[Serverless] Adds entity store docs

elastic · Nov 26, 2024 · a2d498e · a2d498e
1 parent 4d1c727
commit a2d498e
Show file tree

Hide file tree

Showing 8 changed files with 157 additions and 27 deletions.
diff --git a/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.asciidoc b/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.asciidoc
@@ -28,6 +28,8 @@ We recommend that you prioritize <<security-analyze-risk-score-data-alert-triagi
 
 From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page.
 
+If you have enabled the <<entity-store, entity store>>, the dashboard also displays the <<entity-entities, **Entities** section>>, where you can view all hosts and users along with their risk and asset criticality data.
+
 [role="screenshot"]
 image::images/detection-entity-dashboard/-dashboards-entity-dashboard.png[Entity Analytics dashboard]
 

diff --git a/docs/serverless/advanced-entity-analytics/asset-criticality.asciidoc b/docs/serverless/advanced-entity-analytics/asset-criticality.asciidoc
@@ -7,7 +7,7 @@
 .Requirements
 [NOTE]
 ====
-To view and assign asset criticality, you must have the appropriate user role. For more information, refer to <<security-ers-requirements,Entity risk scoring prerequisites>>.
+To view and assign asset criticality, you must have the appropriate user role. For more information, refer to <<security-ers-requirements,Entity risk scoring requirements>>.
 ====
 
 The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities.
@@ -49,6 +49,11 @@ image::images/asset-criticality/-assign-asset-criticality-host-flyout.png[Assign
 [role="screenshot"]
 image::images/asset-criticality/-assign-asset-criticality-timeline.png[Assign asset criticality from the host details flyout in Timeline]
 
+If you have enabled the <<entity-store, entity store>>, you can also view asset criticality assignments in the <<entity-entities, **Entities** section>> of the Entity Analytics dashboard:
+
+[role="screenshot"]
+image::images/detection-entity-dashboard/-entities-section.png[Entities section]
+
 [discrete]
 [[security-asset-criticality-bulk-assign-asset-criticality]]
 === Bulk assign asset criticality

diff --git a/docs/serverless/advanced-entity-analytics/entity-store.asciidoc b/docs/serverless/advanced-entity-analytics/entity-store.asciidoc
@@ -0,0 +1,53 @@
+[[entity-store]]
+= Entity store
+
+preview::[]
+
+.Requirements
+[sidebar]
+--
+To use the entity store, you must have the appropriate privileges. For more information, refer to <<security-ers-requirements, Entity risk scoring requirements>>.
+--
+
+The entity store allows you to query, reconcile, maintain, and persist entity metadata such as:
+
+* Ingested log data
+* Data from integrated identity providers (such as Active Directory, EntraID, and Okta)
+* Data from internal and external alerts
+* External asset repository data
+* Asset criticality data
+* Entity risk score data
+
+The entity store can hold any entity type observed by {elastic-sec}. It allows you to view and query select entities represented in your indices  without needing to perform real-time searches of observable data. The entity store extracts entities from all indices in the {elastic-sec} <<default-data-view-security, default data view>>.
+
+When the entity store is enabled, the following resources are generated for each entity type (hosts and users):
+
+* {es} resources, such as transforms, ingest pipelines, and enrich policies.
+* Data and fields for each entity.
+* The `.entities.v1.latest.security_user_<space-id>` and `.entities.v1.latest.security_host_<space-id>` indices, which contain field mappings for hosts and users respectively. You can query these indices to see a list of fields that are mapped in the entity store.
+
+[discrete]
+[[enable-entity-store]]
+== Enable entity store
+
+To enable the entity store:
+
+. Find **Entity Store** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. On the **Entity Store** page, turn the toggle on. 
+
+Once you enable the entity store, the Entity Analytics dashboard displays the <<entity-entities, **Entities**>> section.
+
+[discrete]
+[[clear-entity-store]]
+== Clear entity store data
+
+Once the entity store is enabled, you may want to clear the stored data and start fresh. For example, if you normalized the `user.name` or `host.name` fields, clearing the entity store data would allow you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis.
+
+Clearing entity store data does not delete your source data, assigned entity risk scores, or asset criticality assignments.
+
+CAUTION: Clearing entity store data permanently deletes persisted user and host records, and data is no longer available for analysis. Proceed with caution, as this cannot be undone.
+
+To clear entity data:
+
+. Find **Entity Store** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. On the **Entity Store** page, select **Clear**.
diff --git a/docs/serverless/advanced-entity-analytics/ers-req.asciidoc b/docs/serverless/advanced-entity-analytics/ers-req.asciidoc
@@ -4,9 +4,9 @@
 // :description: Requirements for using entity risk scoring and asset criticality.
 // :keywords: serverless, security, reference, manage
 
-To use entity risk scoring and asset criticality, you need the appropriate user roles. These features require the Security Analytics Complete <<elasticsearch-manage-project,project feature>>.
+To use entity risk scoring, asset criticality, and entity store, you need the appropriate user roles. These features require the Security Analytics Complete <<elasticsearch-manage-project,project feature>>.
 
