-
Notifications
You must be signed in to change notification settings - Fork 191
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'staging-serverless-security-docs/closin…
…g-time-every-new-beginning' into migration-test2
- Loading branch information
Showing
506 changed files
with
16,852 additions
and
0 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,2 @@ | ||
| * @elastic/security-docs | ||
| /.github/workflows/ @elastic/docs-engineering |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| name: Staging Docs | ||
|
|
||
| on: | ||
| pull_request_target: | ||
| paths: | ||
| - '**.mdx' | ||
| - '**.docnav.json' | ||
| - '**.docapi.json' | ||
| - '**.devdocs.json' | ||
| - '**.jpg' | ||
| - '**.jpeg' | ||
| - '**.png' | ||
| - '**.svg' | ||
| - '**.gif' | ||
| types: [opened, closed, synchronize] | ||
|
|
||
| jobs: | ||
| publish: | ||
| name: Vercel Build Check | ||
| uses: elastic/workflows/.github/workflows/docs-elastic-co-publish.yml@main | ||
| secrets: | ||
| VERCEL_GITHUB_TOKEN: ${{ secrets.VERCEL_GITHUB_TOKEN }} | ||
| VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }} | ||
| VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }} | ||
| VERCEL_PROJECT_ID_DOCS_CO: ${{ secrets.VERCEL_PROJECT_ID_DOCS_CO }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,3 +2,4 @@ | |
| docs/html_docs | ||
| /html_docs | ||
| .vscode/ | ||
| .vs/ | ||
17 changes: 17 additions & 0 deletions
17
docs/serverless/advanced-entity-analytics/advanced-behavioral-detections.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| --- | ||
| id: serverlessSecurityAdvancedBehavioralDetections | ||
| slug: /serverless/security/advanced-behavioral-detections | ||
| title: Advanced behavioral detections | ||
| description: Learn about advanced behavioral detections and its capabilities. | ||
| tags: [ 'serverless', 'security', 'overview', 'analyze' ] | ||
| status: in review | ||
| --- | ||
|
|
||
| <DocBadge template="technical preview" /> | ||
|
|
||
| Elastic's ((ml)) capabilities and advanced correlation, scoring, and visualization techniques can help you identify potential behavioral threats that may be associated with security incidents. | ||
|
|
||
| Advanced behavioral detections includes two key capabilities: | ||
|
|
||
| * <DocLink id="serverlessSecurityMachineLearning">Anomaly detection</DocLink> | ||
| * <DocLink id="serverlessSecurityBehavioralDetectionUseCases" /> |
17 changes: 17 additions & 0 deletions
17
docs/serverless/advanced-entity-analytics/advanced-entity-analytics-overview.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| --- | ||
| id: serverlessSecurityAdvancedEntityAnalytics | ||
| slug: /serverless/security/advanced-entity-analytics | ||
| title: Advanced Entity Analytics | ||
| description: Learn about Advanced Entity Analytics and its capabilities. | ||
| tags: [ 'serverless', 'security', 'overview', 'analyze' ] | ||
| status: in review | ||
| --- | ||
|
|
||
| <DocBadge template="technical preview" /> | ||
|
|
||
| Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity's environment. This feature combines the power of the SIEM detection engine and Elastic's ((ml)) capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts and users. | ||
|
|
||
| Advanced Entity Analytics provides two key capabilities: | ||
|
|
||
| * <DocLink id="serverlessSecurityEntityRiskScoring" /> | ||
| * <DocLink id="serverlessSecurityAdvancedBehavioralDetections" /> |
127 changes: 127 additions & 0 deletions
127
docs/serverless/advanced-entity-analytics/analyze-risk-score-data.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,127 @@ | ||
| --- | ||
| id: serverlessSecurityAnalyzeRiskScoreData | ||
| slug: /serverless/security/analyze-risk-score-data | ||
| title: View and analyze risk score data | ||
| description: Monitor risk score changes of hosts and users in your environment. | ||
| tags: [ 'serverless', 'security', 'how-to', 'analyze' ] | ||
| status: in review | ||
| --- | ||
|
|
||
| <DocBadge template="technical preview" /> | ||
|
|
||
| The ((security-app)) provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the ((security-app)) to view and analyze risk score data: | ||
|
|
||
| * <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="entity-analytics-dashboard">Entity Analytics dashboard</DocLink> | ||
