User/host details flyouts + Asset criticality (#4939) (#4975)

(cherry picked from commit 494ce02)

Co-authored-by: natasha-moore-elastic <[email protected]>

docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc

@@ -9,6 +9,7 @@ Advanced Entity Analytics provides two key capabilities:
 * <<advanced-behavioral-detections, Advanced behavioral detections>>
 
 include::entity-risk-scoring.asciidoc[leveloffset=+1]
+include::asset-criticality.asciidoc[leveloffset=+2]
 include::turn-on-risk-engine.asciidoc[leveloffset=+2]
 include::analyze-risk-score-data.asciidoc[leveloffset=+2]
 include::advanced-behavioral-detections.asciidoc[leveloffset=+1]

docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc

@@ -8,6 +8,7 @@ The {security-app} provides several options to monitor the change in the risk po
 * <<alert-details-flyout, Alert details flyout>>
 * <<hosts-users-pages, Hosts and Users pages>>
 * <<host-user-details-pages, Host and user details pages>>
+* <<host-and-user-details-flyouts, Host and user details flyouts>>
 
 TIP: We recommend that you prioritize <<alert-triaging, alert triaging>> to identify anomalies or abnormal behavior patterns.
 
@@ -23,22 +24,90 @@ image::dashboards/images/entity-dashboard.png[Entity Analytics dashboard]
 [discrete]
 [[alert-triaging]]
 == Alert triaging 
-You can prioritize alert triaging to analyze alerts associated with risky entities using the following features in the {security-app}. 
+You can prioritize alert triaging to analyze alerts associated with risky or business-critical entities using the following features in the {security-app}. 
 
 [discrete]
 [[alerts-page]]
 === Alerts page
 
-Use the Alerts table to investigate and analyze host and user risk levels and scores. We recommend adding the `user.risk.calculated_level` and `host.risk.calculated_level` columns to the Alerts table to easily display this data. To do this, select **Fields**, search for `user.risk` and `host.risk`, then select the appropriate fields from the list. Learn more about <<customize-the-alerts-table, customizing the Alerts table>>. 
+Use the Alerts table to investigate and analyze:
+
+* Host and user risk levels
+* Host and user risk scores
+* Asset criticality
+
+To display entity risk score and asset criticality data in the Alerts table, select **Fields**, and add the following:
+
+* `user.risk.calculated_level` or `host.risk.calculated_level`
+* `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm`
+* `user.asset.criticality` or `host.asset.criticality`
+
+Learn more about <<customize-the-alerts-table, customizing the Alerts table>>.
 
 [role="screenshot"]
 image::images/alerts-table-rs.png[Risk scores in the Alerts table]
 
-You can use the drop-down filter controls to filter alerts by their risk score level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`:
+[discrete]
+==== Triage alerts associated with high-risk entities
 
+To analyze alerts associated with high-risk entities, you can filter or group them by entity risk level.
+
+* Use the drop-down filter controls to filter alerts by entity risk level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`:
++
 [role="screenshot"]
 image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level]
 