-This page covers the requirements for using the entity risk scoring and asset criticality features, as well as their known limitations.
+This page covers the requirements for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations.
 
 [discrete]
 [[security-ers-requirements-entity-risk-scoring]]
@@ -90,3 +90,28 @@ Custom roles need the following privileges for the `.asset-criticality.asset-cri
 | Unassign asset criticality
 | `delete`
 |===
+
+[discrete]
+== Entity store
+
+[discrete]
+=== User roles
+
+To use the entity store, you need either the appropriate <<general-assign-user-roles,predefined Security user role>> or a <<custom-roles,custom role>> with the right privileges:
+
+**Predefined roles**
+
+* Platform engineer
+* Detections admin
+* Admin
+
+**Custom role privileges**
+
+|===
+| Cluster | Index | {kib}
+
+a| * `manage_index_templates`
+* `manage_transform`
+| `all` privilege for `risk-score.risk-score-*`
+| **Read** for the **Security** feature
+|===
diff --git a/docs/serverless/dashboards/detection-entity-dashboard.asciidoc b/docs/serverless/dashboards/detection-entity-dashboard.asciidoc
@@ -11,18 +11,13 @@
 
 The Entity Analytics dashboard provides a centralized view of emerging insider threats - including host risk, user risk, and anomalies from within your network. Use it to triage, investigate, and respond to these emerging threats.
 
-.Requirements
-[NOTE]
-====
-To display host and user risk scores, you must <<security-turn-on-risk-engine,turn on the risk scoring engine>>.
-====
-
 The dashboard includes the following sections:
 
-* <<entity-kpis,Entity KPIs (key performance indicators)>>
-* <<entity-host-risk-scores,Host Risk Scores>>
-* <<entity-user-risk-scores,User Risk Scores>>
-* <<entity-anomalies,Anomalies>>
+* <<entity-kpis>>
+* <<entity-user-risk-scores>>
+* <<entity-host-risk-scores>>
+* <<entity-anomalies>>
+* <<entity-entities>>
 
 [role="screenshot"]
 image::images/detection-entity-dashboard/-dashboards-entity-dashboard.png[Entity dashboard]
@@ -31,12 +26,43 @@ image::images/detection-entity-dashboard/-dashboards-entity-dashboard.png[Entity
 [[entity-kpis]]
 == Entity KPIs (key performance indicators)
 
-Displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the Host risk table, User risk table, or Anomalies table.
+Displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the **Hosts** page, **Users** page, or **Anomalies** table.
+
+[discrete]
+[[entity-user-risk-scores]]
+== User Risk Scores
+
+.Requirements
+[sidebar]
+-- 
+To display user risk scores, you must <<security-turn-on-risk-engine, turn on the risk scoring engine>>.
+-- 
+
+Displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. Like host risk scores, user risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+
+[role="screenshot"]
+image::images/detection-entity-dashboard/-dashboards-user-score-data.png[User risk table]
+
+Interact with the table to filter data, view more details, and take action:
+
+* Select the **User risk level** menu to filter the chart by the selected level.
+* Click a user name link to open the user details flyout.
+* Hover over a user name link to display inline actions: **Add to timeline**, which adds the selected value to Timeline, and **Copy to Clipboard**, which copies the user name value for you to paste later.
+* Click **View all** in the upper-right to display all user risk information on the Users page.
+* Click the number link in the **Alerts** column to view the alerts on the Alerts page. Hover over the number and select **Investigate in timeline** (image:images/icons/timeline.svg[Timeline]) to launch Timeline with a query that includes the associated user name value.
+
+For more information about user risk scores, refer to <<security-entity-risk-scoring,Entity risk scoring>>.
 
 [discrete]
 [[entity-host-risk-scores]]
 == Host Risk Scores
 
+.Requirements
+[sidebar]
+-- 
+To display host risk scores, you must <<security-turn-on-risk-engine, turn on the risk scoring engine>>.
+-- 
+
 Displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
 
 [role="screenshot"]
@@ -52,24 +78,42 @@ Interact with the table to filter data, view more details, and take action:
 
 For more information about host risk scores, refer to <<security-entity-risk-scoring,Entity risk scoring>>.
 
