From 010996cebef3d27153460841318ab722df171b92 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 1 Nov 2023 17:52:35 +0000 Subject: [PATCH 01/12] Entity Analytics: Requirements and limitations --- docs/getting-started/ea-req.asciidoc | 37 +++++++++++++++++++ docs/getting-started/index.asciidoc | 1 + .../sec-app-requirements.asciidoc | 1 + 3 files changed, 39 insertions(+) create mode 100644 docs/getting-started/ea-req.asciidoc diff --git a/docs/getting-started/ea-req.asciidoc b/docs/getting-started/ea-req.asciidoc new file mode 100644 index 0000000000..6107eb8010 --- /dev/null +++ b/docs/getting-started/ea-req.asciidoc @@ -0,0 +1,37 @@ +[[ea-requirements]] += Entity analytics prerequisites + +[discrete] +== Privileges + +To enable the risk scoring engine, you need the following privileges: + +Cluster privileges: + +* `manage_index_templates` +* `manage_transform` + +Index privileges: + +`all` privilege for `risk-score.risk-score-*` + +Kibana privileges: + +* **All** for the **Saved Objects Management** feature under **Management** +* **Read** for the **Security** feature + +[discrete] +== {es} resource guidelines + +Follow these guidelines to ensure clusters have adequate memory to handle data volume: + +* With 2GB of Java Virtual Machine (JVM) heap memory, the risk scoring task can safely process around 44 million documents (30 days of risk data with an ingest rate of 1000 documents per minute). + +* With 1GB of JVM heap, the risk scoring task can safely process around 20 million documents (30 days of risk data with an ingest rate of around 450 documents per minute). + +[discrete] +== Known limitations + +* You can only enable the risk scoring engine in a single {kib} space within a cluster. + +* The risk scoring engine uses the internal {kib} user to score all hosts and users. This means the scoring task does not respect custom user or role permissions. All alerts from the configured {kib} space will contribute to the entity's risk. 
diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc index 8c2ad22bfb..13184a1834 100644 --- a/docs/getting-started/index.asciidoc +++ b/docs/getting-started/index.asciidoc @@ -9,6 +9,7 @@ TIP: View the https://www.elastic.co/training/elastic-security-quick-start[{elas include::sec-app-requirements.asciidoc[leveloffset=+1] include::detections-req.asciidoc[leveloffset=+2] include::cases-req.asciidoc[leveloffset=+2] +include::ea-req.asciidoc[leveloffset=+2] include::ml-req.asciidoc[leveloffset=+2] include::defend-feature-privs.asciidoc[leveloffset=+2] include::net-map-req.asciidoc[leveloffset=+2] diff --git a/docs/getting-started/sec-app-requirements.asciidoc b/docs/getting-started/sec-app-requirements.asciidoc index 44ad0300ea..3eb8cb7887 100644 --- a/docs/getting-started/sec-app-requirements.asciidoc +++ b/docs/getting-started/sec-app-requirements.asciidoc @@ -44,6 +44,7 @@ There are some additional requirements for specific features: * <> * <> +* <> * <> * <> * <> From a3a12ea7a3af4b3baf725d95c7e3dcc2c3234d8e Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 1 Nov 2023 17:53:19 +0000 Subject: [PATCH 02/12] Fixes capitalization --- docs/getting-started/ea-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/ea-req.asciidoc b/docs/getting-started/ea-req.asciidoc index 6107eb8010..bb68546dc9 100644 --- a/docs/getting-started/ea-req.asciidoc +++ b/docs/getting-started/ea-req.asciidoc @@ -1,5 +1,5 @@ [[ea-requirements]] -= Entity analytics prerequisites += Entity Analytics prerequisites [discrete] == Privileges From 89a424c40c95213ec272a88669f802921e6da7a7 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 1 Nov 2023 18:16:10 +0000 Subject: [PATCH 03/12] Uses attribute --- docs/getting-started/ea-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/getting-started/ea-req.asciidoc b/docs/getting-started/ea-req.asciidoc index bb68546dc9..e27a891a45 100644 --- a/docs/getting-started/ea-req.asciidoc +++ b/docs/getting-started/ea-req.asciidoc @@ -15,7 +15,7 @@ Index privileges: `all` privilege for `risk-score.risk-score-*` -Kibana privileges: +{kib} privileges: * **All** for the **Saved Objects Management** feature under **Management** * **Read** for the **Security** feature From d12e9e05edb0f385b89e92b5aedf7a853304474d Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 2 Nov 2023 10:56:50 +0000 Subject: [PATCH 04/12] Update docs/getting-started/ea-req.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/getting-started/ea-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/ea-req.asciidoc b/docs/getting-started/ea-req.asciidoc index e27a891a45..1f355fa43c 100644 --- a/docs/getting-started/ea-req.asciidoc +++ b/docs/getting-started/ea-req.asciidoc @@ -4,7 +4,7 @@ [discrete] == Privileges -To enable the risk scoring engine, you need the following privileges: +To turn on the risk scoring engine, you need the following privileges: Cluster privileges: From a3ec7b195ed0b5ddc8bf32d93410936f7f05a017 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 2 Nov 2023 11:01:20 +0000 Subject: [PATCH 05/12] Update docs/getting-started/ea-req.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/getting-started/ea-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/ea-req.asciidoc b/docs/getting-started/ea-req.asciidoc index 1f355fa43c..0afbdf074d 100644 --- a/docs/getting-started/ea-req.asciidoc +++ b/docs/getting-started/ea-req.asciidoc 
@@ -34,4 +34,4 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v * You can only enable the risk scoring engine in a single {kib} space within a cluster. -* The risk scoring engine uses the internal {kib} user to score all hosts and users. This means the scoring task does not respect custom user or role permissions. All alerts from the configured {kib} space will contribute to the entity's risk. +* The risk scoring engine uses the internal {kib} user to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores. From 69ccf0fbb32647e45019a2357bcec2c6483db3f4 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 2 Nov 2023 11:04:27 +0000 Subject: [PATCH 06/12] Update docs/getting-started/ea-req.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/getting-started/ea-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/ea-req.asciidoc b/docs/getting-started/ea-req.asciidoc index 0afbdf074d..397033e2dd 100644 --- a/docs/getting-started/ea-req.asciidoc +++ b/docs/getting-started/ea-req.asciidoc 
@@ -27,7 +27,7 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v * With 2GB of Java Virtual Machine (JVM) heap memory, the risk scoring task can safely process around 44 million documents (30 days of risk data with an ingest rate of 1000 documents per minute). -* With 1GB of JVM heap, the risk scoring task can safely process around 20 million documents (30 days of risk data with an ingest rate of around 450 documents per minute). +* With 1GB of JVM heap, the risk scoring task can safely process around 20 million documents, or 30 days of risk data with an ingest rate of around 450 documents per minute. [discrete] == Known limitations From 6ae21aa06241e88834c9ae6e4cb3f67c1dcad8fa Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 2 Nov 2023 11:04:42 +0000 Subject: [PATCH 07/12] Update docs/getting-started/ea-req.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/getting-started/ea-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/ea-req.asciidoc b/docs/getting-started/ea-req.asciidoc index 397033e2dd..d6dab725e7 100644 --- a/docs/getting-started/ea-req.asciidoc +++ b/docs/getting-started/ea-req.asciidoc 
@@ -25,7 +25,7 @@ Index privileges: Follow these guidelines to ensure clusters have adequate memory to handle data volume: -* With 2GB of Java Virtual Machine (JVM) heap memory, the risk scoring task can safely process around 44 million documents (30 days of risk data with an ingest rate of 1000 documents per minute). +* With 2GB of Java Virtual Machine (JVM) heap memory, the risk scoring task can safely process around 44 million documents, or 30 days of risk data with an ingest rate of 1000 documents per minute. * With 1GB of JVM heap, the risk scoring task can safely process around 20 million documents, or 30 days of risk data with an ingest rate of around 450 documents per minute. From 981b0c64ca0edbfb7916aa2458deff1421cd9f3d Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 2 Nov 2023 11:35:17 +0000 Subject: [PATCH 08/12] Applies review comments --- docs/getting-started/ea-req.asciidoc | 37 ---------------- docs/getting-started/ers-req.asciidoc | 44 +++++++++++++++++++ docs/getting-started/index.asciidoc | 2 +- .../sec-app-requirements.asciidoc | 2 +- 4 files changed, 46 insertions(+), 39 deletions(-) delete mode 100644 docs/getting-started/ea-req.asciidoc create mode 100644 docs/getting-started/ers-req.asciidoc diff --git a/docs/getting-started/ea-req.asciidoc b/docs/getting-started/ea-req.asciidoc deleted file mode 100644 index d6dab725e7..0000000000 --- a/docs/getting-started/ea-req.asciidoc +++ /dev/null 
@@ -1,37 +0,0 @@ -[[ea-requirements]] -= Entity Analytics prerequisites - -[discrete] -== Privileges - -To turn on the risk scoring engine, you need the following privileges: - -Cluster privileges: - -* `manage_index_templates` -* `manage_transform` - -Index privileges: - -`all` privilege for `risk-score.risk-score-*` - -{kib} privileges: - -* **All** for the **Saved Objects Management** feature under **Management** -* **Read** for the **Security** feature - -[discrete] -== {es} resource guidelines - -Follow these guidelines to ensure clusters have adequate memory to handle data volume: - -* With 2GB of Java Virtual Machine (JVM) heap memory, the risk scoring task can safely process around 44 million documents, or 30 days of risk data with an ingest rate of 1000 documents per minute. - -* With 1GB of JVM heap, the risk scoring task can safely process around 20 million documents, or 30 days of risk data with an ingest rate of around 450 documents per minute. - -[discrete] -== Known limitations - -* You can only enable the risk scoring engine in a single {kib} space within a cluster. - -* The risk scoring engine uses the internal {kib} user to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores. diff --git a/docs/getting-started/ers-req.asciidoc b/docs/getting-started/ers-req.asciidoc new file mode 100644 index 0000000000..69a6ec3c43 --- /dev/null +++ b/docs/getting-started/ers-req.asciidoc 
@@ -0,0 +1,44 @@ +[[ers-requirements]] += Entity Risk Scoring prerequisites +// link to Entity Risk Scoring docs to be added +To use Entity Risk Scoring, your role must have certain cluster, index, and {kib} privileges. You also need the https://www.elastic.co/subscriptions[appropriate license]. + +This page covers the requirements and guidelines for using the Entity Risk Scoring feature, as well as its known limitations. + +[discrete] +== Privileges + +To turn on the risk scoring engine, you need the following privileges: + +[discrete] +[width="100%",options="header"] +|============================================== + +| Cluster | Index | {kib} +a| +* `manage_index_templates` +* `manage_transform` + +| `all` privilege for `risk-score.risk-score-*` + +a| +* **All** for the **Saved Objects Management** feature under **Management** +* **Read** for the **Security** feature + +|============================================== + +[discrete] +== {es} resource guidelines + +Follow these guidelines to ensure clusters have adequate memory to handle data volume: + +* With 2GB of Java Virtual Machine (JVM) heap memory, the risk scoring engine can safely process around 44 million documents, or 30 days of risk data with an ingest rate of 1000 documents per minute. + +* With 1GB of JVM heap, the risk scoring engine can safely process around 20 million documents, or 30 days of risk data with an ingest rate of around 450 documents per minute. + +[discrete] +== Known limitations + +* You can only enable the risk scoring engine in a single {kib} space within a cluster. + +* The risk scoring engine uses the internal {kib} user to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores. diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc index 13184a1834..07bd816c11 100644 
--- a/docs/getting-started/index.asciidoc +++ b/docs/getting-started/index.asciidoc @@ -9,7 +9,7 @@ TIP: View the https://www.elastic.co/training/elastic-security-quick-start[{elas include::sec-app-requirements.asciidoc[leveloffset=+1] include::detections-req.asciidoc[leveloffset=+2] include::cases-req.asciidoc[leveloffset=+2] -include::ea-req.asciidoc[leveloffset=+2] +include::ers-req.asciidoc[leveloffset=+2] include::ml-req.asciidoc[leveloffset=+2] include::defend-feature-privs.asciidoc[leveloffset=+2] include::net-map-req.asciidoc[leveloffset=+2] diff --git a/docs/getting-started/sec-app-requirements.asciidoc b/docs/getting-started/sec-app-requirements.asciidoc index 3eb8cb7887..4d5f9a4e63 100644 --- a/docs/getting-started/sec-app-requirements.asciidoc +++ b/docs/getting-started/sec-app-requirements.asciidoc @@ -44,7 +44,7 @@ There are some additional requirements for specific features: * <> * <> -* <> +* <> * <> * <> * <> From 00c76d9e14e379083d6df3ae87d47aa471146583 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 3 Nov 2023 15:15:26 +0000 Subject: [PATCH 09/12] Adds reference to Entity Risk Scoring --- docs/getting-started/ers-req.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/getting-started/ers-req.asciidoc b/docs/getting-started/ers-req.asciidoc index 69a6ec3c43..ddd485309c 100644 --- a/docs/getting-started/ers-req.asciidoc +++ b/docs/getting-started/ers-req.asciidoc 
@@ -1,7 +1,7 @@ [[ers-requirements]] = Entity Risk Scoring prerequisites -// link to Entity Risk Scoring docs to be added -To use Entity Risk Scoring, your role must have certain cluster, index, and {kib} privileges. You also need the https://www.elastic.co/subscriptions[appropriate license]. + +To use <>, your role must have certain cluster, index, and {kib} privileges. You also need the https://www.elastic.co/subscriptions[appropriate license]. This page covers the requirements and guidelines for using the Entity Risk Scoring feature, as well as its known limitations. From de68953d45ec7e789c178393858d3e08cca909af Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 6 Nov 2023 16:53:53 +0000 Subject: [PATCH 10/12] Updates licensing info --- docs/getting-started/ers-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/ers-req.asciidoc b/docs/getting-started/ers-req.asciidoc index ddd485309c..8f2a9d6c69 100644 --- a/docs/getting-started/ers-req.asciidoc +++ b/docs/getting-started/ers-req.asciidoc @@ -1,7 +1,7 @@ [[ers-requirements]] = Entity Risk Scoring prerequisites -To use <>, your role must have certain cluster, index, and {kib} privileges. You also need the https://www.elastic.co/subscriptions[appropriate license]. +To use <>, your role must have certain cluster, index, and {kib} privileges. This feature requires a https://www.elastic.co/pricing[Platinum subscription] or higher. This page covers the requirements and guidelines for using the Entity Risk Scoring feature, as well as its known limitations. From 6662e5229a26821923eefe8d5c8bd9a1b264684b Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Tue, 7 Nov 2023 11:38:20 +0000 Subject: [PATCH 11/12] Applies review feedback --- docs/getting-started/ers-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/ers-req.asciidoc b/docs/getting-started/ers-req.asciidoc index 8f2a9d6c69..44927fb2e6 100644 
--- a/docs/getting-started/ers-req.asciidoc +++ b/docs/getting-started/ers-req.asciidoc @@ -41,4 +41,4 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v * You can only enable the risk scoring engine in a single {kib} space within a cluster. -* The risk scoring engine uses the internal {kib} user to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores. +* The risk scoring engine uses an internal user role to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores. From 62a20f47c9561b9f0ca46aff866911e49a68170d Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Tue, 7 Nov 2023 13:08:38 +0000 Subject: [PATCH 12/12] Update docs/getting-started/ers-req.asciidoc --- docs/getting-started/ers-req.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/ers-req.asciidoc b/docs/getting-started/ers-req.asciidoc index 44927fb2e6..5a4092a6d0 100644 --- a/docs/getting-started/ers-req.asciidoc +++ b/docs/getting-started/ers-req.asciidoc @@ -1,7 +1,7 @@ [[ers-requirements]] = Entity Risk Scoring prerequisites -To use <>, your role must have certain cluster, index, and {kib} privileges. This feature requires a https://www.elastic.co/pricing[Platinum subscription] or higher. +To use Entity Risk Scoring, your role must have certain cluster, index, and {kib} privileges. This feature requires a https://www.elastic.co/pricing[Platinum subscription] or higher. This page covers the requirements and guidelines for using the Entity Risk Scoring feature, as well as its known limitations.
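Review bot: `all` on `risk-score.risk-score-*` under "Index privileges" in the PATCH 01 ea-req.asciidoc hunk (carried unchanged into the PATCH 08 table) is the broadest index grant Elasticsearch has and covers deleting and managing the indices, not just writing to them. Readers will paste this straight into production roles, so if turning on the engine only needs to create and write to those indices the doc should list that narrower set, and if `all` really is required it should say so explicitly.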
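Review bot: the {kib} privileges in the same PATCH 01 hunk require **All** for **Saved Objects Management**, which lets the role read and modify every saved object in the space, not only the risk engine's. The sentence "To enable the risk scoring engine, you need the following privileges" suggests these are one-time enablement privileges; the text should say whether the grant can be removed after the engine is turned on or is needed for ongoing operation, since that decides how long an admin has to hold it.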
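Review bot: the arithmetic in the 2GB bullet of the resource guidelines (PATCH 06) does not line up: 1000 documents per minute for 30 days is 1000 × 60 × 24 × 30 = 43.2 million, so either "around 44 million documents" or the ingest rate should be adjusted (the 1GB bullet in PATCH 05, 450 per minute ≈ 19.4 million, rounds to 20 million acceptably). Both bullets also leave "safely process" undefined; a capacity planner needs to know what actually happens when the document count is exceeded, e.g. whether the task fails, skips data, or exhausts heap.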
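Review bot: `[discrete]` placed on its own line directly before the privileges table in the PATCH 08 ers-req.asciidoc hunk has no effect there; it is a section-title option, not a table option. Drop it so the table's attribute list is just `[width="100%",options="header"]`, as it is on the other tables in this doc set.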
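Review bot: the known-limitations bullet rewritten in PATCH 05 and again in PATCH 11 gives the mechanism (an internal identity scores everything and ignores custom role privileges) but not the consequence a security admin actually needs: a user with **Read** on **Security** whose role restricts which alert data they can read will still see host and user risk scores that were computed from alerts they are not allowed to view. That disclosure should be stated in one sentence. PATCH 11 also changes "the internal {kib} user" to "an internal user role", which mixes two different things; say user or role, and if it is a named built-in role, name it so readers can look it up.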
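Review bot: PATCH 12 reverts the cross-reference to the Entity Risk Scoring page that PATCH 09 added (rendered here as `<>`), leaving plain "Entity Risk Scoring", but the subject line "Update docs/getting-started/ers-req.asciidoc" gives no reason. If the target page does not exist yet, restore the `// link to Entity Risk Scoring docs to be added` comment that PATCH 09 removed so the link is not forgotten; otherwise the commit message should say why the link was dropped.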