diff --git a/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.asciidoc b/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.asciidoc index 040cc16723..12472a101c 100644 --- a/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.asciidoc +++ b/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.asciidoc @@ -28,6 +28,8 @@ We recommend that you prioritize <>, the dashboard also displays the <>, where you can view all hosts and users along with their risk and asset criticality data. + [role="screenshot"] image::images/detection-entity-dashboard/-dashboards-entity-dashboard.png[Entity Analytics dashboard] diff --git a/docs/serverless/advanced-entity-analytics/asset-criticality.asciidoc b/docs/serverless/advanced-entity-analytics/asset-criticality.asciidoc index 21ef9565a6..b9a73475ad 100644 --- a/docs/serverless/advanced-entity-analytics/asset-criticality.asciidoc +++ b/docs/serverless/advanced-entity-analytics/asset-criticality.asciidoc @@ -7,7 +7,7 @@ .Requirements [NOTE] ==== -To view and assign asset criticality, you must have the appropriate user role. For more information, refer to <>. +To view and assign asset criticality, you must have the appropriate user role. For more information, refer to <>. ==== The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. @@ -49,6 +49,11 @@ image::images/asset-criticality/-assign-asset-criticality-host-flyout.png[Assign [role="screenshot"] image::images/asset-criticality/-assign-asset-criticality-timeline.png[Assign asset criticality from the host details flyout in Timeline] +If you have enabled the <>, you can also view asset criticality assignments in the <> of the Entity Analytics dashboard: + +[role="screenshot"] +image::images/detection-entity-dashboard/-entities-section.png[Entities section] + [discrete] [[security-asset-criticality-bulk-assign-asset-criticality]] === Bulk assign asset criticality diff --git a/docs/serverless/advanced-entity-analytics/entity-store.asciidoc b/docs/serverless/advanced-entity-analytics/entity-store.asciidoc new file mode 100644 index 0000000000..fff800a269 --- /dev/null +++ b/docs/serverless/advanced-entity-analytics/entity-store.asciidoc @@ -0,0 +1,53 @@ +[[entity-store]] += Entity store + +preview::[] + +.Requirements +[sidebar] +-- +To use the entity store, you must have the appropriate privileges. For more information, refer to <>. +-- + +The entity store allows you to query, reconcile, maintain, and persist entity metadata such as: + +* Ingested log data +* Data from integrated identity providers (such as Active Directory, EntraID, and Okta) +* Data from internal and external alerts +* External asset repository data +* Asset criticality data +* Entity risk score data + +The entity store can hold any entity type observed by {elastic-sec}. It allows you to view and query select entities represented in your indices without needing to perform real-time searches of observable data. The entity store extracts entities from all indices in the {elastic-sec} <>. + +When the entity store is enabled, the following resources are generated for each entity type (hosts and users): + +* {es} resources, such as transforms, ingest pipelines, and enrich policies. +* Data and fields for each entity. +* The `.entities.v1.latest.security_user_` and `.entities.v1.latest.security_host_` indices, which contain field mappings for hosts and users respectively. You can query these indices to see a list of fields that are mapped in the entity store. + +[discrete] +[[enable-entity-store]] +== Enable entity store + +To enable the entity store: + +. Find **Entity Store** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. On the **Entity Store** page, turn the toggle on. + +Once you enable the entity store, the Entity Analytics dashboard displays the <> section. + +[discrete] +[[clear-entity-store]] +== Clear entity store data + +Once the entity store is enabled, you may want to clear the stored data and start fresh. For example, if you normalized the `user.name` or `host.name` fields, clearing the entity store data would allow you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis. + +Clearing entity store data does not delete your source data, assigned entity risk scores, or asset criticality assignments. + +CAUTION: Clearing entity store data permanently deletes persisted user and host records, and data is no longer available for analysis. Proceed with caution, as this cannot be undone. + +To clear entity data: + +. Find **Entity Store** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. On the **Entity Store** page, select **Clear**. \ No newline at end of file diff --git a/docs/serverless/advanced-entity-analytics/ers-req.asciidoc b/docs/serverless/advanced-entity-analytics/ers-req.asciidoc