diff --git a/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc b/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc index be3087461c..97ba3a4c41 100644 --- a/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc +++ b/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc 
@@ -48,48 +48,33 @@ Learn more about <>. image::images/alerts-table-rs.png[Risk scores in the Alerts table] [discrete] -==== Triage alerts associated with high-risk entities +[[triage-alerts-associated-with-high-risk-or-business-critical-entities]] +==== Triage alerts associated with high-risk or business-critical entities -To analyze alerts associated with high-risk entities, you can filter or group them by entity risk level. +To analyze alerts associated with high-risk or business-critical entities, you can filter or group them by entity risk level or asset criticality level. -* Use the drop-down filter controls to filter alerts by entity risk level. To do this, <> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`: -+ -[role="screenshot"] -image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level] +NOTE: If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level. + +* Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, <> to filter by: -* To group alerts by entity risk level, select **Group alerts by**, then select **Custom field** and search for `host.risk.calculated_level` or `user.risk.calculated_level`. +** `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level: + [role="screenshot"] -image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels] +image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level] -** You can further sort the grouped alerts by highest entity risk score: -+ --- -... Expand a risk level group, for example **High**. -... Select **Sort fields** → **Pick fields to sort by**. -... Select fields in the following order: -.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low** -.... 
`Risk score`: **High-Low** -.... `@timestamp`: **New-Old** --- +** `user.asset.criticality` or `host.asset.criticality` for asset criticality level: + [role="screenshot"] -image::images/hrl-sort-by-host-risk-score.png[High-risk alerts sorted by host risk score] - -[discrete] -[[triage-alerts-associated-with-business-critical-entities]] -==== Triage alerts associated with business-critical entities - -To analyze alerts associated with business-critical entities, you can filter or group them by entity asset criticality. +image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level] -NOTE: If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level. +* To group alerts by entity risk level or asset criticality level, select **Group alerts by**, then select **Custom field** and search for: -* Use the drop-down filter controls to filter alerts by asset criticality level. To do this, <> to filter by `user.asset.criticality` or `host.asset.criticality`: +** `host.risk.calculated_level` or `user.risk.calculated_level` for entity risk level: + [role="screenshot"] -image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level] +image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels] -* To group alerts by asset criticality level, select **Group alerts by**, then select **Custom field** and search for `host.asset.criticality` or `user.asset.criticality`. +** `host.asset.criticality` or `user.asset.criticality` for asset criticality level: + [role="screenshot"] image::images/group-by-asset-criticality.png[Alerts grouped by entity asset criticality levels] 
@@ -97,16 +82,16 @@ image::images/group-by-asset-criticality.png[Alerts grouped by entity asset crit ** You can further sort the grouped alerts by highest entity risk score: + -- -... Expand an asset criticality group, for example **high_impact**. +... Expand a risk level group (for example, **High**) or an asset criticality group (for example, **high_impact**). ... Select **Sort fields** → **Pick fields to sort by**. ... Select fields in the following order: -.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low** +.... `host.risk.calculated_score_norm` or `user.risk.calculated_score_norm`: **High-Low** .... `Risk score`: **High-Low** .... `@timestamp`: **New-Old** -- + [role="screenshot"] -image::images/ac-sort-by-host-risk-score.png[High-impact alerts sorted by host risk score] +image::images/hrl-sort-by-host-risk-score.png[High-risk alerts sorted by host risk score] [discrete] [[alert-details-flyout]] diff --git a/docs/advanced-entity-analytics/asset-criticality.asciidoc b/docs/advanced-entity-analytics/asset-criticality.asciidoc index 74ae671bab..7009251dc7 100644 --- a/docs/advanced-entity-analytics/asset-criticality.asciidoc +++ b/docs/advanced-entity-analytics/asset-criticality.asciidoc @@ -57,7 +57,7 @@ With asset criticality, you can improve your security operations by: You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. -Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to <>. +Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to <>. [discrete] [[monitor-entity-risk]] 
diff --git a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc index 76b8f120ba..6eb5042269 100644 --- a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc +++ b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc @@ -14,8 +14,14 @@ It also generates risk scores on a recurring interval, and allows for easy onboa Entity risk scores are determined by the following risk inputs: -* <>, stored in the `.alerts-security.alerts-` index alias -* <>, stored in the `.asset-criticality.asset-criticality-` index alias +[width="100%",options="header"] +|============================================== +|Risk input |Storage location + +|<> |`.alerts-security.alerts-` index alias +|<> |`.asset-criticality.asset-criticality-` index alias +|============================================== + The resulting entity risk scores are stored in the `risk-score.risk-score-` data stream alias. 
@@ -29,10 +35,12 @@ The resulting entity risk scores are stored in the `risk-score.risk-score->. +. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. -The engine then verifies the entity's <>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level: +. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <>. +. The engine then verifies the entity's <>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary. ++ [width="100%",options="header"] |============================================== |Asset criticality level |Default risk weight @@ -43,13 +51,11 @@ The engine then verifies the entity's <> -* <> -* <> +* <>, which displays user risk data and inputs. +* <>, which allows you to view and assign asset criticality. +* <>, which displays user details. [role="screenshot"] image::images/users/user-details-flyout.png[User details flyout] diff --git a/docs/management/hosts/hosts-overview.asciidoc b/docs/management/hosts/hosts-overview.asciidoc index 21338b110e..389ecfe647 100644 --- a/docs/management/hosts/hosts-overview.asciidoc +++ b/docs/management/hosts/hosts-overview.asciidoc 
@@ -65,9 +65,9 @@ In addition to the host details page, relevant host information is also availabl The host details flyout includes the following sections: -* <> -* <> -* <> +* <>, which displays host risk data and inputs. +* <>, which allows you to view and assign asset criticality. +* <>, which displays host details. [role="screenshot"] image::images/host-details-flyout.png[Host details flyout]
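Review bot: in the analyze-risk-score-data.asciidoc hunk that merges the two triage sections, the anchor `[[triage-alerts-associated-with-business-critical-entities]]` is removed and only the xref in asset-criticality.asciidoc is updated in this patch; grep the docs for any other reference to the old anchor before merging, since a dangling xref fails the AsciiDoc build. The same check applies to `images/ac-sort-by-host-risk-score.png`, whose only visible `image::` reference is removed here: if nothing else uses it, delete the file in the same change so the images directory does not accumulate orphans.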
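Review bot: in the `@@ -97,16 +82,16 @@` hunk the sort procedure now starts with "Expand a risk level group (for example, **High**) or an asset criticality group (for example, **high_impact**)", but the single screenshot that follows, `hrl-sort-by-host-risk-score.png` with alt text "High-risk alerts sorted by host risk score", only shows the risk-level case. Either keep a neutral alt text such as "Grouped alerts sorted by host risk score" or say in the step that the screenshot shows the risk-level grouping, so readers sorting an asset criticality group are not left expecting a different view. The added space in `` `host.risk.calculated_score_norm` or `user.risk.calculated_score_norm` `` fixes the run-together rendering from the original line.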
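Review bot: in the entity-risk-scoring.asciidoc `@@ -29,10 +35,12 @@` hunk, step 1 says "For each entity, the engine processes up to 10,000 alerts" but not which alerts are selected when an entity has more than 10,000 `Open` or `Acknowledged` alerts in the 30-day window. Because step 2 states that higher-scoring alerts contribute more to the aggregate, an analyst reading a score needs to know whether the cap keeps the highest-scoring alerts, the most recent ones, or an arbitrary subset; add one sentence stating the selection rule, or a note that scores for such entities may undercount if the rule is not score-based. The `+` continuation line before the `[width="100%",options="header"]` table correctly attaches the weight table to step 3.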
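Review bot: in the hosts-overview.asciidoc hunk (and the parallel users-overview change above it), the third bullet "<>, which displays host details." is tautological inside the "host details flyout" section, while the first two bullets add real information ("displays host risk data and inputs", "allows you to view and assign asset criticality"). Name what that section actually shows (for example the host fields and last-seen data the flyout lists) or drop the trailing clause on the third item, keeping the parallel phrasing for the first two; the same wording fix applies to "which displays user details." in the users flyout list.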