| * <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="alerts-page">Alerts page</DocLink> | ||
| * <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="alert-details-flyout">Alert details flyout</DocLink> | ||
| * <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="hosts-and-users-pages">Hosts and Users pages</DocLink> | ||
| * <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="host-and-user-details-pages">Host and user details pages</DocLink> | ||
| * <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="host-and-user-details-flyouts">Host and user details flyouts</DocLink> | ||
|
|
||
|
|
||
| <DocCallOut title="Tip"> | ||
| We recommend that you prioritize <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="alert-triaging">alert triaging</DocLink> to identify anomalies or abnormal behavior patterns. | ||
| </DocCallOut> | ||
|
|
||
| ## Entity Analytics dashboard | ||
|
|
||
| From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page. | ||
|
|
||
|  | ||
|
|
||
| ## Alert triaging | ||
| You can prioritize alert triaging to analyze alerts associated with risky or business-critical entities using the following features in the ((security-app)). | ||
|
|
||
| ### Alerts page | ||
|
|
||
| Use the Alerts table to investigate and analyze: | ||
|
|
||
| * Host and user risk levels | ||
| * Host and user risk scores | ||
| * Asset criticality | ||
|
|
||
| To display entity risk score and asset criticality data in the Alerts table, select **Fields**, and add the following: | ||
|
|
||
| * `user.risk.calculated_level` or `host.risk.calculated_level` | ||
| * `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm` | ||
| * `user.asset.criticality` or `host.asset.criticality` | ||
|
|
||
| Learn more about <DocLink id="serverlessSecurityAlertsUiManage" section="customize-the-alerts-table">customizing the Alerts table</DocLink>. | ||
|
|
||
|  | ||
|
|
||
| #### Triage alerts associated with high-risk or business-critical entities | ||
|
|
||
| To analyze alerts associated with high-risk or business-critical entities, you can filter or group them by entity risk level or asset criticality level. | ||
|
|
||
| <DocCallOut title="Note"> | ||
| If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level. | ||
| </DocCallOut> | ||
|
|
||
| * Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, <DocLink id="serverlessSecurityAlertsUiManage" section="edit-drop-down-filter-controls">edit the default controls</DocLink> to filter by: | ||
|
|
||
| * `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level: | ||
|
|
||
|  | ||
|
|
||
| * `user.asset.criticality` or `host.asset.criticality` for asset criticality level: | ||
|
|
||
|  | ||
|
|
||
| * To group alerts by entity risk level or asset criticality level, select **Group alerts by**, then select **Custom field** and search for: | ||
|
|
||
| * `host.risk.calculated_level` or `user.risk.calculated_level` for entity risk level: | ||
|
|
||
|  | ||
|
|
||
| * `host.asset.criticality` or `user.asset.criticality` for asset criticality level: | ||
|
|
||
|  | ||
|
|
||
| * You can further sort the grouped alerts by highest entity risk score: | ||
|
|
||
| 1. Expand a risk level group (for example, **High**) or an asset criticality group (for example, **high_impact**). | ||
| 1. Select **Sort fields** → **Pick fields to sort by**. | ||
| 1. Select fields in the following order: | ||
| 1. `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low** | ||
| 1. `Risk score`: **High-Low** | ||
| 1. `@timestamp`: **New-Old** | ||
|
|
||
|  | ||
|
|
||
| ### Alert details flyout | ||
|
|
||
| To access risk score data in the alert details flyout, select **Insights** → **Entities** on the **Overview** tab: | ||
|
|
||
|  | ||
|
|
||
| ### Hosts and Users pages | ||
|
|
||
| On the Hosts and Users pages, you can access the risk score data: | ||
|
|
||
| * In the **Host risk level** or **User risk level** column on the **All hosts** or **All users** tab: | ||
|
|
||
|  | ||
|
|
||
| * On the **Host risk** or **User risk** tab: | ||
|
|
||
|  | ||
|
|
||
| ### Host and user details pages | ||
|
|
||
| On the host details and user details pages, you can access the risk score data: | ||
|
|
||
| * In the Overview section: | ||
|
|
||
|  | ||
|
|
||
| * On the **Host risk** or **User risk** tab: | ||
