User/host details flyouts + Asset criticality #4939

Merged: 2 commits, Mar 22, 2024
Expand Up @@ -9,6 +9,7 @@ Advanced Entity Analytics provides two key capabilities:
* <<advanced-behavioral-detections, Advanced behavioral detections>>

include::entity-risk-scoring.asciidoc[leveloffset=+1]
include::asset-criticality.asciidoc[leveloffset=+2]
include::turn-on-risk-engine.asciidoc[leveloffset=+2]
include::analyze-risk-score-data.asciidoc[leveloffset=+2]
include::advanced-behavioral-detections.asciidoc[leveloffset=+1]
86 changes: 82 additions & 4 deletions docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc
Expand Up @@ -8,6 +8,7 @@ The {security-app} provides several options to monitor the change in the risk po
* <<alert-details-flyout, Alert details flyout>>
* <<hosts-users-pages, Hosts and Users pages>>
* <<host-user-details-pages, Host and user details pages>>
* <<host-and-user-details-flyouts, Host and user details flyouts>>

TIP: We recommend that you prioritize <<alert-triaging, alert triaging>> to identify anomalies or abnormal behavior patterns.

Expand All @@ -23,22 +24,90 @@ image::dashboards/images/entity-dashboard.png[Entity Analytics dashboard]
[discrete]
[[alert-triaging]]
== Alert triaging
You can prioritize alert triaging to analyze alerts associated with risky entities using the following features in the {security-app}.
You can prioritize alert triaging to analyze alerts associated with risky or business-critical entities using the following features in the {security-app}.

[discrete]
[[alerts-page]]
=== Alerts page

Use the Alerts table to investigate and analyze host and user risk levels and scores. We recommend adding the `user.risk.calculated_level` and `host.risk.calculated_level` columns to the Alerts table to easily display this data. To do this, select **Fields**, search for `user.risk` and `host.risk`, then select the appropriate fields from the list. Learn more about <<customize-the-alerts-table, customizing the Alerts table>>.
Use the Alerts table to investigate and analyze:

* Host and user risk levels
* Host and user risk scores
* Asset criticality

To display entity risk score and asset criticality data in the Alerts table, select **Fields**, and add the following:

* `user.risk.calculated_level` or `host.risk.calculated_level`
* `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm`
* `user.asset.criticality` or `host.asset.criticality`

Learn more about <<customize-the-alerts-table, customizing the Alerts table>>.

[role="screenshot"]
image::images/alerts-table-rs.png[Risk scores in the Alerts table]

You can use the drop-down filter controls to filter alerts by their risk score level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`:
[discrete]
==== Triage alerts associated with high-risk entities

To analyze alerts associated with high-risk entities, you can filter or group them by entity risk level.

* Use the drop-down filter controls to filter alerts by entity risk level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`:
+
[role="screenshot"]
image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level]

* To group alerts by entity risk level, select **Group alerts by**, then select **Custom field** and search for `host.risk.calculated_level` or `user.risk.calculated_level`.
+
[role="screenshot"]
image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels]

** You can further sort the grouped alerts by highest entity risk score:
+
--
... Expand a risk level group, for example **High**.
... Select **Sort fields** → **Pick fields to sort by**.
... Select fields in the following order:
.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low**
.... `Risk score`: **High-Low**
.... `@timestamp`: **New-Old**
--
+
[role="screenshot"]
image::images/hrl-sort-by-host-risk-score.png[High-risk alerts sorted by host risk score]

[discrete]
[[triage-alerts-associated-with-business-critical-entities]]
==== Triage alerts associated with business-critical entities

To analyze alerts associated with business-critical entities, you can filter or group them by entity asset criticality.

NOTE: If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level.

* Use the drop-down filter controls to filter alerts by asset criticality level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.asset.criticality` or `host.asset.criticality`:
+
[role="screenshot"]
image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level]

* To group alerts by asset criticality level, select **Group alerts by**, then select **Custom field** and search for `host.asset.criticality` or `user.asset.criticality`.
+
[role="screenshot"]
image::images/group-by-asset-criticality.png[Alerts grouped by entity asset criticality levels]

** You can further sort the grouped alerts by highest entity risk score:
+
--
... Expand an asset criticality group, for example **high_impact**.
... Select **Sort fields** → **Pick fields to sort by**.
... Select fields in the following order:
.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low**
.... `Risk score`: **High-Low**
.... `@timestamp`: **New-Old**
--
+
[role="screenshot"]
image::images/ac-sort-by-host-risk-score.png[High-impact alerts sorted by host risk score]

[discrete]
[[alert-details-flyout]]
=== Alert details flyout
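Review bot: the two sort-field lists are missing a space before "or" (`host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`), once in the high-risk subsection and once in the business-critical subsection. In the same region, the "Triage alerts associated with high-risk entities" heading has no `[[...]]` anchor while its sibling "Triage alerts associated with business-critical entities" does, so the high-risk procedure cannot be cross-referenced the way the asset-criticality page cross-references the business-critical one; suggest adding `[[triage-alerts-associated-with-high-risk-entities]]` above it. Finally, the second sort key `Risk score` sits next to the entity score field and presumably refers to the alert's own `kibana.alert.risk_score`; saying so in the step would avoid readers confusing the per-alert score with the entity score they just sorted by.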
Expand Down Expand Up @@ -78,4 +147,13 @@ image::images/host-details-overview.png[Host risk data in the Overview section o
* On the **Host risk** or **User risk** tab:
+
[role="screenshot"]
image::images/host-details-hr-tab.png[Host risk data on the Host risk tab of the host details page]
image::images/host-details-hr-tab.png[Host risk data on the Host risk tab of the host details page]

[discrete]
[[host-and-user-details-flyouts]]
=== Host and user details flyouts

In the host details and user details flyouts, you can access the risk score data in the risk summary section:

[role="screenshot"]
image::images/risk-summary.png[Host risk data in the Host risk summary section]
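Review bot: "the risk summary section" in the new flyouts section should be cross-linked to the `<<host-risk-summary>>` anchor that entity-risk-scoring.asciidoc uses in this same PR, so a reader who reaches the flyout section lands on the explanation of the **Alerts** and **Asset Criticality** categories instead of a bare screenshot. The duplicated final `image::images/host-details-hr-tab.png` line is just the missing-trailing-newline fix and needs no change.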
77 changes: 77 additions & 0 deletions docs/advanced-entity-analytics/asset-criticality.asciidoc
@@ -0,0 +1,77 @@
[[asset-criticality]]
= Asset criticality

.Requirements
[sidebar]
--
To view and assign asset criticality, you must:

* Have the appropriate user role.
* Turn on the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.

For more information, refer to <<ers-requirements, Entity risk scoring prerequisites>>.
--

The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities.

You can assign one of the following asset criticality levels to your entities, based on their impact:

* Low impact
* Medium impact
* High impact
* Extreme impact

For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture.

[discrete]
== View and assign asset criticality

Entities do not have a default asset criticality level. You can view, assign, and change asset criticality from the following places in the {elastic-sec} app:

* The <<host-details-page, host details page>> and <<user-details-page, user details page>>:
+
[role="screenshot"]
image::images/assign-asset-criticality-host-details.png[Assign asset criticality from the host details page]

* The <<host-details-flyout, host details flyout>> and <<user-details-flyout, user details flyout>>:
+
[role="screenshot"]
image::images/assign-asset-criticality-host-flyout.png[Assign asset criticality from the host details flyout]

* The host details flyout and user details flyout in <<timelines-ui, Timeline>>:
+
[role="screenshot"]
image::images/assign-asset-criticality-timeline.png[Assign asset criticality from the host details flyout in Timeline]

[discrete]
== Improve your security operations

With asset criticality, you can improve your security operations by:

* <<prioritize-open-alerts, Prioritizing open alerts>>
* <<monitor-entity-risk, Monitoring an entity's risk>>

[discrete]
[[prioritize-open-alerts]]
=== Prioritize open alerts

You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities.

Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to <<triage-alerts-associated-with-business-critical-entities, prioritize alerts associated with high-impact entities>>.

[discrete]
[[monitor-entity-risk]]
=== Monitor an entity's risk

The risk scoring engine dynamically factors in an entity's asset criticality, along with `Open` and `Acknowledged` detection alerts to <<how-is-risk-score-calculated, calculate the entity's overall risk score>>. This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats.

To view the impact of asset criticality on an entity's risk score, follow these steps:

. Open the <<host-details-flyout, host details flyout>> or <<user-details-flyout, user details flyout>>. The risk summary section shows asset criticality's contribution to the overall risk score.
. Click **View risk contributions** to open the flyout's left panel.
. In the **Risk contributions** section, verify the entity's criticality level from the time the alert was generated.

NOTE: The risk summary and **Risk contributions** sections display an entity's asset criticality from the latest risk scoring execution. If you change the asset criticality level, subsequent risk calculations will automatically factor in the newest criticality level.

[role="screenshot"]
image::images/asset-criticality-impact.png[View asset criticality impact on host risks core]
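Review bot: step 3 of "Monitor an entity's risk" says to "verify the entity's criticality level from the time the alert was generated", but the NOTE directly under it says the **Risk contributions** section shows the criticality "from the latest risk scoring execution"; these cannot both hold, and for triage it matters which one the panel shows (the level snapshotted into the alert document, per the NOTE in analyze-risk-score-data.asciidoc, or the current level). Pick one and make the step and the NOTE agree. Two smaller points in the same file: the screenshot alt text "host risks core" should read "host risk score", and "Have the appropriate user role" in the Requirements sidebar could link straight to the new Asset criticality privileges subsection in ers-req.asciidoc (`read` / `read` and `write` on `.asset-criticality.asset-criticality-<space-id>`) rather than only to the generic prerequisites page.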
82 changes: 82 additions & 0 deletions docs/advanced-entity-analytics/entity-risk-scoring.asciidoc
Expand Up @@ -9,5 +9,87 @@ Entity risk scoring allows you to monitor risk score changes of hosts and users

It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {elastic-sec} use cases, and allows you to customize and control how and when risk is calculated.

[discrete]
== Risk scoring inputs

Entity risk scores are determined by the following risk inputs:

* <<alerts-ui-manage, Alerts>>, stored in the `.alerts-security.alerts-<space-id>` index alias
* <<asset-criticality, Asset criticality level>>, stored in the `.asset-criticality.asset-criticality-<space-id>` index alias

The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias.

[NOTE]
======
* Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score.
* To use asset criticality, you must enable the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
======

[discrete]
[[how-is-risk-score-calculated]]
== How is risk score calculated?

The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. It groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.

The engine then verifies the entity's <<asset-criticality, asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level:

[width="100%",options="header"]
|==============================================
|Asset criticality level |Default risk weight

|Low impact |0.5
|Medium impact |1
|High impact |1.5
|Extreme impact |2

|==============================================

NOTE: Asset criticality levels and default risk weights are subject to change.

The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.

Based on the two risk inputs, the risk scoring engine generates a single numeric value, normalized to a 0-100 range, as the entity risk score. It assigns a risk level by mapping the normalized risk score to one of these levels:

[width="100%",options="header"]
|==============================================
|Risk level |Risk score

|Unknown |< 20
|Low |20-40
|Moderate |40-70
|High |70-90
|Critical |> 90

|==============================================

.Click for a risk score calculation example
[%collapsible]
====
This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**.
There are 5 open alerts associated with `User_A`:
* Alert 1 with alert risk score 21
* Alert 2 with alert risk score 45
* Alert 3 with alert risk score 21
* Alert 4 with alert risk score 70
* Alert 5 with alert risk score 21
To calculate the user risk score, the risk scoring engine:
. Sorts the associated alerts in descending order of alert risk score:
** Alert 4 with alert risk score 70
** Alert 2 with alert risk score 45
** Alert 1 with alert risk score 21
** Alert 3 with alert risk score 21
** Alert 5 with alert risk score 21
. Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category.
. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**.
. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95.
. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level.
If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16.
====

Learn how to <<turn-on-risk-engine, turn on the latest risk scoring engine>>.
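Review bot: the worked example does not show how the default risk weight of 2 for **Extreme impact** (from the table above it) produces an asset criticality contribution of 16.95 on an aggregated alert score of 36.16; a reader who takes "default risk weight" as a multiplier will expect 72.32, not 53.11. Either state the relationship between the weight and the contribution, or say explicitly that the weight enters a normalized formula rather than scaling the score directly. Two presentation issues in the same collapsible block: the `*`, `.` and `**` list lines directly follow paragraph lines with no blank line in between, and Asciidoctor treats such lines as continuation of the preceding paragraph rather than as lists, so the example will render as run-on text; add a blank line before each list. Also, the risk-level table leaves the boundary values 20, 40, 70 and 90 ambiguous (Low is `20-40`, Moderate is `40-70`); this is inherited from the table removed from turn-on-risk-engine.asciidoc, but since the table is moving anyway, use inclusive/exclusive notation (for example `20 to <40`).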

Binary file modified docs/advanced-entity-analytics/images/alerts-table-rs.png
14 changes: 0 additions & 14 deletions docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc
Expand Up @@ -5,20 +5,6 @@ beta[]

IMPORTANT: To use entity risk scoring, your role must have the appropriate privileges. For more information, refer to <<ers-requirements, Entity risk scoring prerequisites>>.

The latest risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` <<alerts-ui-manage, alerts>> from the last 30 days, and assigns risk score to the host or user. It then aggregates the individual risk scores and normalizes them to a 0-100 range. The engine assigns a risk level by mapping the normalized risk score to one of these levels:

[width="100%",options="header"]
|==============================================
|Risk level |Risk score

|Unknown |< 20
|Low |20-40
|Moderate |40-70
|High | 70-90
|Critical | > 90

|==============================================

[discrete]
== Preview risky entities
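Review bot: with the scoring paragraph and the risk-level table removed, this page now jumps from the IMPORTANT admonition straight to "Preview risky entities" and no longer tells the reader where the calculation is described. Add a one-line pointer such as "To learn how risk scores are calculated, refer to <<how-is-risk-score-calculated, How is risk score calculated?>>." so the `<<alerts-ui-manage, alerts>>` context and the hourly / 30-day description that lived here remain one click away.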

2 changes: 2 additions & 0 deletions docs/detections/alerts-ui-manage.asciidoc
Expand Up @@ -24,6 +24,8 @@ image::images/view-alert-details.png[View details button, 200]

* View the rule that created an alert. Click a name in the *Rule* column to open the rule's details page.

* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the <<host-details-flyout, host details flyout>>, or a user name to open the <<user-details-flyout, user details flyout>>.

* Filter for a specific rule in the KQL bar (for example, `kibana.alert.rule.name :"SSH (Secure Shell) from the Internet"`). KQL autocomplete is available for `.alerts-security.alerts-*` indices.

* Use the date and time filter to define a specific time range. By default, this filter is set to search the last 24 hours.
5 changes: 5 additions & 0 deletions docs/getting-started/advanced-setting.asciidoc
Expand Up @@ -109,6 +109,11 @@ retrieved.

The `securitySolution:enableExpandableFlyout` setting enables the expandable alert details flyout on the Alerts page. This setting is turned on by default. Turn it off to apply the simplified alert details flyout design that was used in {elastic-sec} 8.9 and earlier.

[discrete]
[[enable-asset-criticality]]
== Enable asset criticality workflows
The `securitySolution:enableAssetCriticality` setting determines whether asset criticality is included as a risk input to entity risk scoring. This setting is turned off by default. Turn it on to enable asset criticality workflows and to use asset criticality as part of entity risk scoring.

[discrete]
[[exclude-cold-frozen-tiers]]
== Exclude cold and frozen tier data from analyzer queries
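Review bot: the new "Enable asset criticality workflows" section should say what happens when `securitySolution:enableAssetCriticality` is turned off after criticality levels have been assigned, because the Known limitations added to ers-req.asciidoc in this PR state "You cannot disable asset criticality as a risk input". As written, a reader cannot tell whether the setting is a kill switch (stored levels stop contributing to risk scores and stop enriching new alerts) or only hides the assignment UI while the stored levels keep feeding the engine; an admin auditing unexpected risk-score changes needs that distinction spelled out here or in the limitations.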
30 changes: 25 additions & 5 deletions docs/getting-started/ers-req.asciidoc
@@ -1,12 +1,15 @@
[[ers-requirements]]
= Entity risk scoring prerequisites

To use entity risk scoring, your role must have certain cluster, index, and {kib} privileges. This feature requires a https://www.elastic.co/pricing[Platinum subscription] or higher.
To use entity risk scoring and asset criticality, your role must have certain cluster, index, and {kib} privileges. These features require a https://www.elastic.co/pricing[Platinum subscription] or higher.

This page covers the requirements and guidelines for using the entity risk scoring feature, as well as its known limitations.
This page covers the requirements and guidelines for using the entity risk scoring and asset criticality features, as well as their known limitations.

[discrete]
== Privileges
== Entity risk scoring

[discrete]
=== Privileges

To turn on the risk scoring engine, you need the following privileges:

Expand All @@ -26,7 +29,7 @@ a|
|==============================================

[discrete]
== {es} resource guidelines
=== {es} resource guidelines

Follow these guidelines to ensure clusters have adequate memory to handle data volume:

Expand All @@ -35,8 +38,25 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v
* With 1GB of JVM heap, the risk scoring engine can safely process around 20 million documents, or 30 days of risk data with an ingest rate of around 450 documents per minute.

[discrete]
== Known limitations
=== Known limitations

* You can only enable the risk scoring engine in a single {kib} space within a cluster.

* The risk scoring engine uses an internal user role to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores.

[discrete]
== Asset criticality

To use the asset criticality feature, turn on the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.

[discrete]
=== Privileges

* To view an entity's asset criticality, you need the `read` privilege for the `.asset-criticality.asset-criticality-<space-id>` index.

* To view, assign, or change an entity's asset criticality, you need the `read` and `write` privileges for the `.asset-criticality.asset-criticality-<space-id>` index.

[discrete]
=== Known limitations

* You cannot disable asset criticality as a risk input. Once assigned, an asset criticality level can be changed but not unassigned.
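Review bot: the Asset criticality privileges bullets only cover the `.asset-criticality.asset-criticality-<space-id>` index, but the asset-criticality page in this PR says every subsequent alert for an entity is enriched with its criticality level, and analyze-risk-score-data.asciidoc has readers add `user.asset.criticality` / `host.asset.criticality` columns to the Alerts table. A user with `read` on `.alerts-security.alerts-<space-id>` therefore sees criticality levels in alert documents regardless of whether they hold `read` on the asset-criticality index; state this so admins do not assume the index privilege controls who can see which entities are business-critical. The existing "Known limitations" bullet above about the engine using an internal user and ignoring custom role privileges makes the same point for risk scores and could be referenced here.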
Binary file modified docs/getting-started/images/users/user-details-pg.png