-[discrete]
-[[entity-user-risk-scores]]
-== User Risk Scores
+[[entity-entities]]
+[float]
+== Entities
 
-Displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. Like host risk scores, user risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+preview::[]
+
+.Requirements
+[sidebar]
+-- 
+To display the **Entities** section, you must <<enable-entity-store,enable the entity store>>.
+-- 
+
+The **Entities** section provides a centralized view of all hosts and users in your environment. It displays entities from the <<entity-store, entity store>>, which meet any of the following criteria:
+
+* Have been observed by {elastic-sec}
+* Have an asset criticality assignment
+* Have been added to {elastic-sec} through an integration, such Active Directory or Okta
+
+NOTE: The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_<space-id>` and `.entities.v1.latest.security_host_<space-id>` indices to see all the fields for each entity in the entity store.
 
 [role="screenshot"]
-image::images/detection-entity-dashboard/-dashboards-user-score-data.png[User risk table]
+image::images/detection-entity-dashboard/-entities-section.png[Entities section]
 
-Interact with the table to filter data, view more details, and take action:
+Entity data from different sources appears in the **Entities** section based on the following timelines:
 
-* Select the **User risk level** menu to filter the chart by the selected level.
-* Click a user name link to open the user details flyout.
-* Hover over a user name link to display inline actions: **Add to timeline**, which adds the selected value to Timeline, and **Copy to Clipboard**, which copies the user name value for you to paste later.
-* Click **View all** in the upper-right to display all user risk information on the Users page.
-* Click the number link in the **Alerts** column to view the alerts on the Alerts page. Hover over the number and select **Investigate in timeline** (image:images/icons/timeline.svg[Timeline]) to launch Timeline with a query that includes the associated user name value.
+* When you first enable the entity store, only data stored in the last 24 hours is processed. After that, data is processed continuously.
+* Observed events from the {elastic-sec} default data view are processed in near real-time.
+* Entity Analytics data, such as entity risk scores and asset criticality (including bulk asset criticality upload), is also processed in near real-time.
+* The availability of entities extracted from Entity Analytics integrations depends on the specific integration. Refer to {integrations-docs}/entityanalytics_ad[Active Directory Entity Analytics], {integrations-docs}/entityanalytics_entra_id[Microsoft Entra ID Entity Analytics], and {integrations-docs}/entityanalytics_okta[Okta Entity Analytics] for more details.
 
-For more information about user risk scores, refer to <<security-entity-risk-scoring,Entity risk scoring>>.
+Interact with the table to filter data and view more details:
+
+* Select the **Risk level** dropdown to filter the table by the selected user or host risk level.
+* Select the **Criticality** dropdown to filter the table by the selected asset criticality level.
+* Select the **Source** dropdown to filter the table by the data source.
+* Click the **View details** icon (image:images/icons/expand.svg[View details]) to open the entity details flyout.
 
 [discrete]
 [[entity-anomalies]]

diff --git a/docs/serverless/images/detection-entity-dashboard/-dashboards-entity-dashboard.png b/docs/serverless/images/detection-entity-dashboard/-dashboards-entity-dashboard.png
diff --git a/docs/serverless/images/detection-entity-dashboard/-entities-section.png b/docs/serverless/images/detection-entity-dashboard/-entities-section.png
diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc
@@ -162,8 +162,9 @@ include::./alerts/alert-schema.asciidoc[leveloffset=+3]
 include::./advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc[leveloffset=+2]
 include::./advanced-entity-analytics/entity-risk-scoring.asciidoc[leveloffset=+3]
 include::./advanced-entity-analytics/ers-req.asciidoc[leveloffset=+4]
-include::./advanced-entity-analytics/asset-criticality.asciidoc[leveloffset=+4]
 include::./advanced-entity-analytics/turn-on-risk-engine.asciidoc[leveloffset=+4]
+include::./advanced-entity-analytics/asset-criticality.asciidoc[leveloffset=+4]
+include::./advanced-entity-analytics/entity-store.asciidoc[leveloffset=+4]
 include::./advanced-entity-analytics/analyze-risk-score-data.asciidoc[leveloffset=+4]
 include::./advanced-entity-analytics/advanced-behavioral-detections.asciidoc[leveloffset=+3]
 include::./advanced-entity-analytics/ml-requirements.asciidoc[leveloffset=+4]