index 95b6866580..e50c528cfc 100644 --- a/docs/serverless/advanced-entity-analytics/ers-req.asciidoc +++ b/docs/serverless/advanced-entity-analytics/ers-req.asciidoc @@ -4,9 +4,9 @@ // :description: Requirements for using entity risk scoring and asset criticality. // :keywords: serverless, security, reference, manage -To use entity risk scoring and asset criticality, you need the appropriate user roles. These features require the Security Analytics Complete <>. +To use entity risk scoring, asset criticality, and entity store, you need the appropriate user roles. These features require the Security Analytics Complete <>. -This page covers the requirements for using the entity risk scoring and asset criticality features, as well as their known limitations. +This page covers the requirements for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations. [discrete] [[security-ers-requirements-entity-risk-scoring]] @@ -90,3 +90,28 @@ Custom roles need the following privileges for the `.asset-criticality.asset-cri | Unassign asset criticality | `delete` |=== + +[discrete] +== Entity store + +[discrete] +=== User roles + +To use the entity store, you need either the appropriate <> or a <> with the right privileges: + +**Predefined roles** + +* Platform engineer +* Detections admin +* Admin + +**Custom role privileges** + +|=== +| Cluster | Index | {kib} + +a| * `manage_index_templates` +* `manage_transform` +| `all` privilege for `risk-score.risk-score-*` +| **Read** for the **Security** feature +|=== diff --git a/docs/serverless/dashboards/detection-entity-dashboard.asciidoc b/docs/serverless/dashboards/detection-entity-dashboard.asciidoc index 26fc3aaabc..b8caa8475e 100644 --- a/docs/serverless/dashboards/detection-entity-dashboard.asciidoc +++ b/docs/serverless/dashboards/detection-entity-dashboard.asciidoc @@ -11,18 +11,13 @@ The Entity Analytics dashboard provides a centralized view of emerging insider threats - including host risk, user risk, and anomalies from within your network. Use it to triage, investigate, and respond to these emerging threats. -.Requirements -[NOTE] -==== -To display host and user risk scores, you must <>. -==== - The dashboard includes the following sections: -* <> -* <> -* <> -* <> +* <> +* <> +* <> +* <> +* <> [role="screenshot"] image::images/detection-entity-dashboard/-dashboards-entity-dashboard.png[Entity dashboard] @@ -31,12 +26,43 @@ image::images/detection-entity-dashboard/-dashboards-entity-dashboard.png[Entity [[entity-kpis]] == Entity KPIs (key performance indicators) -Displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the Host risk table, User risk table, or Anomalies table. +Displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the **Hosts** page, **Users** page, or **Anomalies** table. + +[discrete] +[[entity-user-risk-scores]] +== User Risk Scores + +.Requirements +[sidebar] +-- +To display user risk scores, you must <>. +-- + +Displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. Like host risk scores, user risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). + +[role="screenshot"] +image::images/detection-entity-dashboard/-dashboards-user-score-data.png[User risk table] + +Interact with the table to filter data, view more details, and take action: + +* Select the **User risk level** menu to filter the chart by the selected level. +* Click a user name link to open the user details flyout. +* Hover over a user name link to display inline actions: **Add to timeline**, which adds the selected value to Timeline, and **Copy to Clipboard**, which copies the user name value for you to paste later. +* Click **View all** in the upper-right to display all user risk information on the Users page. +* Click the number link in the **Alerts** column to view the alerts on the Alerts page. Hover over the number and select **Investigate in timeline** (image:images/icons/timeline.svg[Timeline]) to launch Timeline with a query that includes the associated user name value. + +For more information about user risk scores, refer to <>. [discrete] [[entity-host-risk-scores]] == Host Risk Scores +.Requirements +[sidebar] +-- +To display host risk scores, you must <>. +-- + Displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). [role="screenshot"] @@ -52,24 +78,42 @@ Interact with the table to filter data, view more details, and take action: For more information about host risk scores, refer to <>. -[discrete] -[[entity-user-risk-scores]] -== User Risk Scores +[[entity-entities]] +[float] +== Entities -Displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. Like host risk scores, user risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). +preview::[] + +.Requirements +[sidebar] +-- +To