|
|
||
|  | ||
|
|
||
| ### Host and user details flyouts | ||
|
|
||
| In the host details and user details flyouts, you can access the risk score data in the risk summary section: | ||
|
|
||
|  | ||
|
|
114 changes: 114 additions & 0 deletions
114
docs/serverless/advanced-entity-analytics/asset-criticality.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| --- | ||
| id: serverlessSecurityAssetCriticality | ||
| slug: /serverless/security/asset-criticality | ||
| title: Asset criticality | ||
| description: Learn how to use asset criticality to improve your security operations. | ||
| tags: [ 'serverless', 'security', 'overview', 'analyze' ] | ||
| status: in review | ||
| --- | ||
|
|
||
| <DocBadge template="technical preview" /> | ||
|
|
||
| <DocCallOut title="Requirements"> | ||
| To view and assign asset criticality, you must: | ||
| * Have the appropriate user role. | ||
| * Turn on the `securitySolution:enableAssetCriticality` <DocLink id="serverlessSecurityAdvancedSettings" section="enable-asset-criticality-workflows" >advanced setting</DocLink>. | ||
|
|
||
| For more information, refer to <DocLink id="serverlessSecurityERSRequirements">Entity risk scoring prerequisites</DocLink>. | ||
| </DocCallOut> | ||
|
|
||
| The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. | ||
|
|
||
| You can assign one of the following asset criticality levels to your entities, based on their impact: | ||
|
|
||
| * Low impact | ||
| * Medium impact | ||
| * High impact | ||
| * Extreme impact | ||
|
|
||
| For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. | ||
|
|
||
| ## View and assign asset criticality | ||
|
|
||
| Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or <DocLink id="serverlessSecurityAssetCriticality" section="bulk-assign-asset-criticality">bulk assign</DocLink> it to multiple entities by importing a text file. | ||
|
|
||
| When you assign, change, or unassign an individual entity's asset criticality level, that entity's risk score is immediately recalculated. | ||
|
|
||
| <DocCallOut title="Note"> | ||
| If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. The newly assigned or updated asset criticality levels will impact entity risk scores during the next hourly risk scoring calculation. | ||
| </DocCallOut> | ||
|
|
||
| You can view, assign, change, or unassign asset criticality from the following places in the ((elastic-sec)) app: | ||
|
|
||
| * The <DocLink id="serverlessSecurityHostsOverview" section="host-details-page">host details page</DocLink> and <DocLink id="serverlessSecurityUsersPage" section="user-details-page">user details page</DocLink>: | ||
|
|
||
|  | ||
|
|
||
| * The <DocLink id="serverlessSecurityHostsOverview" section="host-details-flyout">host details flyout</DocLink> and <DocLink id="serverlessSecurityUsersPage" section="user-details-flyout">user details flyout</DocLink>: | ||
|
|
||
|  | ||
|
|
||
| * The host details flyout and user details flyout in <DocLink id="serverlessSecurityTimelinesUi">Timeline</DocLink>: | ||
|
|
||
|  | ||
|
|
||
| ### Bulk assign asset criticality | ||
|
|
||
| You can bulk assign asset criticality to multiple entities by importing a CSV, TXT or TSV file from your asset management tools. | ||
|
|
||
| The file must contain three columns, with each entity record listed on a separate row: | ||
|
|
||
| 1. The first column should indicate whether the entity is a `host` or a `user`. | ||
| 1. The second column should specify the entity's `host.name` or `user.name`. | ||
| 1. The third column should specify one of the following asset criticality levels: | ||
| * `extreme_impact` | ||
| * `high_impact` | ||
| * `medium_impact` | ||
| * `low_impact` | ||
|
|
||
| The maximum file size is 1 MB. | ||
|
|
||
| File structure example: | ||
|
|
||
| ``` | ||
| user,user-001,low_impact | ||
| user,user-002,medium_impact | ||
| host,host-001,extreme_impact | ||
| ```` | ||
| To import a file: | ||
| 1. Go to **Project Settings** → **Stack Management** → **Asset criticality**. | ||
| 1. Select or drag and drop the file you want to import. | ||
| <DocCallOut title="Note"> | ||
| The file validation step highlights any lines that don't follow the required file structure. The asset criticality levels for those entities won't be assigned. We recommend that you fix any invalid lines and re-upload the file. | ||
