diff --git a/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc b/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc index 2a035c4a2a..802809a1b5 100644 --- a/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc +++ b/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc @@ -9,6 +9,7 @@ Advanced Entity Analytics provides two key capabilities: * <> include::entity-risk-scoring.asciidoc[leveloffset=+1] +include::asset-criticality.asciidoc[leveloffset=+2] include::turn-on-risk-engine.asciidoc[leveloffset=+2] include::analyze-risk-score-data.asciidoc[leveloffset=+2] include::advanced-behavioral-detections.asciidoc[leveloffset=+1] diff --git a/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc b/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc index d4570835ca..be3087461c 100644 --- a/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc +++ b/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc @@ -8,6 +8,7 @@ The {security-app} provides several options to monitor the change in the risk po * <> * <> * <> +* <> TIP: We recommend that you prioritize <> to identify anomalies or abnormal behavior patterns. 
@@ -23,22 +24,90 @@ image::dashboards/images/entity-dashboard.png[Entity Analytics dashboard] [discrete] [[alert-triaging]] == Alert triaging -You can prioritize alert triaging to analyze alerts associated with risky entities using the following features in the {security-app}. +You can prioritize alert triaging to analyze alerts associated with risky or business-critical entities using the following features in the {security-app}. [discrete] [[alerts-page]] === Alerts page -Use the Alerts table to investigate and analyze host and user risk levels and scores. We recommend adding the `user.risk.calculated_level` and `host.risk.calculated_level` columns to the Alerts table to easily display this data. To do this, select **Fields**, search for `user.risk` and `host.risk`, then select the appropriate fields from the list. Learn more about <>. +Use the Alerts table to investigate and analyze: + +* Host and user risk levels +* Host and user risk scores +* Asset criticality + +To display entity risk score and asset criticality data in the Alerts table, select **Fields**, and add the following: + +* `user.risk.calculated_level` or `host.risk.calculated_level` +* `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm` +* `user.asset.criticality` or `host.asset.criticality` + +Learn more about <>. [role="screenshot"] image::images/alerts-table-rs.png[Risk scores in the Alerts table] -You can use the drop-down filter controls to filter alerts by their risk score level. To do this, <> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`: +[discrete] +==== Triage alerts associated with high-risk entities +To analyze alerts associated with high-risk entities, you can filter or group them by entity risk level. + +* Use the drop-down filter controls to filter alerts by entity risk level. 
To do this, <> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`: ++ [role="screenshot"] image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level] +* To group alerts by entity risk level, select **Group alerts by**, then select **Custom field** and search for `host.risk.calculated_level` or `user.risk.calculated_level`. ++ +[role="screenshot"] +image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels] + +** You can further sort the grouped alerts by highest entity risk score: ++ +-- +... Expand a risk level group, for example **High**. +... Select **Sort fields** → **Pick fields to sort by**. +... Select fields in the following order: +.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low** +.... `Risk score`: **High-Low** +.... `@timestamp`: **New-Old** +-- ++ +[role="screenshot"] +image::images/hrl-sort-by-host-risk-score.png[High-risk alerts sorted by host risk score] + +[discrete] +[[triage-alerts-associated-with-business-critical-entities]] +==== Triage alerts associated with business-critical entities + +To analyze alerts associated with business-critical entities, you can filter or group them by entity asset criticality. + +NOTE: If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level. + +* Use the drop-down filter controls to filter alerts by asset criticality level. To do this, <> to filter by `user.asset.criticality` or `host.asset.criticality`: ++ +[role="screenshot"] +image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level] + +* To group alerts by asset criticality level, select **Group alerts by**, then select **Custom field** and search for `host.asset.criticality` or `user.asset.criticality`. 
++ +[role="screenshot"] +image::images/group-by-asset-criticality.png[Alerts grouped by entity asset criticality levels] + +** You can further sort the grouped alerts by highest entity risk score: ++ +-- +... Expand an asset criticality group, for example **high_impact**. +... Select **Sort fields** → **Pick fields to sort by**. +... Select fields in the following order: +.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low** +.... `Risk score`: **High-Low** +.... `@timestamp`: **New-Old** +-- ++ +[role="screenshot"] +image::images/ac-sort-by-host-risk-score.png[High-impact alerts sorted by host risk score] + [discrete] [[alert-details-flyout]] === Alert details flyout @@ -78,4 +147,13 @@ image::images/host-details-overview.png[Host risk data in the Overview section o * On the **Host risk** or **User risk** tab: + [role="screenshot"] -image::images/host-details-hr-tab.png[Host risk data on the Host risk tab of the host details page] \ No newline at end of file +image::images/host-details-hr-tab.png[Host risk data on the Host risk tab of the host details page] + +[discrete] +[[host-and-user-details-flyouts]] +=== Host and user details flyouts + +In the host details and user details flyouts, you can access the risk score data in the risk summary section: + +[role="screenshot"] +image::images/risk-summary.png[Host risk data in the Host risk summary section] diff --git a/docs/advanced-entity-analytics/asset-criticality.asciidoc b/docs/advanced-entity-analytics/asset-criticality.asciidoc new file mode 100644 index 0000000000..1d546cb68f --- /dev/null +++ b/docs/advanced-entity-analytics/asset-criticality.asciidoc 
@@ -0,0 +1,77 @@ +[[asset-criticality]] += Asset criticality + +.Requirements +[sidebar] +-- +To view and assign asset criticality, you must: + +* Have the appropriate user role. +* Turn on the `securitySolution:enableAssetCriticality` <>. + +For more information, refer to <>. +-- + +The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. + +You can assign one of the following asset criticality levels to your entities, based on their impact: + +* Low impact +* Medium impact +* High impact +* Extreme impact + +For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. + +[discrete] +== View and assign asset criticality + +Entities do not have a default asset criticality level. 
You can view, assign, and change asset criticality from the following places in the {elastic-sec} app: + +* The <> and <>: ++ +[role="screenshot"] +image::images/assign-asset-criticality-host-details.png[Assign asset criticality from the host details page] + +* The <> and <>: ++ +[role="screenshot"] +image::images/assign-asset-criticality-host-flyout.png[Assign asset criticality from the host details flyout] + +* The host details flyout and user details flyout in <>: ++ +[role="screenshot"] +image::images/assign-asset-criticality-timeline.png[Assign asset criticality from the host details flyout in Timeline] + +[discrete] +== Improve your security operations + +With asset criticality, you can improve your security operations by: + +* <> +* <> + +[discrete] +[[prioritize-open-alerts]] +=== Prioritize open alerts + +You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. + +Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to <>. + +[discrete] +[[monitor-entity-risk]] +=== Monitor an entity's risk + +The risk scoring engine dynamically factors in an entity's asset criticality, along with `Open` and `Acknowledged` detection alerts to <>. This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. + +To view the impact of asset criticality on an entity's risk score, follow these steps: + +. Open the <> or <>. The risk summary section shows asset criticality's contribution to the overall risk score. +. Click **View risk contributions** to open the flyout's left panel. +. In the **Risk contributions** section, verify the entity's criticality level from the time the alert was generated. 
+ +NOTE: The risk summary and **Risk contributions** sections display an entity's asset criticality from the latest risk scoring execution. If you change the asset criticality level, subsequent risk calculations will automatically factor in the newest criticality level. + +[role="screenshot"] +image::images/asset-criticality-impact.png[View asset criticality impact on host risks core] diff --git a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc index bbfc7ea1a0..1c69595ebb 100644 --- a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc +++ b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc 
@@ -9,5 +9,87 @@ Entity risk scoring allows you to monitor risk score changes of hosts and users It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {elastic-sec} use cases, and allows you to customize and control how and when risk is calculated. +[discrete] +== Risk scoring inputs + +Entity risk scores are determined by the following risk inputs: + +* <>, stored in the `.alerts-security.alerts-` index alias +* <>, stored in the `.asset-criticality.asset-criticality-` index alias + +The resulting entity risk scores are stored in the `risk-score.risk-score-` data stream alias. + +[NOTE] +====== +* Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score. +* To use asset criticality, you must enable the `securitySolution:enableAssetCriticality` <>. +====== + +[discrete] +[[how-is-risk-score-calculated]] +== How is risk score calculated? + +The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. It groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <>. + +The engine then verifies the entity's <>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. 
If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level: + +[width="100%",options="header"] +|============================================== +|Asset criticality level |Default risk weight + +|Low impact |0.5 +|Medium impact |1 +|High impact |1.5 +|Extreme impact |2 + +|============================================== + +NOTE: Asset criticality levels and default risk weights are subject to change. + +The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary. + +Based on the two risk inputs, the risk scoring engine generates a single numeric value, normalized to a 0-100 range, as the entity risk score. It assigns a risk level by mapping the normalized risk score to one of these levels: + +[width="100%",options="header"] +|============================================== +|Risk level |Risk score + +|Unknown |< 20 +|Low |20-40 +|Moderate |40-70 +|High |70-90 +|Critical |> 90 + +|============================================== + +.Click for a risk score calculation example +[%collapsible] +==== +This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**. + +There are 5 open alerts associated with `User_A`: + +* Alert 1 with alert risk score 21 +* Alert 2 with alert risk score 45 +* Alert 3 with alert risk score 21 +* Alert 4 with alert risk score 70 +* Alert 5 with alert risk score 21 + +To calculate the user risk score, the risk scoring engine: + +. Sorts the associated alerts in descending order of alert risk score: +** Alert 4 with alert risk score 70 +** Alert 2 with alert risk score 45 +** Alert 1 with alert risk score 21 +** Alert 3 with alert risk score 21 +** Alert 5 with alert risk score 21 +. Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category. +. 
Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**. +. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95. +. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level. + +If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16. +==== + Learn how to <>. diff --git a/docs/advanced-entity-analytics/images/ac-sort-by-host-risk-score.png b/docs/advanced-entity-analytics/images/ac-sort-by-host-risk-score.png new file mode 100644 index 0000000000..f417fd9c39 Binary files /dev/null and b/docs/advanced-entity-analytics/images/ac-sort-by-host-risk-score.png differ diff --git a/docs/advanced-entity-analytics/images/alerts-table-rs.png b/docs/advanced-entity-analytics/images/alerts-table-rs.png index 1ff91095e7..d572deafa7 100644 Binary files a/docs/advanced-entity-analytics/images/alerts-table-rs.png and b/docs/advanced-entity-analytics/images/alerts-table-rs.png differ diff --git a/docs/advanced-entity-analytics/images/asset-criticality-impact.png b/docs/advanced-entity-analytics/images/asset-criticality-impact.png new file mode 100644 index 0000000000..d53957b832 Binary files /dev/null and b/docs/advanced-entity-analytics/images/asset-criticality-impact.png differ diff --git a/docs/advanced-entity-analytics/images/assign-asset-criticality-host-details.png b/docs/advanced-entity-analytics/images/assign-asset-criticality-host-details.png new file mode 100644 index 0000000000..c55e4b5e7d Binary files /dev/null and b/docs/advanced-entity-analytics/images/assign-asset-criticality-host-details.png differ 
diff --git a/docs/advanced-entity-analytics/images/assign-asset-criticality-host-flyout.png b/docs/advanced-entity-analytics/images/assign-asset-criticality-host-flyout.png new file mode 100644 index 0000000000..cc3e8cd29d Binary files /dev/null and b/docs/advanced-entity-analytics/images/assign-asset-criticality-host-flyout.png differ diff --git a/docs/advanced-entity-analytics/images/assign-asset-criticality-timeline.png b/docs/advanced-entity-analytics/images/assign-asset-criticality-timeline.png new file mode 100644 index 0000000000..7551ac7eb9 Binary files /dev/null and b/docs/advanced-entity-analytics/images/assign-asset-criticality-timeline.png differ diff --git a/docs/advanced-entity-analytics/images/filter-by-asset-criticality.png b/docs/advanced-entity-analytics/images/filter-by-asset-criticality.png new file mode 100644 index 0000000000..d5f426ca27 Binary files /dev/null and b/docs/advanced-entity-analytics/images/filter-by-asset-criticality.png differ diff --git a/docs/advanced-entity-analytics/images/filter-by-host-risk-level.png b/docs/advanced-entity-analytics/images/filter-by-host-risk-level.png index 5f9114c85d..84a56291d6 100644 Binary files a/docs/advanced-entity-analytics/images/filter-by-host-risk-level.png and b/docs/advanced-entity-analytics/images/filter-by-host-risk-level.png differ diff --git a/docs/advanced-entity-analytics/images/group-by-asset-criticality.png b/docs/advanced-entity-analytics/images/group-by-asset-criticality.png new file mode 100644 index 0000000000..5d5fa6e283 Binary files /dev/null and b/docs/advanced-entity-analytics/images/group-by-asset-criticality.png differ diff --git a/docs/advanced-entity-analytics/images/group-by-host-risk-level.png b/docs/advanced-entity-analytics/images/group-by-host-risk-level.png new file mode 100644 index 0000000000..3c40e9dbf5 Binary files /dev/null and b/docs/advanced-entity-analytics/images/group-by-host-risk-level.png differ 
diff --git a/docs/advanced-entity-analytics/images/host-details-overview.png b/docs/advanced-entity-analytics/images/host-details-overview.png index 2de6413ade..8c19f8b90c 100644 Binary files a/docs/advanced-entity-analytics/images/host-details-overview.png and b/docs/advanced-entity-analytics/images/host-details-overview.png differ diff --git a/docs/advanced-entity-analytics/images/hrl-sort-by-host-risk-score.png b/docs/advanced-entity-analytics/images/hrl-sort-by-host-risk-score.png new file mode 100644 index 0000000000..57ee2bbee1 Binary files /dev/null and b/docs/advanced-entity-analytics/images/hrl-sort-by-host-risk-score.png differ diff --git a/docs/advanced-entity-analytics/images/risk-summary.png b/docs/advanced-entity-analytics/images/risk-summary.png new file mode 100644 index 0000000000..0389dade2e Binary files /dev/null and b/docs/advanced-entity-analytics/images/risk-summary.png differ diff --git a/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc b/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc index a711268ef8..7cbd3c1e40 100644 --- a/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc +++ b/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc @@ -5,20 +5,6 @@ beta[] IMPORTANT: To use entity risk scoring, your role must have the appropriate privileges. For more information, refer to <>. -The latest risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` <> from the last 30 days, and assigns risk score to the host or user. It then aggregates the individual risk scores and normalizes them to a 0-100 range. The engine assigns a risk level by mapping the normalized risk score to one of these levels: - -[width="100%",options="header"] -|============================================== -|Risk level |Risk score - -|Unknown |< 20 -|Low |20-40 -|Moderate |40-70 -|High | 70-90 -|Critical | > 90 - -|============================================== - [discrete] == Preview risky entities 
diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index 623d661b58..f129eafd10 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc @@ -24,6 +24,8 @@ image::images/view-alert-details.png[View details button, 200] * View the rule that created an alert. Click a name in the *Rule* column to open the rule's details page. +* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the <>, or a user name to open the <>. + * Filter for a specific rule in the KQL bar (for example, `kibana.alert.rule.name :"SSH (Secure Shell) from the Internet"`). KQL autocomplete is available for `.alerts-security.alerts-*` indices. * Use the date and time filter to define a specific time range. By default, this filter is set to search the last 24 hours. diff --git a/docs/getting-started/advanced-setting.asciidoc b/docs/getting-started/advanced-setting.asciidoc index 38fe3dd10d..942085cfea 100644 --- a/docs/getting-started/advanced-setting.asciidoc +++ b/docs/getting-started/advanced-setting.asciidoc @@ -109,6 +109,11 @@ retrieved. The `securitySolution:enableExpandableFlyout` setting enables the expandable alert details flyout on the Alerts page. This setting is turned on by default. Turn it off to apply the simplified alert details flyout design that was used in {elastic-sec} 8.9 and earlier. +[discrete] +[[enable-asset-criticality]] +== Enable asset criticality workflows +The `securitySolution:enableAssetCriticality` setting determines whether asset criticality is included as a risk input to entity risk scoring. This setting is turned off by default. Turn it on to enable asset criticality workflows and to use asset criticality as part of entity risk scoring. + [discrete] [[exclude-cold-frozen-tiers]] == Exclude cold and frozen tier data from analyzer queries 
diff --git a/docs/getting-started/ers-req.asciidoc b/docs/getting-started/ers-req.asciidoc index ddfc1e8e44..141e4f9879 100644 --- a/docs/getting-started/ers-req.asciidoc +++ b/docs/getting-started/ers-req.asciidoc @@ -1,12 +1,15 @@ [[ers-requirements]] = Entity risk scoring prerequisites -To use entity risk scoring, your role must have certain cluster, index, and {kib} privileges. This feature requires a https://www.elastic.co/pricing[Platinum subscription] or higher. +To use entity risk scoring and asset criticality, your role must have certain cluster, index, and {kib} privileges. These features require a https://www.elastic.co/pricing[Platinum subscription] or higher. -This page covers the requirements and guidelines for using the entity risk scoring feature, as well as its known limitations. +This page covers the requirements and guidelines for using the entity risk scoring and asset criticality features, as well as their known limitations. [discrete] -== Privileges +== Entity risk scoring + +[discrete] +=== Privileges To turn on the risk scoring engine, you need the following privileges: @@ -26,7 +29,7 @@ a| |============================================== [discrete] -== {es} resource guidelines +=== {es} resource guidelines Follow these guidelines to ensure clusters have adequate memory to handle data volume: 
@@ -35,8 +38,25 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v * With 1GB of JVM heap, the risk scoring engine can safely process around 20 million documents, or 30 days of risk data with an ingest rate of around 450 documents per minute. [discrete] -== Known limitations +=== Known limitations * You can only enable the risk scoring engine in a single {kib} space within a cluster. * The risk scoring engine uses an internal user role to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores. + +[discrete] +== Asset criticality + +To use the asset criticality feature, turn on the `securitySolution:enableAssetCriticality` <>. + +[discrete] +=== Privileges + +* To view an entity's asset criticality, you need the `read` privilege for the `.asset-criticality.asset-criticality-` index. + +* To view, assign, or change an entity's asset criticality, you need the `read` and `write` privileges for the `.asset-criticality.asset-criticality-` index. + +[discrete] +=== Known limitations + +* You cannot disable asset criticality as a risk input. Once assigned, an asset criticality level can be changed but not unassigned. \ No newline at end of file diff --git a/docs/getting-started/images/users/user-asset-criticality.png b/docs/getting-started/images/users/user-asset-criticality.png new file mode 100644 index 0000000000..72e4e34ca1 Binary files /dev/null and b/docs/getting-started/images/users/user-asset-criticality.png differ diff --git a/docs/getting-started/images/users/user-details-flyout.png b/docs/getting-started/images/users/user-details-flyout.png new file mode 100644 index 0000000000..99452099e2 Binary files /dev/null and b/docs/getting-started/images/users/user-details-flyout.png differ 
diff --git a/docs/getting-started/images/users/user-details-pg.png b/docs/getting-started/images/users/user-details-pg.png index 276287449b..f26432f08d 100644 Binary files a/docs/getting-started/images/users/user-details-pg.png and b/docs/getting-started/images/users/user-details-pg.png differ diff --git a/docs/getting-started/images/users/user-observed-data.png b/docs/getting-started/images/users/user-observed-data.png new file mode 100644 index 0000000000..0f2ec3f9f4 Binary files /dev/null and b/docs/getting-started/images/users/user-observed-data.png differ diff --git a/docs/getting-started/images/users/user-risk-inputs.png b/docs/getting-started/images/users/user-risk-inputs.png new file mode 100644 index 0000000000..e08923e285 Binary files /dev/null and b/docs/getting-started/images/users/user-risk-inputs.png differ diff --git a/docs/getting-started/users-page.asciidoc b/docs/getting-started/users-page.asciidoc index 66ab3ae783..279380ee7e 100644 --- a/docs/getting-started/users-page.asciidoc +++ b/docs/getting-started/users-page.asciidoc 
@@ -29,13 +29,15 @@ Beneath the KPI charts are data tables, which are useful for viewing and investi The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to <>. [discrete] +[[user-details-page]] == User details page - A user's details page displays all relevant information for the selected user. To view a user's details page, click its *User name* link from the *All users* table. The user details page includes the following sections: +* **Asset Criticality**: If the `securitySolution:enableAssetCriticality` <> is on, this section displays the user's current <>. + * *Summary*: Details such as the user ID, when the user was first and last seen, the associated IP address(es), and operating system. If the user risk score feature is enabled, this section also displays user risk score data. * *Alert metrics*: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). 
@@ -43,4 +45,72 @@ The user details page includes the following sections: * *Data tables*: The same data tables as on the main Users page, except with values for the selected user instead of for all users. [role="screenshot"] -image::images/users/user-details-pg.png[User details page] +image::images/users/user-details-pg.png[User details page] + +[discrete] +[[user-details-flyout]] +== User details flyout + +In addition to the user details page, relevant user information is also available in the user details flyout throughout the {elastic-sec} app. You can access this flyout from the following places: + +* The Alerts page, by clicking on a user name in the Alerts table +* The **Events** tab on the Users and user details pages, by clicking on a user name in the Events table +* The **User risk** tab on the user details page, by clicking on a user name in the Top risk score contributors table +* The **Events** tab on the Hosts and host details pages, by clicking on a user name in the Events table +* The **Host risk** tab on the host details page, by clicking on a user name in the Top risk score contributors table + +The user details flyout includes the following sections: + +* <> +* <> +* <> + +[role="screenshot"] +image::images/users/user-details-flyout.png[User details flyout] + +[discrete] +[[user-risk-summary]] +=== User risk summary + +.Requirements +[sidebar] +-- +The **User risk summary** section is only available if the <>. +-- + +The **User risk summary** section contains a risk summary visualization and table. + +The risk summary visualization shows the user risk score and user risk level. Hover over the visualization to display the **Options** menu. Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. + +The risk summary table shows the category, score, and number of risk inputs that determine the user risk score. 
Hover over the table to display the **Inspect** button, which allows you to inspect the table's queries. + +To expand the **User risk summary** section, click **View risk contributions**. The left panel displays additional details about the user's risk inputs. + +[role="screenshot"] +image::images/users/user-risk-inputs.png[User risk inputs] + +[discrete] +[[user-asset-criticality-section]] +=== Asset Criticality + +.Requirements +[sidebar] +-- +The **Asset Criticality** section is only available if the `securitySolution:enableAssetCriticality` <> is on. +-- + +The **Asset Criticality** section displays the selected user's <>. Asset criticality contributes to the overall <>. The criticality level defines how impactful the user is when calculating the risk score. + +[role="screenshot"] +image::images/users/user-asset-criticality.png[Asset criticality] + +Click **Assign** to assign a criticality level to the selected user, or **Change** to change the currently assigned criticality level. + +[discrete] +[[user-observed-data]] +=== Observed data + +This section displays details such as the user ID, when the user was first and last seen, and the associated IP addresses and operating system. + +[role="screenshot"] +image::images/users/user-observed-data.png[User observed data] diff --git a/docs/management/hosts/hosts-overview.asciidoc b/docs/management/hosts/hosts-overview.asciidoc index fa3e2c24f8..786f2025e8 100644 --- a/docs/management/hosts/hosts-overview.asciidoc +++ b/docs/management/hosts/hosts-overview.asciidoc 
@@ -34,17 +34,86 @@ The tables within the *Events* and *Sessions* tabs include inline actions and se [role="screenshot"] image::images/events-table.png[Events table] -[[host-details-page]] [discrete] +[[host-details-page]] == Host details page A host's details page displays all relevant information for the selected host. To view a host's details page, click its *Host name* link in the *All hosts* table. The host details page includes the following sections: +* **Asset Criticality**: If the `securitySolution:enableAssetCriticality` <> is on, this section displays the host's current <>. * *Summary*: Details such as the host ID, when the host was first and last seen, the associated IP addresses, and associated operating system. If the host risk score feature is enabled, this section also displays host risk score data. * *Alert metrics*: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). * *Data tables*: The same data tables as on the main Hosts page, except with values for the selected host instead of all hosts. [role="screenshot"] image::images/hosts-detail-pg.png[Host's details page] + +[discrete] +[[host-details-flyout]] +== Host details flyout + +In addition to the host details page, relevant host information is also available in the host details flyout throughout the {elastic-sec} app. 
You can access this flyout from the following places: + +* The Alerts page, by clicking on a host name in the Alerts table +* The **Events** tab on the Users and user details pages, by clicking on a host name in the Events table +* The **User risk** tab on the user details page, by clicking on a host name in the Top risk score contributors table +* The **Events** tab on the Hosts and host details pages, by clicking on a host name in the Events table +* The **Host risk** tab on the host details page, by clicking on a host name in the Top risk score contributors table + +The host details flyout includes the following sections: + +* <> +* <> +* <> + +[role="screenshot"] +image::images/host-details-flyout.png[Host details flyout] + +[discrete] +[[host-risk-summary]] +=== Host risk summary + +.Requirements +[sidebar] +-- +The **Host risk summary** section is only available if the <>. +-- + +The **Host risk summary** section contains a risk summary visualization and table. + +The risk summary visualization shows the host risk score and host risk level. Hover over the visualization to display the **Options** menu. Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. + +The risk summary table shows the category, score, and number of risk inputs that determine the host risk score. Hover over the table to display the **Inspect** button, which allows you to inspect the table's queries. + +To expand the **Host risk summary** section, click **View risk contributions**. The left panel displays additional details about the host's risk inputs. + +[role="screenshot"] +image::images/host-risk-inputs.png[Host risk inputs] + +[discrete] +[[host-asset-criticality-section]] +=== Asset Criticality + +.Requirements +[sidebar] +-- +The **Asset Criticality** section is only available if the `securitySolution:enableAssetCriticality` <> is on. 
+-- + +The **Asset Criticality** section displays the selected host's <>. Asset criticality contributes to the overall <>. The criticality level defines how impactful the host is when calculating the risk score. + +[role="screenshot"] +image::images/host-asset-criticality.png[Asset criticality] + +Click **Assign** to assign a criticality level to the selected host, or **Change** to change the currently assigned criticality level. + +[discrete] +[[host-observed-data]] +=== Observed data + +This section displays details such as the host ID, when the host was first and last seen, the associated IP addresses and operating system, and the relevant Endpoint integration policy information. + +[role="screenshot"] +image::images/host-observed-data.png[Host observed data] diff --git a/docs/management/hosts/images/host-asset-criticality.png b/docs/management/hosts/images/host-asset-criticality.png new file mode 100644 index 0000000000..c3157649f1 Binary files /dev/null and b/docs/management/hosts/images/host-asset-criticality.png differ diff --git a/docs/management/hosts/images/host-details-flyout.png b/docs/management/hosts/images/host-details-flyout.png new file mode 100644 index 0000000000..cf042949d6 Binary files /dev/null and b/docs/management/hosts/images/host-details-flyout.png differ diff --git a/docs/management/hosts/images/host-observed-data.png b/docs/management/hosts/images/host-observed-data.png new file mode 100644 index 0000000000..6b4b04ccb9 Binary files /dev/null and b/docs/management/hosts/images/host-observed-data.png differ diff --git a/docs/management/hosts/images/host-risk-inputs.png b/docs/management/hosts/images/host-risk-inputs.png new file mode 100644 index 0000000000..1c0a58af10 Binary files /dev/null and b/docs/management/hosts/images/host-risk-inputs.png differ 
diff --git a/docs/management/hosts/images/hosts-detail-pg.png b/docs/management/hosts/images/hosts-detail-pg.png index 3076b23ace..b883fdf85b 100644 Binary files a/docs/management/hosts/images/hosts-detail-pg.png and b/docs/management/hosts/images/hosts-detail-pg.png differ
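Review bot: In analyze-risk-score-data.asciidoc, the sort step `.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low**` is missing a space before "or"; it appears twice, once under "Triage alerts associated with high-risk entities" and once under "Triage alerts associated with business-critical entities", so fix both occurrences. The NOTE that an alert keeps the criticality level that was current when it was generated is useful here; consider stating in the same sentence that the risk summary, by contrast, reflects the latest scoring run, since readers will otherwise see two different criticality values for the same entity and assume a bug.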
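Review bot: In asset-criticality.asciidoc, step 3 of "Monitor an entity's risk" ("verify the entity's criticality level from the time the alert was generated") contradicts the NOTE directly below it, which says the risk summary and **Risk contributions** sections show the criticality "from the latest risk scoring execution"; one of the two needs to change so the procedure and the note agree. Also, the image alt text `View asset criticality impact on host risks core` should read "host risk score".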
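Review bot: In entity-risk-scoring.asciidoc, the risk level table has overlapping boundaries (`|Low |20-40` and `|Moderate |40-70`, likewise 70 and 90), so a score of exactly 40 is not assigned to a single level; state which end of each range is inclusive, for example "20 to less than 40". The worked example assigns a 16.95 contribution for an **Extreme impact** entity with a default weight of 2, but nothing in the section explains how the weight produces that number, so a sentence on how the weight is applied (or a statement that it is not a simple multiplier on the alerts score) would stop readers from trying to reproduce 36.16 x 2. Finally, the index names `.alerts-security.alerts-`, `.asset-criticality.asset-criticality-` and `risk-score.risk-score-` end in a bare hyphen, which reads as a truncated suffix; elsewhere in this change the alerts index is written as `.alerts-security.alerts-*`, so either use the same pattern form or spell out what follows the hyphen.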
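Review bot: In turn-on-risk-engine.asciidoc, removing the hourly-aggregation paragraph and the risk level table leaves this page with no pointer to where that explanation now lives; add a cross-reference to the new "How is risk score calculated?" section (anchor `how-is-risk-score-calculated` in entity-risk-scoring.asciidoc) near the IMPORTANT admonition so readers who land here still find the level mapping.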
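Review bot: In ers-req.asciidoc, the new Known limitations bullet "You cannot disable asset criticality as a risk input" reads as contradicting advanced-setting.asciidoc in the same change, which says the `securitySolution:enableAssetCriticality` setting "determines whether asset criticality is included as a risk input" and is off by default; clarify that the limitation applies while the setting is on (an assigned level cannot be excluded from scoring or unassigned), or reword one of the two. The privileges bullets name the index as `.asset-criticality.asset-criticality-` with a trailing hyphen, which is not a usable index name or pattern in a role definition; give the full name or a wildcard pattern. The file also ends with `\ No newline at end of file`, so add a trailing newline.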
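Review bot: In users-page.asciidoc, the new bullet `* **Asset Criticality**:` uses double-asterisk bold while the sibling items in the same list use single-asterisk bold (`* *Summary*:`, `* *Alert metrics*:`); pick one style for the list. The hunk also drops the blank line between `== User details page` and the paragraph that follows, which differs from the spacing used under the other headings in this file.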
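Review bot: In hosts-overview.asciidoc, the same bold-style mismatch appears: `* **Asset Criticality**:` sits in a list whose other items use `* *Summary*:` and `* *Alert metrics*:`; make the markers consistent. The host details flyout and user details flyout sections are near-verbatim copies of each other across this file and users-page.asciidoc, so any future wording fix has to be applied twice; consider pulling the shared text into an included snippet, as the overview file already does with `include::` directives.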