display the **Entities** section, you must <>. +-- + +The **Entities** section provides a centralized view of all hosts and users in your environment. It displays entities from the <>, which meet any of the following criteria: + +* Have been observed by {elastic-sec} +* Have an asset criticality assignment +* Have been added to {elastic-sec} through an integration, such Active Directory or Okta + +NOTE: The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_` and `.entities.v1.latest.security_host_` indices to see all the fields for each entity in the entity store. [role="screenshot"] -image::images/detection-entity-dashboard/-dashboards-user-score-data.png[User risk table] +image::images/detection-entity-dashboard/-entities-section.png[Entities section] -Interact with the table to filter data, view more details, and take action: +Entity data from different sources appears in the **Entities** section based on the following timelines: -* Select the **User risk level** menu to filter the chart by the selected level. -* Click a user name link to open the user details flyout. -* Hover over a user name link to display inline actions: **Add to timeline**, which adds the selected value to Timeline, and **Copy to Clipboard**, which copies the user name value for you to paste later. -* Click **View all** in the upper-right to display all user risk information on the Users page. -* Click the number link in the **Alerts** column to view the alerts on the Alerts page. Hover over the number and select **Investigate in timeline** (image:images/icons/timeline.svg[Timeline]) to launch Timeline with a query that includes the associated user name value. +* When you first enable the entity store, only data stored in the last 24 hours is processed. After that, data is processed continuously. +* Observed events from the {elastic-sec} default data view are processed in near real-time. +* Entity Analytics data, such as entity risk scores and asset criticality (including bulk asset criticality upload), is also processed in near real-time. +* The availability of entities extracted from Entity Analytics integrations depends on the specific integration. Refer to {integrations-docs}/entityanalytics_ad[Active Directory Entity Analytics], {integrations-docs}/entityanalytics_entra_id[Microsoft Entra ID Entity Analytics], and {integrations-docs}/entityanalytics_okta[Okta Entity Analytics] for more details. -For more information about user risk scores, refer to <>. +Interact with the table to filter data and view more details: + +* Select the **Risk level** dropdown to filter the table by the selected user or host risk level. +* Select the **Criticality** dropdown to filter the table by the selected asset criticality level. +* Select the **Source** dropdown to filter the table by the data source. +* Click the **View details** icon (image:images/icons/expand.svg[View details]) to open the entity details flyout. [discrete] [[entity-anomalies]] diff --git a/docs/serverless/images/detection-entity-dashboard/-dashboards-entity-dashboard.png b/docs/serverless/images/detection-entity-dashboard/-dashboards-entity-dashboard.png index e529976aac..56479b9f1e 100644 Binary files a/docs/serverless/images/detection-entity-dashboard/-dashboards-entity-dashboard.png and b/docs/serverless/images/detection-entity-dashboard/-dashboards-entity-dashboard.png differ diff --git a/docs/serverless/images/detection-entity-dashboard/-entities-section.png b/docs/serverless/images/detection-entity-dashboard/-entities-section.png new file mode 100644 index 0000000000..9bb4c5338d Binary files /dev/null and b/docs/serverless/images/detection-entity-dashboard/-entities-section.png differ diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc index f8612c0168..8d8f3484b9 100644 --- a/docs/serverless/index.asciidoc +++ b/docs/serverless/index.asciidoc @@ -162,8 +162,9 @@ include::./alerts/alert-schema.asciidoc[leveloffset=+3] include::./advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc[leveloffset=+2] include::./advanced-entity-analytics/entity-risk-scoring.asciidoc[leveloffset=+3] include::./advanced-entity-analytics/ers-req.asciidoc[leveloffset=+4] -include::./advanced-entity-analytics/asset-criticality.asciidoc[leveloffset=+4] include::./advanced-entity-analytics/turn-on-risk-engine.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/asset-criticality.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/entity-store.asciidoc[leveloffset=+4] include::./advanced-entity-analytics/analyze-risk-score-data.asciidoc[leveloffset=+4] include::./advanced-entity-analytics/advanced-behavioral-detections.asciidoc[leveloffset=+3] include::./advanced-entity-analytics/ml-requirements.asciidoc[leveloffset=+4]