+* To group alerts by entity risk level, select **Group alerts by**, then select **Custom field** and search for `host.risk.calculated_level` or `user.risk.calculated_level`.
++
+[role="screenshot"]
+image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels]
+
+** You can further sort the grouped alerts by highest entity risk score:
++
+--
+... Expand a risk level group, for example **High**.
+... Select **Sort fields** → **Pick fields to sort by**.
+... Select fields in the following order:
+.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low**
+.... `Risk score`: **High-Low**
+.... `@timestamp`: **New-Old**
+--
++
+[role="screenshot"]
+image::images/hrl-sort-by-host-risk-score.png[High-risk alerts sorted by host risk score]
+
+[discrete]
+[[triage-alerts-associated-with-business-critical-entities]]
+==== Triage alerts associated with business-critical entities
+
+To analyze alerts associated with business-critical entities, you can filter or group them by entity asset criticality.
+
+NOTE: If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level.
+
+* Use the drop-down filter controls to filter alerts by asset criticality level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.asset.criticality` or `host.asset.criticality`:
++
+[role="screenshot"]
+image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level]
+
+* To group alerts by asset criticality level, select **Group alerts by**, then select **Custom field** and search for `host.asset.criticality` or `user.asset.criticality`.
++
+[role="screenshot"]
+image::images/group-by-asset-criticality.png[Alerts grouped by entity asset criticality levels]
+
+** You can further sort the grouped alerts by highest entity risk score:
++
+--
+... Expand an asset criticality group, for example **high_impact**.
+... Select **Sort fields** → **Pick fields to sort by**.
+... Select fields in the following order:
+.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low**
+.... `Risk score`: **High-Low**
+.... `@timestamp`: **New-Old**
+--
++
+[role="screenshot"]
+image::images/ac-sort-by-host-risk-score.png[High-impact alerts sorted by host risk score]
+
 [discrete]
 [[alert-details-flyout]]
 === Alert details flyout
@@ -78,4 +147,13 @@ image::images/host-details-overview.png[Host risk data in the Overview section o
 * On the **Host risk** or **User risk** tab:
 +
 [role="screenshot"]
-image::images/host-details-hr-tab.png[Host risk data on the Host risk tab of the host details page]
+image::images/host-details-hr-tab.png[Host risk data on the Host risk tab of the host details page]
+
+[discrete]
+[[host-and-user-details-flyouts]]
+=== Host and user details flyouts
+
+In the host details and user details flyouts, you can access the risk score data in the risk summary section:
+
+[role="screenshot"]
+image::images/risk-summary.png[Host risk data in the Host risk summary section]

docs/advanced-entity-analytics/asset-criticality.asciidoc

@@ -0,0 +1,77 @@
+[[asset-criticality]]
+= Asset criticality
+
+.Requirements
+[sidebar]
+--
+To view and assign asset criticality, you must:
+
+* Have the appropriate user role.
+* Turn on the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
+
+For more information, refer to <<ers-requirements, Entity risk scoring prerequisites>>.
+--
+
+The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities.
+
+You can assign one of the following asset criticality levels to your entities, based on their impact:
+
+* Low impact
+* Medium impact
+* High impact
+* Extreme impact
+
+For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture.
+
+[discrete]
+== View and assign asset criticality
+
+Entities do not have a default asset criticality level. You can view, assign, and change asset criticality from the following places in the {elastic-sec} app:
+
+* The <<host-details-page, host details page>> and <<user-details-page, user details page>>:
++
+[role="screenshot"]
+image::images/assign-asset-criticality-host-details.png[Assign asset criticality from the host details page]
+
+* The <<host-details-flyout, host details flyout>> and <<user-details-flyout, user details flyout>>:
++
+[role="screenshot"]
+image::images/assign-asset-criticality-host-flyout.png[Assign asset criticality from the host details flyout]
+
+* The host details flyout and user details flyout in <<timelines-ui, Timeline>>:
++
+[role="screenshot"]
+image::images/assign-asset-criticality-timeline.png[Assign asset criticality from the host details flyout in Timeline]
+
+[discrete]
+== Improve your security operations
+
+With asset criticality, you can improve your security operations by:
+
+* <<prioritize-open-alerts, Prioritizing open alerts>>
+* <<monitor-entity-risk, Monitoring an entity's risk>>
+
+[discrete]
+[[prioritize-open-alerts]]
+=== Prioritize open alerts
+
+You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities.
+
+Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to <<triage-alerts-associated-with-business-critical-entities, prioritize alerts associated with high-impact entities>>.
+
+[discrete]
+[[monitor-entity-risk]]
+=== Monitor an entity's risk
+
+The risk scoring engine dynamically factors in an entity's asset criticality, along with `Open` and `Acknowledged` detection alerts to <<how-is-risk-score-calculated, calculate the entity's overall risk score>>. This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. 
+
+To view the impact of asset criticality on an entity's risk score, follow these steps:
+
+. Open the <<host-details-flyout, host details flyout>> or <<user-details-flyout, user details flyout>>. The risk summary section shows asset criticality's contribution to the overall risk score.
+. Click **View risk contributions** to open the flyout's left panel.
+. In the **Risk contributions** section, verify the entity's criticality level from the time the alert was generated.
+
+NOTE: The risk summary and **Risk contributions** sections display an entity's asset criticality from the latest risk scoring execution. If you change the asset criticality level, subsequent risk calculations will automatically factor in the newest criticality level.
+
+[role="screenshot"]
+image::images/asset-criticality-impact.png[View asset criticality impact on host risks core]

