diff --git a/docs/AI-for-security/attack-discovery.asciidoc b/docs/AI-for-security/attack-discovery.asciidoc index 4b2c109d17..d04eb22f7f 100644 --- a/docs/AI-for-security/attack-discovery.asciidoc +++ b/docs/AI-for-security/attack-discovery.asciidoc @@ -88,7 +88,7 @@ image::images/attck-disc-example-disc.png[Attack Discovery detail view] There are several ways you can incorporate discoveries into your {elastic-sec} workflows: -* Click an entity's name to open the user or host details flyout and view more details that may be relevant to your investigation. +* Click an entity's name to open the entity details flyout and view more details that may be relevant to your investigation. * Hover over an entity's name to either add the entity to Timeline (image:images/icon-add-to-timeline.png[Add to timeline icon,17,18]) or copy its field name and value to the clipboard (image:images/icon-copy.png[Copy to clipboard icon,17,18]). * Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a <>. This makes it easy to share the information with your team and other stakeholders. * Click **Investigate in timeline** to explore the discovery in <>. diff --git a/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc b/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc index 0e88474fb4..7f0999dddc 100644 --- a/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc +++ b/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc 
@@ -1,7 +1,7 @@ [[advanced-entity-analytics-overview]] = Advanced Entity Analytics -Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity's environment. This feature combines the power of the SIEM detection engine and Elastic's {ml} capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts and users. +Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity's environment. This feature combines the power of the SIEM detection engine and Elastic's {ml} capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts, users, and services. Advanced Entity Analytics provides two key capabilities: @@ -11,6 +11,7 @@ Advanced Entity Analytics provides two key capabilities: include::entity-risk-scoring.asciidoc[leveloffset=+1] include::ers-req.asciidoc[leveloffset=+2] include::turn-on-risk-engine.asciidoc[leveloffset=+2] +include::view-entity-details.asciidoc[leveloffset=+2] include::asset-criticality.asciidoc[leveloffset=+2] include::entity-store.asciidoc[leveloffset=+2] include::analyze-risk-score-data.asciidoc[leveloffset=+2] diff --git a/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc b/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc index 33418d4403..0aaa5850e5 100644 --- a/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc +++ b/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc @@ -8,7 +8,7 @@ The {security-app} provides several options to monitor the change in the risk po * <> * <> * <> -* <> +* <> TIP: We recommend that you prioritize <> to identify anomalies or abnormal behavior patterns. 
@@ -18,10 +18,7 @@ TIP: We recommend that you prioritize <> to iden From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page. -If you have enabled the <>, the dashboard also displays the <>, where you can view all hosts and users along with their risk and asset criticality data. - -[role="screenshot"] -image::dashboards/images/entity-dashboard.png[Entity Analytics dashboard] +If you have enabled the <>, the dashboard also displays the <>, where you can view all hosts, users, and services along with their risk and asset criticality data. [discrete] [[alert-triaging]] @@ -34,15 +31,15 @@ You can prioritize alert triaging to analyze alerts associated with risky or bus Use the Alerts table to investigate and analyze: -* Host and user risk levels -* Host and user risk scores +* Host, user, and service risk levels +* Host, user, and service risk scores * Asset criticality To display entity risk score and asset criticality data in the Alerts table, select **Fields**, and add the following: -* `user.risk.calculated_level` or `host.risk.calculated_level` -* `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm` -* `user.asset.criticality` or `host.asset.criticality` +* `user.risk.calculated_level`, `host.risk.calculated_level`, or `service.risk.calculated_level` +* `user.risk.calculated_score_norm`, `host.risk.calculated_score_norm`, or `service.risk.calculated_score_norm` +* `user.asset.criticality`, `host.asset.criticality`, or `service.asset.criticality` Learn more about <>. 
@@ -59,24 +56,24 @@ NOTE: If you change the entity's criticality level after an alert is generated, * Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, <> to filter by: -** `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level: +** `user.risk.calculated_level`, `host.risk.calculated_level`, or `service.risk.calculated_level` for entity risk level: + [role="screenshot"] image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level] -** `user.asset.criticality` or `host.asset.criticality` for asset criticality level: +** `user.asset.criticality`, `host.asset.criticality`, or `service.asset.criticality` for asset criticality level: + [role="screenshot"] image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level] * To group alerts by entity risk level or asset criticality level, select **Group alerts by**, then select **Custom field** and search for: -** `host.risk.calculated_level` or `user.risk.calculated_level` for entity risk level: +** `host.risk.calculated_level`, `user.risk.calculated_level`, or `service.risk.calculated_level` for entity risk level: + [role="screenshot"] image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels] -** `host.asset.criticality` or `user.asset.criticality` for asset criticality level: +** `host.asset.criticality`, `user.asset.criticality`, or `service.asset.criticality` for asset criticality level: + [role="screenshot"] image::images/group-by-asset-criticality.png[Alerts grouped by entity asset criticality levels] 
@@ -87,7 +84,7 @@ image::images/group-by-asset-criticality.png[Alerts grouped by entity asset crit ... Expand a risk level group (for example, **High**) or an asset criticality group (for example, **high_impact**). ... Select **Sort fields** → **Pick fields to sort by**. ... Select fields in the following order: -.... `host.risk.calculated_score_norm` or `user.risk.calculated_score_norm`: **High-Low** +.... `host.risk.calculated_score_norm`, `user.risk.calculated_score_norm` or `service.risk.calculated_score_norm`: **High-Low** .... `Risk score`: **High-Low** .... `@timestamp`: **New-Old** -- @@ -137,10 +134,10 @@ image::images/host-details-overview.png[Host risk data in the Overview section o image::images/host-details-hr-tab.png[Host risk data on the Host risk tab of the host details page] [discrete] -[[host-and-user-details-flyouts]] -=== Host and user details flyouts +[[entity-details-flyouts]] +=== Entity details flyouts -In the host details and user details flyouts, you can access the risk score data in the risk summary section: +In the entity details flyouts, you can access the risk score data in the risk summary section: [role="screenshot"] image::images/risk-summary.png[Host risk data in the Host risk summary section] diff --git a/docs/advanced-entity-analytics/asset-criticality.asciidoc b/docs/advanced-entity-analytics/asset-criticality.asciidoc index 6c75940ed7..e615955650 100644 --- a/docs/advanced-entity-analytics/asset-criticality.asciidoc +++ b/docs/advanced-entity-analytics/asset-criticality.asciidoc 
@@ -34,12 +34,12 @@ You can view, assign, change, or unassign asset criticality from the following p [role="screenshot"] image::images/assign-asset-criticality-host-details.png[Assign asset criticality from the host details page] -* The <> and <>: +* The <>: + [role="screenshot"] image::images/assign-asset-criticality-host-flyout.png[Assign asset criticality from the host details flyout] -* The host details flyout and user details flyout in <>: +* The entity details flyout in <>: + [role="screenshot"] image::images/assign-asset-criticality-timeline.png[Assign asset criticality from the host details flyout in Timeline] @@ -57,8 +57,8 @@ You can bulk assign asset criticality to multiple entities by importing a CSV, T The file must contain three columns, with each entity record listed on a separate row: -. The first column should indicate whether the entity is a `host` or a `user`. -. The second column should specify the entity's `host.name` or `user.name`. +. The first column should indicate whether the entity is a `host`, `user`, or `service`. +. The second column should specify the entity's `host.name`, `user.name`, or `service.name`. . The third column should specify one of the following asset criticality levels: ** `extreme_impact` ** `high_impact` @@ -74,6 +74,7 @@ File structure example: user,user-001,low_impact user,user-002,medium_impact host,host-001,extreme_impact +service,service-001,extreme_impact -------------------------------------------------- To import a file: 
@@ -112,7 +113,7 @@ The risk scoring engine dynamically factors in an entity's asset criticality, al To view the impact of asset criticality on an entity's risk score, follow these steps: -. Open the <> or <>. The risk summary section shows asset criticality's contribution to the overall risk score. +. Open the <>. The risk summary section shows asset criticality's contribution to the overall risk score. . Click **View risk contributions** to open the flyout's left panel. . In the **Risk contributions** section, verify the entity's criticality level from the time the alert was generated. diff --git a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc index 724c4b2eb6..bad597e9be 100644 --- a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc +++ b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc 
@@ -8,7 +8,7 @@ If you’ve installed the original user and host risk score modules, refer to {s Entity risk scoring is an advanced {elastic-sec} analytics feature that helps security analysts detect changes in an entity's risk posture, hunt for new threats, and prioritize incident response. -Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days. +Entity risk scoring allows you to monitor risk score changes of hosts, users, and services in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host, user, and service risk scores from the last 30 days. It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {elastic-sec} use cases, and allows you to customize and control how and when risk is calculated. 
@@ -38,7 +38,7 @@ NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne + NOTE: When <>, you can choose to also include `Closed` alerts in risk scoring calculations. -. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <>. +. The engine groups alerts by `host.name`, `user.name`, or `service.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <>. . The engine then verifies the entity's <>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary. + diff --git a/docs/advanced-entity-analytics/entity-store.asciidoc b/docs/advanced-entity-analytics/entity-store.asciidoc index 2539ffd8d5..1b40565c16 100644 --- a/docs/advanced-entity-analytics/entity-store.asciidoc +++ b/docs/advanced-entity-analytics/entity-store.asciidoc 
@@ -18,11 +18,11 @@ The entity store allows you to query, reconcile, maintain, and persist entity me The entity store can hold any entity type observed by {elastic-sec}. It allows you to view and query select entities represented in your indices without needing to perform real-time searches of observable data. The entity store extracts entities from all indices in the {elastic-sec} <>. -When the entity store is enabled, the following resources are generated for each entity type (hosts and users): +When the entity store is enabled, the following resources are generated for each entity type (hosts, users, and services): * {es} resources, such as transforms, ingest pipelines, and enrich policies. * Data and fields for each entity. -* The `.entities.v1.latest.security_user_` and `.entities.v1.latest.security_host_` indices, which contain field mappings for hosts and users respectively. You can query these indices to see a list of fields that are mapped in the entity store. +* The `.entities.v1.latest.security_user_`, `.entities.v1.latest.security_host_`, and `.entities.v1.latest.security_services_` indices, which contain field mappings for hosts, users, and services respectively. You can query these indices to see a list of fields that are mapped in the entity store. [discrete] [[enable-entity-store]] 
@@ -39,13 +39,19 @@ Once you enable the entity store, the Entity Analytics dashboard displays the << [[clear-entity-store]] == Clear entity store data -Once the entity store is enabled, you may want to clear the stored data and start fresh. For example, if you normalized the `user.name` or `host.name` fields, clearing the entity store data would allow you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis. +Once the entity store is enabled, you may want to clear the stored data and start fresh. For example, if you normalized the `user.name`, `host.name`, or `service.name` fields, clearing the entity store data would allow you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis. Clearing entity store data does not delete your source data, assigned entity risk scores, or asset criticality assignments. -CAUTION: Clearing entity store data permanently deletes persisted user and host records, and data is no longer available for analysis. Proceed with caution, as this cannot be undone. +CAUTION: Clearing entity store data permanently deletes persisted user, host, and service records, and data is no longer available for analysis. Proceed with caution, as this cannot be undone. To clear entity data: . Find **Entity Store** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -. On the **Entity Store** page, select **Clear**. \ No newline at end of file +. On the **Entity Store** page, select **Clear**. + +[discrete] +[[verify-engine-status]] +== Verify engine status + +Once the entity store is enabled, the **Entity Store** page displays the **Engine Status** tab, where you can verify which engines are installed and their statuses. 
This tab shows a list of installed resources for each installed entity. Click the resource link to navigate to the resource page and view more information. \ No newline at end of file diff --git a/docs/advanced-entity-analytics/ers-req.asciidoc b/docs/advanced-entity-analytics/ers-req.asciidoc index 1b3e37d67a..7d17030596 100644 --- a/docs/advanced-entity-analytics/ers-req.asciidoc +++ b/docs/advanced-entity-analytics/ers-req.asciidoc @@ -40,7 +40,7 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v [discrete] === Known limitations -The risk scoring engine uses an internal user role to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores. +The risk scoring engine uses an internal user role to score all hosts, users, and services, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host, user, and service risk scores. [discrete] == Asset criticality diff --git a/docs/advanced-entity-analytics/images/preview-risky-entities.png b/docs/advanced-entity-analytics/images/preview-risky-entities.png deleted file mode 100644 index ce345d40e4..0000000000 Binary files a/docs/advanced-entity-analytics/images/preview-risky-entities.png and /dev/null differ diff --git a/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc b/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc index d9f0583695..ef2af3b88d 100644 --- a/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc +++ b/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc 
@@ -6,15 +6,12 @@ IMPORTANT: To use entity risk scoring, your role must have the appropriate privi [discrete] == Preview risky entities -You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker. +You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts, users, and services found in the 1000 sampled entities during the time frame selected in the date picker. NOTE: The preview is limited to two risk scores per {kib} instance. To preview risky entities, find **Entity Risk Score** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -[role="screenshot"] -image::images/preview-risky-entities.png[Preview of risky entities] - [discrete] == Turn on the latest risk engine diff --git a/docs/advanced-entity-analytics/view-entity-details.asciidoc b/docs/advanced-entity-analytics/view-entity-details.asciidoc new file mode 100644 index 0000000000..39c58ea7dc --- /dev/null +++ b/docs/advanced-entity-analytics/view-entity-details.asciidoc 
@@ -0,0 +1,80 @@ +[[view-entity-details]] += View entity details + +You can lean more about an entity (host, user, or service) from the entity details flyout, which is available throughout the {elastic-sec} app. To access this flyout, click on an entity name in places such as: + +* The Alerts table +* The Entity Analytics dashboard +* The **Users** and user details pages +* The **Hosts** and host details pages + +[discrete] +[[entity-details-flyout]] +== Entity details flyout + +The entity details flyout includes the following sections: + +* <>, which displays entity risk data and inputs. +* <>, which allows you to view and assign asset criticality. +* <>, which displays vulnerabilities or misconfiguration findings for the entity. +* <>, which displays entity details. + +[role="screenshot"] +image::images/host-details-flyout.png[Host details flyout] + +[discrete] +[[entity-risk-summary]] +=== Entity risk summary + +.Requirements +[sidebar] +-- +The entity risk summary section is only available if the <>. +-- + +The entity risk summary section contains a risk summary visualization and table. + +The risk summary visualization shows the entity risk score and risk level. Hover over the visualization to display the **Options** menu. Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. + +The risk summary table shows the category, score, and number of risk inputs that determine the entity risk score. Hover over the table to display the **Inspect** button, which allows you to inspect the table's queries. + +To expand the entity risk summary section, click **View risk contributions**. The left panel displays additional details about the entity's risk inputs: + +* The asset criticality level and contribution score from the latest risk scoring calculation. +* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert's contribution score. 
+ +If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. + +[role="screenshot"] +image::images/host-risk-inputs.png[Host risk inputs] + +[discrete] +[[entity-asset-criticality-section]] +=== Asset Criticality + +The **Asset Criticality** section displays the selected entity's <>. Asset criticality contributes to the overall <>. The criticality level defines how impactful the entity is when calculating the risk score. + +[role="screenshot"] +image::images/host-asset-criticality.png[Asset criticality] + +Click **Assign** to assign a criticality level to the selected entity, or **Change** to change the currently assigned criticality level. + +[discrete] +[[entity-details-insights]] +=== Insights + +The **Insights** section displays <> for the host or <> for the user. Click **Vulnerabilities** or **Misconfigurations** to expand the flyout and view this data. + +image::images/-host-details-insights-expanded.png[Host details flyout with the Vulnerabilities section expanded, 85%] + +[discrete] +[[entity-observed-data]] +=== Observed data + +This section displays details such as the entity ID, when the entity was first and last seen, and the associated IP addresses and operating system. + +[role="screenshot"] +image::images/host-observed-data.png[Host observed data] + + + diff --git a/docs/cloud-native-security/aws-securityhub.asciidoc b/docs/cloud-native-security/aws-securityhub.asciidoc index 292346058e..344a509d8a 100644 --- a/docs/cloud-native-security/aws-securityhub.asciidoc +++ b/docs/cloud-native-security/aws-securityhub.asciidoc 
@@ -15,4 +15,4 @@ image::images/aws-config-finding-logs.png[AWS Security Hub integration settings After you've completed these steps, AWS Security Hub data will appear on the Misconfigurations tab of the <> page. -Any available findings data will also appear in the entity details flyouts for related <>. If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the <>, and <> flyouts. \ No newline at end of file +Any available findings data will also appear in the <> for related alerts. If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the <>. \ No newline at end of file diff --git a/docs/cloud-native-security/ingest-cncf-data.asciidoc b/docs/cloud-native-security/ingest-cncf-data.asciidoc index 9a77fc1834..c849bda49b 100644 --- a/docs/cloud-native-security/ingest-cncf-data.asciidoc +++ b/docs/cloud-native-security/ingest-cncf-data.asciidoc @@ -15,7 +15,7 @@ You can ingest third-party cloud security alerts into {elastic-sec} to view them [discrete] == Ingest third-party security posture and vulnerability data -You can ingest third-party data into {elastic-sec} to review and investigate it alongside data collected by {elastic-sec}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the <> page, on the <>, and in the entity details flyouts for <>, <>, and <>. +You can ingest third-party data into {elastic-sec} to review and investigate it alongside data collected by {elastic-sec}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the <> page, on the <>, and in the <> and <> flyouts. * Learn to <>. diff --git a/docs/cloud-native-security/wiz.asciidoc b/docs/cloud-native-security/wiz.asciidoc index a64303b238..785da98849 100644 --- a/docs/cloud-native-security/wiz.asciidoc +++ b/docs/cloud-native-security/wiz.asciidoc 
@@ -19,5 +19,5 @@ After you've completed these steps, Wiz data will appear on the <>. If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the <>, and <> flyouts. +Any available findings data will also appear in the <> for related alerts. If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the <>. diff --git a/docs/dashboards/entity-dashboard.asciidoc b/docs/dashboards/entity-dashboard.asciidoc index cf3d1c57db..660a4569b6 100644 --- a/docs/dashboards/entity-dashboard.asciidoc +++ b/docs/dashboards/entity-dashboard.asciidoc @@ -17,12 +17,10 @@ The dashboard includes the following sections: * <> * <> * <> +* <> * <> * <> -[role="screenshot"] -image::images/entity-dashboard.png[Entity dashboard] - [[entity-kpis]] [float] == Entity KPIs (key performance indicators) @@ -47,7 +45,7 @@ image::images/user-score-data.png[User risk table] Interact with the table to filter data, view more details, and take action: * Select the *User risk level* menu to filter the chart by the selected level. -* Click a user name link to open the user details flyout. +* Click a user name link to open the entity details flyout. * Hover over a user name link to display inline actions: *Add to timeline*, which adds the selected value to Timeline, and *Copy to Clipboard*, which copies the user name value for you to paste later. * Click *View all* in the upper-right to display all user risk information on the Users page. * Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated user name value. 
@@ -73,13 +71,37 @@ image::images/host-score-data.png[Host risk scores table] Interact with the table to filter data, view more details, and take action: * Select the *Host risk level* menu to filter the chart by the selected level. -* Click a host name link to open the host details flyout. +* Click a host name link to open the entity details flyout. * Hover over a host name link to display inline actions: *Add to timeline*, which adds the selected value to Timeline, and *Copy to Clipboard*, which copies the host name value for you to paste later. * Click *View all* in the upper-right to display all host risk information on the Hosts page. * Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated host name value. For more information about host risk scores, refer to <>. +[[entity-service-risk-scores]] +[float] +== Service Risk Scores + +.Requirements +[sidebar] +-- +To display service risk scores, you must <>. +-- + +Displays service risk score data for your environment, including the total number of services, and the five most recently recorded service risk scores, with their associated service names, risk data, and number of detection alerts. Service risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). + +[role="screenshot"] +image::images/service-risk-scores.png[Service risk scores table] + +Interact with the table to filter data, view more details, and take action: + +* Select the *Service risk level* menu to filter the chart by the selected level. +* Click a service name link to open the service details flyout. 
+* Hover over a service name link to display inline actions: *Add to timeline*, which adds the selected value to Timeline, and *Copy to Clipboard*, which copies the service name value for you to paste later. +* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated service name value. + +For more information about service risk scores, refer to <>. + [[entity-entities]] [float] == Entities @@ -90,13 +112,13 @@ For more information about host risk scores, refer to <>. To display the **Entities** section, you must <>. -- -The **Entities** section provides a centralized view of all hosts and users in your environment. It displays entities from the <>, which meet any of the following criteria: +The **Entities** section provides a centralized view of all hosts, users, and services in your environment. It displays entities from the <>, which meet any of the following criteria: * Have been observed by {elastic-sec} * Have an asset criticality assignment * Have been added to {elastic-sec} through an integration, such Active Directory or Okta -NOTE: The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_` and `.entities.v1.latest.security_host_` indices to see all the fields for each entity in the entity store. +NOTE: The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_`, `.entities.v1.latest.security_host_`, and `.entities.v1.latest.security_service_` indices to see all the fields for each entity in the entity store. [role="screenshot"] image::images/entities-section.png[Entities section] 
@@ -110,7 +132,7 @@ Entity data from different sources appears in the **Entities** section based on Interact with the table to filter data and view more details: -* Select the **Risk level** dropdown to filter the table by the selected user or host risk level. +* Select the **Risk level** dropdown to filter the table by the selected user, host, or service risk level. * Select the **Criticality** dropdown to filter the table by the selected asset criticality level. * Select the **Source** dropdown to filter the table by the data source. * Click the **View details** icon (image:detections/images/view-details-icon.png[View details icon,16,15]) to open the entity details flyout. diff --git a/docs/dashboards/images/entity-dashboard.png b/docs/dashboards/images/entity-dashboard.png deleted file mode 100644 index 56479b9f1e..0000000000 Binary files a/docs/dashboards/images/entity-dashboard.png and /dev/null differ diff --git a/docs/dashboards/images/service-risk-scores.png b/docs/dashboards/images/service-risk-scores.png new file mode 100644 index 0000000000..1f02905960 Binary files /dev/null and b/docs/dashboards/images/service-risk-scores.png differ diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index 96eac3e0e6..16ec6c6a7a 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc 
@@ -24,7 +24,7 @@ image::images/view-alert-details.png[View details button, 200] * View the rule that created an alert. Click a name in the *Rule* column to open the rule's details. -* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the <>, or a user name to open the <>. +* View the details of the entity associated with the alert. In the Alerts table, click an entity name to open the <>. * Filter for a specific rule in the KQL bar (for example, `kibana.alert.rule.name :"SSH (Secure Shell) from the Internet"`). KQL autocomplete is available for `.alerts-security.alerts-*` indices. diff --git a/docs/getting-started/images/users/user-asset-criticality.png b/docs/getting-started/images/users/user-asset-criticality.png deleted file mode 100644 index 72e4e34ca1..0000000000 Binary files a/docs/getting-started/images/users/user-asset-criticality.png and /dev/null differ diff --git a/docs/getting-started/images/users/user-observed-data.png b/docs/getting-started/images/users/user-observed-data.png deleted file mode 100644 index 0f2ec3f9f4..0000000000 Binary files a/docs/getting-started/images/users/user-observed-data.png and /dev/null differ diff --git a/docs/getting-started/images/users/user-risk-inputs.png b/docs/getting-started/images/users/user-risk-inputs.png deleted file mode 100644 index f6ec9c0ce6..0000000000 Binary files a/docs/getting-started/images/users/user-risk-inputs.png and /dev/null differ diff --git a/docs/getting-started/users-page.asciidoc b/docs/getting-started/users-page.asciidoc index ce32c701a9..4818761408 100644 --- a/docs/getting-started/users-page.asciidoc +++ b/docs/getting-started/users-page.asciidoc 
@@ -46,78 +46,3 @@ The user details page includes the following sections: [role="screenshot"] image::images/users/user-details-pg.png[User details page] - -[discrete] -[[user-details-flyout]] -== User details flyout - -In addition to the user details page, relevant user information is also available in the user details flyout throughout the {elastic-sec} app. You can access this flyout from the following places: - -* The Alerts page, by clicking on a user name in the Alerts table -* The Entity Analytics dashboard, by clicking on a user name in the User Risk Scores table -* The **Events** tab on the Users and user details pages, by clicking on a user name in the Events table -* The **User risk** tab on the user details page, by clicking on a user name in the Top risk score contributors table -* The **Events** tab on the Hosts and host details pages, by clicking on a user name in the Events table -* The **Host risk** tab on the host details page, by clicking on a user name in the Top risk score contributors table - -The user details flyout includes the following sections: - -* <>, which displays user risk data and inputs. -* <>, which allows you to view and assign asset criticality. -* <>, which displays misconfiguration findings for the user. -* <>, which displays user details. - -[role="screenshot"] -image::images/users/user-details-flyout.png[User details flyout] - -[discrete] -[[user-risk-summary]] -=== User risk summary - -.Requirements -[sidebar] --- -The **User risk summary** section is only available if the <>. --- - -The **User risk summary** section contains a risk summary visualization and table. - -The risk summary visualization shows the user risk score and user risk level. Hover over the visualization to display the **Options** menu. Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. 
- -The risk summary table shows the category, score, and number of risk inputs that determine the user risk score. Hover over the table to display the **Inspect** button, which allows you to inspect the table's queries. - -To expand the **User risk summary** section, click **View risk contributions**. The left panel displays additional details about the user's risk inputs: - -* The asset criticality level and contribution score from the latest risk scoring calculation. -* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert's contribution score. - -If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. - -[role="screenshot"] -image::images/users/user-risk-inputs.png[User risk inputs] - -[discrete] -[[user-asset-criticality-section]] -=== Asset Criticality - -The **Asset Criticality** section displays the selected user's <>. Asset criticality contributes to the overall <>. The criticality level defines how impactful the user is when calculating the risk score. - -[role="screenshot"] -image::images/users/user-asset-criticality.png[Asset criticality] - -Click **Assign** to assign a criticality level to the selected user, or **Change** to change the currently assigned criticality level. - -[discrete] -[[user-insights]] -=== Insights - -The **Insights** section displays <> for the user. Click **Misconfigurations** to expand the flyout and view this data. - -[discrete] -[[user-observed-data]] -=== Observed data - -This section displays details such as the user ID, when the user was first and last seen, and the associated IP addresses and operating system. - -[role="screenshot"] -image::images/users/user-observed-data.png[User observed data] diff --git a/docs/management/hosts/hosts-overview.asciidoc b/docs/management/hosts/hosts-overview.asciidoc index 3773b4f438..999b31fc3a 100644 --- a/docs/management/hosts/hosts-overview.asciidoc 
+++ b/docs/management/hosts/hosts-overview.asciidoc 
@@ -49,80 +49,3 @@ The host details page includes the following sections: [role="screenshot"] image::images/hosts-detail-pg.png[Host's details page] - -[discrete] -[[host-details-flyout]] -== Host details flyout - -In addition to the host details page, relevant host information is also available in the host details flyout throughout the {elastic-sec} app. You can access this flyout from the following places: - -* The Alerts page, by clicking on a host name in the Alerts -* The Entity Analytics dashboard, by clicking on a host name in the Host Risk Scores table -* The **Events** tab on the Users and user details pages, by clicking on a host name in the Events table -* The **User risk** tab on the user details page, by clicking on a host name in the Top risk score contributors table -* The **Events** tab on the Hosts and host details pages, by clicking on a host name in the Events table -* The **Host risk** tab on the host details page, by clicking on a host name in the Top risk score contributors table - -The host details flyout includes the following sections: - -* <>, which displays host risk data and inputs. -* <>, which allows you to view and assign asset criticality. -* <>, which displays vulnerabilities findings for the host. -* <>, which displays host details. - -[role="screenshot"] -image::images/host-details-flyout.png[Host details flyout] - -[discrete] -[[host-risk-summary]] -=== Host risk summary - -.Requirements -[sidebar] --- -The **Host risk summary** section is only available if the <>. --- - -The **Host risk summary** section contains a risk summary visualization and table. - -The risk summary visualization shows the host risk score and host risk level. Hover over the visualization to display the **Options** menu. Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. 
- -The risk summary table shows the category, score, and number of risk inputs that determine the host risk score. Hover over the table to display the **Inspect** button, which allows you to inspect the table's queries. - -To expand the **Host risk summary** section, click **View risk contributions**. The left panel displays additional details about the host's risk inputs: - -* The asset criticality level and contribution score from the latest risk scoring calculation. -* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert's contribution score. - -If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. - -[role="screenshot"] -image::images/host-risk-inputs.png[Host risk inputs] - -[discrete] -[[host-asset-criticality-section]] -=== Asset Criticality - -The **Asset Criticality** section displays the selected host's <>. Asset criticality contributes to the overall <>. The criticality level defines how impactful the host is when calculating the risk score. - -[role="screenshot"] -image::images/host-asset-criticality.png[Asset criticality] - -Click **Assign** to assign a criticality level to the selected host, or **Change** to change the currently assigned criticality level. - -[discrete] -[[host-details-insights]] -=== Insights - -The **Insights** section displays <> for the host. Click **Vulnerabilities** to expand the flyout and view this data. - -image::images/-host-details-insights-expanded.png[Host details flyout with the Vulnerabilities section expanded, 85%] - -[discrete] -[[host-observed-data]] -=== Observed data - -This section displays details such as the host ID, when the host was first and last seen, the associated IP addresses and operating system, and the relevant Endpoint integration policy information. - -[role="screenshot"] -image::images/host-observed-data.png[Host observed data]
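Review bot: the *Investigate in timeline* icon in the new Alerts-column bullet of the service risk scores section is loaded from `images/timeline-button-osquery.png`, an Osquery-named asset, so this table now depends on an image that belongs to a different part of the docs; point it at a generic timeline icon (or rename the asset) so the bullet does not lose its icon if the Osquery images are ever reorganised. In the same bullet list, the inline actions are written as *Add to timeline* and *Copy to Clipboard*; use one capitalisation style for both.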
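Review bot: while the Entities criteria list is being edited, the unchanged bullet `* Have been added to {elastic-sec} through an integration, such Active Directory or Okta` is missing "as" (it should read "such as Active Directory or Okta"); worth fixing in this change. The updated NOTE also lists three index names that end in a trailing underscore (`.entities.v1.latest.security_user_`, `.entities.v1.latest.security_host_`, `.entities.v1.latest.security_service_`); if a suffix such as a space identifier follows that underscore in practice, say so, otherwise readers will query the literal names and get no results.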
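Review bot: replacing "click a host name ... or a user name" with "click an entity name" drops the concrete guidance about which Alerts table values open the flyout, and since services are now covered too, readers can no longer tell which columns are clickable; name them explicitly, for example `* View the details of the entity associated with the alert. In the Alerts table, click a host, user, or service name to open the <>.`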
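Review bot: deleting the *User details flyout* section removes the anchor ids `user-details-flyout`, `user-risk-summary`, `user-asset-criticality-section`, `user-insights` and `user-observed-data`; any `<<user-details-flyout>>`-style cross-reference left elsewhere in the book will now fail to resolve, and existing deep links to those anchors will no longer land on the content, so grep for the ids before merging and consider keeping redirect anchors on the page that replaces this content. Also, the diff deletes `user-asset-criticality.png`, `user-observed-data.png` and `user-risk-inputs.png` but not `images/users/user-details-flyout.png`, which this hunk stops referencing; remove it as well or confirm it is still used elsewhere.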
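Review bot: deleting the *Host details flyout* section removes the anchor ids `host-details-flyout`, `host-risk-summary`, `host-asset-criticality-section`, `host-details-insights` and `host-observed-data`, so any remaining `<<host-details-flyout>>`-style cross-reference will break the build and existing deep links to those anchors will no longer land on the content; grep for the ids before merging and consider redirect anchors on the replacement page. Unlike the users page, none of the images that only this deleted section referenced (`images/host-details-flyout.png`, `images/host-risk-inputs.png`, `images/host-asset-criticality.png`, `images/host-observed-data.png` and the oddly named `images/-host-details-insights-expanded.png`) are removed in this diff; delete them alongside the user images or confirm they remain referenced.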