| </DocCallOut> | ||
| 1. Click **Assign**. | ||
| This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows and will impact entity risk scores during the next risk scoring calculation. | ||
| ## Improve your security operations | ||
| With asset criticality, you can improve your security operations by: | ||
| * <DocLink id="serverlessSecurityAssetCriticality" section="prioritize-open-alerts">Prioritizing open alerts</DocLink> | ||
| * <DocLink id="serverlessSecurityAssetCriticality" section="monitor-an-entitys-risk">Monitoring an entity's risk</DocLink> | ||
| ### Prioritize open alerts | ||
| You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. | ||
| Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to <DocLink id="serverlessSecurityAnalyzeRiskScoreData" section="triage-alerts-associated-with-high-risk-or-business-critical-entities">prioritize alerts associated with business-critical entities</DocLink>. | ||
| ### Monitor an entity's risk | ||
| The risk scoring engine dynamically factors in an entity's asset criticality, along with `Open` and `Acknowledged` detection alerts to <DocLink id="serverlessSecurityEntityRiskScoring" section="how-is-risk-score-calculated">calculate the entity's overall risk score</DocLink>. This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. | ||
| To view the impact of asset criticality on an entity's risk score, follow these steps: | ||
| 1. Open the <DocLink id="serverlessSecurityHostsOverview" section="host-details-flyout">host details flyout</DocLink> or <DocLink id="serverlessSecurityUsersPage" section="user-details-flyout">user details flyout</DocLink>. The risk summary section shows asset criticality's contribution to the overall risk score. | ||
| 1. Click **View risk contributions** to open the flyout's left panel. | ||
| 1. In the **Risk contributions** section, verify the entity's criticality level from the time the alert was generated. | ||
|  |
33 changes: 33 additions & 0 deletions
33
docs/serverless/advanced-entity-analytics/behavioral-detection-use-cases.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| --- | ||
| id: serverlessSecurityBehavioralDetectionUseCases | ||
| slug: /serverless/security/behavioral-detection-use-cases | ||
| title: Behavioral detection use cases | ||
| description: Detect internal and external threats using behavioral detection integrations. | ||
| tags: [ 'serverless', 'security', 'overview', 'analyze' ] | ||
| status: in review | ||
| --- | ||
|
|
||
| <DocBadge template="technical preview" /> | ||
|
|
||
| Behavioral detection identifies potential internal and external threats based on user and host activity. It uses a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. | ||
|
|
||
| The behavioral detection feature is built on ((elastic-sec))'s foundational SIEM detection capabilities, leveraging ((ml)) algorithms to enable proactive threat detection and hunting. | ||
|
|
||
| ## Elastic integrations for behavioral detection use cases | ||
|
|
||
| Behavioral detection integrations provide a convenient way to enable behavioral detection capabilities. They streamline the deployment of components that implement behavioral detection, such as data ingestion, transforms, rules, ((ml)) jobs, and scripts. | ||
|
|
||
| <DocCallOut title="Requirements"> | ||
| * Behavioral detection integrations require the Security Analytics Complete <DocLink id="serverlessGeneralManageProject">project feature</DocLink>. | ||
| * To learn more about the requirements for using ((ml)) jobs, refer to <DocLink id="serverlessSecurityMlRequirements" />. | ||
| </DocCallOut> | ||
|
|
||
| Here's a list of integrations for various behavioral detection use cases: | ||
|
|
||
| * [Data Exfiltration Detection](((integrations-docs))/ded) | ||
| * [Domain Generation Algorithm Detection](((integrations-docs))/dga) | ||
| * [Lateral Movement Detection](((integrations-docs))/lmd) | ||
| * [Living off the Land Attack Detection](((integrations-docs))/problemchild) | ||
| * [Network Beaconing Identification](((integrations-docs))/beaconing) | ||
|
|
||
| To learn more about ((ml)) jobs enabled by these integrations, refer to [Prebuilt job reference](((security-guide))/prebuilt-ml-jobs.html). |
Oops, something went wrong.