docs/advanced-entity-analytics/entity-risk-scoring.asciidoc

@@ -9,5 +9,87 @@ Entity risk scoring allows you to monitor risk score changes of hosts and users
 
 It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {elastic-sec} use cases, and allows you to customize and control how and when risk is calculated.
 
+[discrete]
+== Risk scoring inputs
+
+Entity risk scores are determined by the following risk inputs:
+
+* <<alerts-ui-manage, Alerts>>, stored in the `.alerts-security.alerts-<space-id>` index alias
+* <<asset-criticality, Asset criticality level>>, stored in the `.asset-criticality.asset-criticality-<space-id>` index alias
+
+The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias.
+
+[NOTE]
+======
+* Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score.
+* To use asset criticality, you must enable the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
+======
+
+[discrete]
+[[how-is-risk-score-calculated]]
+== How is risk score calculated?
+
+The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. It groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.
+
+The engine then verifies the entity's <<asset-criticality, asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level:
+
+[width="100%",options="header"]
+|==============================================
+|Asset criticality level |Default risk weight
+
+|Low impact |0.5
+|Medium impact |1
+|High impact |1.5
+|Extreme impact |2
+
+|==============================================
+
+NOTE: Asset criticality levels and default risk weights are subject to change.
+
+The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.
+
+Based on the two risk inputs, the risk scoring engine generates a single numeric value, normalized to a 0-100 range, as the entity risk score. It assigns a risk level by mapping the normalized risk score to one of these levels:
+
+[width="100%",options="header"]
+|==============================================
+|Risk level |Risk score
+
+|Unknown |< 20
+|Low |20-40
+|Moderate |40-70
+|High |70-90
+|Critical |> 90
+
+|==============================================
+
+.Click for a risk score calculation example
+[%collapsible]
+====
+This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**.
+
+There are 5 open alerts associated with `User_A`:
+
+* Alert 1 with alert risk score 21
+* Alert 2 with alert risk score 45
+* Alert 3 with alert risk score 21
+* Alert 4 with alert risk score 70
+* Alert 5 with alert risk score 21
+
+To calculate the user risk score, the risk scoring engine:
+
+. Sorts the associated alerts in descending order of alert risk score:
+** Alert 4 with alert risk score 70
+** Alert 2 with alert risk score 45
+** Alert 1 with alert risk score 21
+** Alert 3 with alert risk score 21
+** Alert 5 with alert risk score 21
+. Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category.
+. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**.
+. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95.
+. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level.
+
+If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16.
+====
+
 Learn how to <<turn-on-risk-engine, turn on the latest risk scoring engine>>.
 

docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc

@@ -5,20 +5,6 @@ beta[]
 
 IMPORTANT: To use entity risk scoring, your role must have the appropriate privileges. For more information, refer to <<ers-requirements, Entity risk scoring prerequisites>>.
 
