From 9610dfdc7002d62e2e7564178c0d69772cbd7020 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Mon, 12 Feb 2024 13:51:31 -0500 Subject: [PATCH] Reworks the security docs landing page (#4528) * First draft. Complete rework of security landing page * troubleshoot build error * fixes broken link * moves self-protection content to a new page * Update docs/es-overview.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * Update docs/es-overview.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * Update docs/es-overview.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * incorporates feedback * Update docs/es-overview.asciidoc Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> * incorporates Nat's feedback --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> (cherry picked from commit a40ca23d02986597d317218f1db464ccb888f5da) --- docs/detections/rules-ui-create.asciidoc | 2 +- docs/es-overview.asciidoc | 178 +++--------------- .../admin/endpoint-self-protection.asciidoc | 29 +++ docs/management/manage-intro.asciidoc | 3 +- 4 files changed, 58 insertions(+), 154 deletions(-) create mode 100644 docs/management/admin/endpoint-self-protection.asciidoc diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 1060d6b90d..4ab82af4f2 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -198,7 +198,7 @@ NOTE: You can use {kib} saved queries (image:images/saved-query-menu.png[Saved q .. *Indicator index patterns*: The indicator index patterns containing field values for which you want to generate alerts. This field is automatically populated with indices specified in the `securitySolution:defaultThreatIndex` advanced setting. For more information, see <>. + -IMPORTANT: Data in indicator indices must be <>, and so it must contain a `@timestamp` field. +IMPORTANT: Data in indicator indices must be <>, and so it must contain a `@timestamp` field. + .. *Indicator index query*: The query and filters used to filter the fields from the indicator index patterns. The default query `@timestamp > "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the start time down to the nearest day (resolves to UTC `00:00:00`). diff --git a/docs/es-overview.asciidoc b/docs/es-overview.asciidoc index 2abc8b3384..a9cd565a6f 100644 --- a/docs/es-overview.asciidoc +++ b/docs/es-overview.asciidoc 
@@ -2,169 +2,43 @@ [chapter, role="xpack"] = Elastic Security overview -Elastic Security combines SIEM threat detection features with endpoint -prevention and response capabilities in one solution. These analytical and -protection capabilities, leveraged by the speed and extensibility of -Elasticsearch, enable analysts to defend their organization from threats before -damage and loss occur. +{elastic-sec} combines threat detection analytics, cloud native security, and endpoint protection capabilities in a single solution, so you can quickly detect, investigate, and respond to threats and vulnerabilities across your environment. -Elastic Security provides the following security benefits and capabilities: +Elastic Security provides: -* A detection engine to identify attacks and system misconfigurations -* A workspace for event triage and investigations -* Interactive visualizations to investigate process relationships -* Inbuilt case management with automated actions -* Detection of signatureless attacks with prebuilt machine learning anomaly jobs and detection rules +* A detection engine that identifies a wide range of threats +* A workspace for event triage, investigation, and case management +* Interactive data visualization tools +* Integrations for collecting data from various sources [discrete] -== Elastic Security components and workflow - -The following diagram provides a comprehensive illustration of the Elastic Security workflow. 
- -[role="screenshot"] -image::images/workflow.png[Elastic Security workflow] - -Here's an overview of the flow and its components: - -* Data is shipped from your hosts to {es} in the following ways: -** <>: {agent} integration that -protects your hosts <> and ships these data sets: -*** *Windows*: Process, network, file, DNS, registry, DLL and driver loads, -malware security detections, API -*** *Linux/macOS*: Process, network, file -** {integrations-docs}[{integrations}]: Integrations are a streamlined way to send your data to the {stack}. Integrations are available for popular services and platforms, like Nginx, AWS, and MongoDB, as well as many generic input types like log files. -** https://www.elastic.co/integrations?solution=security[Beat modules]: {beats} -are lightweight data shippers. Beat modules provide a way of collecting and -parsing specific data sets from common sources, such as cloud and OS events, -logs, and metrics. Common security-related modules are listed -<>. -* The {security-app} in {kib} is used to manage the *Detection engine*, -*Cases*, and *Timeline*, as well as administer hosts running {elastic-defend}: -** Detection engine: Automatically searches for suspicious host and network -activity via the following: -*** <>: Periodically search the data -({es} indices) sent from your hosts for suspicious events. When a suspicious -event is discovered, an alert is generated. External systems, such as -Slack and email, can be used to send notifications when alerts are generated. -You can create your own rules and make use of our <>. -*** <>: Reduce noise and the number of -false positives. Exceptions are associated with rules and prevent alerts when -an exception's conditions are met. *Value lists* contain source event -values that can be used as part of an exception's conditions. When -{elastic-defend} is installed on your hosts, you can add malware exceptions -directly to the endpoint from the Security app. 
-*** <>: Automatic anomaly detection of host and network events. Anomaly scores are provided per host and can be used with detection rules. -** <>: Workspace for investigating alerts and events. -Timelines use queries and filters to drill down into events related to -a specific incident. Timeline templates are attached to rules and use predefined -queries when alerts are investigated. Timelines can be saved and shared with -others, as well as attached to Cases. -** <>: An internal system for opening, tracking, and sharing -security issues directly in the Security app. Cases can be integrated with -external ticketing systems. -** <>: View and manage hosts running {elastic-defend}. - -<> and <> describe how to ship security-related -data to {es}. +[[siem-integration]] +=== Learn more + +* <>: Learn about system requirements, workspaces, configuration, and data ingestion. +* <>: Navigate {elastic-sec}'s various tools and interfaces. +* <>: Use {elastic-sec}'s detection engine with custom and prebuilt rules. +* <>: Enable cloud native security capabilities such as Cloud and Kubernetes security posture management, cloud native vulnerability management, and cloud workload protection for Kubernetes and VMs. +* <>: Enable key endpoint protection capabilities like event collection and malicious activity prevention. +* https://www.elastic.co/products/stack/machine-learning[{ml-cap}]: Enable built-in {ml} tools to help you identify malicious behavior. +* <>: Leverage {elastic-sec}'s detection engine and {ml} capabilities to generate comprehensive risk analytics for hosts and users. +* <>: Ask AI Assistant questions about how to use {elastic-sec}, how to understand particular alerts and other documents, and how to write {esql} queries. +* <>: Learn how to structure data for use with {elastic-sec}. 
+[discrete] +[[elastic-search-and-kibana]] +=== {es} and {kib} -For more background information, see: +{elastic-sec} uses {es} for data storage, management, and search, and {kib} is its main user interface. Learn more: * https://www.elastic.co/products/elasticsearch[{es}]: A real-time, -distributed storage, search, and analytics engine. {es} excels at indexing -streams of semi-structured data, such as logs or metrics. +distributed storage, search, and analytics engine. {elastic-sec} stores your data using {es}. * https://www.elastic.co/products/kibana[{kib}]: An open-source analytics and -visualization platform designed to work with {es}. You use {kib} to search, -view, and interact with data stored in {es} indices. You can easily perform -advanced data analysis and visualize your data in a variety of charts, tables, -and maps. - -[discrete] -=== Compatibility with cold tier nodes - -Cold tier is a {ref}/data-tiers.html[data tier] that holds time series data that is accessed only occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices: - -* Index patterns specified in `securitySolution:defaultIndex` -* Index patterns specified in the definitions of detection rules, except for indicator match rules -* Index patterns specified in the data sources selector on various {security-app} pages - -{elastic-sec} does NOT support cold tier data for the following {es} indices: - -* Index patterns controlled by {elastic-sec}, including signals and list indices -* Index patterns specified in indicator match rules - -Using cold tier data for unsupported indices may result in detection rule timeouts and overall performance degradation. - -[discrete] -=== Additional {elastic-defend} information - -The https://www.elastic.co/endpoint-security/[{elastic-defend} integration] -for {agent} provides capabilities such as collecting events, detecting and preventing -malicious activity, exceptions, and artifact delivery. 
The -{fleet-guide}/fleet-overview.html[{fleet}] app is used to -install and manage {agents} and integrations on your hosts. +visualization platform designed to work with {es} and {elastic-sec}. {kib} allows you to search, +view, analyze and visualize data stored in {es} indices. [discrete] [[self-protection]] ==== Elastic Endpoint self-protection -Self-protection means that {elastic-endpoint} has guards against users and attackers that may try to interfere with its functionality. This protection feature is consistently enhanced to prevent attackers who may attempt to use newer, more sophisticated tactics to interfere with the {elastic-endpoint}. Self-protection is enabled by default when {elastic-endpoint} installs on supported platforms, listed below. - -Self-protection is enabled on the following 64-bit Windows versions: - -* Windows 8.1 -* Windows 10 -* Windows 11 -* Windows Server 2012 R2 -* Windows Server 2016 -* Windows Server 2019 -* Windows Server 2022 - -Self-protection is also enabled on the following macOS versions: - -* macOS 10.15 (Catalina) -* macOS 11 (Big Sur) -* macOS 12 (Monterey) - -NOTE: Other Windows and macOS variants (and all Linux distributions) do not have self-protection. - -For {stack} version >= 7.11.0, self-protection defines the following permissions: - -* Users -- even Administrator/root -- *cannot* delete {elastic-endpoint} files (located at `c:\Program Files\Elastic\Endpoint` on Windows, and `/Library/Elastic/Endpoint` on macOS). -* Users *cannot* terminate the {elastic-endpoint} program or service. -* Administrator/root users *can* read the Endpoint's files. On Windows, the easiest way to read Endpoint files is to start an Administrator `cmd.exe` prompt. On macOS, an Administrator can use the `sudo` command. -* Administrator/root users *can* stop the {elastic-agent}'s service. On Windows, run the `sc stop "Elastic Agent"` command. On macOS, run the `sudo launchctl stop elastic-agent` command. 
- - -[discrete] -[[siem-integration]] -=== Integration with other Elastic products - -You can use {elastic-sec} with other Elastic products and features to help you -identify and investigate suspicious activity: - -* https://www.elastic.co/products/stack/machine-learning[{ml-cap}] -* https://www.elastic.co/products/stack/alerting[Alerting] -* https://www.elastic.co/products/stack/canvas[Canvas] - - - -[discrete] -[[data-sources]] -=== APM transaction data sources - -By default, {elastic-sec} monitors {apm-app-ref}/apm-getting-started.html[APM] -`apm-*-transaction*` indices. To add additional APM indices, update the -index patterns in the `securitySolution:defaultIndex` setting ({kib} -> Stack Management -> Advanced Settings -> `securitySolution:defaultIndex`). - -[discrete] -[[ecs-compliant-reqs]] -=== ECS compliance data requirements - -The {ecs-ref}[Elastic Common Schema (ECS)] defines a common set of fields to be used for -storing event data in Elasticsearch. ECS helps users normalize their event data -to better analyze, visualize, and correlate the data represented in their -events. {elastic-sec} supports events and indicator index data from any ECS-compliant data source. - -IMPORTANT: {elastic-sec} requires {ecs-ref}[ECS-compliant data]. If you use third-party data collectors to ship data to {es}, the data must be mapped to ECS. -<> lists ECS fields used in {elastic-sec}. +For information about {elastic-endpoint}'s tamper-protection features, refer to <>. \ No newline at end of file diff --git a/docs/management/admin/endpoint-self-protection.asciidoc b/docs/management/admin/endpoint-self-protection.asciidoc new file mode 100644 index 0000000000..fd2db8272b --- /dev/null +++ b/docs/management/admin/endpoint-self-protection.asciidoc 
@@ -0,0 +1,29 @@ +[[endpoint-self-protection]] += Endpoint self-protection features + +{elastic-endpoint} protects itself against users and attackers that may try to interfere with its functionality. Protection features are consistently enhanced to prevent attackers who may attempt to use newer, more sophisticated tactics to interfere with the {elastic-endpoint}. Self-protection is enabled by default when {elastic-endpoint} installs on supported platforms, listed below. + +Self-protection is enabled on the following 64-bit Windows versions: + +* Windows 8.1 +* Windows 10 +* Windows 11 +* Windows Server 2012 R2 +* Windows Server 2016 +* Windows Server 2019 +* Windows Server 2022 + +Self-protection is also enabled on the following macOS versions: + +* macOS 10.15 (Catalina) +* macOS 11 (Big Sur) +* macOS 12 (Monterey) + +NOTE: Other Windows and macOS variants (and all Linux distributions) do not have self-protection. + +For {stack} version >= 7.11.0, self-protection defines the following permissions: + +* Users -- even Administrator/root -- *cannot* delete {elastic-endpoint} files (located at `c:\Program Files\Elastic\Endpoint` on Windows, and `/Library/Elastic/Endpoint` on macOS). +* Users *cannot* terminate the {elastic-endpoint} program or service. +* Administrator/root users *can* read the Endpoint's files. On Windows, the easiest way to read Endpoint files is to start an Administrator `cmd.exe` prompt. On macOS, an Administrator can use the `sudo` command. +* Administrator/root users *can* stop the {elastic-agent}'s service. On Windows, run the `sc stop "Elastic Agent"` command. On macOS, run the `sudo launchctl stop elastic-agent` command. diff --git a/docs/management/manage-intro.asciidoc b/docs/management/manage-intro.asciidoc index 25ee38ef44..724352fd44 100644 --- a/docs/management/manage-intro.asciidoc +++ b/docs/management/manage-intro.asciidoc 
@@ -15,4 +15,5 @@ include::{security-docs-root}/docs/management/admin/event-filters.asciidoc[level include::{security-docs-root}/docs/management/admin/host-isolation-exceptions.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/blocklist.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-artifacts.asciidoc[leveloffset=+1] -include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1] \ No newline at end of file +include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1] +include::{security-docs-root}/docs/management/admin/endpoint-self-protection.asciidoc[leveloffset=+1]
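Review bot: in the rules-ui-create.asciidoc hunk the removed and added IMPORTANT lines are indistinguishable as rendered here (the cross-reference target inside `<>` has been stripped), so the retargeted link cannot be reviewed from the diff alone; since the same patch deletes the `[[ecs-compliant-reqs]]` anchor from es-overview.asciidoc, please state in the PR description which anchor the xref now points at and confirm it resolves in a docs build. While touching the line, `and so it must contain a `@timestamp` field` reads better as `and so must contain a `@timestamp` field`, as "Data" is already the subject of the sentence.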
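Review bot: in the es-overview.asciidoc hunk the retained `==== Elastic Endpoint self-protection` heading (level 4) now sits directly under the new `=== {es} and {kib}` section, where it reads as a subsection of the Elasticsearch/Kibana description; either promote it to `===` or fold the one-line pointer into the endpoint protection bullet of the new "Learn more" list. The hunk also removes the `[[data-sources]]` and `[[ecs-compliant-reqs]]` anchors and reassigns `[[siem-integration]]` to the "Learn more" heading, so every `<<data-sources>>`, `<<ecs-compliant-reqs>>` and `<<siem-integration>>` xref elsewhere in the docs must be retargeted or it will break the build or land readers on an unrelated list (the rules-ui-create.asciidoc change looks like one such fix). Dropped with the section, and not relocated anywhere in this patch, is the cold-tier guidance that signals and list indices and indicator match rule index patterns are unsupported on cold tier and that using them there causes detection rule timeouts; that is an operational limitation detection engineers need, so move it to a configuration or requirements page rather than deleting it. Minor: `Elastic Security provides:` stays literal while the new intro uses `{elastic-sec}`, so use the attribute consistently; add the serial comma in `view, analyze and visualize`; and restore the trailing newline flagged by `\ No newline at end of file`.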
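Review bot: in the new endpoint-self-protection.asciidoc the NOTE that other Windows and macOS variants and all Linux distributions have no self-protection states the gap but not its consequence; add a sentence telling readers that on those platforms a privileged user can stop or remove {elastic-endpoint}, so they should watch agent health in {fleet} for hosts that unexpectedly go offline or unenroll. The supported-version lists and the `>= 7.11.0` condition are carried over verbatim from the section deleted in es-overview.asciidoc; since this is now a standalone page, confirm both are still current before publishing. Minor: `users and attackers that may try` should be `who may try`, and `c:\Program Files\Elastic\Endpoint` is conventionally written `C:\Program Files\Elastic\Endpoint`.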
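Review bot: the manage-intro.asciidoc hunk rewrites the otherwise unchanged `allowlist-endpoint-3rd-party-av.asciidoc` include only to add the trailing newline that was missing (`\ No newline at end of file`), which is fine but worth a word in the PR so the apparent change to that line is understood as whitespace-only. The added include is what makes the new `[[endpoint-self-protection]]` anchor resolvable from the pointer added in es-overview.asciidoc, so this file must be part of the same backport as the other three.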