-entity-analytics", "items": [ { "label": "Entity risk scoring", - "id": "serverlessSecurityEntityRiskScoring", + "slug": "/serverless/security/entity-risk-scoring", "items": [ { "label": "Asset criticality", - "id": "serverlessSecurityAssetCriticality" + "slug": 
"/serverless/security/asset-criticality" }, { "label": "Turn on risk scoring", - "id": "serverlessSecurityTurnOnRiskEngine" + "slug": "/serverless/security/turn-on-risk-engine" }, { "label": "View risk score data", - "id": "serverlessSecurityAnalyzeRiskScoreData" + "slug": "/serverless/security/analyze-risk-score-data" } ] }, { "label": "Advanced behavioral detections", - "id": "serverlessSecurityAdvancedBehavioralDetections", + "slug": "/serverless/security/advanced-behavioral-detections", "items": [ { - "pageId": "serverlessSecurityMachineLearning", + "slug": "/serverless/security/machine-learning", "classic-sources": [ "enSecurityMachineLearning" ] }, { - "id": "serverlessSecurityTuningAnomalyResults", + "slug": "/serverless/security/tuning-anomaly-results", "classic-sources": [ "enSecurityTuningAnomalyResults" ] }, { - "id": "serverlessSecurityBehavioralDetectionUseCases" + "slug": "/serverless/security/behavioral-detection-use-cases" }, { - "id": "serverlessSecurityPrebuiltMlJobs", + "slug": "/serverless/security/prebuilt-ml-jobs", "classic-sources": [ "enSecurityPrebuiltMlJobs" ] } ] 
@@ -484,167 +484,167 @@ ] }, { - "pageId": "serverlessSecurityInvestigateEvents", + "slug": "/serverless/security/investigate-events", "classic-sources": [ "enSecurityInvestigateEvents" ], "items": [ { - "id": "serverlessSecurityTimelinesUi", + "slug": "/serverless/security/timelines-ui", "classic-sources": [ "enSecurityTimelinesUi" ], "items": [ { - "id": "serverlessSecurityTimelineTemplatesUi", + "slug": "/serverless/security/timeline-templates-ui", "classic-sources": [ "enSecurityTimelineTemplatesUi" ] }, { - "id": "serverlessSecurityTimelineObjectSchema", + "slug": "/serverless/security/timeline-object-schema", "classic-sources": [ "enSecurityTimelineObjectSchema" ] } ] }, { - "id": "serverlessSecurityCasesOverview", + "slug": "/serverless/security/cases-overview", "classic-sources": [ "enSecurityCasesOverview" ], "items": [ { - "id": "serverlessSecurityCasesOpenManage", + "slug": "/serverless/security/cases-open-manage", "classic-sources": [ "enSecurityCasesOpenManage" ] }, { - "id": "serverlessSecurityCasesUiIntegrations", + "slug": "/serverless/security/cases-ui-integrations", "classic-sources": [ "enSecurityCasesUiIntegrations" ] } ] }, { - "id": "serverlessSecurityIndicatorsOfCompromise", + "slug": "/serverless/security/indicators-of-compromise", "classic-sources": [ "enSecurityIndicatorsOfCompromise" ] } ] }, { - "pageId": "serverlessSecurityUseOsquery", + "slug": "/serverless/security/query-operating-systems", "classic-sources": [ "enSecurityUseOsquery" ], "items": [ { - "id": "serverlessSecurityOsqueryResponseAction", + "slug": "/serverless/security/osquery-response-action", "classic-sources": [ "enSecurityOsqueryResponseAction" ] }, { - "id": "serverlessSecurityInvestGuideRunOsquery", + "slug": "/serverless/security/invest-guide-run-osquery", "classic-sources": [ "enSecurityInvestGuideRunOsquery" ] }, { - "id": "serverlessSecurityAlertsRunOsquery", + "slug": "/serverless/security/alerts-run-osquery", "classic-sources": [ "enSecurityAlertsRunOsquery" ] 
}, { - "id": "serverlessSecurityViewOsqueryResults", + "slug": "/serverless/security/examine-osquery-results", "classic-sources": [ "enSecurityViewOsqueryResults" ] }, { - "id": "serverlessSecurityOsqueryPlaceholderFields", + "slug": "/serverless/security/osquery-placeholder-fields", "classic-sources": [ "enSecurityOsqueryPlaceholderFields" ] } ] }, { - "pageId": "serverlessSecurityResponseActions", + "slug": "/serverless/security/response-actions", "classic-sources": [ "enSecurityResponseActions" ], "items": [ { - "id": "serverlessSecurityAutomatedResponseActions" + "slug": "/serverless/security/automated-response-actions" }, { - "id": "serverlessSecurityHostIsolationOv", + "slug": "/serverless/security/isolate-host", "classic-sources": [ "enSecurityHostIsolationOv" ] }, { - "id": "serverlessSecurityResponseActionsHistory", + "slug": "/serverless/security/response-actions-history", "classic-sources": [ "enSecurityResponseActionsHistory" ] }, { - "id": "serverlessSecurityThirdPartyActions" + "slug": "/serverless/security/third-party-actions" }, { - "id": "serverlessSecurityResponseActionsConfig" + "slug": "/serverless/security/response-actions-config" } ] }, { - "pageId": "serverlessSecurityManageEndpointProtection", + "slug": "/serverless/security/manage-endpoint-protection", "classic-sources": [ "enSecuritySecManageIntro" ], "items": [ { - "id": "serverlessSecurityEndpointsPage", + "slug": "/serverless/security/endpoints-page", "classic-sources": [ "enSecurityAdminPageOv" ] }, { - "id": "serverlessSecurityPoliciesPageOv", + "slug": "/serverless/security/policies-page", "classic-sources": [ "enSecurityPoliciesPageOv" ] }, { - "id": "serverlessSecurityTrustedAppsOv", + "slug": "/serverless/security/trusted-applications", "classic-sources": [ "enSecurityTrustedAppsOv" ] }, { - "id": "serverlessSecurityEventFilters", + "slug": "/serverless/security/event-filters", "classic-sources": [ "enSecurityEventFilters" ] }, { - "id": 
"serverlessSecurityHostIsolationExceptions", + "slug": "/serverless/security/host-isolation-exceptions", "classic-sources": [ "enSecurityHostIsolationExceptions" ] }, { - "id": "serverlessSecurityBlocklist", + "slug": "/serverless/security/blocklist", "classic-sources": [ "enSecurityBlocklist" ] }, { - "id": "serverlessSecurityEndpointEventCapture" + "slug": "/serverless/security/endpoint-event-capture" }, { - "id": "serverlessSecurityOptimizeEdr", + "slug": "/serverless/security/optimize-edr", "classic-sources": [ "enSecurityEndpointArtifacts" ] }, { - "id": "serverlessSecurityTroubleshootEndpoints", + "slug": "/serverless/security/troubleshoot-endpoints", "classic-sources": [ "enSecurityTsManagement" ] } ] }, { - "pageId": "serverlessSecurityAssetManagement" + "slug": "/serverless/security/asset-management" }, { - "pageId": "serverlessSecurityManageSettings", + "slug": "/serverless/security/manage-settings", "items": [ { - "id": "serverlessSecurityProjectSettings" + "slug": "/serverless/security/project-settings" }, { - "id": "serverlessSecurityAdvancedSettings", + "slug": "/serverless/security/advanced-settings", "classic-sources": [ "enSecurityAdvancedSettings" ] }, { - "id": "serverlessSecuritySecRequirements", + "slug": "/serverless/security/requirements-overview", "classic-sources": [ "enSecuritySecRequirements" ], "items": [ { - "id": "serverlessSecurityDetectionsPermissionsSection", + "slug": "/serverless/security/detections-requirements", "classic-sources": [ "enSecurityDetectionsPermissionsSection" ] }, { - "id": "serverlessSecurityCasePermissions", + "slug": "/serverless/security/cases-requirements", "classic-sources": [ "enSecurityCasePermissions" ] }, { - "id": "serverlessSecurityERSRequirements" + "slug": "/serverless/security/ers-requirements" }, { - "id": "serverlessSecurityMlRequirements", + "slug": "/serverless/security/ml-requirements", "classic-sources": [ "enSecurityMlRequirements" ] }, { - "id": "serverlessSecurityConfMapUi", + "slug": 
"/serverless/security/conf-map-ui", "classic-sources": [ "enSecurityConfMapUi" ] } ]
@@ -652,7 +652,7 @@
 ]
 },
 {
- "pageId": "serverlessSecurityTechnicalPreviewLimitations"
+ "slug": "/serverless/security/security-technical-preview-limitations"
 }
 ]
 }
diff --git a/docs/serverless/settings/advanced-settings.mdx b/docs/serverless/settings/advanced-settings.mdx
index 66b3bd6c5b..67046cb80a 100644
--- a/docs/serverless/settings/advanced-settings.mdx
+++ b/docs/serverless/settings/advanced-settings.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityAdvancedSettings
 slug: /serverless/security/advanced-settings
 title: Advanced settings
 description: Update advanced ((elastic-sec)) settings.
@@ -16,10 +15,10 @@ The advanced settings determine:
 * Which indices ((elastic-sec)) uses to retrieve data
 * ((ml-cap)) anomaly score display threshold
 * The navigation menu style used throughout the ((security-app))
-* Whether the news feed is displayed on the Overview dashboard
+* Whether the news feed is displayed on the Overview dashboard
 * The default time interval used to filter ((elastic-sec)) pages
 * The default ((elastic-sec)) pages refresh time
-* Which IP reputation links appear on IP detail pages
+* Which IP reputation links appear on IP detail pages
 * Whether cross-cluster search (CCS) privilege warnings are displayed
 * Whether related integrations are displayed on the Rules page tables
 * The options provided in the alert tag menu
@@ -80,7 +79,7 @@ If you leave the `-*elastic-cloud-logs-*` index pattern selected, all Elastic cl
 ((elastic-sec)) requires [ECS-compliant data](((ecs-ref))). If you use third-party data collectors to ship data to ((es)), the data must be mapped to ECS.
- lists ECS fields used in ((elastic-sec)).
+ lists ECS fields used in ((elastic-sec)).
@@ -92,7 +91,7 @@ The `securitySolution:defaultThreatIndex` advanced setting specifies threat inte
 You can specify a maximum of 10 threat intelligence indices; multiple indices must be separated by commas. By default, only the `logs-ti*` index pattern is specified. Do not remove or overwrite this index pattern, as it is used by ((agent)) integrations.
-Threat intelligence indices aren't required to be ECS-compatible for use in indicator match rules. However, we strongly recommend compatibility if you want your alerts to be enriched with relevant threat indicator information. When searching for threat indicator data, indicator match rules use the threat indicator path specified in the **Indicator prefix override** advanced setting. Visit Configure advanced rule settings for more information.
+Threat intelligence indices aren't required to be ECS-compatible for use in indicator match rules. However, we strongly recommend compatibility if you want your alerts to be enriched with relevant threat indicator information. When searching for threat indicator data, indicator match rules use the threat indicator path specified in the **Indicator prefix override** advanced setting. Visit Configure advanced rule settings for more information.
@@ -111,7 +110,7 @@ To learn more, refer to our [Privacy Statement](https://www.elastic.co/legal/pri
 ## Set machine learning score threshold
-When security ((ml)) jobs are enabled, this setting
+When security ((ml)) jobs are enabled, this setting
 determines the threshold above which anomaly scores appear in ((elastic-sec)):
 * `securitySolution:defaultAnomalyScore`
@@ -133,7 +132,7 @@ The `securitySolution:enableAssetCriticality` setting determines whether asset c
 ## Exclude cold and frozen tier data from analyzer queries
-Including data from cold and frozen [data tiers](((ref))/data-tiers.html) in visual event analyzer queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default.
+Including data from cold and frozen [data tiers](((ref))/data-tiers.html) in visual event analyzer queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default.
 ## Change the default search interval and data refresh time
@@ -196,4 +195,4 @@ By default, Elastic prebuilt rules in the **Rules** and **Rule Monitoring** tabl
 ## Manage alert tag options
-The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to Apply and filter alert tags.
+The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to Apply and filter alert tags.
diff --git a/docs/serverless/settings/case-permissions.mdx b/docs/serverless/settings/case-permissions.mdx
index d8685f9aed..035a75065d 100644
--- a/docs/serverless/settings/case-permissions.mdx
+++ b/docs/serverless/settings/case-permissions.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityCasePermissions
 slug: /serverless/security/cases-requirements
 title: Cases requirements
 description: Requirements for using and managing cases.
@@ -16,16 +15,16 @@ status: in review
 {/* For more information, see */}
 {/* ((kibana-ref))/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges]. */}
-User roles define feature privileges at different levels to manage feature access. To access cases, you must have the appropriate user role.
+User roles define feature privileges at different levels to manage feature access. To access cases, you must have the appropriate user role.
-To send cases to external systems, you need the Security Analytics Complete .
+To send cases to external systems, you need the Security Analytics Complete .
-Certain feature tiers and roles might be required to manage case attachments. For example, to add alerts to cases, you must have a role that allows managing alerts.
+Certain feature tiers and roles might be required to manage case attachments. For example, to add alerts to cases, you must have a role that allows managing alerts.
 {/* Hiding the whole table because it's classic-only. We'll replace with serverless info when it's available. */}
diff --git a/docs/serverless/settings/conf-map-ui.mdx b/docs/serverless/settings/conf-map-ui.mdx
index a3722fe7bf..6fcf1bd8f7 100644
--- a/docs/serverless/settings/conf-map-ui.mdx
+++ b/docs/serverless/settings/conf-map-ui.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityConfMapUi
 slug: /serverless/security/conf-map-ui
 title: Network map data requirements
 description: Requirements for setting up and using the Network page.
@@ -13,9 +12,9 @@ status: in review
 Depending on your setup, to display and interact with data on the **Network** page's map you might need to:
-* Create data views
-* Add geographical IP data to events
-* Map your internal network
+* Create data views
+* Add geographical IP data to events
+* Map your internal network
 To see source and destination connections lines on the map, you must
@@ -118,7 +117,7 @@ fields:
 pipeline: geoip-info [^1]
 ```
 [^1]: The value of this field must be the same as the ingest pipeline name in
- step 1 (`geoip-info` in this example).
+ step 1 (`geoip-info` in this example).
diff --git a/docs/serverless/settings/detections-permissions-section.mdx b/docs/serverless/settings/detections-permissions-section.mdx
index 355b89dbdb..d58ba2a439 100644
--- a/docs/serverless/settings/detections-permissions-section.mdx
+++ b/docs/serverless/settings/detections-permissions-section.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityDetectionsPermissionsSection
 slug: /serverless/security/detections-requirements
 title: Detections requirements
 description: Requirements for setting up and configuring the detections feature.
@@ -10,12 +9,12 @@ status: in review
-To use the Detections feature, you first need to
+To use the Detections feature, you first need to
 configure a few settings. You also need the appropriate role to send
-notifications when detection alerts are generated.
+notifications when detection alerts are generated.
-Additionally, there are some advanced settings used to
-configure value list upload limits.
+Additionally, there are some advanced settings used to
+configure value list upload limits.
@@ -27,7 +26,7 @@ To use the Detections feature, it must be enabled and you must have the appropri
 {/* The reference to the Detections page might be a bug in classic and serverless docs. Might need to change it to Alerts and Rules, or something different like "pages that use the Detections feature". If update this para, will need to update the table below as well. */}
-For instructions about using Machine Learning jobs and rules, refer to Machine learning job and rule requirements.
+For instructions about using Machine Learning jobs and rules, refer to Machine learning job and rule requirements.
@@ -48,7 +47,7 @@ If a rule requires certain privileges to run, such as index privileges, keep in
 ## Configure list upload limits
 You can set limits to the number of bytes and the buffer size used to upload
-value lists to ((elastic-sec)).
+value lists to ((elastic-sec)).
 To set the value:
diff --git a/docs/serverless/settings/endpoint-management-req.mdx b/docs/serverless/settings/endpoint-management-req.mdx
index 57b2e34f38..d325888d8f 100644
--- a/docs/serverless/settings/endpoint-management-req.mdx
+++ b/docs/serverless/settings/endpoint-management-req.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityEndpointManagementReq
 # slug: /serverless/security/endpoint-management-req
 title: ((elastic-defend)) requirements
 description: Manage user roles and privileges to grant access to ((elastic-defend)) features.
@@ -42,7 +41,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Access the Endpoints page, which lists all hosts running ((elastic-defend)), and associated integration details.
+ Access the Endpoints page, which lists all hosts running ((elastic-defend)), and associated integration details.
@@ -53,7 +52,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Access the Trusted Applications page to remediate conflicts with other software, such as antivirus or endpoint security applications.
+ Access the Trusted Applications page to remediate conflicts with other software, such as antivirus or endpoint security applications.
@@ -64,7 +63,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Access the Host Isolation Exceptions page to add specific IP addresses that isolated hosts can still communicate with.
+ Access the Host Isolation Exceptions page to add specific IP addresses that isolated hosts can still communicate with.
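Review bot: Removing `-id: serverlessSecurityEndpointManagementReq` from the front matter of endpoint-management-req.mdx leaves that page with no active identifier at all, because its only `slug:` line is still commented out (`# slug: /serverless/security/endpoint-management-req`) and none of the nav hunks visible in this diff reference the page by either key. Every other page in this commit keeps a live `slug:` when its `id:` goes, so this looks like an oversight rather than a deliberate orphaning. If the page should be reachable under the new slug scheme, uncomment the line as `slug: /serverless/security/endpoint-management-req`; if it is intentionally unpublished, a front-matter comment such as `# intentionally unpublished: not listed in the nav` would make that explicit for the next reader.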
@@ -75,7 +74,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Access the Blocklist page to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.
+ Access the Blocklist page to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.
@@ -86,7 +85,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Access the Event Filters page to filter out endpoint events that you don't want stored in ((es)).
+ Access the Event Filters page to filter out endpoint events that you don't want stored in ((es)).
@@ -97,7 +96,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Access the Policies page and ((elastic-defend)) integration policies to configure protections, event collection, and advanced policy features.
+ Access the Policies page and ((elastic-defend)) integration policies to configure protections, event collection, and advanced policy features.
@@ -108,7 +107,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Access the response actions history for endpoints.
+ Access the response actions history for endpoints.
@@ -119,7 +118,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Allow users to isolate and release hosts.
+ Allow users to isolate and release hosts.
@@ -130,7 +129,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Perform host process-related response actions, including `processes`, `kill-process`, and `suspend-process`.
+ Perform host process-related response actions, including `processes`, `kill-process`, and `suspend-process`.
@@ -141,7 +140,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Perform file-related response actions in the response console.
+ Perform file-related response actions in the response console.
@@ -152,7 +151,7 @@ To grant access, select **All** for the **Security** feature in the **((kib)) pr
- Perform shell commands and script-related response actions in the response console.
+ Perform shell commands and script-related response actions in the response console.
 The commands are run on the host using the same user account running the ((elastic-defend)) integration, which normally has full control over the system. Only grant this feature privilege to ((elastic-sec)) users who require this level of access.
diff --git a/docs/serverless/settings/ers-req.mdx b/docs/serverless/settings/ers-req.mdx
index 58b64540ad..903c8c52fa 100644
--- a/docs/serverless/settings/ers-req.mdx
+++ b/docs/serverless/settings/ers-req.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityERSRequirements
 slug: /serverless/security/ers-requirements
 title: Entity risk scoring prerequisites
 description: Requirements for using entity risk scoring and asset criticality.
@@ -7,7 +6,7 @@ tags: [ 'serverless', 'security', 'reference', 'manage' ]
 status: in review
 ---
-To use entity risk scoring and asset criticality, you need the appropriate user roles. These features require the Security Analytics Complete project feature.
+To use entity risk scoring and asset criticality, you need the appropriate user roles. These features require the Security Analytics Complete project feature.
 This page covers the requirements for using the entity risk scoring and asset criticality features, as well as their known limitations.
@@ -15,7 +14,7 @@ This page covers the requirements for using the entity risk scoring and asset cr
 ### User roles
-To turn on the risk scoring engine, you need one of the following Security user roles:
+To turn on the risk scoring engine, you need one of the following Security user roles:
 * Platform engineer
 * Detections admin
@@ -28,11 +27,11 @@ To turn on the risk scoring engine, you need one of the following advanced setting.
+To use the asset criticality feature, turn on the `securitySolution:enableAssetCriticality` advanced setting.
 ### User roles
-The following Security user roles allow you to view an entity's asset criticality:
+The following Security user roles allow you to view an entity's asset criticality:
 * Viewer
 * Tier 1 analyst
diff --git a/docs/serverless/settings/manage-settings.mdx b/docs/serverless/settings/manage-settings.mdx
index 209a8f0a9b..779bc6ce0a 100644
--- a/docs/serverless/settings/manage-settings.mdx
+++ b/docs/serverless/settings/manage-settings.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityManageSettings
 slug: /serverless/security/manage-settings
 title: Manage settings
 # description: Description to be written
@@ -10,6 +9,6 @@ status: in review
 These pages explain how to manage settings in various areas of the ((security-app)):
-* : Configure project-wide settings related to users, billing, data management, and more.
-* : Update advanced ((elastic-sec)) settings.
-* : Learn about requirements for specific features.
+* : Configure project-wide settings related to users, billing, data management, and more.
+* : Update advanced ((elastic-sec)) settings.
+* : Learn about requirements for specific features.
diff --git a/docs/serverless/settings/ml-requirements.mdx b/docs/serverless/settings/ml-requirements.mdx
index 3a35b20087..9ae72514d6 100644
--- a/docs/serverless/settings/ml-requirements.mdx
+++ b/docs/serverless/settings/ml-requirements.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityMlRequirements
 slug: /serverless/security/ml-requirements
 title: ((ml-cap)) job and rule requirements
 description: Requirements for using ((ml-cap)) jobs and rules.
diff --git a/docs/serverless/settings/project-settings.mdx b/docs/serverless/settings/project-settings.mdx
index 369c3d087b..1175421924 100644
--- a/docs/serverless/settings/project-settings.mdx
+++ b/docs/serverless/settings/project-settings.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityProjectSettings
 slug: /serverless/security/project-settings
 title: Project settings
 description: Configure project-wide settings related to users, billing, data management, and more.
diff --git a/docs/serverless/settings/sec-requirements.mdx b/docs/serverless/settings/sec-requirements.mdx
index cde0713f16..46eba849c5 100644
--- a/docs/serverless/settings/sec-requirements.mdx
+++ b/docs/serverless/settings/sec-requirements.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecuritySecRequirements
 slug: /serverless/security/requirements-overview
 title: ((elastic-sec)) requirements
 description: Requirements for using and configuring ((elastic-sec)).
@@ -17,26 +16,26 @@ supported operating systems, platforms, and browsers on which components such as
 There are some additional requirements for specific features:
-* Detections prerequisites and requirements
-* Cases prerequisites
-* Entity risk scoring prerequisites
-* Machine learning job and rule requirements
-* ((elastic-endpoint)) requirements
-* Configure network map data
+* Detections prerequisites and requirements
+* Cases prerequisites
+* Entity risk scoring prerequisites
+* Machine learning job and rule requirements
+* ((elastic-endpoint)) requirements
+* Configure network map data
 {/* Hiding the content below until we can validate equivalent statements for serverless. */}
 {/* ## License requirements
 All features are available as part of the free Basic plan **except**:
-* Alert notifications via external systems
-* ((ml-cap)) jobs and rules
-* Cases integration with third-party ticketing
+* Alert notifications via external systems
+* ((ml-cap)) jobs and rules
+* Cases integration with third-party ticketing
 systems
 ## Advanced configuration and UI options
-Configure advanced settings describes how to modify advanced settings, such as the
+Configure advanced settings describes how to modify advanced settings, such as the
 ((elastic-sec)) indices, default time intervals used in filters, and IP reputation links. */}
@@ -47,7 +46,7 @@ to better analyze, visualize, and correlate the data represented in their events.
 ((elastic-sec)) can ingest and normalize events from any ECS-compliant data source.
-((elastic-sec)) requires [ECS-compliant data](((ecs-ref))). If you use third-party data collectors to ship data to ((es)), the data must be mapped to ECS. ((elastic-sec)) ECS field reference lists ECS fields used in ((elastic-sec)).
+((elastic-sec)) requires [ECS-compliant data](((ecs-ref))). If you use third-party data collectors to ship data to ((es)), the data must be mapped to ECS. ((elastic-sec)) ECS field reference lists ECS fields used in ((elastic-sec)).
 {/* Hiding the content below until we can validate equivalent statements for serverless. */}
diff --git a/docs/serverless/technical-preview-limitations.mdx b/docs/serverless/technical-preview-limitations.mdx
index 85e49f2a85..b6be7feb58 100644
--- a/docs/serverless/technical-preview-limitations.mdx
+++ b/docs/serverless/technical-preview-limitations.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityTechnicalPreviewLimitations
 slug: /serverless/security/security-technical-preview-limitations
 title: Technical preview limitations
 description: Review the limitations that apply to Elastic Security projects in technical preview.
diff --git a/docs/serverless/what-is-security-serverless.mdx b/docs/serverless/what-is-security-serverless.mdx
index dc366bd9bd..0a9fe3ca29 100644
--- a/docs/serverless/what-is-security-serverless.mdx
+++ b/docs/serverless/what-is-security-serverless.mdx
@@ -1,5 +1,4 @@
 ---
-id: serverlessSecurityWhatIsSecurityServerless
 slug: /serverless/security/what-is-security-serverless
 title: ((elastic-sec))
 # description: Description to be written
@@ -34,12 +33,12 @@ Serverless projects provide you with the existing ((elastic-sec)) on-premise and
 {
 "title": "Create a Security project",
 "description": "Create your first ((serverless-short)) Security project.",
- "pageId": "serverlessSecurityCreateProject"
+ slug: "/serverless/security/create-project"
 },
 {
 "title": "Ingest data",
 "description": "Learn how to add your own data to ((elastic-sec)).",
- "pageId": "serverlessSecurityIngestData"
+ slug: "/serverless/security/ingest-data"
 },
 ]
 }
@@ -52,32 +51,32 @@ Serverless projects provide you with the existing ((elastic-sec)) on-premise and
 {
 "title": "Enable detection rules",
 "description": "Activate prebuilt rules from Elastic, and create your own custom rules.",
- "pageId": "serverlessSecurityDetectionEngineOverview"
+ slug: "/serverless/security/detection-engine-overview"
 },
 {
 "title": "Protect endpoints",
 "description": "Install and configure real-time endpoint protection with ((elastic-defend)).",
- "pageId": "serverlessSecurityInstallDefend"
+ slug: "/serverless/security/install-edr"
 },
 {
 "title": "Secure your cloud",
 "description": "Improve cloud security posture, scan for vulnerabilities, and monitor workloads.",
- "pageId": "serverlessSecurityCloudNativeSecurityOverview"
+ slug: "/serverless/security/cloud-native-security-overview"
 },
 {
 "title": "Triage and respond to alerts",
 "description": "Analyze potential threats and launch investigations.",
- "pageId": "serverlessSecurityAlertsUiManage"
+ slug: "/serverless/security/alerts-manage"
 },
 {
 "title": "Investigate security events",
 "description": "Query security event data and hunt for threats.",
- "pageId": "serverlessSecurityInvestigateEvents"
+ slug: "/serverless/security/investigate-events"
 },
 {
 "title": "Visualize security data",
 "description": "Use prebuilt dashboards and create your own visualizations.",
- "pageId": "serverlessSecurityDashboardsOverview"
+ slug: "/serverless/security/dashboards-overview"
 },
 ]
 }
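Review bot: The added lines in both hunks of what-is-security-serverless.mdx (`@@ -34,12 +33,12 @@` and `@@ -52,32 +51,32 @@`) write the new key unquoted as `slug:` while every sibling key in the same objects (`"title"`, `"description"`) and the key they replace (`"pageId"`) are quoted, and the nav file earlier in this commit spells the same key as `"slug":`. If this card list is ever parsed as strict JSON rather than as a JS object literal, the unquoted key will not parse; even where it is accepted, the mixed quoting is an inconsistency that the next edit is likely to copy. Quoting the key on each of the eight added lines, e.g. `"slug": "/serverless/security/create-project"`, keeps the block consistent with its neighbours and with the nav JSON.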
@@ -85,3 +84,5 @@ Serverless projects provide you with the existing ((elastic-sec)) on-premise and
+
+