-The latest risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` <<alerts-ui-manage, alerts>> from the last 30 days, and assigns risk score to the host or user. It then aggregates the individual risk scores and normalizes them to a 0-100 range. The engine assigns a risk level by mapping the normalized risk score to one of these levels:
-
-[width="100%",options="header"]
-|==============================================
-|Risk level |Risk score
-
-|Unknown |< 20
-|Low |20-40
-|Moderate |40-70
-|High     | 70-90
-|Critical  | > 90
-
-|==============================================
-
 [discrete]
 == Preview risky entities
 

docs/detections/alerts-ui-manage.asciidoc

@@ -24,6 +24,8 @@ image::images/view-alert-details.png[View details button, 200]
 
 * View the rule that created an alert. Click a name in the *Rule* column to open the rule's details page.
 
+* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the <<host-details-flyout, host details flyout>>, or a user name to open the <<user-details-flyout, user details flyout>>.
+
 * Filter for a specific rule in the KQL bar (for example, `kibana.alert.rule.name :"SSH (Secure Shell) from the Internet"`). KQL autocomplete is available for `.alerts-security.alerts-*` indices.
 
 * Use the date and time filter to define a specific time range. By default, this filter is set to search the last 24 hours.

docs/getting-started/advanced-setting.asciidoc

@@ -109,6 +109,11 @@ retrieved.
 
 The `securitySolution:enableExpandableFlyout` setting enables the expandable alert details flyout on the Alerts page. This setting is turned on by default. Turn it off to apply the simplified alert details flyout design that was used in {elastic-sec} 8.9 and earlier.
 
+[discrete]
+[[enable-asset-criticality]]
+== Enable asset criticality workflows
+The `securitySolution:enableAssetCriticality` setting determines whether asset criticality is included as a risk input to entity risk scoring. This setting is turned off by default. Turn it on to enable asset criticality workflows and to use asset criticality as part of entity risk scoring.
+
 [discrete]
 [[exclude-cold-frozen-tiers]]
 == Exclude cold and frozen tier data from analyzer queries

docs/getting-started/ers-req.asciidoc

@@ -1,12 +1,15 @@
 [[ers-requirements]]
 = Entity risk scoring prerequisites
 
-To use entity risk scoring, your role must have certain cluster, index, and {kib} privileges. This feature requires a https://www.elastic.co/pricing[Platinum subscription] or higher.
+To use entity risk scoring and asset criticality, your role must have certain cluster, index, and {kib} privileges. These features require a https://www.elastic.co/pricing[Platinum subscription] or higher.
 
-This page covers the requirements and guidelines for using the entity risk scoring feature, as well as its known limitations.
+This page covers the requirements and guidelines for using the entity risk scoring and asset criticality features, as well as their known limitations.
 
 [discrete]
-== Privileges
+== Entity risk scoring
+
+[discrete]
+=== Privileges
 
 To turn on the risk scoring engine, you need the following privileges:
 
@@ -26,7 +29,7 @@ a|
 |==============================================
 
 [discrete]
-== {es} resource guidelines
+=== {es} resource guidelines
 
 Follow these guidelines to ensure clusters have adequate memory to handle data volume:
 
@@ -35,8 +38,25 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v
 * With 1GB of JVM heap, the risk scoring engine can safely process around 20 million documents, or 30 days of risk data with an ingest rate of around 450 documents per minute.
 
 [discrete]
-== Known limitations
+=== Known limitations
 
 * You can only enable the risk scoring engine in a single {kib} space within a cluster.
 
 * The risk scoring engine uses an internal user role to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores.
+
+[discrete]
+== Asset criticality
+
+To use the asset criticality feature, turn on the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
+
+[discrete]
+=== Privileges
+
+* To view an entity's asset criticality, you need the `read` privilege for the `.asset-criticality.asset-criticality-<space-id>` index.
+
+* To view, assign, or change an entity's asset criticality, you need the `read` and `write` privileges for the `.asset-criticality.asset-criticality-<space-id>` index.
+
+[discrete]
+=== Known limitations
+
+* You cannot disable asset criticality as a risk input. Once assigned, an asset criticality level can be changed but not unassigned.