EA doc enhancements (#5038)

* EA doc enhancements * Adds missing colons * Update docs/advanced-entity-analytics/entity-risk-scoring.asciidoc Co-authored-by: Nastasha Solomon <[email protected]> --------- Co-authored-by: Nastasha Solomon <[email protected]> (cherry picked from commit 3b081a9) # Conflicts: # docs/advanced-entity-analytics/entity-risk-scoring.asciidoc
elastic · Apr 12, 2024 · ceba115 · ceba115
1 parent 1766175
commit ceba115
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 47 deletions.
diff --git a/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc b/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc
@@ -48,65 +48,50 @@ Learn more about <<customize-the-alerts-table, customizing the Alerts table>>.
 image::images/alerts-table-rs.png[Risk scores in the Alerts table]
 
 [discrete]
-==== Triage alerts associated with high-risk entities
+[[triage-alerts-associated-with-high-risk-or-business-critical-entities]]
+==== Triage alerts associated with high-risk or business-critical entities
 
-To analyze alerts associated with high-risk entities, you can filter or group them by entity risk level.
+To analyze alerts associated with high-risk or business-critical entities, you can filter or group them by entity risk level or asset criticality level.
 
-* Use the drop-down filter controls to filter alerts by entity risk level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`:
-+
-[role="screenshot"]
-image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level]
+NOTE: If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level.
+
+* Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by:
 
-* To group alerts by entity risk level, select **Group alerts by**, then select **Custom field** and search for `host.risk.calculated_level` or `user.risk.calculated_level`.
+** `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level:
 +
 [role="screenshot"]
-image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels]
+image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level]
 
-** You can further sort the grouped alerts by highest entity risk score:
-+
---
-... Expand a risk level group, for example **High**.
-... Select **Sort fields** → **Pick fields to sort by**.
-... Select fields in the following order:
-.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low**
-.... `Risk score`: **High-Low**
-.... `@timestamp`: **New-Old**
---
+** `user.asset.criticality` or `host.asset.criticality` for asset criticality level:
 +
 [role="screenshot"]
-image::images/hrl-sort-by-host-risk-score.png[High-risk alerts sorted by host risk score]
-
-[discrete]
-[[triage-alerts-associated-with-business-critical-entities]]
-==== Triage alerts associated with business-critical entities
-
-To analyze alerts associated with business-critical entities, you can filter or group them by entity asset criticality.
+image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level]
 
-NOTE: If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level.
+* To group alerts by entity risk level or asset criticality level, select **Group alerts by**, then select **Custom field** and search for:
 
-* Use the drop-down filter controls to filter alerts by asset criticality level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.asset.criticality` or `host.asset.criticality`:
+** `host.risk.calculated_level` or `user.risk.calculated_level` for entity risk level:
 +
 [role="screenshot"]
-image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level]
+image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels]
 
-* To group alerts by asset criticality level, select **Group alerts by**, then select **Custom field** and search for `host.asset.criticality` or `user.asset.criticality`.
+** `host.asset.criticality` or `user.asset.criticality` for asset criticality level:
 +
 [role="screenshot"]
 image::images/group-by-asset-criticality.png[Alerts grouped by entity asset criticality levels]
 
 ** You can further sort the grouped alerts by highest entity risk score:
 +
 --
-... Expand an asset criticality group, for example **high_impact**.
+... Expand a risk level group (for example, **High**) or an asset criticality group (for example, **high_impact**).
 ... Select **Sort fields** → **Pick fields to sort by**.
 ... Select fields in the following order:
-.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low**
+.... `host.risk.calculated_score_norm` or `user.risk.calculated_score_norm`: **High-Low**
 .... `Risk score`: **High-Low**
 .... `@timestamp`: **New-Old**
 --
 +
 [role="screenshot"]
-image::images/ac-sort-by-host-risk-score.png[High-impact alerts sorted by host risk score]
+image::images/hrl-sort-by-host-risk-score.png[High-risk alerts sorted by host risk score]
 
 [discrete]
 [[alert-details-flyout]]

diff --git a/docs/advanced-entity-analytics/asset-criticality.asciidoc b/docs/advanced-entity-analytics/asset-criticality.asciidoc
@@ -57,7 +57,7 @@ With asset criticality, you can improve your security operations by:
 
 You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities.
 
-Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to <<triage-alerts-associated-with-business-critical-entities, prioritize alerts associated with high-impact entities>>.
+Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to <<triage-alerts-associated-with-high-risk-or-business-critical-entities, prioritize alerts associated with business-critical entities>>.
 
 [discrete]
 [[monitor-entity-risk]]

diff --git a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc
@@ -14,8 +14,14 @@ It also generates risk scores on a recurring interval, and allows for easy onboa
 
 Entity risk scores are determined by the following risk inputs:
 
-* <<alerts-ui-manage, Alerts>>, stored in the `.alerts-security.alerts-<space-id>` index alias
-* <<asset-criticality, Asset criticality level>>, stored in the `.asset-criticality.asset-criticality-<space-id>` index alias
+[width="100%",options="header"]
+|==============================================
+|Risk input |Storage location
+
+|<<alerts-ui-manage, Alerts>> |`.alerts-security.alerts-<space-id>` index alias
+|<<asset-criticality, Asset criticality level>> |`.asset-criticality.asset-criticality-<space-id>` index alias
+|==============================================
+
 
 The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias.
 
@@ -29,10 +35,16 @@ The resulting entity risk scores are stored in the `risk-score.risk-score-<space
 [[how-is-risk-score-calculated]]
 == How is risk score calculated?
 
+<<<<<<< HEAD
 The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. It groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.
+=======
+. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts.
+>>>>>>> 3b081a9b (EA doc enhancements (#5038))
 
-The engine then verifies the entity's <<asset-criticality, asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level:
+. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.
 
+. The engine then verifies the entity's <<asset-criticality, asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.
++
 [width="100%",options="header"]
 |==============================================
 |Asset criticality level |Default risk weight
@@ -43,13 +55,11 @@ The engine then verifies the entity's <<asset-criticality, asset criticality lev
 |Extreme impact |2
 
 |==============================================
-
++
 NOTE: Asset criticality levels and default risk weights are subject to change.
 
-The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.
-
-Based on the two risk inputs, the risk scoring engine generates a single numeric value, normalized to a 0-100 range, as the entity risk score. It assigns a risk level by mapping the normalized risk score to one of these levels:
-
+. Based on the two risk inputs, the risk scoring engine generates a single entity risk score of 0-100. It assigns a risk level by mapping the risk score to one of these levels:
++
 [width="100%",options="header"]
 |==============================================
 |Risk level |Risk score

diff --git a/docs/advanced-entity-analytics/images/ac-sort-by-host-risk-score.png b/docs/advanced-entity-analytics/images/ac-sort-by-host-risk-score.png
diff --git a/docs/getting-started/users-page.asciidoc b/docs/getting-started/users-page.asciidoc
@@ -61,9 +61,9 @@ In addition to the user details page, relevant user information is also availabl
 
 The user details flyout includes the following sections:
 
-* <<user-risk-summary, User risk summary>>
-* <<user-asset-criticality-section, Asset Criticality>>
-* <<user-observed-data, Observed data>>
+* <<user-risk-summary, User risk summary>>, which displays user risk data and inputs.
+* <<user-asset-criticality-section, Asset Criticality>>, which allows you to view and assign asset criticality.
+* <<user-observed-data, Observed data>>, which displays user details.
 
 [role="screenshot"]
 image::images/users/user-details-flyout.png[User details flyout]

diff --git a/docs/management/hosts/hosts-overview.asciidoc b/docs/management/hosts/hosts-overview.asciidoc
@@ -64,9 +64,9 @@ In addition to the host details page, relevant host information is also availabl
 
 The host details flyout includes the following sections:
 
-* <<host-risk-summary, Host risk summary>>
-* <<host-asset-criticality-section, Asset Criticality>>
-* <<host-observed-data, Observed data>>
+* <<host-risk-summary, Host risk summary>>, which displays host risk data and inputs.
+* <<host-asset-criticality-section, Asset Criticality>>, which allows you to view and assign asset criticality.
+* <<host-observed-data, Observed data>>, which displays host details.
 
 [role="screenshot"]
 image::images/host-details-flyout.png[Host details flyout]