From 09b1adcc9c8d493a751e2bfcebb460e80b67516f Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Mon, 24 Feb 2025 19:16:25 -0800 Subject: [PATCH 01/11] Post-migration: Cleans up cloud security section --- solutions/security/cloud/benchmarks-2.md | 59 ------------------- .../cloud-security-posture-dashboard-2.md | 2 +- .../cloud/cloud-security-posture-dashboard.md | 2 +- .../cloud-security-posture-dashboard.md | 2 +- .../get-started/elastic-security-ui.md | 2 +- solutions/toc.yml | 2 +- 6 files changed, 5 insertions(+), 64 deletions(-) delete mode 100644 solutions/security/cloud/benchmarks-2.md diff --git a/solutions/security/cloud/benchmarks-2.md b/solutions/security/cloud/benchmarks-2.md deleted file mode 100644 index 6b4c2f4a4f..0000000000 --- a/solutions/security/cloud/benchmarks-2.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -mapped_urls: - - https://www.elastic.co/guide/en/security/current/benchmark-rules.html - - https://www.elastic.co/guide/en/serverless/current/security-benchmark-rules-kspm.html ---- - -# Benchmarks - -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/benchmark-rules.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-benchmark-rules-kspm.md - -The Benchmarks page lets you view the cloud security posture (CSP) benchmark rules for the [Cloud security posture management](/solutions/security/cloud/cloud-security-posture-management.md) (CSPM) and [Kubernetes security posture management](/solutions/security/cloud/kubernetes-security-posture-management.md) (KSPM) integrations. - -:::{image} ../../../images/security-benchmark-rules.png -:alt: Benchmarks page -:class: screenshot -::: - - -## What are benchmark rules? [_what_are_benchmark_rules_2] - -Benchmark rules are used by the CSPM and KSPM integrations to identify configuration risks in your cloud infrastructure. Benchmark rules are based on the Center for Internet Security’s (CIS) [secure configuration benchmarks](https://www.cisecurity.org/cis-benchmarks/). - -Each benchmark rule checks to see if a specific type of resource is configured according to a CIS Benchmark. The names of rules describe what they check, for example: - -* `Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS` -* `Ensure the default namespace is not in use` -* `Ensure IAM policies that allow full "*:*" administrative privileges are not attached` -* `Ensure the default namespace is not in use` - -When benchmark rules are evaluated, the resulting [findings](/solutions/security/cloud/findings-page-2.md) data appears on the [Cloud Security Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md). 
- -::::{note} -Benchmark rules are not editable. -:::: - - - -## Review your benchmarks [_review_your_benchmarks_2] - -Find **Benchmarks** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). From there, you can click a benchmark’s name to view the benchmark rules associated with it. You can click a benchmark rule’s name to see details including information about how to remediate it, and related links. - -Benchmark rules are enabled by default, but you can disable some of them — at the benchmark level — to suit your environment. This means for example that if you have two integrations using the `CIS AWS` benchmark, disabling a rule for that benchmark affects both integrations. To enable or disable a rule, use the **Enabled** toggle on the right of the rules table. - -::::{note} -Disabling a benchmark rule automatically disables any associated detection rules and alerts. Re-enabling a benchmark rule **does not** automatically re-enable them. -:::: - - - -## How benchmark rules work [_how_benchmark_rules_work_2] - -1. When a security posture management integration is deployed, and every four hours after that, {{agent}} fetches relevant cloud resources. -2. After resources are fetched, they are evaluated against all applicable enabled benchmark rules. -3. Finding values of `pass` or `fail` indicate whether the standards defined by benchmark rules were met. diff --git a/solutions/security/cloud/cloud-security-posture-dashboard-2.md b/solutions/security/cloud/cloud-security-posture-dashboard-2.md index 2bfcd1c20b..9ea5f8c069 100644 --- a/solutions/security/cloud/cloud-security-posture-dashboard-2.md +++ b/solutions/security/cloud/cloud-security-posture-dashboard-2.md 
@@ -15,7 +15,7 @@ mapped_urls: % - [x] ./raw-migrated-files/security-docs/security/cloud-nat-sec-posture-dashboard.md % - [ ] ./raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-kspm.md -The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](/solutions/security/cloud/benchmarks-2.md) defined by the Center for Internet Security (CIS). To start collecting this data, refer to [Get started with Cloud Security Posture Management](/solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](/solutions/security/cloud/get-started-with-kspm.md). +The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](/solutions/security/cloud/benchmarks.md) defined by the Center for Internet Security (CIS). To start collecting this data, refer to [Get started with Cloud Security Posture Management](/solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](/solutions/security/cloud/get-started-with-kspm.md). :::{image} ../../../images/security-cloud-sec-dashboard.png :alt: The cloud Security dashboard diff --git a/solutions/security/cloud/cloud-security-posture-dashboard.md b/solutions/security/cloud/cloud-security-posture-dashboard.md index 93d30531c4..e88a7777ec 100644 --- a/solutions/security/cloud/cloud-security-posture-dashboard.md +++ b/solutions/security/cloud/cloud-security-posture-dashboard.md 
@@ -15,7 +15,7 @@ mapped_urls: % - [x] ./raw-migrated-files/security-docs/security/cspm-posture-dashboard.md % - [ ] ./raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-cspm.md -The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](/solutions/security/cloud/benchmarks-2.md) defined by the Center for Internet Security (CIS). To get started monitoring your security posture, refer to [Get started with Cloud Security Posture Management](/solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](/solutions/security/cloud/get-started-with-kspm.md). +The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](/solutions/security/cloud/benchmarks.md) defined by the Center for Internet Security (CIS). To get started monitoring your security posture, refer to [Get started with Cloud Security Posture Management](/solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](/solutions/security/cloud/get-started-with-kspm.md). :::{image} ../../../images/security-cloud-sec-dashboard.png :alt: The cloud Security dashboard diff --git a/solutions/security/dashboards/cloud-security-posture-dashboard.md b/solutions/security/dashboards/cloud-security-posture-dashboard.md index 7dcc813767..59712f5f1f 100644 --- a/solutions/security/dashboards/cloud-security-posture-dashboard.md +++ b/solutions/security/dashboards/cloud-security-posture-dashboard.md 
@@ -13,7 +13,7 @@ mapped_urls: % - [x] ./raw-migrated-files/security-docs/security/cloud-posture-dashboard.md % - [ ] ./raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash.md -The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](/solutions/security/cloud/benchmarks-2.md) defined by the Center for Internet Security (CIS). To start collecting this data, refer to [Get started with Cloud Security Posture Management](/solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](/solutions/security/cloud/get-started-with-kspm.md). +The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](/solutions/security/cloud/benchmarks.md) defined by the Center for Internet Security (CIS). To start collecting this data, refer to [Get started with Cloud Security Posture Management](/solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](/solutions/security/cloud/get-started-with-kspm.md). :::{image} ../../../images/security-cloud-sec-dashboard.png :alt: The cloud Security dashboard diff --git a/solutions/security/get-started/elastic-security-ui.md b/solutions/security/get-started/elastic-security-ui.md index 7c3f174ab3..aa37ac5343 100644 --- a/solutions/security/get-started/elastic-security-ui.md +++ b/solutions/security/get-started/elastic-security-ui.md @@ -116,7 +116,7 @@ Expand this section to access the following pages: :class: screenshot ::: -* [**Benchmarks**](/solutions/security/cloud/benchmarks-2.md): View, set up, or configure cloud security benchmarks. +* [**Benchmarks**](/solutions/security/cloud/benchmarks.md): View, set up, or configure cloud security benchmarks. :::{image} ../../../images/security-benchmark-rules.png :alt: Benchmark Integrations page 
diff --git a/solutions/toc.yml b/solutions/toc.yml index 96a8476fad..6a85e3ed31 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -492,7 +492,7 @@ toc: children: - file: security/cloud/get-started-with-kspm.md - file: security/cloud/findings-page-2.md - - file: security/cloud/benchmarks-2.md + - file: security/cloud/benchmarks.md - file: security/cloud/cloud-security-posture-dashboard-2.md - file: security/cloud/frequently-asked-questions-faq-2.md - file: security/cloud/cloud-native-vulnerability-management.md From 04bcbc4f5dd20d8be5168efdc69add3cb400a760 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Mon, 24 Feb 2025 20:04:27 -0800 Subject: [PATCH 02/11] updates env var capture pg and single-sources vuln management dashboard pg --- .vscode/settings.json | 2 + .../security-environment-variable-capture.md | 34 ------------ ...security-vuln-management-dashboard-dash.md | 45 ---------------- raw-migrated-files/toc.yml | 1 - .../cloud/capture-environment-variables.md | 14 ----- ...tive-vulnerability-management-dashboard.md | 52 ------------------- solutions/toc.yml | 2 +- 7 files changed, 3 insertions(+), 147 deletions(-) create mode 100644 .vscode/settings.json delete mode 100644 raw-migrated-files/docs-content/serverless/security-environment-variable-capture.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-vuln-management-dashboard-dash.md delete mode 100644 solutions/security/cloud/cloud-native-vulnerability-management-dashboard.md diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000000..7a73a41bfd --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/raw-migrated-files/docs-content/serverless/security-environment-variable-capture.md b/raw-migrated-files/docs-content/serverless/security-environment-variable-capture.md deleted file mode 100644 index 4112b9d0d2..0000000000 
--- a/raw-migrated-files/docs-content/serverless/security-environment-variable-capture.md +++ /dev/null @@ -1,34 +0,0 @@ -# Capture environment variables [security-environment-variable-capture] - -You can configure an {{agent}} policy to capture up to five environment variables (`env vars`). - -::::{note} -* Env var names must be no more than 63 characters, and env var values must be no more than 1023 characters. Values outside these limits are silently ignored. -* Env var names are case sensitive. - -:::: - - -To set up environment variable capture for an {{agent}} policy: - -1. Find **Policies** in the navigation menu or use the global search field. -2. Select an {{agent}} policy. -3. Click **Show advanced settings**. -4. Scroll down or search for `linux.advanced.capture_env_vars`, or `mac.advanced.capture_env_vars`. -5. Enter the names of env vars you want to capture, separated by commas. For example: `PATH,USER` -6. Click **Save**. - - -## Find captured environment variables [find-cap-env-vars] - -Captured environment variables are associated with process events, and appear in each event’s `process.env_vars` field. - -To view environment variables in the **Events** table: - -1. Click the **Events** tab on the **Hosts***, ***Network***, or ***Users** pages, then click **Fields** in the Events table. -2. Search for the `process.env_vars` field, select it, and click **Close**. A new column appears containing captured environment variable data. - -:::{image} ../../../images/serverless--cloud-native-security-env-var-capture-detail.png -:alt: The Events table with the "process.env_vars" column highlighted -:class: screenshot -::: diff --git a/raw-migrated-files/docs-content/serverless/security-vuln-management-dashboard-dash.md b/raw-migrated-files/docs-content/serverless/security-vuln-management-dashboard-dash.md deleted file mode 100644 index 2bfd1710b1..0000000000 
--- a/raw-migrated-files/docs-content/serverless/security-vuln-management-dashboard-dash.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -navigation_title: "Cloud Native Vulnerability Management dashboard" ---- - -# Cloud Native Vulnerability Management Dashboard [security-vuln-management-dashboard-dash] - - -The Cloud Native Vulnerability Management (CNVM) dashboard gives you an overview of vulnerabilities detected in your cloud infrastructure. - -:::{image} ../../../images/serverless--cloud-native-security-vuln-management-dashboard.png -:alt: The CNVM dashboard -:class: screenshot -::: - -::::{admonition} Requirements -:class: note - -* To collect this data, install the [Cloud Native Vulnerability Management](../../../solutions/security/cloud/get-started-with-cnvm.md) integration. - -:::: - - - -## CNVM dashboard UI [CNVM-dashboard-UI-dash] - -The summary cards at the top of the dashboard display the number of monitored cloud accounts, scanned virtual machines (VMs), and vulnerabilities (grouped by severity). - -The **Trend by severity** bar graph complements the summary cards by displaying the number of vulnerabilities found on your infrastructure over time, sorted by severity. It has a maximum time scale of 30 days. - -::::{admonition} Graph tips -:class: note - -* Click the severity levels legend on its right to hide/show each severity level. -* To display data from specific cloud accounts, select the account names from the **Accounts** drop-down menu. - -:::: - - -The page also includes three tables: - -* **Top 10 vulnerable resources** shows your VMs with the highest number of vulnerabilities. -* **Top 10 patchable vulnerabilities** shows the most common vulnerabilities in your environment that can be fixed by a software update. -* **Top 10 vulnerabilities** shows the most common vulnerabilities in your environment, with additional details. - -Click **View all vulnerabilities** at the bottom of a table to open the [Vulnerabilities Findings](../../../solutions/security/cloud/findings-page-3.md) page, where you can view additional details. 
diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 0acc3f4186..d830ad22ac 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -187,7 +187,6 @@ toc: - file: cloud/cloud/ec-upgrade-deployment.md - file: docs-content/serverless/index.md children: - - file: docs-content/serverless/_cloud_native_vulnerability_management_dashboard.md - file: docs-content/serverless/ai-assistant-knowledge-base.md - file: docs-content/serverless/attack-discovery.md - file: docs-content/serverless/connect-to-byo-llm.md diff --git a/solutions/security/cloud/capture-environment-variables.md b/solutions/security/cloud/capture-environment-variables.md index 80dea7db6e..2a0475ffe3 100644 --- a/solutions/security/cloud/capture-environment-variables.md +++ b/solutions/security/cloud/capture-environment-variables.md @@ -6,20 +6,6 @@ mapped_urls: # Capture environment variables -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/environment-variable-capture.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-environment-variable-capture.md - -::::{admonition} Requirements -* This feature requires {{stack}} version 8.6 or higher. -* In {{stack}} version 8.6, this feature is only available for Linux. - -:::: - - You can configure an {{agent}} policy to capture up to five environment variables (`env vars`). ::::{note} diff --git a/solutions/security/cloud/cloud-native-vulnerability-management-dashboard.md b/solutions/security/cloud/cloud-native-vulnerability-management-dashboard.md deleted file mode 100644 index cb3869221a..0000000000 --- a/solutions/security/cloud/cloud-native-vulnerability-management-dashboard.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -mapped_urls: - - https://www.elastic.co/guide/en/security/current/vuln-management-dashboard.html - - https://www.elastic.co/guide/en/serverless/current/_cloud_native_vulnerability_management_dashboard.html ---- - -# Cloud Native Vulnerability Management Dashboard - -% What needs to be done: Align serverless/stateful - -% Scope notes: Duplicate of Cloud Native Vulnerability Management dashboard page in Dashboards section. Consider removing this page and keeping the one in Dashboards. - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/vuln-management-dashboard.md -% - [ ] ./raw-migrated-files/docs-content/serverless/_cloud_native_vulnerability_management_dashboard.md - -The Cloud Native Vulnerability Management (CNVM) dashboard gives you an overview of vulnerabilities detected in your cloud infrastructure. - -:::{image} ../../../images/security-vuln-management-dashboard.png -:alt: The CNVM dashboard -::: - -::::{admonition} Requirements -* To collect this data, install the [Cloud Native Vulnerability Management](/solutions/security/cloud/get-started-with-cnvm.md) integration. -* The CNVM dashboard is available to all Elastic Cloud users. For on-premises deployments, it requires an [Enterprise subscription](https://www.elastic.co/pricing). - -:::: - - - -## CNVM dashboard UI [CNVM-dashboard-UI] - -The summary cards at the top of the dashboard display the number of monitored cloud accounts, scanned virtual machines (VMs), and vulnerabilities (grouped by severity). - -The **Trend by severity** bar graph complements the summary cards by displaying the number of vulnerabilities found on your infrastructure over time, sorted by severity. It has a maximum time scale of 30 days. - -::::{admonition} Graph tips -* Click the severity levels legend on its right to hide/show each severity level. 
-* To display data from specific cloud accounts, select the account names from the **Accounts** drop-down menu. - -:::: - - -The page also includes three tables: - -* **Top 10 vulnerable resources** shows your VMs with the highest number of vulnerabilities. -* **Top 10 patchable vulnerabilities** shows the most common vulnerabilities in your environment that can be fixed by a software update. -* **Top 10 vulnerabilities** shows the most common vulnerabilities in your environment, with additional details. - -Click **View all vulnerabilities** at the bottom of a table to open the [Vulnerabilities Findings](/solutions/security/cloud/findings-page-3.md) page, where you can view additional details. - diff --git a/solutions/toc.yml b/solutions/toc.yml index 6a85e3ed31..3433139cc7 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -499,7 +499,7 @@ toc: children: - file: security/cloud/get-started-with-cnvm.md - file: security/cloud/findings-page-3.md - - file: security/cloud/cloud-native-vulnerability-management-dashboard.md + - file: security/dashboards/cloud-native-vulnerability-management-dashboard.md - file: security/cloud/frequently-asked-questions-faq-3.md - file: security/cloud/cloud-workload-protection-for-kubernetes.md children: From 44d921d2db6aac0251f53049a83649daf44a3fd9 Mon Sep 17 00:00:00 2001 
From: Benjamin Ironside Goldstein Date: Mon, 24 Feb 2025 20:26:04 -0800 Subject: [PATCH 03/11] Single sources cnvm dashboard page and edits cnvm landing page. removes raw files --- .../security-vuln-management-overview.md | 38 ----------- raw-migrated-files/toc.yml | 3 - .../cloud-native-vulnerability-management.md | 11 --- .../cloud-security-posture-dashboard-2.md | 67 ------------------- .../cloud/cloud-security-posture-dashboard.md | 67 ------------------- .../cloud-security-posture-management.md | 2 +- .../ingest-third-party-cloud-security-data.md | 2 +- .../kubernetes-security-posture-management.md | 6 +- ...tive-vulnerability-management-dashboard.md | 7 -- solutions/toc.yml | 4 +- 10 files changed, 7 insertions(+), 200 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-vuln-management-overview.md delete mode 100644 solutions/security/cloud/cloud-security-posture-dashboard-2.md delete mode 100644 solutions/security/cloud/cloud-security-posture-dashboard.md diff --git a/raw-migrated-files/docs-content/serverless/security-vuln-management-overview.md b/raw-migrated-files/docs-content/serverless/security-vuln-management-overview.md deleted file mode 100644 index 5f567c432c..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-vuln-management-overview.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Cloud native vulnerability management [security-vuln-management-overview] - -Elastic’s Cloud Native Vulnerability Management (CNVM) feature helps you identify known vulnerabilities in your cloud workloads. - -Setup uses infrastructure as code. For instructions, refer to [Get started with Cloud Native Vulnerability Management](../../../solutions/security/cloud/get-started-with-cnvm.md). - -::::{note} -CNVM currently only supports AWS EC2 Linux workloads. - -:::: - - -::::{admonition} Requirements -:class: note - -* CNVM only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work. -* To view vulnerability scan findings, you need the appropriate user role to read the following indices: - - * `logs-cloud_security_posture.vulnerabilities-*` - * `logs-cloud_security_posture.vulnerabilities_latest-*` - - -:::: - - - -## How CNVM works [vuln-management-overview-how-it-works] - -During setup, you will use an infrastructure as code provisioning template to create a new virtual machine (VM) in the cloud region you wish to scan. This VM installs {{agent}} and the Cloud Native Vulnerability Management (CNVM) integration, and conducts all vulnerability scanning. - -The CNVM integration uses [Trivy](https://github.com/aquasecurity/trivy), a comprehensive open-source security scanner, to scan cloud workloads and identify security vulnerabilities. During each scan, the VM running the integration takes a snapshot of all cloud workloads in its region using the snapshot APIs of the cloud service provider, and analyzes them for vulnerabilities using Trivy. Therefore, scanning does not use resources on the VMs being scanned. All resource usage occurs on the VM installed during CNVM setup. - -The scanning process begins immediately upon deployment, then repeats every twenty-four hours. 
After each scan, the integration sends the discovered vulnerabilities to {{es}}, where they appear in the **Vulnerabilities** tab of the [Findings page](../../../solutions/security/cloud/findings-page-3.md). - -::::{note} -Environments with more VMs take longer to scan. - -:::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index d830ad22ac..063fdfe275 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -267,7 +267,6 @@ toc: - file: docs-content/serverless/security-detections-requirements.md - file: docs-content/serverless/security-endpoint-management-req.md - file: docs-content/serverless/security-endpoints-page.md - - file: docs-content/serverless/security-environment-variable-capture.md - file: docs-content/serverless/security-ers-requirements.md - file: docs-content/serverless/security-event-filters.md - file: docs-content/serverless/security-examine-osquery-results.md @@ -318,10 +317,8 @@ toc: - file: docs-content/serverless/security-view-alert-details.md - file: docs-content/serverless/security-visual-event-analyzer.md - file: docs-content/serverless/security-visualize-alerts.md - - file: docs-content/serverless/security-vuln-management-dashboard-dash.md - file: docs-content/serverless/security-vuln-management-faq.md - file: docs-content/serverless/security-vuln-management-get-started.md - - file: docs-content/serverless/security-vuln-management-overview.md - file: docs-content/serverless/spaces.md - file: docs-content/serverless/what-is-observability-serverless.md - file: elasticsearch-hadoop/elasticsearch-hadoop/index.md diff --git a/solutions/security/cloud/cloud-native-vulnerability-management.md b/solutions/security/cloud/cloud-native-vulnerability-management.md index c8acfc9951..24eea054c0 100644 --- a/solutions/security/cloud/cloud-native-vulnerability-management.md +++ b/solutions/security/cloud/cloud-native-vulnerability-management.md 
@@ -6,17 +6,6 @@ mapped_urls: # Cloud native vulnerability management -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/vuln-management-overview.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-vuln-management-overview.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$vuln-management-overview-how-it-works$$$ - Elastic’s Cloud Native Vulnerability Management (CNVM) feature helps you identify known vulnerabilities in your cloud workloads. Setup uses infrastructure as code. For instructions, refer to [Get started with Cloud Native Vulnerability Management](/solutions/security/cloud/get-started-with-cnvm.md). diff --git a/solutions/security/cloud/cloud-security-posture-dashboard-2.md b/solutions/security/cloud/cloud-security-posture-dashboard-2.md deleted file mode 100644 index 9ea5f8c069..0000000000 --- a/solutions/security/cloud/cloud-security-posture-dashboard-2.md +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -mapped_urls: - - https://www.elastic.co/guide/en/security/current/cloud-nat-sec-posture-dashboard.html - - https://www.elastic.co/guide/en/serverless/current/security-cloud-posture-dashboard-dash-kspm.html ---- - -# Cloud Security Posture dashboard - -% What needs to be done: Align serverless/stateful - -% Scope notes: Duplicate of Cloud Security Posture dashboard page in Dashboards section. Consider removing this page and keeping the one in Dashboards. - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cloud-nat-sec-posture-dashboard.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-kspm.md - -The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](/solutions/security/cloud/benchmarks.md) defined by the Center for Internet Security (CIS). To start collecting this data, refer to [Get started with Cloud Security Posture Management](/solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](/solutions/security/cloud/get-started-with-kspm.md). - -:::{image} ../../../images/security-cloud-sec-dashboard.png -:alt: The cloud Security dashboard -:class: screenshot -::: - -The Cloud Security Posture dashboard shows: - -* Configuration risk metrics for all monitored cloud accounts and Kubernetes clusters -* Configuration risk metrics grouped by the applicable benchmark, for example, CIS GCP, CIS Azure, CIS Kubernetes, or CIS EKS -* Configuration risks grouped by CIS section (security guideline category) - -::::{admonition} Requirements -* The Cloud Security Posture dashboard is available to all Elastic Cloud users. For on-prem deployments, it requires an [Enterprise subscription](https://www.elastic.co/pricing). 
- -:::: - - - -## Cloud Security Posture dashboard UI [cloud-nat-sec-posture-dashboard-UI] - -At the top of the dashboard, you can switch between the cloud accounts and Kubernetes cluster views. - -The top section of either view summarizes your overall cloud security posture (CSP) by aggregating data from all monitored resources. The summary cards on the left show the number of cloud accounts or clusters evaluated, and the number of resources evaluated. You can click **Enroll more accounts** or **Enroll more clusters** to deploy to additional cloud assets. Click **View all resources** to open the [Findings page](/solutions/security/cloud/findings-page-2.md). - -The remaining summary cards show your overall compliance score, and your compliance score for each CIS section. Click **View all failed findings** to view all failed findings, or click a CIS section name to view failed findings from only that section on the Findings page. - -Below the summary section, each row shows the CSP for a benchmark that applies to your monitored cloud resources. For example, if you are monitoring EKS and Kubernetes clusters, a row appears for CIS EKS and another appears for CIS Kubernetes. Each row shows the CIS benchmark, the number of clusters it applies to, its overall compliance score, and its compliance score grouped by CIS section. - -:::{image} ../../../images/security-cloud-sec-dashboard-individual-row.png -:alt: A row representing a single cluster in the Cloud Security Posture dashboard -:class: screenshot -::: - - -## FAQ (Frequently Asked Questions) [cloud-nat-sec-posture-dashboard-faq] - -::::{dropdown} When do newly-enrolled assets appear on the dashboard? -It can take up to 10 minutes for deployment, resource fetching, evaluation, and data processing before a newly-enrolled AWS account or Kubernetes cluster appears on the dashboard. - -:::: - - -::::{dropdown} When do unenrolled clusters disappear from the dashboard? 
-A cluster will disappear as soon as your integration fetches data while that cluster is not enrolled. The fetch process repeats every four hours, which means a newly unenrolled cluster can take a maximum of four hours to disappear from the dashboard. - -:::: - - diff --git a/solutions/security/cloud/cloud-security-posture-dashboard.md b/solutions/security/cloud/cloud-security-posture-dashboard.md deleted file mode 100644 index e88a7777ec..0000000000 --- a/solutions/security/cloud/cloud-security-posture-dashboard.md +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -mapped_urls: - - https://www.elastic.co/guide/en/security/current/cspm-posture-dashboard.html - - https://www.elastic.co/guide/en/serverless/current/security-cloud-posture-dashboard-dash-cspm.html ---- - -# Cloud Security Posture dashboard - -% What needs to be done: Align serverless/stateful - -% Scope notes: Duplicate of Cloud Security Posture dashboard page in Dashboards section. Consider removing this page and keeping the one in Dashboards. - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cspm-posture-dashboard.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-cspm.md - -The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](/solutions/security/cloud/benchmarks.md) defined by the Center for Internet Security (CIS). To get started monitoring your security posture, refer to [Get started with Cloud Security Posture Management](/solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](/solutions/security/cloud/get-started-with-kspm.md). - -:::{image} ../../../images/security-cloud-sec-dashboard.png -:alt: The cloud Security dashboard -:class: screenshot -::: - -The Cloud Security Posture dashboard shows: - -* Configuration risk metrics for all monitored cloud accounts and Kubernetes clusters -* Configuration risk metrics grouped by the applicable benchmark, for example CIS GCP, CIS Azure, CIS Kubernetes, or CIS EKS -* Configuration risks grouped by CIS section (security guideline category) - -::::{admonition} Requirements -* The Cloud Security Posture dashboard is available to all Elastic Cloud users. For on-prem deployments, it requires an [Enterprise subscription](https://www.elastic.co/pricing). 
- -:::: - - - -## Cloud Security Posture dashboard UI [cspm-posture-dashboard-UI] - -At the top of the dashboard, you can switch between the cloud accounts and Kubernetes cluster views. - -The top section of either view summarizes your overall cloud security posture (CSP) by aggregating data from all monitored resources. The summary cards on the left show the number of cloud accounts or clusters evaluated, and the number of resources evaluated. You can click **Enroll more accounts** or **Enroll more clusters** to deploy to additional cloud assets. Click **View all resources** to open the [Findings page](/solutions/security/cloud/findings-page-2.md). - -The remaining summary cards show your overall compliance score, and your compliance score for each CIS section. Click **View all failed findings** to view all failed findings, or click a CIS section name to view failed findings from only that section on the Findings page. - -Below the summary section, each row shows the CSP for a benchmark that applies to your monitored cloud resources. For example, if you are monitoring GCP and Azure cloud accounts, a row appears for CIS GCP and another appears for CIS Azure. Each row shows the CIS benchmark, the number of cloud accounts it applies to, its overall compliance score, and its compliance score grouped by CIS section. - -:::{image} ../../../images/security-cloud-sec-dashboard-individual-row.png -:alt: A row representing a single cluster in the Cloud Security Posture dashboard -:class: screenshot -::: - - -## FAQ (Frequently Asked Questions) [cspm-posture-dashboard-faq] - -::::{dropdown} When do newly-enrolled assets appear on the dashboard? -It can take up to 10 minutes for deployment, resource fetching, evaluation, and data processing before a newly-enrolled AWS account or Kubernetes cluster appears on the dashboard. - -:::: - - -::::{dropdown} When do unenrolled accounts disappear from the dashboard? 
-An account will disappear as soon as your integration fetches data while that account is not enrolled. The fetch process repeats every four hours, which means a newly unenrolled account can take a maximum of four hours to disappear from the dashboard. - -:::: - - diff --git a/solutions/security/cloud/cloud-security-posture-management.md b/solutions/security/cloud/cloud-security-posture-management.md index 46b983506d..ff22b292c5 100644 --- a/solutions/security/cloud/cloud-security-posture-management.md +++ b/solutions/security/cloud/cloud-security-posture-management.md @@ -41,7 +41,7 @@ This feature currently supports agentless and agent-based deployments on Amazon ## How CSPM works [cspm-how-it-works] -Using the read-only credentials you will provide during the setup process, it will evaluate the configuration of resources in your environment every 24 hours. After each evaluation, the integration sends findings to Elastic. A high-level summary of the findings appears on the [Cloud Security Posture dashboard](/solutions/security/cloud/cloud-security-posture-dashboard-2.md), and detailed findings appear on the [Findings page](/solutions/security/cloud/findings-page-2.md). +Using the read-only credentials you will provide during the setup process, it will evaluate the configuration of resources in your environment every 24 hours. After each evaluation, the integration sends findings to Elastic. A high-level summary of the findings appears on the [Cloud Security Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md), and detailed findings appear on the [Findings page](/solutions/security/cloud/findings-page-2.md). diff --git a/solutions/security/cloud/ingest-third-party-cloud-security-data.md b/solutions/security/cloud/ingest-third-party-cloud-security-data.md index 59f5457775..d1ef4a311d 100644 --- a/solutions/security/cloud/ingest-third-party-cloud-security-data.md 
+++ b/solutions/security/cloud/ingest-third-party-cloud-security-data.md @@ -27,7 +27,7 @@ You can ingest third-party cloud security alerts into {{elastic-sec}} to view th ## Ingest third-party security posture and vulnerability data [_ingest_third_party_security_posture_and_vulnerability_data] -You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](/solutions/security/cloud/findings-page.md) page, on the [Cloud Posture dashboard](/solutions/security/cloud/cloud-security-posture-dashboard.md), and in the entity details flyouts for [alerts](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section), [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout). +You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](/solutions/security/cloud/findings-page.md) page, on the [Cloud Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md), and in the entity details flyouts for [alerts](/solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section), [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout). * Learn to [ingest cloud security posture data from AWS Security Hub](/solutions/security/cloud/ingest-aws-security-hub-data.md). * Learn to [ingest cloud security posture and vulnerability data from Wiz](/solutions/security/cloud/ingest-wiz-data.md). 
diff --git a/solutions/security/cloud/kubernetes-security-posture-management.md b/solutions/security/cloud/kubernetes-security-posture-management.md index 27a213b689..fe6a6c096b 100644 --- a/solutions/security/cloud/kubernetes-security-posture-management.md +++ b/solutions/security/cloud/kubernetes-security-posture-management.md @@ -32,7 +32,7 @@ This integration supports Amazon EKS and unmanaged Kubernetes clusters. For setu 1. When you add a KSPM integration, it generates a Kubernetes manifest. When applied to a cluster, the manifest deploys an {{agent}} as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset) to ensure all nodes are evaluated. 2. Upon deployment, the integration immediately assesses the security posture of your Kubernetes resources. The evaluation process repeats every four hours. -3. After each evaluation, the integration sends findings to {{es}}. Findings appear on the [Cloud Security Posture dashboard](/solutions/security/cloud/cloud-security-posture-dashboard-2.md) and the [findings](/solutions/security/cloud/findings-page-2.md) page. +3. After each evaluation, the integration sends findings to {{es}}. Findings appear on the [Cloud Security Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md) and the [findings](/solutions/security/cloud/findings-page-2.md) page. ## Use cases [kspm-use-cases] @@ -48,7 +48,7 @@ The KSPM integration helps you to: To identify and remediate failed failed findings: -1. Go to the [Cloud Security Posture dashboard](/solutions/security/cloud/cloud-security-posture-dashboard-2.md). +1. Go to the [Cloud Security Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md). 2. Click **View all failed findings**, either for an individual cluster or for all monitored clusters. 3. Click a failed finding. The findings flyout opens. 4. Follow the steps under **Remediation** to correct the misconfiguration. 
@@ -72,7 +72,7 @@ To identify the Kubernetes resources generating the most failed findings: To identify risks in particular CIS sections: -1. Go to the [Cloud Security Posture dashboard](/solutions/security/cloud/cloud-security-posture-dashboard-2.md). +1. Go to the [Cloud Security Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md). 2. In the Failed findings by CIS section widget, click the name of a CIS section to view all failed findings for that section. Alternatively: diff --git a/solutions/security/dashboards/cloud-native-vulnerability-management-dashboard.md b/solutions/security/dashboards/cloud-native-vulnerability-management-dashboard.md index 7435501f9b..5153689355 100644 --- a/solutions/security/dashboards/cloud-native-vulnerability-management-dashboard.md +++ b/solutions/security/dashboards/cloud-native-vulnerability-management-dashboard.md @@ -6,13 +6,6 @@ mapped_urls: # Cloud Native Vulnerability Management Dashboard -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/vuln-management-dashboard-dash.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-vuln-management-dashboard-dash.md - The Cloud Native Vulnerability Management (CNVM) dashboard gives you an overview of vulnerabilities detected in your cloud infrastructure. :::{image} ../../../images/security-vuln-management-dashboard.png diff --git a/solutions/toc.yml b/solutions/toc.yml index 3433139cc7..e0e1066e4f 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml 
@@ -486,14 +486,14 @@ toc: - file: security/cloud/cspm-privilege-requirements.md - file: security/cloud/findings-page.md - file: security/cloud/benchmarks.md - - file: security/cloud/cloud-security-posture-dashboard.md + - file: security/dashboards/cloud-security-posture-dashboard.md - file: security/cloud/frequently-asked-questions-faq.md - file: security/cloud/kubernetes-security-posture-management.md children: - file: security/cloud/get-started-with-kspm.md - file: security/cloud/findings-page-2.md - file: security/cloud/benchmarks.md - - file: security/cloud/cloud-security-posture-dashboard-2.md + - file: security/dashboards/cloud-security-posture-dashboard.md - file: security/cloud/frequently-asked-questions-faq-2.md - file: security/cloud/cloud-native-vulnerability-management.md children: From 27e62564d0f2e7480ff38eadd69e037391b7dde8 Mon Sep 17 00:00:00 2001 
From: Benjamin Ironside Goldstein Date: Wed, 26 Feb 2025 10:43:37 -0800 Subject: [PATCH 04/11] findings and faq pages --- .../serverless/cspm-required-permissions.md | 60 -------------- .../security-cloud-workload-protection.md | 18 ----- .../security-cspm-findings-page-kspm-kspm.md | 79 ------------------ .../serverless/security-cspm-findings-page.md | 79 ------------------ .../security-cspm-security-posture-faq.md | 69 ---------------- .../docs-content/serverless/security-cspm.md | 28 ------- .../serverless/security-posture-faq.md | 67 ---------------- raw-migrated-files/toc.yml | 7 -- .../cloud-security-posture-management.md | 25 +----- ...=> cnvm-frequently-asked-questions-faq.md} | 9 --- ...=> cspm-frequently-asked-questions-faq.md} | 7 -- .../cloud/cspm-privilege-requirements.md | 7 -- .../cloud/enable-cloud-security-features.md | 17 ++-- solutions/security/cloud/findings-page-2.md | 29 +++---- solutions/security/cloud/findings-page-3.md | 2 +- solutions/security/cloud/findings-page.md | 24 +++--- .../cloud/frequently-asked-questions-faq-2.md | 80 ------------------- solutions/toc.yml | 6 +- 18 files changed, 31 insertions(+), 582 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/cspm-required-permissions.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cloud-workload-protection.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cspm-findings-page-kspm-kspm.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cspm-findings-page.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cspm-security-posture-faq.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cspm.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-posture-faq.md rename solutions/security/cloud/{frequently-asked-questions-faq-3.md => cnvm-frequently-asked-questions-faq.md} (92%) rename 
solutions/security/cloud/{frequently-asked-questions-faq.md => cspm-frequently-asked-questions-faq.md} (93%) delete mode 100644 solutions/security/cloud/frequently-asked-questions-faq-2.md diff --git a/raw-migrated-files/docs-content/serverless/cspm-required-permissions.md b/raw-migrated-files/docs-content/serverless/cspm-required-permissions.md deleted file mode 100644 index b8716371ab..0000000000 --- a/raw-migrated-files/docs-content/serverless/cspm-required-permissions.md +++ /dev/null 
@@ -1,60 +0,0 @@ -# CSPM privilege requirements [cspm-required-permissions] - -This page lists required privilges for {{elastic-sec}}'s CSPM features. There are three access levels: read, write, and manage. Each access level and its requirements are described below. - - -## Read [_read] - -Users with these minimum permissions can view data on the **Findings** page and the Cloud Posture dashboard. - - -### {{es}} index privileges [_es_index_privileges] - -`Read` privileges for the following {{es}} indices: - -* `logs-cloud_security_posture.findings_latest-*` -* `logs-cloud_security_posture.scores-*` - - -### {{kib}} privileges [_kib_privileges] - -* `Security: Read` - - -## Write [_write] - -Users with these minimum permissions can view data on the **Findings** page and the Cloud Posture dashboard, create detection rules from the findings details flyout, and enable or disable benchmark rules. - - -### {{es}} index privileges [_es_index_privileges_2] - -`Read` privileges for the following {{es}} indices: - -* `logs-cloud_security_posture.findings_latest-*` -* `logs-cloud_security_posture.scores-*` - - -### {{kib}} privileges [_kib_privileges_2] - -* `Security: All` - - -## Manage [_manage] - -Users with these minimum permissions can view data on the **Findings** page and the Cloud Posture dashboard, create detection rules from the findings details flyout, enable or disable benchmark rules, and install, update, or uninstall CSPM integrations and assets. - - -### {{es}} index privileges [_es_index_privileges_3] - -`Read` privileges for the following {{es}} indices: - -* `logs-cloud_security_posture.findings_latest-*` -* `logs-cloud_security_posture.scores-*` - - -### {{kib}} privileges [_kib_privileges_3] - -* `Security: All` -* `Spaces: All` -* `Fleet: All` -* `Integrations: All` 
diff --git a/raw-migrated-files/docs-content/serverless/security-cloud-workload-protection.md b/raw-migrated-files/docs-content/serverless/security-cloud-workload-protection.md deleted file mode 100644 index 14486b6a44..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cloud-workload-protection.md +++ /dev/null 
@@ -1,18 +0,0 @@ -# Cloud workload protection for VMs [security-cloud-workload-protection] - -Cloud workload protection helps you monitor and protect your Linux VMs. It uses the [{{elastic-defend}}](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md) integration to capture cloud workload telemetry containing process, file, and network activity. - -Use this telemetry with out-of-the-box detection rules and machine learning models to automate processes that identify cloud threats. - - -## Use cases [security-cloud-workload-protection-use-cases] - -* **Runtime monitoring of cloud workloads:** Provides visibility into cloud workloads, context for detected threats, and the historical data needed for retroactive threat investigations. -* **Cloud-native threat detection and prevention:** Provides security coverage for Linux, containers, and serverless applications. Protects against known and unknown threats using on-host detections and protections against malicious behavior, memory threats, and malware. -* **Reducing the time to detect and remediate runtime threats:** Helps you resolve potential threats by showing alerts in context, making the data necessary for further investigations readily available, and providing remediation options. - -To continue setting up your cloud workload protection, learn more about: - -* [**Getting started with {{elastic-defend}}**](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md): configure {{elastic-defend}} to protect your hosts. Be sure to select one of the "Cloud workloads" presets if you want to collect session data by default, including process, file, and network telemetry. -* [**Session view**](../../../solutions/security/investigate/session-view.md): examine Linux process data organized in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution. 
Use it to monitor and investigate session activity, and to understand user and service behavior on your Linux infrastructure. -* [**Environment variable capture**](../../../solutions/security/cloud/capture-environment-variables.md): Capture the environment variables associated with process events, such as `PATH`, `LD_PRELOAD`, or `USER`. diff --git a/raw-migrated-files/docs-content/serverless/security-cspm-findings-page-kspm-kspm.md b/raw-migrated-files/docs-content/serverless/security-cspm-findings-page-kspm-kspm.md deleted file mode 100644 index 607f0ee17f..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cspm-findings-page-kspm-kspm.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# Findings page [security-cspm-findings-page-kspm-kspm] - -The **Misconfigurations** tab on the **Findings** page displays the configuration risks identified by the [CSPM](../../../solutions/security/cloud/cloud-security-posture-management.md) and [KSPM](../../../solutions/security/cloud/kubernetes-security-posture-management.md) integrations, as well as data from [third-party integrations](../../../solutions/security/cloud/ingest-third-party-cloud-security-data.md). - -:::{image} ../../../images/serverless--cloud-native-security-findings-page.png -:alt: Findings page -:class: screenshot -::: - - -## What are CSPM and KSPM findings? [cspm-findings-page-what-are-findings-kspm] - -CSPM and KSPM findings indicate whether a given resource passed or failed evaluation against a specific security guideline. Each finding includes metadata about the resource evaluated and the security guideline used to evaluate it. Each finding’s result (`pass` or `fail`) indicates whether a particular part of your infrastructure meets a security guideline. - - -## Group and filter findings [cspm-findings-page-group-filter-kspm] - -By default, the Findings page lists all findings, without grouping or filtering. - - -### Group findings [security-cspm-findings-page-group-findings-kspm] - -Click **Group findings by** to group your data by a field. Select one of the suggested fields or **Custom field** to choose your own. You can select up to three group fields at once. - -* When grouping is turned on, click a group to expand it and examine all sub-groups or findings within that group. -* To turn off grouping, click **Group findings by** and select **None**. - -::::{note} -Multiple groupings apply to your data in the order you selected them. For example, if you first select **Cloud account**, then select **Resource***, the top-level grouping will be based on ***Cloud account**, and its subordinate grouping will be based on **Resource**. 
- -:::: - - - -### Filter findings [cspm-findings-page-filter-findings-kspm] - -You can filter findings data in two ways: - -* **KQL search bar**: For example, search for `result.evaluation : failed` to view all failed findings. -* **In-table value filters**: Hover over a finding to display available inline actions. Use the **Filter In** (plus) and **Filter Out** (minus) buttons. - - -## Customize the Findings table [security-cspm-findings-page-customize-the-findings-table-kspm] - -You can use the toolbar buttons in the upper-left of the Findings table to select which columns appear: - -* **Columns**: Select the left-to-right order in which columns appear. -* **Sort fields**: Sort the table by one or more columns, or turn sorting off. -* **Fields**: Select which fields to display for each finding. Selected fields appear in the table and the **Columns** menu. - -::::{tip} -You can also click a column’s name to open a menu that allows you to perform multiple actions on the column. - -:::: - - - -## Remediate failed findings [cspm-findings-page-remediate-findings-kspm] - -To remediate failed findings and reduce your attack surface: - -1. First, [filter for failed findings](../../../solutions/security/cloud/findings-page-2.md#cspm-findings-page-filter-findings-kspm). -2. Click the arrow to the left of a failed finding to open the findings flyout. -3. Follow the steps under **Remediation**. - - ::::{note} - Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before execution. - - :::: - - - -## Generate alerts for failed Findings [cspm-create-rule-from-finding-kspm] - -You can create detection rules that detect specific failed findings directly from the Findings page. - -1. Click the arrow to the left of a Finding to open the findings flyout. -2. Click **Take action**, then **Create a detection rule**. 
This automatically creates a detection rule that creates alerts when the associated benchmark rule generates a failed finding. -3. To review or customize the new rule, click **View rule**. diff --git a/raw-migrated-files/docs-content/serverless/security-cspm-findings-page.md b/raw-migrated-files/docs-content/serverless/security-cspm-findings-page.md deleted file mode 100644 index 2a5ecae1f1..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cspm-findings-page.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# Findings page [security-cspm-findings-page] - -The **Misconfigurations** tab on the **Findings** page displays the configuration risks identified by the [CSPM](../../../solutions/security/cloud/cloud-security-posture-management.md) and [KSPM](../../../solutions/security/cloud/kubernetes-security-posture-management.md) integrations, as well as data from [third-party integrations](../../../solutions/security/cloud/ingest-third-party-cloud-security-data.md). - -:::{image} ../../../images/serverless--cloud-native-security-findings-page.png -:alt: Findings page -:class: screenshot -::: - - -## What are CSPM and KSPM findings? [cspm-findings-page-what-are-findings] - -CSPM and KSPM findings indicate whether a given resource passed or failed evaluation against a specific security guideline. Each finding includes metadata about the resource evaluated and the security guideline used to evaluate it. Each finding’s result (`pass` or `fail`) indicates whether a particular part of your infrastructure meets a security guideline. - - -## Group and filter findings [cspm-findings-page-group-filter] - -By default, the Findings page lists all findings, without grouping or filtering. - - -### Group findings [security-cspm-findings-page-group-findings] - -Click **Group findings by** to group your data by a field. Select one of the suggested fields or **Custom field** to choose your own. You can select up to three group fields at once. - -* When grouping is turned on, click a group to expand it and examine all sub-groups or findings within that group. -* To turn off grouping, click **Group findings by** and select **None**. - -::::{note} -Multiple groupings apply to your data in the order you selected them. For example, if you first select **Cloud account**, then select **Resource***, the top-level grouping will be based on ***Cloud account**, and its subordinate grouping will be based on **Resource**. 
- -:::: - - - -### Filter findings [cspm-findings-page-filter-findings] - -You can filter findings data in two ways: - -* **KQL search bar**: For example, search for `result.evaluation : failed` to view all failed findings. -* **In-table value filters**: Hover over a finding to display available inline actions. Use the **Filter In** (plus) and **Filter Out** (minus) buttons. - - -## Customize the Findings table [security-cspm-findings-page-customize-the-findings-table] - -You can use the toolbar buttons in the upper-left of the Findings table to select which columns appear: - -* **Columns**: Select the left-to-right order in which columns appear. -* **Sort fields**: Sort the table by one or more columns, or turn sorting off. -* **Fields**: Select which fields to display for each finding. Selected fields appear in the table and the **Columns** menu. - -::::{tip} -You can also click a column’s name to open a menu that allows you to perform multiple actions on the column. - -:::: - - - -## Remediate failed findings [cspm-findings-page-remediate-findings] - -To remediate failed findings and reduce your attack surface: - -1. First, [filter for failed findings](../../../solutions/security/cloud/findings-page.md#cspm-findings-page-filter-findings). -2. Click the arrow to the left of a failed finding to open the findings flyout. -3. Follow the steps under **Remediation**. - - ::::{note} - Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before execution. - - :::: - - - -## Generate alerts for failed Findings [cspm-create-rule-from-finding] - -You can create detection rules that detect specific failed findings directly from the Findings page. - -1. Click the arrow to the left of a Finding to open the findings flyout. -2. Click **Take action**, then **Create a detection rule**. 
This automatically creates a detection rule that creates alerts when the associated benchmark rule generates a failed finding. -3. To review or customize the new rule, click **View rule**. diff --git a/raw-migrated-files/docs-content/serverless/security-cspm-security-posture-faq.md b/raw-migrated-files/docs-content/serverless/security-cspm-security-posture-faq.md deleted file mode 100644 index 7fcd4812c3..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cspm-security-posture-faq.md +++ /dev/null 
@@ -1,69 +0,0 @@ -# Frequently asked questions (FAQ) [security-cspm-security-posture-faq] - - -## CSPM FAQ [cspm-security-posture-faq] - -Frequently asked questions about the Cloud Security Posture Management (CSPM) integration and features. - -**How often is my cloud security posture evaluated?** - -Cloud accounts are evaluated when you first deploy the CSPM integration and every 24 hours afterward. - -**Can I onboard multiple accounts at one time?** - -Yes. Follow the onboarding instructions in the getting started guides for AWS, GCP, or Azure. - -**When do newly enrolled cloud accounts appear on the dashboard?** - -After you deploy the CSPM integration, it can take up to 10 minutes for resource fetching, evaluation, and data processing before a newly enrolled account appears on the Cloud Security Posture dashboard. - -**When do unenrolled cloud accounts disappear from the dashboard?** - -Newly unenrolled cloud accounts can take a maximum of 24 hours to disappear from the Cloud Security Posture dashboard. - - -## KSPM FAQ [security-cspm-security-posture-faq-kspm-faq] - -Frequently asked questions about the Kubernetes Security Posture Management (KSPM) integration and features. - -**What versions of Kubernetes are supported?** - -For self-managed/vanilla clusters, Kubernetes version 1.23 is supported. - -For EKS clusters, all Kubernetes versions available at the time of cluster deployment are supported. - -**Do benchmark rules support multiple Kubernetes deployment types?** Yes. There are different sets of benchmark rules for self-managed and third party-managed deployments. Refer to [Get started with KSPM](../../../solutions/security/cloud/get-started-with-kspm.md) for more information about setting up each deployment type. - -**Can I evaluate the security posture of my Amazon EKS clusters?** Yes. KSPM currently supports the security posture evaluation of Amazon EKS and unmanaged Kubernetes clusters. 
- -**How often is my cluster’s security posture evaluated?** Clusters are evaluated when you deploy a KSPM integration, and every four hours after that. - -**When do newly-enrolled clusters appear on the dashboard?** It can take up to 10 minutes for deployment, resource fetching, evaluation, and data processing to complete before a newly-enrolled cluster appears on the dashboard. - -**When do unenrolled clusters disappear from the dashboard?** A cluster will disappear as soon as the KSPM integration fetches data while that cluster is not enrolled. The fetch process repeats every four hours, which means a newly unenrolled cluster can take a maximum of four hours to disappear from the dashboard. - - -## Findings page [security-cspm-security-posture-faq-findings-page] - -**Are all the findings page current?** Yes. Only the most recent findings appear on the Findings page. - -**Can I build custom visualizations and dashboards that incorporate findings data?** Yes, you can use custom visualization capabilities with findings data. To learn more, refer to [Dashboards and visualizations](../../../explore-analyze/dashboards.md). - -**Where is Findings data saved?** You can access findings data using the following index patterns: - -* **Current findings:** `logs-cloud_security_posture.findings_latest-*` -* **Historical findings:** `logs-cloud_security_posture.findings-*` - - -## Benchmark rules [security-cspm-security-posture-faq-benchmark-rules] - -**How often are my resources evaluated against benchmark rules?** Resources are fetched and evaluated against benchmark rules when a security posture management integration is deployed. After that, the CSPM integration evaluates every 24 hours, and the KSPM integration evaluates every four hours. - -**Can I configure an integration’s fetch cycle?** No, the four-hour fetch cycle is not configurable. - -**Can I contribute to the CSP ruleset?** You can’t directly edit benchmark rules. 
The rules are defined [in this repository](https://github.com/elastic/csp-security-policies), where you can raise issues with certain rules. They are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/). - -**How can I tell which specific version of the CIS benchmarks is in use?** Refer to the `rule.benchmark.name` and `rule.benchmark.version` fields for documents in these datastreams: - -* `logs-cloud_security_posture.findings-default` -* `logs-cloud_security_posture.findings_latest-default` diff --git a/raw-migrated-files/docs-content/serverless/security-cspm.md b/raw-migrated-files/docs-content/serverless/security-cspm.md deleted file mode 100644 index 4f10bcf162..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cspm.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Cloud security posture management [security-cspm] - -The Cloud Security Posture Management (CSPM) feature discovers and evaluates the services in your cloud environment — like storage, compute, IAM, and more — against configuration security guidelines defined by the [Center for Internet Security](https://www.cisecurity.org/) (CIS) to help you identify and remediate risks that could undermine the confidentiality, integrity, and availability of your cloud data. - -This feature currently supports agentless and agent-based deployments on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. For step-by-step getting started guides, refer to [Get started with CSPM for AWS](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md), [Get started with CSPM for GCP](../../../solutions/security/cloud/get-started-with-cspm-for-gcp.md), or [Get started with CSPM for Azure](../../../solutions/security/cloud/get-started-with-cspm-for-azure.md). - -::::{admonition} Requirements -:class: note - -* CSPM only works in the `Default` {{kib}} space. Installing the CSPM integration on a different {{kib}} space will not work. -* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported ([request support](https://github.com/elastic/kibana/issues/new/choose)). - -:::: - - - -## How CSPM works [cspm-how-it-works] - -Using the read-only credentials you will provide during the setup process, it will evaluate the configuration of resources in your environment every 24 hours. After each evaluation, the integration sends findings to Elastic. A high-level summary of the findings appears on the [Cloud Security Posture dashboard](../../../solutions/security/dashboards/cloud-security-posture-dashboard.md), and detailed findings appear on the [Findings page](../../../solutions/security/cloud/findings-page.md). - - - - - - - - - 
diff --git a/raw-migrated-files/docs-content/serverless/security-posture-faq.md b/raw-migrated-files/docs-content/serverless/security-posture-faq.md deleted file mode 100644 index 65126c1ef6..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-posture-faq.md +++ /dev/null 
@@ -1,67 +0,0 @@ -# Frequently asked questions (FAQ) [security-posture-faq] - - -## CSPM FAQ [cspm-faq] - -Frequently asked questions about the Cloud Security Posture Management (CSPM) integration and features. - -**How often is my cloud security posture evaluated?** - -Cloud accounts are evaluated when you first deploy the CSPM integration and every 24 hours afterward. - -**Can I onboard multiple accounts at one time?** - -Yes. Follow the onboarding instructions in the getting started guides for AWS, GCP, or Azure. - -**When do newly enrolled cloud accounts appear on the dashboard?** - -After you deploy the CSPM integration, it can take up to 10 minutes for resource fetching, evaluation, and data processing before a newly enrolled account appears on the Cloud Security Posture dashboard. - -**When do unenrolled cloud accounts disappear from the dashboard?** - -Newly unenrolled cloud accounts can take a maximum of 24 hours to disappear from the Cloud Security Posture dashboard. - - -## KSPM FAQ [kspm-faq] - -Frequently asked questions about the Kubernetes Security Posture Management (KSPM) integration and features. - -**What versions of Kubernetes are supported?** - -For self-managed/vanilla clusters, Kubernetes version 1.23 is supported. - -**Do benchmark rules support multiple Kubernetes deployment types?** Yes. There are different sets of benchmark rules for self-managed and third party-managed deployments. Refer to [Get started with KSPM](../../../solutions/security/cloud/get-started-with-kspm.md) for more information about setting up each deployment type. - -**Can I evaluate the security posture of my Amazon EKS clusters?** Yes. KSPM currently supports the security posture evaluation of Amazon EKS and unmanaged Kubernetes clusters. - -**How often is my cluster’s security posture evaluated?** Clusters are evaluated when you deploy a KSPM integration, and every four hours after that. 
- -**When do newly-enrolled clusters appear on the dashboard?** It can take up to 10 minutes for deployment, resource fetching, evaluation, and data processing to complete before a newly-enrolled cluster appears on the dashboard. - -**When do unenrolled clusters disappear from the dashboard?** A cluster will disappear as soon as the KSPM integration fetches data while that cluster is not enrolled. The fetch process repeats every four hours, which means a newly unenrolled cluster can take a maximum of four hours to disappear from the dashboard. - - -## Findings page [security-posture-faq-findings-page] - -**Are all the findings page current?** Yes. Only the most recent findings appear on the Findings page. - -**Can I build custom visualizations and dashboards that incorporate findings data?** Yes. You can use {{kib}}'s custom visualization capabilities with findings data. To learn more, refer to [Dashboards and visualizations](../../../explore-analyze/dashboards.md). - -**Where is Findings data saved?** You can access findings data using the following index patterns: - -* **Current findings:** `logs-cloud_security_posture.findings_latest-*` -* **Historical findings:** `logs-cloud_security_posture.findings-*` - - -## Benchmark rules [security-posture-faq-benchmark-rules] - -**How often are my resources evaluated against benchmark rules?** Resources are fetched and evaluated against benchmark rules when a security posture management integration is deployed. After that, the CSPM integration evaluates every 24 hours, and the KSPM integration evaluates every four hours. - -**Can I configure an integration’s fetch cycle?** No, the fetch cycle’s timing is not configurable. - -**Can I contribute to the CSP ruleset?** You can’t directly edit benchmark rules. The rules are defined [in this repository](https://github.com/elastic/csp-security-policies), where you can raise issues with certain rules. 
They are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/). - -**How can I tell which specific version of the CIS benchmarks is in use?** Refer to the `rule.benchmark.name` and `rule.benchmark.version` fields for documents in these datastreams: - -* `logs-cloud_security_posture.findings-default` -* `logs-cloud_security_posture.findings_latest-default` diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 063fdfe275..5df5db4c77 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -190,7 +190,6 @@ toc: - file: docs-content/serverless/ai-assistant-knowledge-base.md - file: docs-content/serverless/attack-discovery.md - file: docs-content/serverless/connect-to-byo-llm.md - - file: docs-content/serverless/cspm-required-permissions.md - file: docs-content/serverless/detections-logsdb-index-mode-impact.md - file: docs-content/serverless/elasticsearch-dev-tools.md - file: docs-content/serverless/elasticsearch-differences.md 
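Review bot: the `docs-content/serverless/cspm-required-permissions.md` toc entry is removed here, but no `deleted file mode` header for `raw-migrated-files/docs-content/serverless/cspm-required-permissions.md` appears anywhere in this patch, and the cspm-privilege-requirements.md hunk below deletes the checklist line that still marked that raw file as not merged (`% - [ ] ./raw-migrated-files/docs-content/serverless/cspm-required-permissions.md`). The same check applies to the five entries dropped in the following `@@ -245,19 +244,14 @@` hunk, of which only `security-cspm.md` and `security-posture-faq.md` have visible deletions. Removing a toc entry while the file stays in the tree leaves an orphaned page; either delete the raw files in this commit or keep their entries until they are gone.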
@@ -245,19 +244,14 @@ toc: - file: docs-content/serverless/security-cloud-posture-dashboard-dash-cspm.md - file: docs-content/serverless/security-cloud-posture-dashboard-dash-kspm.md - file: docs-content/serverless/security-cloud-posture-dashboard-dash.md - - file: docs-content/serverless/security-cloud-workload-protection.md - file: docs-content/serverless/security-configure-endpoint-integration-policy.md - file: docs-content/serverless/security-connect-to-azure-openai.md - file: docs-content/serverless/security-connect-to-bedrock.md - file: docs-content/serverless/security-connect-to-google-vertex.md - file: docs-content/serverless/security-connect-to-openai.md - - file: docs-content/serverless/security-cspm-findings-page-kspm-kspm.md - - file: docs-content/serverless/security-cspm-findings-page.md - file: docs-content/serverless/security-cspm-get-started-azure.md - file: docs-content/serverless/security-cspm-get-started-gcp.md - file: docs-content/serverless/security-cspm-get-started.md - - file: docs-content/serverless/security-cspm-security-posture-faq.md - - file: docs-content/serverless/security-cspm.md - file: docs-content/serverless/security-dashboards-overview.md - file: docs-content/serverless/security-data-quality-dash.md - file: docs-content/serverless/security-data-views-in-sec.md @@ -289,7 +283,6 @@ toc: - file: docs-content/serverless/security-osquery-response-action.md - file: docs-content/serverless/security-overview-dashboard.md - file: docs-content/serverless/security-policies-page.md - - file: docs-content/serverless/security-posture-faq.md - file: docs-content/serverless/security-posture-management.md - file: docs-content/serverless/security-prebuilt-rules-management.md - file: docs-content/serverless/security-query-alert-indices.md diff --git a/solutions/security/cloud/cloud-security-posture-management.md b/solutions/security/cloud/cloud-security-posture-management.md index ff22b292c5..210d653e4a 100644 
--- a/solutions/security/cloud/cloud-security-posture-management.md +++ b/solutions/security/cloud/cloud-security-posture-management.md 
@@ -6,39 +6,18 @@ mapped_urls: # Cloud security posture management -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cspm.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cspm.md - The Cloud Security Posture Management (CSPM) feature discovers and evaluates the services in your cloud environment — like storage, compute, IAM, and more — against configuration security guidelines defined by the [Center for Internet Security](https://www.cisecurity.org/) (CIS) to help you identify and remediate risks that could undermine the confidentiality, integrity, and availability of your cloud data. This feature currently supports agentless and agent-based deployments on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. For step-by-step getting started guides, refer to [Get started with CSPM for AWS](/solutions/security/cloud/get-started-with-cspm-for-aws.md), [Get started with CSPM for GCP](/solutions/security/cloud/get-started-with-cspm-for-gcp.md), or [Get started with CSPM for Azure](/solutions/security/cloud/get-started-with-cspm-for-azure.md). ::::{admonition} Requirements -* CSPM is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing). -* {{stack}} version 8.10 or greater. +* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to [CSPM privilege requirements](/solutions/security/cloud/cspm-privilege-requirements.md). +* The CSPM integration is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing). * CSPM only works in the `Default` {{kib}} space. Installing the CSPM integration on a different {{kib}} space will not work. 
* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. [Click here to request support](https://github.com/elastic/kibana/issues/new/choose). -* `Read` privileges for the following {{es}} indices: - - * `logs-cloud_security_posture.findings_latest-*` - * `logs-cloud_security_posture.scores-*` - -* The following {{kib}} privileges: - - * Security: `Read` - * Integrations: `Read` - * Saved Objects Management: `Read` - * Fleet: `All` - :::: - - ## How CSPM works [cspm-how-it-works] Using the read-only credentials you will provide during the setup process, it will evaluate the configuration of resources in your environment every 24 hours. After each evaluation, the integration sends findings to Elastic. A high-level summary of the findings appears on the [Cloud Security Posture dashboard](/solutions/security/dashboards/cloud-security-posture-dashboard.md), and detailed findings appear on the [Findings page](/solutions/security/cloud/findings-page-2.md). diff --git a/solutions/security/cloud/frequently-asked-questions-faq-3.md b/solutions/security/cloud/cnvm-frequently-asked-questions-faq.md similarity index 92% rename from solutions/security/cloud/frequently-asked-questions-faq-3.md rename to solutions/security/cloud/cnvm-frequently-asked-questions-faq.md index 3c0eb16db8..00e023ef99 100644 --- a/solutions/security/cloud/frequently-asked-questions-faq-3.md +++ b/solutions/security/cloud/cnvm-frequently-asked-questions-faq.md 
@@ -6,15 +6,6 @@ mapped_pages: # Frequently asked questions (FAQ) -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/vuln-management-faq.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-vuln-management-faq.md - - - Frequently asked questions about the Cloud Native Vulnerability Management (CNVM) integration and features. **Which security data sources does the CNVM integration use to identify vulnerabilities?** diff --git a/solutions/security/cloud/frequently-asked-questions-faq.md b/solutions/security/cloud/cspm-frequently-asked-questions-faq.md similarity index 93% rename from solutions/security/cloud/frequently-asked-questions-faq.md rename to solutions/security/cloud/cspm-frequently-asked-questions-faq.md index e215879521..ae2def012d 100644 --- a/solutions/security/cloud/frequently-asked-questions-faq.md +++ b/solutions/security/cloud/cspm-frequently-asked-questions-faq.md @@ -6,13 +6,6 @@ mapped_urls: # Frequently asked questions (FAQ) -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cspm-security-posture-faq.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cspm-security-posture-faq.md - ## CSPM FAQ [_cspm_faq] diff --git a/solutions/security/cloud/cspm-privilege-requirements.md b/solutions/security/cloud/cspm-privilege-requirements.md index e5fe2be1e5..b92a219bc1 100644 --- a/solutions/security/cloud/cspm-privilege-requirements.md +++ b/solutions/security/cloud/cspm-privilege-requirements.md 
@@ -6,13 +6,6 @@ mapped_urls: # CSPM privilege requirements -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cspm-required-permissions.md -% - [ ] ./raw-migrated-files/docs-content/serverless/cspm-required-permissions.md - This page lists required privileges for {{elastic-sec}}'s CSPM features. There are three access levels: read, write, and manage. Each access level and its requirements are described below. diff --git a/solutions/security/cloud/enable-cloud-security-features.md b/solutions/security/cloud/enable-cloud-security-features.md index 7c7cb97251..79f9948380 100644 --- a/solutions/security/cloud/enable-cloud-security-features.md +++ b/solutions/security/cloud/enable-cloud-security-features.md 
@@ -3,26 +3,19 @@ mapped_pages: - https://www.elastic.co/guide/en/serverless/current/security-enable-cloudsec.html --- -# Enable cloud security features [security-enable-cloudsec] +# Enable cloud security features in serverless [security-enable-cloudsec] -To use cloud security features in your {{elastic-sec}} project, you must have the `Cloud Protection Essentials` or `Cloud Protection Complete` options enabled for your project. +applies_to: + serverless: all + +To use cloud security features in your {{serverless-full}} project, you must have the `Cloud Protection Essentials` or `Cloud Protection Complete` options enabled for your project. To enable these options or check their current status: 1. Click your project name in the upper-left corner of {{kib}}. Select **Manage project**. - :::{image} ../../../images/serverless-manage-project.png - :alt: The project menu with the manage project button highlighted - :class: screenshot - ::: - 2. To the right of **Project features**, select **Edit**. - :::{image} ../../../images/serverless-project-features-edit.png - :alt: The project menu with the manage project button highlighted - :class: screenshot - ::: - 3. Enable the necessary options, then click **Save**. Continue with cloud security setup. diff --git a/solutions/security/cloud/findings-page-2.md b/solutions/security/cloud/findings-page-2.md index 3e688f7f99..cfd9d324cd 100644 --- a/solutions/security/cloud/findings-page-2.md +++ b/solutions/security/cloud/findings-page-2.md 
@@ -6,16 +6,6 @@ mapped_urls: # Findings page -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/findings-page.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cspm-findings-page-kspm-kspm.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$cspm-findings-page-filter-findings-kspm$$$ The **Misconfigurations** tab on the Findings page displays the configuration risks identified by the [CSPM](/solutions/security/cloud/cloud-security-posture-management.md) and [KSPM](/solutions/security/cloud/kubernetes-security-posture-management.md) integrations. 
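Review bot: this hunk deletes the `$$$cspm-findings-page-filter-findings-kspm$$$` anchor together with the `% Internal links rely on the following IDs being on this page` comment that explains why it exists, while the sibling findings-page.md hunk in this same patch keeps its `$$$cspm-findings-page-filter-findings$$$` anchor and comment. Unless every inbound link to the `-kspm` ID has been repointed, keep the anchor line (and the comment) so the two findings pages are handled the same way.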
@@ -37,13 +27,14 @@ By default, the Findings page lists all findings, without grouping or filtering. ### Group findings [_group_findings_2] -1. Click **Group findings by** to group your data by a field. Select one of the suggested fields or **Custom field** to choose your own. You can select up to three group fields at once. -2. When grouping is turned on, click a group to expand it and examine all sub-groups or findings within that group. -3. To turn off grouping, click **Group findings by** and select **None**. +Click **Group findings by** to group your data by a field. Select one of the suggested fields or **Custom field** to choose your own. You can select up to three group fields at once. -::::{note} -Multiple groupings apply to your data in the order you selected them. For example, if you first select **Kubernetes cluster**, then select **Resource***, the top-level grouping will be based on ***Kubernetes cluster**, and its subordinate grouping will be based on **Resource**. -:::: +* When grouping is turned on, click a group to expand it and examine all sub-groups or findings within that group. +* To turn off grouping, click **Group findings by** and select **None**. + + ::::{note} + Multiple groupings apply to your data in the order you selected them. For example, if you first select **Cloud account**, then select **Resource**, the top-level grouping will be based on **Cloud account**, and its subordinate grouping will be based on **Resource**. + :::: 
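Review bot: the grouping example in the note changes from **Kubernetes cluster** to **Cloud account**, but findings-page-2.md is the file `solutions/toc.yml` lists under `kubernetes-security-posture-management.md`, where a Kubernetes cluster is the more relevant first-level grouping; revert the example unless the intent is to make this page identical to findings-page.md (whose hunk also uses **Cloud account**). The repair of the broken bold markup (`**Resource***` / `***Kubernetes cluster**`) and the move from a numbered list to a lead sentence plus bullets are fine as they stand.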
@@ -77,9 +68,9 @@ To remediate failed findings and reduce your attack surface: 2. Click the arrow to the left of a failed finding to open the findings flyout. 3. Follow the steps under **Remediation**. - ::::{note} - Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before execution. - :::: + ::::{note} + Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before execution. + :::: diff --git a/solutions/security/cloud/findings-page-3.md b/solutions/security/cloud/findings-page-3.md index 715f4104e1..a0ec1fcac1 100644 --- a/solutions/security/cloud/findings-page-3.md +++ b/solutions/security/cloud/findings-page-3.md @@ -34,7 +34,7 @@ Click **Group vulnerabilities by** to group your data by a field. Select one of * To turn off grouping, click **Group vulnerabilities by:** and select **None**. ::::{note} -Multiple groupings apply to your data in the order you selected them. For example, if you first select **Cloud account**, then select **Resource***, the top-level grouping will be based on ***Cloud account**, and its subordinate grouping will be based on **Resource**, as demonstrated in the following screenshot. +Multiple groupings apply to your data in the order you selected them. For example, if you first select **Cloud account**, then select **Resource**, the top-level grouping will be based on **Cloud account**, and its subordinate grouping will be based on **Resource**, as demonstrated in the following screenshot. :::: diff --git a/solutions/security/cloud/findings-page.md b/solutions/security/cloud/findings-page.md index 40339c262e..c97a3f9070 100644 --- a/solutions/security/cloud/findings-page.md +++ b/solutions/security/cloud/findings-page.md 
@@ -6,13 +6,6 @@ mapped_urls: # Findings page -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cspm-findings-page.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cspm-findings-page.md - % Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): $$$cspm-findings-page-filter-findings$$$ @@ -37,11 +30,14 @@ By default, the Findings page lists all findings, without grouping or filtering. ### Group findings [_group_findings] -Click **Group findings by** to group your data by a field. Select one of the suggested fields or **Custom field*** to choose your own. You can select up to three group fields at once. . When grouping is turned on, click a group to expand it and examine all sub-groups or findings within that group. . To turn off grouping, click ***Group findings by** and select **None**. +Click **Group findings by** to group your data by a field. Select one of the suggested fields or **Custom field** to choose your own. You can select up to three group fields at once. -::::{note} -Multiple groupings apply to your data in the order you selected them. For example, if you first select **Cloud account**, then select **Resource***, the top-level grouping will be based on ***Cloud account**, and its subordinate grouping will be based on **Resource**. -:::: +* When grouping is turned on, click a group to expand it and examine all sub-groups or findings within that group. +* To turn off grouping, click **Group findings by** and select **None**. + + ::::{note} + Multiple groupings apply to your data in the order you selected them. For example, if you first select **Cloud account**, then select **Resource**, the top-level grouping will be based on **Cloud account**, and its subordinate grouping will be based on **Resource**. + :::: 
@@ -75,9 +71,9 @@ To remediate failed findings and reduce your attack surface: 2. Click the arrow to the left of a failed finding to open the findings flyout. 3. Follow the steps under **Remediation**. - ::::{note} - Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before execution. - :::: +::::{note} +Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before execution. +:::: diff --git a/solutions/security/cloud/frequently-asked-questions-faq-2.md b/solutions/security/cloud/frequently-asked-questions-faq-2.md deleted file mode 100644 index 49147dd59a..0000000000 --- a/solutions/security/cloud/frequently-asked-questions-faq-2.md +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -mapped_urls: - - https://www.elastic.co/guide/en/security/current/security-posture-faq.html - - https://www.elastic.co/guide/en/serverless/current/security-posture-faq.html ---- - -# Frequently asked questions (FAQ) - -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/security-posture-faq.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-posture-faq.md - - -## CSPM FAQ [cspm-faq] - -Frequently asked questions about the Cloud Security Posture Management (CSPM) integration and features. - -**How often is my cloud security posture evaluated?** - -Cloud accounts are evaluated when you first deploy the CSPM integration and every 24 hours afterward. - -**Can I onboard multiple accounts at one time?** - -Yes. Follow the onboarding instructions in the getting started guides for AWS, GCP, or Azure. - -**When do newly enrolled cloud accounts appear on the dashboard?** - -After you deploy the CSPM integration, it can take up to 10 minutes for resource fetching, evaluation, and data processing before a newly enrolled account appears on the Cloud Security Posture dashboard. - -**When do unenrolled cloud accounts disappear from the dashboard?** - -Newly unenrolled cloud accounts can take a maximum of 24 hours to disappear from the Cloud Security Posture dashboard. - - -## KSPM FAQ [kspm-faq] - -Frequently asked questions about the Kubernetes Security Posture Management (KSPM) integration and features. - -**What versions of Kubernetes are supported?** - -For self-managed/vanilla and EKS clusters, Kubernetes version 1.23 is supported. - -**Do benchmark rules support multiple Kubernetes deployment types?** Yes. There are different sets of benchmark rules for self-managed and third party-managed deployments. 
Refer to [Get started with KSPM](/solutions/security/cloud/get-started-with-kspm.md) for more information about setting up each deployment type. - -**Can I evaluate the security posture of my Amazon EKS clusters?** Yes. KSPM currently supports the security posture evaluation of Amazon EKS and unmanaged Kubernetes clusters. - -**How often is my cluster’s security posture evaluated?** Clusters are evaluated when you deploy a KSPM integration, and every four hours after that. - -**When do newly-enrolled clusters appear on the dashboard?** It can take up to 10 minutes for deployment, resource fetching, evaluation, and data processing to complete before a newly-enrolled cluster appears on the dashboard. - -**When do unenrolled clusters disappear from the dashboard?** A cluster will disappear as soon as the KSPM integration fetches data while that cluster is not enrolled. The fetch process repeats every four hours, which means a newly unenrolled cluster can take a maximum of four hours to disappear from the dashboard. - - -## Findings page [_findings_page_2] - -**Are all the findings page current?** Yes. Only the most recent findings appear on the Findings page. - -**Can I build custom visualizations and dashboards that incorporate findings data?** Yes. You can use {{kib}}'s custom visualization capabilities with findings data. To learn more, refer to [Dashboards and visualizations](/explore-analyze/dashboards.md). - -**Where is Findings data saved?** You can access findings data using the following index patterns: - -* **Current findings:** `logs-cloud_security_posture.findings_latest-*` -* **Historical findings:** `logs-cloud_security_posture.findings-*` - - -## Benchmark rules [_benchmark_rules_2] - -**How often are my resources evaluated against benchmark rules?** Resources are fetched and evaluated against benchmark rules when a security posture management integration is deployed. 
After that, the CSPM integration evaluates every 24 hours, and the KSPM integration evaluates every four hours. - -**Can I configure an integration’s fetch cycle?** No, the four-hour fetch cycle is not configurable. - -**Can I contribute to the CSP ruleset?** You can’t directly edit benchmark rules. The rules are defined [in this repository](https://github.com/elastic/csp-security-policies), where you can raise issues with certain rules. They are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/). - -**How can I tell which specific version of the CIS benchmarks is in use?** Refer to the `rule.benchmark.name` and `rule.benchmark.version` fields for documents in these datastreams: - -* `logs-cloud_security_posture.findings-default` -* `logs-cloud_security_posture.findings_latest-default` diff --git a/solutions/toc.yml b/solutions/toc.yml index e0e1066e4f..edf3d55d3b 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml 
@@ -487,20 +487,20 @@ toc: - file: security/cloud/findings-page.md - file: security/cloud/benchmarks.md - file: security/dashboards/cloud-security-posture-dashboard.md - - file: security/cloud/frequently-asked-questions-faq.md + - file: security/cloud/cspm-frequently-asked-questions-faq.md - file: security/cloud/kubernetes-security-posture-management.md children: - file: security/cloud/get-started-with-kspm.md - file: security/cloud/findings-page-2.md - file: security/cloud/benchmarks.md - file: security/dashboards/cloud-security-posture-dashboard.md - - file: security/cloud/frequently-asked-questions-faq-2.md + - file: security/cloud/cspm-frequently-asked-questions-faq.md - file: security/cloud/cloud-native-vulnerability-management.md children: - file: security/cloud/get-started-with-cnvm.md - file: security/cloud/findings-page-3.md - file: security/dashboards/cloud-native-vulnerability-management-dashboard.md - - file: security/cloud/frequently-asked-questions-faq-3.md + - file: security/cloud/cnvm-frequently-asked-questions-faq.md - file: security/cloud/cloud-workload-protection-for-kubernetes.md children: - file: security/cloud/get-started-with-cwp-for-kubernetes.md From 4f751baebb07d19ebd48ee9d79f00bbf8455bac5 Mon Sep 17 00:00:00 2001 
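Review bot: in the cloud-security-posture-management.md hunk, the `{{stack}} version 8.10 or greater` bullet is deleted from the Requirements admonition without a replacement. The removed `% What needs to be done: Align serverless/stateful` line shows this page is meant to serve both audiences, so keep the stateful minimum version with a stack-scoped `applies_to` marker rather than dropping it. While in the file, the unchanged context sentence `Using the read-only credentials you will provide during the setup process, it will evaluate the configuration of resources` has a dangling `it`; naming the CSPM integration as the subject would read better.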
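Review bot: in the enable-cloud-security-features.md hunk, the added `applies_to:` / `  serverless: all` lines are placed below the `# Enable cloud security features in serverless` heading, after the frontmatter's closing `---`, so they will render as literal body text instead of being read as page metadata; move them above the closing `---`, next to `mapped_pages:`.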
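Review bot: in the findings-page.md remediation hunk (`@@ -75,9 +71,9 @@`), the `::::{note}` block is moved to column 0, which pulls it out of numbered step 3, while the identical note in findings-page-2.md (`@@ -77,9 +68,9 @@`) keeps its two-space indent under the step. Pick one layout for both pages, keeping the indent if the note is meant to belong to step 3 (`Follow the steps under **Remediation**`).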
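Review bot: deleting frequently-asked-questions-faq-2.md removes the only KSPM FAQ content in this patch (Kubernetes 1.23 support, the four-hour KSPM evaluation cycle, when unenrolled clusters drop off the dashboard) plus the shared Findings page and Benchmark rules questions (`logs-cloud_security_posture.findings_latest-*` and `logs-cloud_security_posture.findings-*`, `rule.benchmark.name` and `rule.benchmark.version`). The page the toc now sends KSPM readers to, cspm-frequently-asked-questions-faq.md, only has its migration comments removed here (similarity 93%), so confirm it already carries those sections. The file's `mapped_urls` (`.../security/current/security-posture-faq.html` and `.../serverless/current/security-posture-faq.html`) disappear with it and need a new home. When merging the text, prefer the serverless wording `the fetch cycle's timing is not configurable` over this file's `the four-hour fetch cycle is not configurable`, since the same page states that CSPM evaluates every 24 hours.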
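Review bot: after this toc change `security/cloud/cspm-frequently-asked-questions-faq.md` is listed under both the CSPM and KSPM `children` (joining `benchmarks.md` and `cloud-security-posture-dashboard.md`, which were already duplicated), so a KSPM reader lands on a page whose filename and `## CSPM FAQ` heading are CSPM-specific. Either give the shared file a posture-management name that covers both integrations or keep a separate KSPM FAQ page, and check that the docs build accepts the same file appearing twice in the toc.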
From: Benjamin Ironside Goldstein Date: Wed, 26 Feb 2025 15:53:49 -0800 Subject: [PATCH 05/11] cspm, kspm, and cnvm get started pages --- .../security-benchmark-rules-kspm.md | 48 -- .../serverless/security-benchmark-rules.md | 48 -- .../security-cspm-get-started-azure.md | 180 -------- .../security-cspm-get-started-gcp.md | 186 -------- .../serverless/security-cspm-get-started.md | 352 --------------- .../security-get-started-with-kspm.md | 423 ------------------ .../docs-content/serverless/security-kspm.md | 75 ---- .../security-vuln-management-get-started.md | 79 ---- raw-migrated-files/toc.yml | 7 - .../security/cloud/get-started-with-cnvm.md | 18 +- .../cloud/get-started-with-cspm-for-aws.md | 61 +-- .../cloud/get-started-with-cspm-for-azure.md | 21 +- .../cloud/get-started-with-cspm-for-gcp.md | 9 +- .../security/cloud/get-started-with-kspm.md | 33 -- .../kubernetes-security-posture-management.md | 6 +- 15 files changed, 37 insertions(+), 1509 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-benchmark-rules-kspm.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-benchmark-rules.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cspm-get-started-azure.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cspm-get-started-gcp.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cspm-get-started.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-get-started-with-kspm.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-kspm.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-vuln-management-get-started.md diff --git a/raw-migrated-files/docs-content/serverless/security-benchmark-rules-kspm.md b/raw-migrated-files/docs-content/serverless/security-benchmark-rules-kspm.md deleted file mode 100644 index 7490285fa8..0000000000 
--- a/raw-migrated-files/docs-content/serverless/security-benchmark-rules-kspm.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# Benchmarks [security-benchmark-rules-kspm] - -The Benchmarks page lets you view the cloud security posture (CSP) benchmarks for the [Cloud security posture management](../../../solutions/security/cloud/cloud-security-posture-management.md) (CSPM) and [Kubernetes security posture management](../../../solutions/security/cloud/kubernetes-security-posture-management.md) (KSPM) integrations. - -:::{image} ../../../images/serverless--cloud-native-security-benchmark-rules.png -:alt: Benchmark rules page -:class: screenshot -::: - - -## What are benchmarks? [security-benchmark-rules-what-are-benchmarks-kspm] - -Each benchmark contains benchmark rules which are used by the CSPM and KSPM integrations to identify configuration risks in your cloud infrastructure. There are different benchmarks for different cloud services, such as AWS, GCP, or Azure. They are based on the Center for Internet Security’s (CIS) [secure configuration benchmarks](https://www.cisecurity.org/cis-benchmarks/). - -Each benchmark rule checks to see if a specific type of resource is configured according to a CIS Benchmark. The names of rules describe what they check, for example: - -* `Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS` -* `Ensure the default namespace is not in use` -* `Ensure IAM policies that allow full "*:*" administrative privileges are not attached` -* `Ensure the default namespace is not in use` - -When benchmark rules are evaluated, the resulting [findings](../../../solutions/security/cloud/findings-page.md) data appears on the [Cloud Security Posture dashboard](../../../solutions/security/dashboards/cloud-security-posture-dashboard.md). - -::::{note} -Benchmark rules are not editable. - -:::: - - - -## Review your benchmarks [security-benchmark-rules-review-your-benchmarks-kspm] - -Find **Benchmarks** in the navigation menu or use the global search field. 
From there, you can click a benchmark’s name to view the benchmark rules associated with it. You can click a benchmark rule’s name to see details including information about how to remediate it, and related links. - -Benchmark rules are enabled by default, but you can disable some of them — at the benchmark level — to suit your environment. This means for example that if you have two CSPM integrations using the `CIS AWS` benchmark, disabling a rule for that benchmark affects both integrations. To enable or disable a rule, use the **Enabled** toggle on the right of the rules table. - -::::{note} -Disabling a benchmark rule automatically disables any associated detection rules and alerts. Re-enabling a benchmark rule **does not** automatically re-enable them. - -:::: - - - -## How benchmark rules work [security-benchmark-rules-how-benchmark-rules-work-kspm] - -1. When a security posture management integration is deployed, and every four hours after that, {{agent}} fetches relevant cloud resources. -2. After resources are fetched, they are evaluated against all applicable enabled benchmark rules. -3. Finding values of `pass` or `fail` indicate whether the standards defined by benchmark rules were met. diff --git a/raw-migrated-files/docs-content/serverless/security-benchmark-rules.md b/raw-migrated-files/docs-content/serverless/security-benchmark-rules.md deleted file mode 100644 index af1dade040..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-benchmark-rules.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# Benchmarks [security-benchmark-rules] - -The Benchmarks page lets you view the cloud security posture (CSP) benchmarks for the [Cloud security posture management](../../../solutions/security/cloud/cloud-security-posture-management.md) (CSPM) and [Kubernetes security posture management](../../../solutions/security/cloud/kubernetes-security-posture-management.md) (KSPM) integrations. - -:::{image} ../../../images/serverless--cloud-native-security-benchmark-rules.png -:alt: Benchmark rules page -:class: screenshot -::: - - -## What are benchmarks? [security-benchmark-rules-what-are-benchmarks] - -Each benchmark contains benchmark rules which are used by the CSPM and KSPM integrations to identify configuration risks in your cloud infrastructure. There are different benchmarks for different cloud services, such as AWS, GCP, or Azure. They are based on the Center for Internet Security’s (CIS) [secure configuration benchmarks](https://www.cisecurity.org/cis-benchmarks/). - -Each benchmark rule checks to see if a specific type of resource is configured according to a CIS Benchmark. The names of rules describe what they check, for example: - -* `Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS` -* `Ensure the default namespace is not in use` -* `Ensure IAM policies that allow full "*:*" administrative privileges are not attached` -* `Ensure the default namespace is not in use` - -When benchmark rules are evaluated, the resulting [findings](../../../solutions/security/cloud/findings-page.md) data appears on the [Cloud Security Posture dashboard](../../../solutions/security/dashboards/cloud-security-posture-dashboard.md). - -::::{note} -Benchmark rules are not editable. - -:::: - - - -## Review your benchmarks [security-benchmark-rules-review-your-benchmarks] - -Find **Benchmarks** in the navigation menu or use the global search field. 
From there, you can click a benchmark’s name to view the benchmark rules associated with it. You can click a benchmark rule’s name to see details including information about how to remediate it, and related links. - -Benchmark rules are enabled by default, but you can disable some of them — at the benchmark level — to suit your environment. This means for example that if you have two CSPM integrations using the `CIS AWS` benchmark, disabling a rule for that benchmark affects both integrations. To enable or disable a rule, use the **Enabled** toggle on the right of the rules table. - -::::{note} -Disabling a benchmark rule automatically disables any associated detection rules and alerts. Re-enabling a benchmark rule **does not** automatically re-enable them. - -:::: - - - -## How benchmark rules work [security-benchmark-rules-how-benchmark-rules-work] - -1. When a security posture management integration is deployed, and every four hours after that, {{agent}} fetches relevant cloud resources. -2. After resources are fetched, they are evaluated against all applicable enabled benchmark rules. -3. Finding values of `pass` or `fail` indicate whether the standards defined by benchmark rules were met. diff --git a/raw-migrated-files/docs-content/serverless/security-cspm-get-started-azure.md b/raw-migrated-files/docs-content/serverless/security-cspm-get-started-azure.md deleted file mode 100644 index 68752f4cad..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cspm-get-started-azure.md +++ /dev/null 
@@ -1,180 +0,0 @@ -# Get started with CSPM for Azure [security-cspm-get-started-azure] - - -## Overview [cspm-overview-azure] - -This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. - -::::{admonition} Requirements -:class: note - -* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to [CSPM privilege requirements](../../../solutions/security/cloud/cspm-privilege-requirements.md). -* CSPM only works in the `Default` {{kib}} space. Installing the CSPM integration on a different {{kib}} space will not work. -* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported ([request support](https://github.com/elastic/kibana/issues/new/choose)). -* The user who gives the CSPM integration permissions in Azure must be an Azure subscription `admin`. - -:::: - - - -## Set up CSPM for Azure [cspm-setup-azure] - -You can set up CSPM for Azure by by enrolling an Azure organization (management group) containing multiple subscriptions, or by enrolling a single subscription. Either way, first add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. [Agentless deployment](../../../solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. [Agent-based deployment](../../../solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. - - -## Agentless deployment [cspm-azure-agentless] - -[beta] - -1. Find **Integrations** in the navigation menu or use the global search field. -2. Search for `CSPM`, then click on the result. -3. 
Click **Add Cloud Security Posture Management (CSPM)**. -4. Select **Azure**, then either **Azure Organization** to onboard your whole organization, or **Single Subscription** to onboard an individual subscription. -5. Give your integration a name that matches the purpose or team of the Azure subscription/organization you want to monitor, for example, `dev-azure-account`. -6. Click **Advanced options**, then select **Agentless (BETA)**. -7. Next, you’ll need to authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to [Service principal with client secret](../../../solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-client-secret). -8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. - - -## Agent-based deployment [cspm-azure-agent-based] - - -### Add your CSPM integration [cspm-add-and-name-integration-azure] - -1. Find **Integrations** in the navigation menu or use the global search field. -2. Search for `CSPM`, then click on the result. -3. Click **Add Cloud Security Posture Management (CSPM)**. -4. Under **Configure integration**, select **Azure***, then select either ***Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. -5. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CSPM-dev-1`. - - -### Set up cloud account access [cspm-set-up-cloud-access-section-azure] - -To set up CSPM for an Azure organization or subscription, you will need admin privileges for that organization or subscription. - -For most users, the simplest option is to use an Azure Resource Manager (ARM) template to automatically provision the necessary resources and permissions in Azure. 
If you prefer a more hands-on approach or require a specific configuration not supported by the ARM template, you can use one of the manual setup options described below. - - -### ARM template setup (recommended) [cspm-set-up-ARM] - -1. Under **Setup Access**, select **ARM Template**. -2. Under **Where to add this integration**: - - 1. Select **New Hosts**. - 2. Name the {{agent}} policy. Use a name that matches the resources you want to monitor, for example, `azure-dev-policy`. Click **Save and continue**. The **ARM Template deployment** window appears. - 3. In a new tab, log in to the Azure portal, then return to {{kib}} and click **Launch ARM Template**. This will open the ARM template in Azure. - 4. If you are deploying to an Azure organization, select the management group you want to monitor from the drop-down menu. Next, enter the subscription ID of the subscription where you want to deploy the VM that will scan your resources. - 5. Copy the `Fleet URL` and `Enrollment Token` that appear in {{kib}} to the corresponding fields in the ARM Template, then click **Review + create**. - 6. (Optional) Change the `Resource Group Name` parameter. Otherwise, the name of the resource group defaults to a timestamp prefixed with `cloudbeat-`. - -3. Return to {{kib}} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. - - -### Manual setup [cspm-set-up-manual-azure] - -For manual setup, multiple authentication methods are available: - -1. Managed identity (recommended) -2. Service principal with client secret -3. Service principal with client certificate - - -### Option 1: Managed identity (recommended) [cspm-azure-managed-identity-setup] - -This method involves creating an Azure VM (or using an existing one), giving it read access to the resources you want to monitor with CSPM, and installing {{agent}} on it. - -1. Go to the Azure portal to create a new Azure VM. -2. 
Follow the setup process, and make sure you enable **System assigned managed identity** under the **Management** tab. -3. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. -4. Go to **Access control (IAM)**, and select **Add Role Assignment**. -5. Select the `Reader` role, assign access to **Managed Identity**, then select your VM. - -After assigning the role: - -1. Return to the **Add CSPM** page in {{kib}}. -2. Under **Configure integration**, select **Azure***. Under ***Setup access**, select **Manual**. -3. Under **Where to add this integration**, select **New hosts**. -4. Click **Save and continue**, then follow the instructions to install {{agent}} on your Azure VM. - -Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. - - -### Option 2: Service principal with client secret [cspm-azure-client-secret] - -Before using this method, you must have set up a [Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in). - -1. On the **Add Cloud Security Posture Management (CSPM) integration** page, scroll to the **Setup access** section, then select **Manual**. -2. Under **Preferred manual method**, select **Service principal with Client Secret**. -3. Go to the **Registered apps** section of [Microsoft Entra ID](https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps). -4. Click on **New Registration**, name your app and click **Register**. -5. Copy your new app’s `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {{kib}}. -6. Return to the Azure portal. Select **Certificates & secrets**, then go to the **Client secrets** tab. Click **New client secret**. -7. Copy the new secret. 
Paste it into the corresponding field in {{kib}}. -8. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. -9. Go to **Access control (IAM)** and select **Add Role Assignment**. -10. Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. -11. Return to the **Add CSPM** page in {{kib}}. -12. Under **Where to add this integration**, select **New hosts**. -13. Click **Save and continue**, then follow the instructions to install {{agent}} on your selected host. - -Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. - - -### Option 3: Service principal with client certificate [cspm-azure-client-certificate] - -Before using this method, you must have set up a [Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in). - -1. On the **Add Cloud Security Posture Management (CSPM) integration** page, under **Setup access**, select **Manual**. -2. Under **Preferred manual method**, select **Service principal with client certificate**. -3. Go to the **Registered apps** section of [Microsoft Entra ID](https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps). -4. Click on **New Registration**, name your app and click **Register**. -5. Copy your new app’s `Directory (tenant) ID` and `Application (client) ID`. Paste them into the corresponding fields in {{kib}}. -6. Return to Azure. Go to your Azure subscription list and select the subscription or management group you want to monitor with CSPM. -7. Go to **Access control (IAM)** and select **Add Role Assignment**. -8. 
Select the `Reader` function role, assign access to **User, group, or service principal**, and select your new app. - -Next, create a certificate. If you intend to use a password-protected certificate, you must use a pkcs12 certificate. Otherwise, you must use a pem certificate. - -Create a pkcs12 certificate, for example: - -```shell -# Create PEM file -openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes - -# Create pkcs12 bundle using legacy flag (CLI will ask for export password) -openssl pkcs12 -legacy -export -out bundle.p12 -inkey key.pem -in cert.pem -``` - -Create a PEM certificate, for example: - -```shell -# Generate certificate signing request (csr) and key -openssl req -new -newkey rsa:4096 -nodes -keyout cert.key -out cert.csr - -# Generate PEM and self-sign with key -openssl x509 -req -sha256 -days 365 -in cert.csr -signkey cert.key -out signed.pem - -# Create bundle -cat cert.key > bundle.pem -cat signed.pem >> bundle.pem -``` - -1. Return to Azure. -2. Navigate to the **Certificates & secrets** menu. Select the **Certificates** tab. -3. Click **Upload certificate**. - - 1. If you’re using a PEM certificate that was created using the example commands above, upload `signed.pem`. - 2. If you’re using a pkcs12 certificate that was created using the example commands above, upload `cert.pem`. - -4. Upload the certificate bundle to the VM where you will deploy {{agent}}. - - 1. If you’re using a PEM certificate that was created using the example commands above, upload `bundle.pem`. - 2. If you’re using a pkcs12 certificate that was created using the example commands above, upload `bundle.p12`. - -5. Return to the **Add CSPM** page in {{kib}}. -6. For **Client Certificate Path**, enter the full path to the certificate that you uploaded to the host where you will install {{agent}}. -7. If you used a pkcs12 certificate, enter its password under **Client Certificate Password**. -8. 
Under **Where to add this integration**, select **New hosts**. -9. Click **Save and continue**, then follow the instructions to install {{agent}} on your selected host. - -Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. diff --git a/raw-migrated-files/docs-content/serverless/security-cspm-get-started-gcp.md b/raw-migrated-files/docs-content/serverless/security-cspm-get-started-gcp.md deleted file mode 100644 index fbe4045c25..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cspm-get-started-gcp.md +++ /dev/null 
@@ -1,186 +0,0 @@ -# Get started with CSPM for GCP [security-cspm-get-started-gcp] - - -## Overview [cspm-overview-gcp] - -This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. - -::::{admonition} Requirements -:class: note - -* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to [CSPM privilege requirements](../../../solutions/security/cloud/cspm-privilege-requirements.md). -* CSPM only works in the `Default` {{kib}} space. Installing the CSPM integration on a different {{kib}} space will not work. -* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported ([request support](https://github.com/elastic/kibana/issues/new/choose)). -* The user who gives the CSPM integration GCP permissions must be a GCP project `admin`. - -:::: - - - -## Set up CSPM for GCP [cspm-setup-gcp] - -You can set up CSPM for GCP either by enrolling a single project, or by enrolling an organization containing multiple projects. Either way, you need to first add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. [Agentless deployment](../../../solutions/security/cloud/get-started-with-cspm-for-gcp.md#cspm-gcp-agentless) allows you to collect cloud posture data without having to manage the deployment of an agent in your cloud. [Agent-based deployment](../../../solutions/security/cloud/get-started-with-cspm-for-gcp.md#cspm-gcp-agent-based) requires you to deploy and manage an agent in the cloud account you want to monitor. - - -## Agentless deployment [cspm-gcp-agentless] - -[beta] - -1. Find **Integrations** in the navigation menu or use the global search field. -2. Search for `CSPM`, then click on the result. -3. Click **Add Cloud Security Posture Management (CSPM)**. -4. 
Select **GCP**, then either **GCP Organization** to onboard your whole organization, or **Single Account** to onboard an individual account. -5. Give your integration a name that matches the purpose or team of the GCP subscription/organization you want to monitor, for example, `dev-gcp-account`. -6. Click **Advanced options**, then select **Agentless (BETA)**. -7. Next, you’ll need to authenticate to GCP. Expand the **Steps to Generate GCP Account Credentials** section, then follow the instructions that appear to automatically create the necessary credentials using Google Cloud Shell. -8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. - - -## Agent-based deployment [cspm-gcp-agent-based] - - -### Add your CSPM integration [cspm-add-and-name-integration-gcp] - -1. Find **Integrations** in the navigation menu or use the global search field. -2. Search for `CSPM`, then click on the result. -3. Click **Add Cloud Security Posture Management (CSPM)**. -4. Under **Configure integration**, select **GCP***, then either ***GCP Organization** (recommended) or **Single Account**. -5. Give your integration a name that matches the purpose or team of the GCP account you want to monitor, for example, `dev-gcp-project`. - - -### Set up cloud account access [cspm-set-up-cloud-access-section-gcp] - -To set up CSPM for a GCP project, you need admin privileges for the project. - -For most users, the simplest option is to use a Google Cloud Shell script to automatically provision the necessary resources and permissions in your GCP account. This method, as well as two manual options, are described below. - - -## Cloud Shell script setup (recommended) [cspm-set-up-cloudshell] - -1. Under **Setup Access**, select **Google Cloud Shell**. Enter your GCP Project ID, and for GCP Organization deployments, your GCP Organization ID. -2. Under **Where to add this integration**: - - 1. 
Select **New Hosts**. - 2. Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. - 3. Click **Save and continue**, then **Add {{agent}} to your hosts**. The **Add agent** wizard appears and provides {{agent}} binaries, which you can download and deploy to a VM in your GCP account. - -3. Click **Save and continue**. -4. Copy the command that appears, then click **Launch Google Cloud Shell**. It opens in a new window. -5. Check the box to trust Elastic’s `cloudbeat` repo, then click **Confirm** - - :::{image} ../../../images/serverless--cloud-native-security-cspm-cloudshell-trust.png - :alt: The cloud shell confirmation popup - :class: screenshot - ::: - -6. In Google Cloud Shell, execute the command you copied. Once it finishes, return to {{kib}} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. - -::::{note} -During Cloud Shell setup, the CSPM integration adds roles to Google’s default service account, which enables custom role creation and attachment of the service account to a compute instance. After setup, these roles are removed from the service account. If you attempt to delete the deployment but find the deployment manager lacks necessary permissions, consider adding the missing roles to the service account: [Project IAM Admin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin), [Role Administrator](https://cloud.google.com/iam/docs/understanding-roles#iam.roleAdmin). - -:::: - - - -## Manual authentication (GCP organization) [cspm-manual-auth-org] - -To authenticate manually to monitor a GCP organization, you’ll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration. 
- -Use the following commands, after replacing `` with the name of your new service account, `` with your GCP organization’s ID, and `` with the GCP project ID of the project where you want to provision the compute instance that will run CSPM. - -Create a new service account: - -```shell -gcloud iam service-accounts create \ - --description="Elastic agent service account for CSPM" \ - --display-name="Elastic agent service account for CSPM" \ - --project= -``` - -Assign the necessary roles to the service account: - -```shell -gcloud organizations add-iam-policy-binding \ - --member=serviceAccount:@.iam.gserviceaccount.com \ - --role=roles/cloudasset.viewer - -gcloud organizations add-iam-policy-binding \ - --member=serviceAccount:@.iam.gserviceaccount.com \ - --role=roles/browser -``` - -The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy. - -Download the credentials JSON (first, replace `` with the location where you want to save it): - -```shell -gcloud iam service-accounts keys create \ - --iam-account=@.iam.gserviceaccount.com -``` - -Keep the credentials JSON in a secure location; you will need it later. - -Provide credentials to the CSPM integration: - -1. On the CSPM setup screen under **Setup Access**, select **Manual**. -2. Enter your GCP **Organization ID**. Enter the GCP **Project ID** of the project where you want to provision the compute instance that will run CSPM. -3. Select **Credentials JSON**, and enter the value you generated earlier. -4. Under **Where to add this integration**, select **New Hosts**. -5. Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. -6. Click **Save and continue**, then follow the instructions to install {{agent}} in your chosen GCP project. - -Wait for the confirmation that {{kib}} received data from your new integration. 
Then you can click **View Assets** to see your data. - - -## Manual authentication (GCP project) [cspm-manual-auth-proj] - -To authenticate manually to monitor an individual GCP project, you’ll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration. - -Use the following commands, after replacing `` with the name of your new service account, and `` with your GCP project ID. - -Create a new service account: - -```shell -gcloud iam service-accounts create \ - --description="Elastic agent service account for CSPM" \ - --display-name="Elastic agent service account for CSPM" \ - --project= -``` - -Assign the necessary roles to the service account: - -```shell -gcloud projects add-iam-policy-binding \ - --member=serviceAccount:@.iam.gserviceaccount.com \ - --role=roles/cloudasset.viewer - -gcloud projects add-iam-policy-binding \ - --member=serviceAccount:@.iam.gserviceaccount.com \ - --role=roles/browser -``` - -::::{note} -The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy. - -:::: - - -Download the credentials JSON (first, replace `` with the location where you want to save it): - -```shell -gcloud iam service-accounts keys create \ - --iam-account=@.iam.gserviceaccount.com -``` - -Keep the credentials JSON in a secure location; you will need it later. - -Provide credentials to the CSPM integration: - -1. On the CSPM setup screen under **Setup Access**, select **Manual**. -2. Enter your GCP **Project ID**. -3. Select **Credentials JSON**, and enter the value you generated earlier. -4. Under **Where to add this integration**, select **New Hosts**. -5. Name the policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. -6. 
Click **Save and continue**, then follow the instructions to install the agent in your chosen GCP project. - -Wait for the confirmation that Kibana received data from your new integration. Then you can click **View Assets** to see your data. diff --git a/raw-migrated-files/docs-content/serverless/security-cspm-get-started.md b/raw-migrated-files/docs-content/serverless/security-cspm-get-started.md deleted file mode 100644 index 3abcc1075c..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cspm-get-started.md +++ /dev/null 
@@ -1,352 +0,0 @@ -# Get started with CSPM for AWS [security-cspm-get-started] - - -## Overview [cspm-overview] - -This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. - -::::{admonition} Requirements -:class: note - -* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to [CSPM privilege requirements](../../../solutions/security/cloud/cspm-privilege-requirements.md). -* CSPM only works in the `Default` {{kib}} space. Installing the CSPM integration on a different {{kib}} space will not work. -* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported ([request support](https://github.com/elastic/kibana/issues/new/choose)). -* The user who gives the CSPM integration AWS permissions must be an AWS account `admin`. - -:::: - - - -## Set up CSPM for AWS [cspm-setup] - -You can set up CSPM for AWS either by enrolling a single cloud account, or by enrolling an organization containing multiple accounts. Either way, first you will add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. [Agentless deployment](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-aws-agentless) allows you to collect cloud posture data without having to manage the deployment of an {{agent}} in your cloud. [Agent-based deployment](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-aws-agent-based) requires you to deploy and manage an {{agent}} in the cloud account you want to monitor. - - -## Agentless deployment [cspm-aws-agentless] - -[beta] - -1. Find **Integrations** in the navigation menu or use the global search field. -2. Search for `CSPM`, then click on the result. -3. Click **Add Cloud Security Posture Management (CSPM)**. -4. 
Select **AWS**, then either **AWS Organization** to onboard multiple accounts, or **Single Account** to onboard an individual account. -5. Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, `dev-aws-account`. -6. Click **Advanced options**, then select **Agentless (BETA)**. -7. Next, you’ll need to authenticate to AWS. Two methods are available: - - 1. Option 1: Direct access keys/CloudFormation (Recommended). Under **Preferred method** select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation. - - ::::{note} - If you don’t want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**. - :::: - - 2. Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for [Temporary keys](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-temp-credentials). - -8. Once you’ve selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. - - -## Agent-based deployment [cspm-aws-agent-based] - - -### Add the CSPM integration [cspm-add-and-name-integration] - -1. Find **Integrations** in the navigation menu or use the global search field. -2. Search for `CSPM`, then click on the result. -3. Click **Add Cloud Security Posture Management (CSPM)**. -4. Select **AWS**, then either **AWS Organization** to onboard multiple accounts, or **Single Account** to onboard an individual account. -5. Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, `dev-aws-account`. 
- - -### Set up cloud account access [cspm-set-up-cloud-access-section] - -The CSPM integration requires access to AWS’s built-in [`SecurityAudit` IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.md#jf_security-auditor) in order to discover and evaluate resources in your cloud account. There are several ways to provide access. - -For most use cases, the simplest option is to use AWS CloudFormation to automatically provision the necessary resources and permissions in your AWS account. This method, as well as several manual options, are described below. - - -### CloudFormation (recommended) [cspm-set-up-cloudformation] - -1. In the **Add Cloud Security Posture Management (CSPM) integration** menu, under **Setup Access**, select **CloudFormation**. -2. In a new browser tab or window, log in as an admin to the AWS account or organization you want to onboard. -3. Return to your {{kib}} tab. Click **Save and continue** at the bottom of the page. -4. Review the information, then click **Launch CloudFormation**. -5. A CloudFormation template appears in a new browser tab. -6. For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template’s `OrganizationalUnitIds` field. You can find organizational unit IDs in the AWS console under **AWS Organizations → AWS Accounts** (under each organization’s name). You can also use this field to specify which accounts in your organization to monitor, and which to skip. -7. (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner. -8. Tick the checkbox under **Capabilities** to authorize the creation of necessary resources. - - :::{image} ../../../images/serverless--cloud-native-security-cspm-cloudformation-template.png - :alt: The Add permissions screen in AWS - :class: screenshot - ::: - -9. At the bottom of the template, select **Create stack**. 
- -When you return to {{kib}}, click **View assets** to review the data being collected by your new integration. - - -### Manual authentication for organization-level onboarding [cspm-setup-organization-manual] - -::::{note} -If you’re onboarding a single account instead of an organization, skip this section. - -:::: - - -When using manual authentication to onboard at the organization level, you need to configure the necessary permissions using the AWS console for the organization where you want to deploy: - -* In the organization’s management account (root account), create an IAM role called `cloudbeat-root` (the name is important). The role needs several policies: - - * The following inline policy: - - ::::{dropdown} Click to expand policy - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "organizations:List*", - "organizations:Describe*" - ], - "Resource": "*", - "Effect": "Allow" - }, - { - "Action": [ - "sts:AssumeRole" - ], - "Resource": "*", - "Effect": "Allow" - } - ] - } - ``` - - :::: - - * The following trust policy: - - ::::{dropdown} Click to expand policy - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": "sts:AssumeRole" - }, - { - "Effect": "Allow", - "Principal": { - "Service": "ec2.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - } - ``` - - :::: - - * The AWS-managed `SecurityAudit` policy. - - -::::{important} -You must replace `` in the trust policy with your AWS account ID. - -:::: - - -* Next, for each account you want to scan in the organization, create an IAM role named `cloudbeat-securityaudit` with the following policies: - - * The AWS-managed `SecurityAudit` policy. 
- * The following trust policy: - - ::::{dropdown} Click to expand policy - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::role/cloudbeat-root" - }, - "Action": "sts:AssumeRole" - } - ] - } - ``` - - :::: - - -::::{important} -You must replace `` in the trust policy with your AWS account ID. - -:::: - - -After creating the necessary roles, authenticate using one of the manual authentication methods. - -::::{important} -When deploying to an organization using any of the authentication methods below, you need to make sure that the credentials you provide grant permission to assume `cloudbeat-root` privileges. - -:::: - - - -### Manual authentication methods [cspm-set-up-manual] - -* [Default instance role (recommended)](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-instance-role) -* [Direct access keys](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-keys-directly) -* [Temporary security credentials](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-temp-credentials) -* [Shared credentials file](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-a-shared-credentials-file) -* [IAM role Amazon Resource Name (ARN)](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-iam-arn) - -::::{important} -Whichever method you use to authenticate, make sure AWS’s built-in [`SecurityAudit` IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.md#jf_security-auditor) is attached. - -:::: - - - -#### Option 1 - Default instance role [cspm-use-instance-role] - -::::{note} -If you are deploying to an AWS organization instead of an AWS account, you should already have [created a new role](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-setup-organization-manual), `cloudbeat-root`. 
Skip to step 2 "Attach your new IAM role to an EC2 instance", and attach this role. You can use either an existing or new EC2 instance. - -:::: - - -Follow AWS’s [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.md) documentation to create an IAM role using the IAM console, which automatically generates an instance profile. - -1. Create an IAM role: - - 1. In AWS, go to your IAM dashboard. Click **Roles**, then **Create role**. - 2. On the **Select trusted entity** page, under **Trusted entity type**, select **AWS service**. - 3. Under **Use case**, select **EC2**. Click **Next**. - - :::{image} ../../../images/serverless--cloud-native-security-cspm-aws-auth-1.png - :alt: The Select trusted entity screen in AWS - :class: screenshot - ::: - - 4. On the **Add permissions** page, search for and select `SecurityAudit`. Click **Next**. - - :::{image} ../../../images/serverless--cloud-native-security-cspm-aws-auth-2.png - :alt: The Add permissions screen in AWS - :class: screenshot - ::: - - 5. On the **Name, review, and create** page, name your role, then click **Create role**. - -2. Attach your new IAM role to an EC2 instance: - - 1. In AWS, select an EC2 instance. - 2. Select **Actions → Security → Modify IAM role**. - - :::{image} ../../../images/serverless--cloud-native-security-cspm-aws-auth-3.png - :alt: The EC2 page in AWS - :class: screenshot - ::: - - 3. On the **Modify IAM role** page, search for and select your new IAM role. - 4. Click **Update IAM role**. - 5. Return to {{kib}} and [finish manual setup](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-finish-manual). - - -::::{important} -Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in {{kib}}, in the **Setup Access** section, select **Assume role***. Leave ***Role ARN** empty for agentless deployments. 
For agent-based deployments, leave it empty unless you want to specify a role the {{agent}} should assume instead of the default role for your EC2 instance. Click **Save and continue**. - -:::: - - - -#### Option 2 - Direct access keys [cspm-use-keys-directly] - -Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the `Access key ID` and the `Secret Access Key`. After you provide credentials, [finish manual setup](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-finish-manual). - -For more details, refer to [Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.md). - -::::{important} -You must select **Programmatic access** when creating the IAM user. - -:::: - - - -#### Option 3 - Temporary security credentials [cspm-use-temp-credentials] - -You can configure temporary security credentials in AWS to last for a specified duration. They consist of an access key ID, a secret access key, and a session token, which is typically found using `GetSessionToken`. - -Because temporary security credentials are short term, once they expire, you will need to generate new ones and manually update the integration’s configuration to continue collecting cloud posture data. Update the credentials before they expire to avoid data loss. - -::::{note} -IAM users with multi-factor authentication (MFA) enabled need to submit an MFA code when calling `GetSessionToken`. For more details, refer to AWS’s [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.md) documentation. - -:::: - - -You can use the AWS CLI to generate temporary credentials. 
For example, you could use the following command if you have MFA enabled: - -```console -sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456 -``` - -The output from this command includes the following fields, which you should provide when configuring the KSPM integration: - -* `Access key ID`: The first part of the access key. -* `Secret Access Key`: The second part of the access key. -* `Session Token`: The required token when using temporary security credentials. - -After you provide credentials, [finish manual setup](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-finish-manual). - - -#### Option 4 - Shared credentials file [cspm-use-a-shared-credentials-file] - -If you use different AWS credentials for different tools or applications, you can use profiles to define multiple access keys in the same configuration file. For more details, refer to AWS' [Shared Credentials Files](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.md) documentation. - -Instead of providing the `Access key ID` and `Secret Access Key` to the integration, provide the information required to locate the access keys within the shared credentials file: - -* `Credential Profile Name`: The profile name in the shared credentials file. -* `Shared Credential File`: The directory of the shared credentials file. - -If you don’t provide values for all configuration fields, the integration will use these defaults: - -* If `Access key ID`, `Secret Access Key`, and `ARN Role` are not provided, then the integration will check for `Credential Profile Name`. -* If there is no `Credential Profile Name`, the default profile will be used. -* If `Shared Credential File` is empty, the default directory will be used. - - * For Linux or Unix, the shared credentials file is located at `~/.aws/credentials`. 
- - -After providing credentials, [finish manual setup](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-finish-manual). - - -#### Option 5 - IAM role Amazon Resource Name (ARN) [cspm-use-iam-arn] - -An IAM role Amazon Resource Name (ARN) is an IAM identity that you can create in your AWS account. You define the role’s permissions. Roles do not have standard long-term credentials such as passwords or access keys. Instead, when you assume a role, it provides temporary security credentials for your session. - -To use an IAM role ARN, select **Assume role** under **Preferred manual method**, enter the ARN, and continue to Finish manual setup. - - -### Finish manual setup [cspm-finish-manual] - -Once you’ve provided AWS credentials, under **Where to add this integration**: - -If you want to monitor an AWS account or organization where you have not yet deployed {{agent}}: - -* Select **New Hosts**. -* Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-aws-account`. -* Click **Save and continue**, then **Add {{agent}} to your hosts**. The **Add agent** wizard appears and provides {{agent}} binaries, which you can download and deploy to your AWS account. - -If you want to monitor an AWS account or organization where you have already deployed {{agent}}: - -* Select **Existing hosts**. -* Select an agent policy that applies the AWS account you want to monitor. -* Click **Save and continue**. diff --git a/raw-migrated-files/docs-content/serverless/security-get-started-with-kspm.md b/raw-migrated-files/docs-content/serverless/security-get-started-with-kspm.md deleted file mode 100644 index 7d3ba86a11..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-get-started-with-kspm.md +++ /dev/null 
@@ -1,423 +0,0 @@ -# Get started with KSPM [security-get-started-with-kspm] - -This page explains how to configure the Kubernetes Security Posture Management (KSPM) integration. - -::::{admonition} Requirements -:class: note - -* KSPM only works in the `Default` {{kib}} space. Installing the KSPM integration on a different {{kib}} space will not work. -* KSPM is not supported on EKS clusters in AWS GovCloud ([request support](https://github.com/elastic/kibana/issues/new/choose)). -* To view posture data, ensure you have the appropriate user role to read the following {{es}} indices: -* `logs-cloud_security_posture.findings_latest-*` -* `logs-cloud_security_posture.scores-*` -* `logs-cloud_security_posture.findings` - -:::: - - -The instructions differ depending on whether you’re installing on EKS or on unmanaged clusters. - -* Install on EKS-managed clusters: - - 1. [Name your integration and select a Kubernetes deployment type](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-setup-eks-start) - 2. [Authenticate to AWS](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-setup-eks-auth) - 3. [Finish configuring the KSPM integration](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-setup-eks-finish) - 4. [Deploy the DaemonSet to your clusters](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-setup-eks-modify-deploy) - -* Install on unmanaged clusters: - - 1. [Configure the KSPM integration](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-setup-unmanaged) - 2. [Deploy the DaemonSet manifest to your clusters](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-setup-unmanaged-modify-deploy) - - - -## Set up KSPM for Amazon EKS clusters [kspm-setup-eks-start] - - -### Name your integration and select a Kubernetes Deployment type [security-get-started-with-kspm-name-your-integration-and-select-a-kubernetes-deployment-type] - -1. 
Find **Cloud Security Posture** in the navigation menu or use the global search field. -2. Click **Add a KSPM integration**. -3. Read the integration’s description to understand how it works. Then, click [*Add Kubernetes Security Posture Management*](https://docs.elastic.co/en/integrations/cloud_security_posture). -4. Name your integration. Use a name that matches the purpose or team of the cluster(s) you want to monitor, for example, `IT-dev-k8s-clusters`. -5. Select **EKS** from the **Kubernetes Deployment** menu. A new section for AWS credentials will appear. - - -### Authenticate to AWS [kspm-setup-eks-auth] - -There are several options for how to provide AWS credentials: - -* [Use Kubernetes Service Account to assume IAM role](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-use-irsa) -* [Use default instance role](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-use-instance-role) -* [Use access keys directly](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-use-keys-directly) -* [Use temporary security credentials](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-use-temp-credentials) -* [Use a shared credentials file](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-use-a-shared-credentials-file) -* [Use an IAM role ARN](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-use-iam-arn) - -Regardless of which option you use, you’ll need to grant the following permissions: - -```console -ecr:GetRegistryPolicy, -eks:ListTagsForResource -elasticloadbalancing:DescribeTags -ecr-public:DescribeRegistries -ecr:DescribeRegistry -elasticloadbalancing:DescribeLoadBalancerPolicyTypes -ecr:ListImages -ecr-public:GetRepositoryPolicy -elasticloadbalancing:DescribeLoadBalancerAttributes -elasticloadbalancing:DescribeLoadBalancers -ecr-public:DescribeRepositories -eks:DescribeNodegroup -ecr:DescribeImages -elasticloadbalancing:DescribeLoadBalancerPolicies -ecr:DescribeRepositories 
-eks:DescribeCluster -eks:ListClusters -elasticloadbalancing:DescribeInstanceHealth -ecr:GetRepositoryPolicy -``` - -If you are using the AWS visual editor to create and modify your IAM Policies, you can copy and paste this IAM policy JSON object: - -::::{dropdown} Click to view JSON object -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "ecr:GetRegistryPolicy", - "eks:ListTagsForResource", - "elasticloadbalancing:DescribeTags", - "ecr-public:DescribeRegistries", - "ecr:DescribeRegistry", - "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", - "ecr:ListImages", - "ecr-public:GetRepositoryPolicy", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancers", - "ecr-public:DescribeRepositories", - "eks:DescribeNodegroup", - "ecr:DescribeImages", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "ecr:DescribeRepositories", - "eks:DescribeCluster", - "eks:ListClusters", - "elasticloadbalancing:DescribeInstanceHealth", - "ecr:GetRepositoryPolicy" - ], - "Resource": "*" - } - ] -} -``` - -:::: - - - -#### Option 1 - [Recommended] Use Kubernetes Service Account to assume IAM role [kspm-use-irsa] - -Follow AWS’s [EKS Best Practices](https://aws.github.io/aws-eks-best-practices/security/docs/iam/#iam-roles-for-service-accounts-irsa) documentation to use the [IAM Role to Kubernetes Service-Account](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.md) (IRSA) feature to get temporary credentials and scoped permissions. - -::::{important} -During setup, do not fill in any option in the "Setup Access" section. Click **Save and continue**. 
- -:::: - - - -#### Option 2 - Use default instance role [kspm-use-instance-role] - -Follow AWS’s [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.md) documentation to create an IAM role using the IAM console, which automatically generates an instance profile. - -::::{important} -During setup, do not fill in any option in the "Setup Access" section. Click **Save and continue**. - -:::: - - - -#### Option 3 - Use access keys directly [kspm-use-keys-directly] - -Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the `Access key ID` and the `Secret Access Key`. - -For more details, refer to AWS' [Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.md) documentation. - -::::{important} -You must select "Programmatic access" when creating the IAM user. - -:::: - - - -#### Option 4 - Use temporary security credentials [kspm-use-temp-credentials] - -You can configure temporary security credentials in AWS to last for a specified duration. They consist of an access key ID, a secret access key, and a security token, which is typically found using `GetSessionToken`. - -Because temporary security credentials are short term, once they expire, you will need to generate new ones and manually update the integration’s configuration to continue collecting cloud posture data. Update the credentials before they expire to avoid data loss. - -::::{note} -IAM users with multi-factor authentication (MFA) enabled need to submit an MFA code when calling `GetSessionToken`. For more details, refer to AWS' [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.md) documentation. - -:::: - - -You can use the AWS CLI to generate temporary credentials. 
For example, you could use the following command if you have MFA enabled: - -```console -`sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456` -``` - -The output from this command includes the following fields, which you should provide when configuring the KSPM integration: - -* `Access key ID`: The first part of the access key. -* `Secret Access Key`: The second part of the access key. -* `Session Token`: A token required when using temporary security credentials. - - -#### Option 5 - Use a shared credentials file [kspm-use-a-shared-credentials-file] - -If you use different AWS credentials for different tools or applications, you can use profiles to define multiple access keys in the same configuration file. For more details, refer to AWS' [Shared Credentials Files](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.md) documentation. - -Instead of providing the `Access key ID` and `Secret Access Key` to the integration, provide the information required to locate the access keys within the shared credentials file: - -* `Credential Profile Name`: The profile name in the shared credentials file. -* `Shared Credential File`: The directory of the shared credentials file. - -If you don’t provide values for all configuration fields, the integration will use these defaults: - -* If `Access key ID`, `Secret Access Key`, and `ARN Role` are not provided, then the integration will check for `Credential Profile Name`. -* If there is no `Credential Profile Name`, the default profile will be used. -* If `Shared Credential File` is empty, the default directory will be used. - - * For Linux or Unix, the shared credentials file is located at `~/.aws/credentials`. - - - -#### Option 6 - Use an IAM role Amazon Resource Name (ARN) [kspm-use-iam-arn] - -An IAM role Amazon Resource Name (ARN) is an IAM identity that you can create in your AWS account. You define the role’s permissions. 
Roles do not have standard long-term credentials such as passwords or access keys. Instead, when you assume a role, it provides temporary security credentials for your session. An IAM role’s ARN can be used to specify which AWS IAM role to use to generate temporary credentials. - -For more details, refer to AWS' [AssumeRole API](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.md) documentation. Follow AWS' instructions to [create an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.md), and define the IAM role’s permissions using the JSON permissions policy above. - -To use an IAM role’s ARN, you need to provide either a [credential profile](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-use-a-shared-credentials-file) or [access keys](../../../solutions/security/cloud/get-started-with-kspm.md#kspm-use-keys-directly) along with the `ARN role`. The `ARN Role` value specifies which AWS IAM role to use for generating temporary credentials. - -::::{note} -If `ARN Role` is present, the integration will check if `Access key ID` and `Secret Access Key` are present. If not, the package will check for a `Credential Profile Name`. If a `Credential Profile Name` is not present, the default credential profile will be used. - -:::: - - - -### Finish configuring the KSPM integration for EKS [kspm-setup-eks-finish] - -Once you’ve provided AWS credentials, finish configuring the KSPM integration: - -1. If you want to monitor Kubernetes clusters that aren’t yet enrolled in {{fleet}}, select **New Hosts** under “where to add this integration”. -2. Name the {{agent}} policy. Use a name that matches the purpose or team of the cluster(s) you want to monitor. For example, `IT-dev-k8s-clusters`. -3. Click **Save and continue**, then **Add agent to your hosts**. The **Add agent** wizard appears and provides a DaemonSet manifest `.yaml` file with pre-populated configuration information, such as the `Fleet ID` and `Fleet URL`. 
- - -### Deploy the KSPM integration to EKS clusters [kspm-setup-eks-modify-deploy] - -The **Add agent** wizard helps you deploy the KSPM integration on the Kubernetes clusters you wish to monitor. For each cluster: - -1. Download the manifest and make any necessary revisions to its configuration to suit the needs of your environment. -2. Apply the manifest using the `kubectl apply -f` command. For example: `kubectl apply -f elastic-agent-managed-kubernetes.yaml` - -After a few minutes, a message confirming the {{agent}} enrollment appears, followed by a message confirming that data is incoming. You can then click **View assets** to see where the newly-collected configuration information appears, including the [Findings page](../../../solutions/security/cloud/findings-page.md) and the [Cloud Security Posture dashboard](../../../solutions/security/dashboards/cloud-security-posture-dashboard.md). - - -## Set up KSPM for unmanaged Kubernetes clusters [kspm-setup-unmanaged] - -Follow these steps to deploy the KSPM integration to unmanaged clusters. Keep in mind credentials are NOT required for unmanaged deployments. - - -### Configure the KSPM integration [security-get-started-with-kspm-configure-the-kspm-integration] - -To install the integration on unmanaged clusters: - -1. Find **Connectors** in the navigation menu or use the global search field. -2. Click **Add a KSPM integration**. -3. Read the integration’s description to understand how it works. Then, click [*Add Kubernetes Security Posture Management*](https://docs.elastic.co/en/integrations/cloud_security_posture). -4. Name your integration. Use a name that matches the purpose or team of the cluster(s) you want to monitor, for example, `IT-dev-k8s-clusters`. -5. Select **Unmanaged Kubernetes** from the **Kubernetes Deployment** menu. -6. If you want to monitor Kubernetes clusters that aren’t yet enrolled in {{fleet}}, select **New Hosts** when choosing the {{agent}} policy. -7. 
Select the {{agent}} policy where you want to add the integration. -8. Click **Save and continue**, then **Add agent to your hosts**. The **Add agent** wizard appears and provides a DaemonSet manifest `.yaml` file with pre-populated configuration information, such as the `Fleet ID` and `Fleet URL`. - -:::{image} ../../../images/serverless--cloud-native-security-kspm-add-agent-wizard.png -:alt: The KSPM integration's Add agent wizard -:class: screenshot -::: - - -### Deploy the KSPM integration to unmanaged clusters [kspm-setup-unmanaged-modify-deploy] - -The **Add agent** wizard helps you deploy the KSPM integration on the Kubernetes clusters you wish to monitor. To do this, for each cluster: - -1. Download the manifest and make any necessary revisions to its configuration to suit the needs of your environment. -2. Apply the manifest using the `kubectl apply -f` command. For example: `kubectl apply -f elastic-agent-managed-kubernetes.yaml` - -After a few minutes, a message confirming the {{agent}} enrollment appears, followed by a message confirming that data is incoming. You can then click **View assets** to see where the newly-collected configuration information appears, including the [Findings page](../../../solutions/security/cloud/findings-page.md) and the [Cloud Security Posture dashboard](../../../solutions/security/dashboards/cloud-security-posture-dashboard.md). - - -### Set up KSPM on ECK deployments [kspm-eck] - -To run KSPM on an [ECK](/deploy-manage/deploy/cloud-on-k8s/deploy-an-orchestrator.md) deployment, you must edit the [Elastic Agent CRD](/deploy-manage/deploy/cloud-on-k8s/configuration-standalone.md) and [Elastic Agent Cluster-Role](/deploy-manage/deploy/cloud-on-k8s/configuration-standalone.md#k8s-elastic-agent-role-based-access-control) `.yaml` files. 
- -::::{dropdown} Patch Elastic Agent -Add `volumes` and `volumeMounts` to `podTemplate`: - -```yaml -podTemplate: - spec: - containers: - - name: agent - volumeMounts: - - name: proc - mountPath: /hostfs/proc - readOnly: true - - name: cgroup - mountPath: /hostfs/sys/fs/cgroup - readOnly: true - - name: varlibdockercontainers - mountPath: /var/lib/docker/containers - readOnly: true - - name: varlog - mountPath: /var/log - readOnly: true - - name: etc-full - mountPath: /hostfs/etc - readOnly: true - - name: var-lib - mountPath: /hostfs/var/lib - readOnly: true - - name: etc-mid - mountPath: /etc/machine-id - readOnly: true - volumes: - - name: proc - hostPath: - path: /proc - - name: cgroup - hostPath: - path: /sys/fs/cgroup - - name: varlibdockercontainers - hostPath: - path: /var/lib/docker/containers - - name: varlog - hostPath: - path: /var/log - - name: etc-full - hostPath: - path: /etc - - name: var-lib - hostPath: - path: /var/lib - # Mount /etc/machine-id from the host to determine host ID - # Needed for Elastic Security integration - - name: etc-mid - hostPath: - path: /etc/machine-id - type: File -``` - -:::: - - -::::{dropdown} Patch RBAC -Make sure that the `elastic-agent` service-account has the following Role and ClusterRole: - -```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - namespace: default - name: elastic-agent -subjects: -- kind: ServiceAccount - name: elastic-agent - namespace: default -roleRef: - kind: Role - name: elastic-agent - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: elastic-agent - labels: - k8s-app: elastic-agent -rules: -- apiGroups: [""] - resources: - - nodes - - namespaces - - events - - pods - - services - - configmaps - - serviceaccounts - - persistentvolumes - - persistentvolumeclaims - verbs: ["get", "list", "watch"] -- apiGroups: ["extensions"] - resources: - - replicasets - verbs: ["get", "list", "watch"] -- 
apiGroups: ["apps"] - resources: - - statefulsets - - deployments - - replicasets - - daemonsets - verbs: ["get", "list", "watch"] -- apiGroups: - - "" - resources: - - nodes/stats - verbs: - - get -- apiGroups: [ "batch" ] - resources: - - jobs - - cronjobs - verbs: [ "get", "list", "watch" ] -- nonResourceURLs: - - "/metrics" - verbs: - - get -- apiGroups: ["rbac.authorization.k8s.io"] - resources: - - clusterrolebindings - - clusterroles - - rolebindings - - roles - verbs: ["get", "list", "watch"] -- apiGroups: ["policy"] - resources: - - podsecuritypolicies - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: elastic-agent - namespace: default - labels: - k8s-app: elastic-agent -rules: - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: ["get", "create", "update"] -``` - -:::: diff --git a/raw-migrated-files/docs-content/serverless/security-kspm.md b/raw-migrated-files/docs-content/serverless/security-kspm.md deleted file mode 100644 index 6a2bc97d75..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-kspm.md +++ /dev/null 
@@ -1,75 +0,0 @@ -# Kubernetes security posture management [security-kspm] - - -## Overview [kspm-overview] - -The Kubernetes Security Posture Management (KSPM) integration allows you to identify configuration risks in the various components that make up your Kubernetes cluster. It does this by evaluating your Kubernetes clusters against secure configuration guidelines defined by the Center for Internet Security (CIS) and generating findings with step-by-step instructions for remediating potential security risks. - -This integration supports Amazon EKS and unmanaged Kubernetes clusters. For setup instructions, refer to [Get started with KSPM](../../../solutions/security/cloud/get-started-with-kspm.md). - -::::{admonition} Requirements -:class: note - -* KSPM only works in the `Default` {{kib}} space. Installing the KSPM integration on a different {{kib}} space will not work. -* KSPM is not supported on EKS clusters in AWS GovCloud ([request support](https://github.com/elastic/kibana/issues/new/choose)). -* To view posture data, ensure you have the appropriate user role to read the following {{es}} indices: -* `logs-cloud_security_posture.findings_latest-*` -* `logs-cloud_security_posture.scores-*` -* `logs-cloud_security_posture.findings` - -:::: - - - -## How KSPM works [kspm-how-kspm-works] - -1. When you add a KSPM integration, it generates a Kubernetes manifest. When applied to a cluster, the manifest deploys an {{agent}} as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset) to ensure all nodes are evaluated. -2. Upon deployment, the integration immediately assesses the security posture of your Kubernetes resources. The evaluation process repeats every four hours. -3. After each evaluation, the integration sends findings to {{es}}. 
Findings appear on the [Cloud Security Posture dashboard](../../../solutions/security/dashboards/cloud-security-posture-dashboard.md) and the [findings](../../../solutions/security/cloud/findings-page.md) page. - - -## Use cases [kspm-use-cases] - -The KSPM integration helps you to: - -* Identify and remediate `failed` findings -* Identify the most misconfigured resources -* Identify risks in particular CIS benchmark sections - - -### Identify and remediate failed findings [kspm-remediate-failed-findings] - -To identify and remediate failed failed findings: - -1. Go to the [Cloud Security Posture dashboard](../../../solutions/security/dashboards/cloud-security-posture-dashboard.md). -2. Click **View all failed findings**, either for an individual cluster or for all monitored clusters. -3. Click a failed finding. The findings flyout opens. -4. Follow the steps under **Remediation** to correct the misconfiguration. - - ::::{note} - Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before execution. - - :::: - - - -### Identify the most misconfigured Kubernetes resources [kspm-identify-misconfigured-resources] - -To identify the Kubernetes resources generating the most failed findings: - -1. Go to the [Findings](../../../solutions/security/cloud/findings-page.md) page. -2. Click the **Group by** menu near the search box and select **Resource** to view a list of resources sorted by their total number of failed findings. -3. Click a resource ID to view the findings associated with that resource. - - -### Identify configuration risks by CIS section [kspm-identify-config-risks-by-section] - -To identify risks in particular CIS sections: - -1. Go to the [Cloud Security Posture dashboard](../../../solutions/security/dashboards/cloud-security-posture-dashboard.md). -2. In the Failed findings by CIS section widget, click the name of a CIS section to view all failed findings for that section. 
- -Alternatively: - -1. Go to the Findings page. -2. Filter by the `rule.section` field. For example, search for `rule.section : API Server` to view findings for benchmark rules in the API Server category. diff --git a/raw-migrated-files/docs-content/serverless/security-vuln-management-get-started.md b/raw-migrated-files/docs-content/serverless/security-vuln-management-get-started.md deleted file mode 100644 index 1dc77d8ee5..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-vuln-management-get-started.md +++ /dev/null 
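Review bot: the Requirements block deleted here is the only place in this patch that states KSPM works only in the `Default` {{kib}} space, that EKS clusters in AWS GovCloud are unsupported, and which indices a viewer role must be able to read (`logs-cloud_security_posture.findings_latest-*`, `logs-cloud_security_posture.scores-*`, `logs-cloud_security_posture.findings`); the retained kubernetes-security-posture-management.md hunk later in this patch only re-indents a note, so confirm those requirements and the `rule.section : API Server` filter tip already exist on the retained page before this source is dropped. If the index list is ported, nest the three index names under the "appropriate user role" bullet (they are flattened into sibling bullets here) and check whether the third entry should carry the `-*` suffix like the other two.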
@@ -1,79 +0,0 @@ -# Get started with CNVM [security-vuln-management-get-started] - -This page explains how to set up Cloud Native Vulnerability Management (CNVM). - -::::{admonition} Requirements -:class: note - -* CNVM only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work. -* Requires {{agent}} version 8.8 or higher. -* CNVM can only be deployed on ARM-based VMs. -* To view vulnerability scan findings, you need the appropriate user role to read the following indices: - - * `logs-cloud_security_posture.vulnerabilities-*` - * `logs-cloud_security_posture.vulnerabilities_latest-*` - -* You need an AWS user account with permissions to perform the following actions: run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances. - -:::: - - -::::{note} -CNVM currently only supports AWS EC2 Linux workloads. - -:::: - - - -## Set up CNVM for AWS [vuln-management-setup] - -To set up the CNVM integration for AWS, install the integration on a new {{agent}} policy, sign into the AWS account you want to scan, and run the [CloudFormation](https://docs.aws.amazon.com/cloudformation/index.md) template. - -::::{important} -Do not add the integration to an existing {{agent}} policy. It should always be added to a new policy since it should not run on VMs with existing workloads. For more information, refer to [How CNVM works](../../../solutions/security/cloud/cloud-native-vulnerability-management.md#vuln-management-overview-how-it-works). - -:::: - - - -### Step 1: Add the CNVM integration [vuln-management-setup-step-1] - -1. Find **Integrations** in the navigation menu or use the global search field. -2. Search for **Cloud Native Vulnerability Management**, then click on the result. -3. Click **Add Cloud Native Vulnerability Management**. -4. 
Give your integration a name that matches its purpose or the AWS account region you want to scan for vulnerabilities (for example, `uswest2-aws-account`.) - - :::{image} ../../../images/serverless--dashboards-cnvm-setup-1.png - :alt: The CNVM integration setup page - :class: screenshot - ::: - -5. Click **Save and continue**. The integration will create a new {{agent}} policy. -6. Click **Add {{agent}} to your hosts**. - - -### Step 2: Sign in to the AWS management console [vuln-management-setup-step-2] - -1. Open a new browser tab and use it to sign into your AWS management console. -2. Switch to the cloud region with the workloads that you want to scan for vulnerabilities. - -::::{important} -The integration will only scan VMs in the region you select. To scan multiple regions, repeat this setup process for each region. - -:::: - - - -### Step 3: Run the CloudFormation template [vuln-management-setup-step-3] - -1. Switch back to the tab with Elastic Security. -2. Click **Launch CloudFormation**. The CloudFormation page appears. - - :::{image} ../../../images/serverless--dashboards-cnvm-cloudformation.png - :alt: The cloud formation template - :class: screenshot - ::: - -3. Click **Create stack**. To avoid authentication problems, you can only make configuration changes to the VM InstanceType, which you could make larger to increase scanning speed. -4. Wait for the confirmation that {{agent}} was enrolled. -5. Your data will start to appear on the **Vulnerabilities** tab of the [Findings page](../../../solutions/security/cloud/findings-page-3.md). diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 5df5db4c77..5ed93df11c 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml 
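Review bot: the link `[CloudFormation](https://docs.aws.amazon.com/cloudformation/index.md)` in the deleted "Set up CNVM for AWS" paragraph is an external URL that picked up a `.md` extension during migration and will not resolve on AWS; the retained get-started-with-cnvm.md is only re-indented in this patch, so grep it and the CSPM/KSPM pages for `docs.aws.amazon.com` links ending in `.md` before this copy goes. The serverless-only requirements removed here ({{agent}} 8.8 or higher, ARM-based VMs only, read access to `logs-cloud_security_posture.vulnerabilities-*` and `logs-cloud_security_posture.vulnerabilities_latest-*`, and an AWS user able to run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances) are exactly what the unchecked serverless alignment box in get-started-with-cnvm.md was tracking; confirm they are present in the merged page.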
@@ -232,7 +232,6 @@ toc: - file: docs-content/serverless/security-automated-response-actions.md - file: docs-content/serverless/security-automatic-import.md - file: docs-content/serverless/security-behavioral-detection-use-cases.md - - file: docs-content/serverless/security-benchmark-rules-kspm.md - file: docs-content/serverless/security-benchmark-rules.md - file: docs-content/serverless/security-blocklist.md - file: docs-content/serverless/security-building-block-rules.md @@ -249,9 +248,6 @@ toc: - file: docs-content/serverless/security-connect-to-bedrock.md - file: docs-content/serverless/security-connect-to-google-vertex.md - file: docs-content/serverless/security-connect-to-openai.md - - file: docs-content/serverless/security-cspm-get-started-azure.md - - file: docs-content/serverless/security-cspm-get-started-gcp.md - - file: docs-content/serverless/security-cspm-get-started.md - file: docs-content/serverless/security-dashboards-overview.md - file: docs-content/serverless/security-data-quality-dash.md - file: docs-content/serverless/security-data-views-in-sec.md @@ -264,7 +260,6 @@ toc: - file: docs-content/serverless/security-ers-requirements.md - file: docs-content/serverless/security-event-filters.md - file: docs-content/serverless/security-examine-osquery-results.md - - file: docs-content/serverless/security-get-started-with-kspm.md - file: docs-content/serverless/security-host-isolation-exceptions.md - file: docs-content/serverless/security-ingest-data.md - file: docs-content/serverless/security-install-edr.md 
@@ -273,7 +268,6 @@ toc: - file: docs-content/serverless/security-invest-guide-run-osquery.md - file: docs-content/serverless/security-investigate-events.md - file: docs-content/serverless/security-isolate-host.md - - file: docs-content/serverless/security-kspm.md - file: docs-content/serverless/security-linux-file-monitoring.md - file: docs-content/serverless/security-llm-connector-guides.md - file: docs-content/serverless/security-llm-performance-matrix.md @@ -311,7 +305,6 @@ toc: - file: docs-content/serverless/security-visual-event-analyzer.md - file: docs-content/serverless/security-visualize-alerts.md - file: docs-content/serverless/security-vuln-management-faq.md - - file: docs-content/serverless/security-vuln-management-get-started.md - file: docs-content/serverless/spaces.md - file: docs-content/serverless/what-is-observability-serverless.md - file: elasticsearch-hadoop/elasticsearch-hadoop/index.md diff --git a/solutions/security/cloud/get-started-with-cnvm.md b/solutions/security/cloud/get-started-with-cnvm.md index ced3448cef..9dec752ff9 100644 --- a/solutions/security/cloud/get-started-with-cnvm.md +++ b/solutions/security/cloud/get-started-with-cnvm.md @@ -6,12 +6,6 @@ mapped_urls: # Get started with CNVM -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/vuln-management-get-started.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-vuln-management-get-started.md This page explains how to set up Cloud Native Vulnerability Management (CNVM). 
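Review bot: these toc hunks drop seven serverless entries (`security-benchmark-rules-kspm.md`, `security-cspm-get-started-azure.md`, `security-cspm-get-started-gcp.md`, `security-cspm-get-started.md`, `security-get-started-with-kspm.md`, `security-kspm.md`, `security-vuln-management-get-started.md`), but in this part of the diff only the `[security-kspm]` page and `security-vuln-management-get-started.md` are visibly deleted. Make sure every file removed from the toc is deleted in the same commit and that no deleted file is still listed or cross-referenced; a missing or orphaned page is precisely the kind of failure the next commit in this series ("fixes build error") has to clean up, and it is better for each commit to build on its own.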
@@ -53,9 +47,9 @@ Do not add the integration to an existing {{agent}} policy. It should always be 3. Click **Add Cloud Native Vulnerability Management**. 4. Give your integration a name that matches its purpose or the AWS account region you want to scan for vulnerabilities (for example, `uswest2-aws-account`.) - :::{image} ../../../images/security-cnvm-setup-1.png - :alt: The CNVM integration setup page - ::: + :::{image} ../../../images/security-cnvm-setup-1.png + :alt: The CNVM integration setup page + ::: 5. Click **Save and continue**. The integration will create a new {{agent}} policy. 6. Click **Add {{agent}} to your hosts**. @@ -77,9 +71,9 @@ The integration will only scan VMs in the region you select. To scan multiple re 1. Switch back to the tab where you have {{kib}} open. 2. Click **Launch CloudFormation**. The CloudFormation page appears. - :::{image} ../../../images/security-cnvm-cloudformation.png - :alt: The cloud formation template - ::: + :::{image} ../../../images/security-cnvm-cloudformation.png + :alt: The cloud formation template + ::: 3. Click **Create stack**. To avoid authentication problems, you can only make configuration changes to the VM InstanceType, which you could make larger to increase scanning speed. 4. Wait for the confirmation that {{agent}} was enrolled. diff --git a/solutions/security/cloud/get-started-with-cspm-for-aws.md b/solutions/security/cloud/get-started-with-cspm-for-aws.md index e128f9abe8..0ae122bc60 100644 --- a/solutions/security/cloud/get-started-with-cspm-for-aws.md +++ b/solutions/security/cloud/get-started-with-cspm-for-aws.md 
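Review bot: the `% - [ ] ./raw-migrated-files/docs-content/serverless/security-vuln-management-get-started.md` box removed from get-started-with-cnvm.md was still unchecked, and the serverless source it points at is deleted in this same patch; the only other changes to this file are the two image-directive re-indents, so nothing in the diff shows that the serverless/stateful alignment the comment asked for actually happened. Either port the serverless-only requirements first or leave the tracker in place until that is done. The re-indent itself is right: aligning `:::{image}` with the list item's content keeps steps 4 through 6 in one numbered list.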
@@ -6,34 +6,6 @@ mapped_urls: # Get started with CSPM for AWS -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cspm-get-started.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cspm-get-started.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$cspm-aws-agent-based$$$ - -$$$cspm-aws-agentless$$$ - -$$$cspm-finish-manual$$$ - -$$$cspm-setup-organization-manual$$$ - -$$$cspm-use-a-shared-credentials-file$$$ - -$$$cspm-use-iam-arn$$$ - -$$$cspm-use-instance-role$$$ - -$$$cspm-use-keys-directly$$$ - -$$$cspm-use-temp-credentials$$$ - - ## Overview [cspm-overview] This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. 
@@ -71,14 +43,17 @@ This functionality is in beta and is subject to change. The design and code is l 1. Option 1: Direct access keys/CloudFormation (Recommended). Under **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation. - ::::{note} - If you don’t want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**. - :::: + ::::{note} + If you don’t want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**. + :::: 2. Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for [temporary keys](/solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-temp-credentials). 8. Once you’ve selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. +::::{admonition} Important +Agentless deployment does not work if you are using [Traffic filtering](/deploy-manage/security/traffic-filtering.md). +:::: ## Agent-based deployment [cspm-aws-agent-based] 
@@ -110,9 +85,9 @@ For most use cases, the simplest option is to use AWS CloudFormation to automati 7. (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner. 8. Tick the checkbox under **Capabilities** to authorize the creation of necessary resources. - :::{image} ../../../images/security-cspm-cloudformation-template.png - :alt: The Add permissions screen in AWS - ::: + :::{image} ../../../images/security-cspm-cloudformation-template.png + :alt: The Add permissions screen in AWS + ::: 9. At the bottom of the template, select **Create stack**. @@ -262,15 +237,15 @@ Follow AWS’s [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/lat 2. On the **Select trusted entity** page, under **Trusted entity type**, select **AWS service**. 3. Under **Use case**, select **EC2**. Click **Next**. - :::{image} ../../../images/security-cspm-aws-auth-1.png - :alt: The Select trusted entity screen in AWS - ::: + :::{image} ../../../images/security-cspm-aws-auth-1.png + :alt: The Select trusted entity screen in AWS + ::: 4. On the **Add permissions** page, search for and select `SecurityAudit`. Click **Next**. - :::{image} ../../../images/security-cspm-aws-auth-2.png - :alt: The Add permissions screen in AWS - ::: + :::{image} ../../../images/security-cspm-aws-auth-2.png + :alt: The Add permissions screen in AWS + ::: 5. On the **Name, review, and create** page, name your role, then click **Create role**. @@ -279,9 +254,9 @@ Follow AWS’s [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/lat 1. In AWS, select an EC2 instance. 2. Select **Actions > Security > Modify IAM role**. - :::{image} ../../../images/security-cspm-aws-auth-3.png - :alt: The EC2 page in AWS - ::: + :::{image} ../../../images/security-cspm-aws-auth-3.png + :alt: The EC2 page in AWS + ::: 3. On the **Modify IAM role** page, search for and select your new IAM role. 4. Click **Update IAM role**. 
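Review bot: the first hunk deletes nine `$$$cspm-...$$$` anchor targets that the removed comment says internal links rely on, yet `#cspm-use-temp-credentials` is still linked from the agentless steps in this same file (`refer to the instructions for [temporary keys](/solutions/security/cloud/get-started-with-cspm-for-aws.md#cspm-use-temp-credentials)`) and only `[cspm-aws-agent-based]` is visible as a heading ID in the patch; verify that each of the nine IDs (`cspm-aws-agentless`, `cspm-finish-manual`, `cspm-setup-organization-manual`, `cspm-use-a-shared-credentials-file`, `cspm-use-iam-arn`, `cspm-use-instance-role`, `cspm-use-keys-directly`, `cspm-use-temp-credentials`) exists as a heading ID before merging. The new traffic-filtering caveat after step 8 is worth having, but `::::{admonition} Important` without a `:class:` renders as a generic box; use `::::{important}` as the deleted CNVM page does, and put a blank line between `::::` and `## Agent-based deployment`.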
diff --git a/solutions/security/cloud/get-started-with-cspm-for-azure.md b/solutions/security/cloud/get-started-with-cspm-for-azure.md index f626fe9415..a90605c81b 100644 --- a/solutions/security/cloud/get-started-with-cspm-for-azure.md +++ b/solutions/security/cloud/get-started-with-cspm-for-azure.md @@ -6,22 +6,6 @@ mapped_urls: # Get started with CSPM for Azure -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cspm-get-started-azure.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cspm-get-started-azure.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$cspm-azure-agent-based$$$ - -$$$cspm-azure-agentless$$$ - -$$$cspm-azure-client-secret$$$ - - ## Overview [cspm-overview-azure] This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. @@ -58,6 +42,9 @@ This functionality is in beta and is subject to change. The design and code is l 7. Next, you’ll need to authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to [Service principal with client secret](/solutions/security/cloud/get-started-with-cspm-for-azure.md#cspm-azure-client-secret). 8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. +::::{admonition} Important +Agentless deployment does not work if you are using [Traffic filtering](/deploy-manage/security/traffic-filtering.md). +:::: ## Agent-based deployment [cspm-azure-agent-based] 
@@ -67,7 +54,7 @@ This functionality is in beta and is subject to change. The design and code is l 1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 2. Search for `CSPM`, then click on the result. 3. Click **Add Cloud Security Posture Management (CSPM)**. -4. Under **Configure integration**, select **Azure***, then select either ***Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. +4. Under **Configure integration**, select **Azure**, then select either **Azure Organization** or **Single Subscription**, depending on which resources you want to monitor. 5. Give your integration a name that matches the purpose or team of the Azure resources you want to monitor, for example, `azure-CSPM-dev-1`. diff --git a/solutions/security/cloud/get-started-with-cspm-for-gcp.md b/solutions/security/cloud/get-started-with-cspm-for-gcp.md index 18435e6b2f..62e03b2b43 100644 --- a/solutions/security/cloud/get-started-with-cspm-for-gcp.md +++ b/solutions/security/cloud/get-started-with-cspm-for-gcp.md @@ -56,6 +56,9 @@ This functionality is in beta and is subject to change. The design and code is l 7. Next, you’ll need to authenticate to GCP. Expand the **Steps to Generate GCP Account Credentials** section, then follow the instructions that appear to automatically create the necessary credentials using Google Cloud Shell. 8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. +::::{admonition} Important +Agentless deployment does not work if you are using [Traffic filtering](/deploy-manage/security/traffic-filtering.md). +:::: ## Agent-based deployment [cspm-gcp-agent-based] 
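Review bot: the bold fix in the Azure agent-based steps (`**Azure***, then select either ***Azure Organization**` to `**Azure**, then select either **Azure Organization**`) is correct. In the earlier Azure hunk, `$$$cspm-azure-client-secret$$$` is removed while step 7 of the same file still links `#cspm-azure-client-secret`, so confirm the "Service principal with client secret" heading carries `[cspm-azure-client-secret]`. The same admonition style point as on the AWS page applies to the Azure and GCP traffic-filtering notes: prefer `::::{important}` over `::::{admonition} Important` and leave a blank line before the following `## Agent-based deployment` heading.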
@@ -92,9 +95,9 @@ For most users, the simplest option is to use a Google Cloud Shell script to aut 4. Copy the command that appears, then click **Launch Google Cloud Shell**. It opens in a new window. 5. Check the box to trust Elastic’s `cloudbeat` repo, then click **Confirm** - :::{image} ../../../images/security-cspm-cloudshell-trust.png - :alt: The cloud shell confirmation popup - ::: +:::{image} ../../../images/security-cspm-cloudshell-trust.png +:alt: The cloud shell confirmation popup +::: 6. In Google Cloud Shell, execute the command you copied. Once it finishes, return to {{kib}} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. diff --git a/solutions/security/cloud/get-started-with-kspm.md b/solutions/security/cloud/get-started-with-kspm.md index be0acbc3b4..50f077db27 100644 --- a/solutions/security/cloud/get-started-with-kspm.md +++ b/solutions/security/cloud/get-started-with-kspm.md @@ -6,39 +6,6 @@ mapped_urls: # Get started with KSPM -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/get-started-with-kspm.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-get-started-with-kspm.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$kspm-setup-eks-start$$$ - -$$$kspm-setup-eks-auth$$$ - -$$$kspm-setup-eks-finish$$$ - -$$$kspm-setup-eks-modify-deploy$$$ - -$$$kspm-setup-unmanaged$$$ - -$$$kspm-setup-unmanaged-modify-deploy$$$ - -$$$kspm-use-irsa$$$ - -$$$kspm-use-instance-role$$$ - -$$$kspm-use-keys-directly$$$ - -$$$kspm-use-temp-credentials$$$ - -$$$kspm-use-a-shared-credentials-file$$$ - -$$$kspm-use-iam-arn$$$ - This page explains how to configure the Kubernetes Security Posture Management (KSPM) integration. ::::{admonition} Requirements 
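Review bot: the GCP image hunk moves the `:::{image}` directive from list-item indentation to column 0 between steps 5 and 6, the opposite of what the CNVM, AWS and KSPM hunks in this patch do. An unindented block between two numbered items ends the list, so `6. In Google Cloud Shell, execute the command you copied.` will render as a new list starting at 1. Keep the directive indented under step 5 as on the other pages.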
diff --git a/solutions/security/cloud/kubernetes-security-posture-management.md b/solutions/security/cloud/kubernetes-security-posture-management.md index fe6a6c096b..3569b0b26b 100644 --- a/solutions/security/cloud/kubernetes-security-posture-management.md +++ b/solutions/security/cloud/kubernetes-security-posture-management.md @@ -53,9 +53,9 @@ To identify and remediate failed failed findings: 3. Click a failed finding. The findings flyout opens. 4. Follow the steps under **Remediation** to correct the misconfiguration. - ::::{note} - Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before execution. - :::: + ::::{note} + Remediation steps typically include commands for you to execute. These sometimes contain placeholder values that you must replace before execution. + :::: From 97e543ae8adfc9d5d70a2a4bbf7eb54ecce0de2a Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Wed, 26 Feb 2025 16:15:22 -0800 Subject: [PATCH 06/11] fixes build error and removes D4C content --- raw-migrated-files/toc.yml | 1 - .../container-workload-protection-policies.md | 96 ------------------- .../get-started-with-cwp-for-kubernetes.md | 91 ------------------ .../security/cloud/kubernetes-dashboard.md | 71 -------------- .../dashboards/kubernetes-dashboard.md | 71 -------------- solutions/toc.yml | 5 - 6 files changed, 335 deletions(-) delete mode 100644 solutions/security/cloud/container-workload-protection-policies.md delete mode 100644 solutions/security/cloud/get-started-with-cwp-for-kubernetes.md delete mode 100644 solutions/security/cloud/kubernetes-dashboard.md delete mode 100644 solutions/security/dashboards/kubernetes-dashboard.md diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 5ed93df11c..210f249b1d 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml 
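Review bot: get-started-with-kspm.md loses twelve `$$$kspm-...$$$` anchors with no heading-ID change visible in this patch; `kspm-use-temp-credentials`, `kspm-use-keys-directly`, `kspm-use-iam-arn`, `kspm-use-instance-role`, `kspm-use-a-shared-credentials-file` and `kspm-use-irsa` mirror the CSPM credential-method anchors, so run the link checker over the KSPM and CSPM pages together rather than page by page. In kubernetes-security-posture-management.md the hunk only re-indents the remediation note, but its context line reads `To identify and remediate failed failed findings:`; fix the doubled word while touching this block, since the deleted raw source carried the same typo and this is the copy that survives.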
@@ -232,7 +232,6 @@ toc: - file: docs-content/serverless/security-automated-response-actions.md - file: docs-content/serverless/security-automatic-import.md - file: docs-content/serverless/security-behavioral-detection-use-cases.md - - file: docs-content/serverless/security-benchmark-rules.md - file: docs-content/serverless/security-blocklist.md - file: docs-content/serverless/security-building-block-rules.md - file: docs-content/serverless/security-cases-open-manage.md diff --git a/solutions/security/cloud/container-workload-protection-policies.md b/solutions/security/cloud/container-workload-protection-policies.md deleted file mode 100644 index 4d3c3e6f75..0000000000 --- a/solutions/security/cloud/container-workload-protection-policies.md +++ /dev/null 
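Review bot: `security-benchmark-rules.md` is kept by the first commit's toc hunk and removed only here, in the commit titled "fixes build error"; if the corresponding raw-migrated file was deleted in the earlier commit, that mismatch is the build failure being fixed, and the cleaner history is to move this one-line toc change into the commit that deletes the file so every commit in the series builds.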
@@ -1,96 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/security/current/d4c-policy-guide.html ---- - -# Container workload protection policies [d4c-policy-guide] - -To unlock the full functionality of the Defend for Containers (D4C) integration, you’ll need to understand its policy syntax. This will enable you to construct policies that precisely allow expected container behaviors and prevent unexpected behaviors — thereby hardening your container workloads' security posture. - -D4C integration policies consist of *selectors* and *responses*. Each policy must contain at least one selector and one response. Currently, the system supports two types of selectors and responses: `file` and `process`. Selectors define which system operations to match and can include multiple conditions (grouped using a logical `AND`) to precisely select events. Responses define which actions to take when a system operation matches the conditions specified in an associated selector. - -The default policy described on this page provides an example that’s useful for understanding D4C policies in general. Following the description, you’ll find a comprehensive glossary of selector conditions, response fields, and actions. - - -## Default policies: [d4c-default-policies] - -The default D4C integration policy includes two selector-response pairs. It is designed to implement core container workload protection capabilities: - -* **Threat Detection:** The first selector-response pair is designed to stream process telemetry data to your {{es}} cluster so {{elastic-sec}} can evaluate it to detect threats. Both the selector and response are named `allProcesses`. The selector selects all fork and exec events. The associated response specifies that selected events should be logged. -* **Drift Detection & Prevention:** The second selector-response pair is designed to create alerts when container drift is detected. Both the selector and response are named `executableChanges`. 
The selector selects all `createExecutable` and `modifyExecutable` events. The associated response specifies that the selected events should create alerts, which will be sent to your {{es}} cluster. You can modify the response to block drift operations by setting it to block. - -:::{image} ../../../images/security-d4c-policy-editor.png -:alt: The defend for containers policy editor with the default policies -::: - - -## Selectors [d4c-selectors-glossary] - -A selector requires a name and at least one operation. It will select all events of the specified operation types, unless you also include *conditions* to narrow down the selection. Some conditions are available for both `file` and `process` selectors, while others only available for one type of selector. - - -### Common conditions [_common_conditions] - -These conditions are available for both `file` and `process` selectors. - -| Name | Description | -| --- | --- | -| containerImageFullName | A list of full container image names to match on. For example: `docker.io/nginx`. | -| containerImageName | A list of container image names to match on. For example: `nginx`. | -| containerImageTag | A list of container image tags to match on. For example: `latest`. | -| kubernetesClusterId | A list of Kubernetes cluster IDs to match on. For consistency with KSPM, the `kube-system` namespace’s UID is used as a cluster ID. | -| kubernetesClusterName | A list of Kubernetes cluster names to match on. | -| kubernetesNamespace | A list of Kubernetes namespaces to match on. | -| kubernetesPodName | A list of Kubernetes pod names to match on. Trailing wildcards supported. | -| kubernetesPodLabel | A list of resource labels. Trailing wildcards supported (value only), for example: `key1:val*`. | - - -### File-selector conditions [_file_selector_conditions] - -These conditions are available only for `file` selectors. - -| Name | Description | -| --- | --- | -| operation | The list of system operations to match on. 
Options include `createExecutable`, `modifyExecutable`, `createFile`, `modifyFile`, `deleteFile`. | -| ignoreVolumeMounts | If set, ignores file operations on *all* volume mounts. | -| ignoreVolumeFiles | If set, ignores operations on file mounts only. For example: mounted files, `configMaps`, and secrets. | -| targetFilePath | A list of file paths to include. Paths are absolute and wildcards are supported. The `*` wildcard matches any sequence of characters within a single directory, while the `**` wildcard matches any sequence of characters across multiple directories and subdirectories. | - -::::{note} -In order to ensure precise targeting of file integrity monitoring operations, a `TargetFilePath` is required whenever the `deleteFile`, `modifyFile`, or `createFile` operations are used within a selector. -:::: - - - -### Process-selector conditions [_process_selector_conditions] - -These conditions are available only for `process` selectors. - -| Name | Description | -| --- | --- | -| operation | The list of system operations to match on. Options include `fork` and `exec`. | -| processExecutable | A list of executables (full path included) to match on. For example: `/usr/bin/cat`. Wildcard support is same as targetFilePath above. | -| processName | A list of process names (executable basename) to match on. For example: `bash`, `vi`, `cat`. | -| sessionLeaderInteractive | If set to `true`, will only match on interactive sessions (defined as sessions with a controlling TTY). | - - -### Response fields [_response_fields] - -A policy can include one or more responses. Each response is comprised of the following fields: - -| Field | Description | -| --- | --- | -| match | An array of one or more selectors of the same type (`file` or `process`). | -| exclude | Optional. An array of one or more selectors to use as exclusions to everything in `match`. 
| -| actions | An array of actions to perform when at least one `match` selector matches and none of the `exclude` selectors match. Options include `log`, `alert`, and `block`. | - - -### Response actions [_response_actions] - -D4C responses can include the following actions: - -| Action | Description | -| --- | --- | -| log | Sends events to the `logs-cloud_defend.file-*` data stream for file responses, and the `logs-cloud_defend.process-*` data stream for process responses. | -| alert | Writes events (file or process) to the logs-cloud_defend.alerts-* data stream. | -| block | Prevents the system operation from proceeding. This blocking action happens prior to the execution of the event. It is required that the alert action be set if block is enabled.

**Note:** Currently, block is only supported on file operations.
| diff --git a/solutions/security/cloud/get-started-with-cwp-for-kubernetes.md b/solutions/security/cloud/get-started-with-cwp-for-kubernetes.md deleted file mode 100644 index fff1755209..0000000000 --- a/solutions/security/cloud/get-started-with-cwp-for-kubernetes.md +++ /dev/null 
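Review bot: this delete removes the only documentation of D4C policy semantics, including the constraints a policy author has to know before touching a production cluster (`TargetFilePath` is required with `deleteFile`, `modifyFile` or `createFile`; `block` requires `alert` to be set and is only supported on file operations; the default `executableChanges` response alerts rather than blocks). The front matter maps `https://www.elastic.co/guide/en/security/current/d4c-policy-guide.html`, so deleting the page without a redirect leaves that legacy URL dangling, along with the `#d4c-default-policies` anchor linked from get-started-with-cwp-for-kubernetes.md (also deleted in this commit). Check `solutions/toc.yml` and any surviving page for `container-workload-protection-policies` references, and add a redirect or a short retirement note if D4C is being withdrawn rather than re-homed.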
@@ -1,91 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/security/current/d4c-get-started.html ---- - -# Get started with CWP for Kubernetes [d4c-get-started] - -::::{warning} -This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. -:::: - - -This page describes how to set up Cloud Workload Protection (CWP) for Kubernetes. - -::::{admonition} Requirements -* Kubernetes node operating systems must have Linux kernels 5.10.16 or higher. -* {{stack}} version 8.8 or higher. - -:::: - - - -## Initial setup [_initial_setup] - -First, you’ll need to deploy Elastic’s Defend for Containers integration to the Kubernetes clusters you wish to monitor. - -1. Find **Container Workload Security** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Click **Add D4C Integration**. -2. Name the integration. The default name, which you can change, is `cloud_defend-1`. -3. Optional — make any desired changes to the integration’s policy by adjusting the **Selectors** and **Responses** sections. (For more information, refer to the [Defend for Containers policy guide](container-workload-protection-policies.md)). You can also change these later. -4. Under **Where to add this integration**, select an existing or new agent policy. -5. Click **Save & Continue**, then **Add {{agent}} to your hosts**. -6. On the {{agent}} policy page, click **Add agent** to open the Add agent flyout. -7. In the flyout, go to step 3 (**Install {{agent}} on your host**) and select the **Kubernetes** tab. -8. Download or copy the manifest (`elastic-agent-managed-kubernetes.yml`). -9. 
Open the manifest using your favorite editor, and uncomment the `#capabilities` section: - - ```console - #capabilities: - # add: - # - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps. - # - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations. - # - SYS_RESOURCE # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock' - ``` - -10. From the directory where you saved the manifest, run the command `kubectl apply -f elastic-agent-managed-kubernetes.yml`. -11. Wait for the **Confirm agent enrollment** dialogue to show that data has started flowing from your newly-installed agent, then click **Close**. - - -## Get started with threat detection [d4c-get-started-threat] - -One of the [default D4C policies](container-workload-protection-policies.md#d4c-default-policies) sends process telemetry events (`fork` and `exec`) to {{es}}. - -In order to detect threats using this data, you’ll need active [detection rules](../detect-and-alert.md). Elastic has prebuilt detection rules designed for this data. (You can also create your own [custom rules](../detect-and-alert/create-detection-rule.md).) - -To install and enable the prebuilt rules: - -1. Find **Detection rules (SIEM)** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Click **Add Elastic rules**. -2. Click the **Tags** filter next to the search bar, and search for the `Data Source: Elastic Defend for Containers` tag. -3. Select all the displayed rules, then click **Install *x* selected rule(s)**. -4. Return to the **Rules** page. Click the **Tags** filter next to the search bar, and search for the `Data Source: Elastic Defend for Containers` tag. -5. Select all the rules with the tag, and then click **Bulk actions > Enable**. 
- - -## Get started with drift detection and prevention [d4c-get-started-drift] - -{{elastic-sec}} defines container drift as the creation or modification of an executable within a container. Blocking drift restricts the number of attack vectors available to bad actors by prohibiting them from using external tools. - -To enable drift detection, you can use the default D4C policy: - -1. Make sure the [default D4C policy](container-workload-protection-policies.md#d4c-default-policies) is active. -2. Make sure you enabled at least the "Container Workload Protection" rule, by following the steps to install prebuilt rules, above. - -To enable drift prevention, create a new policy: - -1. Find **Container Workload Security** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then select your integration. -2. Under **Selectors**, click **Add selector > File Selector**. By default, it selects the operations `createExecutable` and `modifyExecutable`. -3. Name the selector, for example: `blockDrift`. -4. Scroll down to the **Responses** section and click **Add response > File Response**. -5. Under **Match selectors**, add the name of your new selector, for example: `blockDrift`. -6. Select the **Alert** and **Block** actions. -7. Click **Save integration**. - -::::{important} -Before you enable blocking, we strongly recommend you observe a production workload that’s using the default D4C policy to ensure that the workload does not create or modify executables as part of its normal operation. -:::: - - - -## Policy validation [d4c-get-started-validation] - -To ensure the stability of your production workloads, you should test policy changes before implementing them in production workloads. We also recommend you test policy changes on a simulated environment with workloads similar to production. 
This approach allows you to test that policy changes prevent undesirable behavior without disrupting your production workloads. diff --git a/solutions/security/cloud/kubernetes-dashboard.md b/solutions/security/cloud/kubernetes-dashboard.md deleted file mode 100644 index 38a0dc5dac..0000000000 --- a/solutions/security/cloud/kubernetes-dashboard.md +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/security/current/cloud-nat-sec-kubernetes-dashboard.html ---- - -# Kubernetes dashboard [cloud-nat-sec-kubernetes-dashboard] - -The Kubernetes dashboard provides insight into Linux process data from your Kubernetes clusters. It shows sessions in detail and in the context of your monitored infrastructure. - -:::{image} ../../../images/security-kubernetes-dashboard.png -:alt: The Kubernetes dashboard -::: - -The numbered sections are described below: - -1. The charts at the top of the dashboard provide an overview of your monitored Kubernetes infrastructure. You can hide them by clicking **Hide charts**. -2. The tree navigation menu allows you to navigate through your deployments and select the scope of the sessions table to the right. You can select any item in the menu to show its sessions. In Logical view, the menu is organized by Cluster, Namespace, Pod, and Container image. In Infrastructure view, it is organized by Cluster, Node, Pod, and Container image. -3. The sessions table displays sessions collected from the selected element of your Kubernetes infrastructure. You can view it in fullscreen by selecting the button in the table’s upper right corner. You can sort the table by any of its fields. - -You can filter the data using the KQL search bar and date picker at the top of the page. 
- -From the sessions table’s Actions column, you can take the following investigative actions: - -* View details -* [Open in Timeline](../investigate/timeline.md) -* [Run Osquery](../investigate/run-osquery-from-alerts.md) -* [Analyze event](../investigate/visual-event-analyzer.md) -* [Open Session View](../investigate/session-view.md) - -Session View displays Kubernetes metadata under the **Metadata** tab of the Detail panel: - -:::{image} ../../../images/security-metadata-tab.png -:alt: The Detail panel's metadata tab -::: - -The **Metadata** tab is organized into these expandable sections: - -* **Metadata:** `hostname`, `id`, `ip`, `mac`, `name`, Host OS information -* **Cloud:** `instance.name`, `provider`, `region`, `account.id`, `project.id` -* **Container:** `id`, `name`, `image.name`, `image.tag`, `image.hash.all` -* **Orchestrator:** `resource.ip`, `resource.name`, `resource.type`, `namespace`, `cluster.id`, `cluster.name`, `parent.type` - - -## Setup [_setup] - -To get data for this dashboard, set up [Cloud Workload Protection for Kubernetes](get-started-with-cwp-for-kubernetes.md) for the clusters you want to display on the dashboard. - -::::{admonition} Requirements -* Kubernetes node operating systems must have Linux kernels 5.10.16 or higher. -* {{stack}} version 8.8 or higher. 
- -:::: - - -**Support matrix**: This feature is currently available on GKE and EKS using Linux hosts and Kubernetes versions that match the following specifications: - -| | | | -| --- | --- | --- | -| | EKS 1.24-1.26 (AL2022) | GKE 1.24-1.26 (COS) | -| Process event exports | ✓ | ✓ | -| Network event exports | ✓ | ✓ | -| File event exports | ✓ | ✓ | -| File blocking | ✓ | ✓ | -| Process blocking | ✓ | ✓ | -| Network blocking | ✗ | ✗ | -| Drift prevention | ✓ | ✓ | -| Mount point awareness | ✓ | ✓ | - -::::{important} -This dashboard uses data from the `logs-*` index pattern, which is included by default in the [`securitySolution:defaultIndex` advanced setting](../get-started/configure-advanced-settings.md). To collect data from multiple {{es}} clusters (as in a cross-cluster deployment), update `logs-*` to `*:logs-*`. -:::: diff --git a/solutions/security/dashboards/kubernetes-dashboard.md b/solutions/security/dashboards/kubernetes-dashboard.md deleted file mode 100644 index c20046c8f4..0000000000 --- a/solutions/security/dashboards/kubernetes-dashboard.md +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/security/current/kubernetes-dashboard.html ---- - -# Kubernetes dashboard [kubernetes-dashboard] - -The Kubernetes dashboard provides insight into Linux process data from your Kubernetes clusters. It shows sessions in detail and in the context of your monitored infrastructure. - -:::{image} ../../../images/security-kubernetes-dashboard.png -:alt: The Kubernetes dashboard -::: - -The numbered sections are described below: - -1. The charts at the top of the dashboard provide an overview of your monitored Kubernetes infrastructure. You can hide them by clicking **Hide charts**. -2. The tree navigation menu allows you to navigate through your deployments and select the scope of the sessions table to the right. You can select any item in the menu to show its sessions. In Logical view, the menu is organized by Cluster, Namespace, Pod, and Container image. In Infrastructure view, it is organized by Cluster, Node, Pod, and Container image. -3. The sessions table displays sessions collected from the selected element of your Kubernetes infrastructure. You can view it in fullscreen by selecting the button in the table’s upper right corner. You can sort the table by any of its fields. - -You can filter the data using the KQL search bar and date picker at the top of the page. 
- -From the sessions table’s Actions column, you can take the following investigative actions: - -* View details -* [Open in Timeline](../investigate/timeline.md) -* [Run Osquery](../investigate/run-osquery-from-alerts.md) -* [Analyze event](../investigate/visual-event-analyzer.md) -* [Open Session View](../investigate/session-view.md) - -Session View displays Kubernetes metadata under the **Metadata** tab of the Detail panel: - -:::{image} ../../../images/security-metadata-tab.png -:alt: The Detail panel's metadata tab -::: - -The **Metadata** tab is organized into these expandable sections: - -* **Metadata:** `hostname`, `id`, `ip`, `mac`, `name`, Host OS information -* **Cloud:** `instance.name`, `provider`, `region`, `account.id`, `project.id` -* **Container:** `id`, `name`, `image.name`, `image.tag`, `image.hash.all` -* **Orchestrator:** `resource.ip`, `resource.name`, `resource.type`, `namespace`, `cluster.id`, `cluster.name`, `parent.type` - - -## Setup [_setup_2] - -To get data for this dashboard, set up [Cloud Workload Protection for Kubernetes](../cloud/get-started-with-cwp-for-kubernetes.md) for the clusters you want to display on the dashboard. - -::::{admonition} Requirements -* Kubernetes node operating systems must have Linux kernels 5.10.16 or higher. -* {{stack}} version 8.8 or higher. 
- -:::: - - -**Support matrix**: This feature is currently available on GKE and EKS using Linux hosts and Kubernetes versions that match the following specifications: - -| | | | -| --- | --- | --- | -| | EKS 1.24-1.26 (AL2022) | GKE 1.24-1.26 (COS) | -| Process event exports | ✓ | ✓ | -| Network event exports | ✗ | ✗ | -| File event exports | ✓ | ✓ | -| File blocking | ✓ | ✓ | -| Process blocking | ✓ | ✓ | -| Network blocking | ✗ | ✗ | -| Drift prevention | ✓ | ✓ | -| Mount point awareness | ✓ | ✓ | - -::::{important} -This dashboard uses data from the `logs-*` index pattern, which is included by default in the [`securitySolution:defaultIndex` advanced setting](../get-started/configure-advanced-settings.md). To collect data from multiple {{es}} clusters (as in a cross-cluster deployment), update `logs-*` to `*:logs-*`. -:::: diff --git a/solutions/toc.yml b/solutions/toc.yml index edf3d55d3b..6fb5a4345f 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -501,11 +501,6 @@ toc: - file: security/cloud/findings-page-3.md - file: security/dashboards/cloud-native-vulnerability-management-dashboard.md - file: security/cloud/cnvm-frequently-asked-questions-faq.md - - file: security/cloud/cloud-workload-protection-for-kubernetes.md - children: - - file: security/cloud/get-started-with-cwp-for-kubernetes.md - - file: security/cloud/container-workload-protection-policies.md - - file: security/cloud/kubernetes-dashboard.md - file: security/cloud/cloud-workload-protection-for-vms.md children: - file: security/cloud/capture-environment-variables.md From 9cd2cc1dc94e641f53bf0e4dc8f0496d053acc34 Mon Sep 17 00:00:00 2001 
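Review bot: the `toc.yml` hunk (`@@ -501,11 +501,6 @@`) drops the entries for `security/cloud/cloud-workload-protection-for-kubernetes.md` and `security/cloud/container-workload-protection-policies.md`, but none of the visible hunks in this patch delete those files, so they stay in the tree as pages unreachable from the toc; and the two deleted `kubernetes-dashboard.md` pages are still linked from `cloud-workload-protection-for-vms.md` and `investigate/session-view.md`, which the follow-up patch 07 ("fixes build errors related to removing D4C docs") has to clean up. Deleting the remaining D4C source files and removing the inbound links in this same commit would keep every commit in the series building on its own.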
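Review bot: each of the three deleted pages carries a `mapped_pages` entry (`d4c-get-started.html`, `cloud-nat-sec-kubernetes-dashboard.html`, `kubernetes-dashboard.html`), and the deletion hunks remove those mappings without moving them to any surviving page, so the legacy URLs lose their redirect target. Pick a surviving page (for example the cloud workload protection overview) to take over those `mapped_pages` entries, or note in the commit message that the legacy URLs are intentionally retired.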
From: Benjamin Ironside Goldstein Date: Wed, 26 Feb 2025 21:10:42 -0800 Subject: [PATCH 07/11] fixes build errors related to removing D4C docs --- ...loud-workload-protection-for-kubernetes.md | 63 ------------------- .../cloud-workload-protection-for-vms.md | 1 - .../security/investigate/session-view.md | 4 -- solutions/toc.yml | 1 - 4 files changed, 69 deletions(-) delete mode 100644 solutions/security/cloud/cloud-workload-protection-for-kubernetes.md diff --git a/solutions/security/cloud/cloud-workload-protection-for-kubernetes.md b/solutions/security/cloud/cloud-workload-protection-for-kubernetes.md deleted file mode 100644 index 4f85b8ecba..0000000000 --- a/solutions/security/cloud/cloud-workload-protection-for-kubernetes.md +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/security/current/d4c-overview.html ---- - -# Cloud workload protection for Kubernetes [d4c-overview] - -::::{warning} -This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. -:::: - - -Elastic Cloud Workload Protection (CWP) for Kubernetes provides cloud-native runtime protections for containerized environments by identifying and optionally blocking unexpected system behavior in Kubernetes containers. - - -## Use cases [d4c-use-cases] - - -### Threat detection & threat hunting [_threat_detection_threat_hunting] - -CWP for Kubernetes sends system events from your containers to {{es}}. {{elastic-sec}}'s prebuilt security rules include many designed to detect malicious behavior in container runtimes. These can help you detect events that should never occur in containers, such as reverse shell executions, privilege escalation, container escape attempts, and more. - - -### Drift detection & prevention [_drift_detection_prevention] - -Cloud-native containers should be immutable, meaning that their file systems should not change during normal operations. By leveraging this principle, security teams can detect unusual system behavior with a high degree of accuracy — without relying on more resource-intensive techniques like memory scanning or attack signature detection. Elastic’s Drift Detection mechanism has a low rate of false positives, so you can deploy it in most environments without worrying about creating excessive alerts. - - -### Workload protection policies [_workload_protection_policies] - -CWP for Kubernetes uses a flexible policy language to restrict container workloads to a set of allowlisted capabilities chosen by you. 
When employed with Drift and Threat Detection, this can provide multiple layers of defense. - - -## Support matrix: [_support_matrix] - -| | EKS 1.24-1.27 (AL2022) | GKE 1.24-1.27 (COS) | -| --- | --- | --- | -| Process event exports | ✓ | ✓ | -| Network event exports | ✓ | ✓ | -| File event exports | ✓ | ✓ | -| File blocking | ✓ | ✓ | -| Process blocking | ✓ | ✓ | -| Network blocking | ✗ | ✗ | -| Drift prevention | ✓ | ✓ | -| Mount point awareness | ✓ | ✓ | - - -## How CWP for Kubernetes works [_how_cwp_for_kubernetes_works] - -CWP for Kubernetes uses a lightweight integration, Defend for Containers (D4C). When you set up the D4C integration, it gets deployed by {{agent}}. Specifically, the {{agent}} is installed as a DaemonSet on your Kubernetes clusters, where it enables D4C to use eBPF Linux Security Modules ([LSM](https://docs.kernel.org/bpf/prog_lsm.md)) and tracepoint probes to record system events. Events are evaluated against LSM hook points, enabling {{agent}} to evaluate system activity against your policy before allowing it to proceed. - -Your D4C integration policy determines which system behaviors (for example, process execution or file creation or deletion) will result in which actions. *Selectors* and *responses* define each policy. Selectors define the conditions which cause the associated responses to run. Responses are associated with one or more selectors, and specify one or more actions (such as `log`, `alert`, or `block`) that will occur when the conditions defined in an associated selector are met. - -The default D4C policy sends data about all running processes to your {{es}} cluster. This data is used by {{elastic-sec}}'s prebuilt detection rules to detect malicious behavior in container workloads. - -::::{important} -To learn more about D4C policies, including how to create your own, refer to the [D4C policies guide](container-workload-protection-policies.md). -:::: - - - - - 
diff --git a/solutions/security/cloud/cloud-workload-protection-for-vms.md b/solutions/security/cloud/cloud-workload-protection-for-vms.md index ac8f6f9149..c2f82b17b9 100644 --- a/solutions/security/cloud/cloud-workload-protection-for-vms.md +++ b/solutions/security/cloud/cloud-workload-protection-for-vms.md @@ -28,5 +28,4 @@ To continue setting up your cloud workload protection, learn more about: * [**Getting started with {{elastic-defend}}**](/solutions/security/configure-elastic-defend/install-elastic-defend.md): configure {{elastic-defend}} to protect your hosts. Be sure to select one of the "Cloud workloads" presets if you want to collect session data by default, including process, file, and network telemetry. * [**Session view**](/solutions/security/investigate/session-view.md): examine Linux process data organized in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution. Use it to monitor and investigate session activity, and to understand user and service behavior on your Linux infrastructure. -* [**The Kubernetes dashboard**](/solutions/security/cloud/kubernetes-dashboard.md): Explore an overview of your protected Kubernetes clusters, and drill down into individual sessions within your Kubernetes infrastructure. * [**Environment variable capture**](/solutions/security/cloud/capture-environment-variables.md): Capture the environment variables associated with process events, such as `PATH`, `LD_PRELOAD`, or `USER`. diff --git a/solutions/security/investigate/session-view.md b/solutions/security/investigate/session-view.md index 83b1e7df3a..9afd22a388 100644 --- a/solutions/security/investigate/session-view.md +++ b/solutions/security/investigate/session-view.md 
@@ -34,10 +34,6 @@ Session View has the following features: * **Alerts:** Process, file, and network alerts in the context of the events which caused them. * **Terminal output:** Terminal output associated with each process in the session. -::::{note} -To view Linux session data from your Kubernetes infrastructure, you’ll need to set up the [Kubernetes dashboard](/solutions/security/dashboards/kubernetes-dashboard.md). -:::: - ## Enable Session View data [enable-session-view] diff --git a/solutions/toc.yml b/solutions/toc.yml index 6fb5a4345f..2d4041ce35 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -536,7 +536,6 @@ toc: children: - file: security/dashboards/overview-dashboard.md - file: security/dashboards/detection-response-dashboard.md - - file: security/dashboards/kubernetes-dashboard.md - file: security/dashboards/cloud-security-posture-dashboard.md - file: security/dashboards/entity-analytics-dashboard.md - file: security/dashboards/data-quality-dashboard.md From 86007e241967c38f6a1d0cba2a01b9fbe6ef5c8d Mon Sep 17 00:00:00 2001 
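Review bot: the `cloud-workload-protection-for-kubernetes.md` deletion hunk (`@@ -1,63 +0,0 @@`) removes the `mapped_pages` entry for `d4c-overview.html` with no surviving page taking it over, and the deleted page's `::::{important}` block was the last visible inbound link to `container-workload-protection-policies.md`, whose toc entry was already removed in the previous patch; if that file is still in the tree it is now fully orphaned and should be deleted in this commit (the diffstat lists only four files, none of them that page). The `session-view.md` and `cloud-workload-protection-for-vms.md` hunks correctly remove the dangling `kubernetes-dashboard.md` links.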
From: Benjamin Ironside Goldstein Date: Wed, 26 Feb 2025 21:35:01 -0800 Subject: [PATCH 08/11] finishes this PR! --- .../serverless/ingest-aws-securityhub-data.md | 16 --- .../docs-content/serverless/ingest-falco.md | 114 ------------------ .../ingest-third-party-cloud-security-data.md | 24 ---- .../serverless/ingest-wiz-data.md | 24 ---- ...security-cloud-native-security-overview.md | 41 ------- ...urity-cloud-posture-dashboard-dash-cspm.md | 49 -------- ...urity-cloud-posture-dashboard-dash-kspm.md | 49 -------- .../security-cloud-posture-dashboard-dash.md | 49 -------- .../serverless/security-posture-management.md | 43 ------- raw-migrated-files/toc.yml | 9 -- solutions/security/cloud.md | 14 --- .../cloud-workload-protection-for-vms.md | 6 - .../cloud/enable-cloud-security-features.md | 4 +- .../cloud/ingest-aws-security-hub-data.md | 7 -- .../security/cloud/ingest-cncf-falco-data.md | 21 +--- .../ingest-third-party-cloud-security-data.md | 7 -- solutions/security/cloud/ingest-wiz-data.md | 7 -- .../security-posture-management-overview.md | 8 -- .../cloud-security-posture-dashboard.md | 7 -- 19 files changed, 6 insertions(+), 493 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md delete mode 100644 raw-migrated-files/docs-content/serverless/ingest-falco.md delete mode 100644 raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md delete mode 100644 raw-migrated-files/docs-content/serverless/ingest-wiz-data.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cloud-native-security-overview.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-cspm.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-kspm.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash.md delete mode 100644 
raw-migrated-files/docs-content/serverless/security-posture-management.md diff --git a/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md b/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md deleted file mode 100644 index d0b3b2efc4..0000000000 --- a/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md +++ /dev/null @@ -1,16 +0,0 @@ -# Ingest AWS Security Hub data [ingest-aws-securityhub-data] - -In order to enrich your {{elastic-sec}} workflows with third-party cloud security posture data collected by AWS Security Hub: - -* Follow the steps to [set up the AWS Security Hub integration](https://docs.elastic.co/en/integrations/aws/securityhub). -* Make sure the integration version is at least 2.31.1. -* Ensure you have `read` privileges for the `security_solution-*.misconfiguration_latest` index. -* While configuring the AWS Security Hub integration, turn on **Collect AWS Security Hub Findings from AWS**. We recommend you also set the **Initial Interval** value to `2160h` (equivalent to 90 days) to ingest existing logs. - -:::{image} ../../../images/serverless-aws-config-finding-logs.png -:alt: AWS Security Hub integration settings showing the findings toggle -::: - -After you’ve completed these steps, AWS Security Hub data will appear on the **Misconfigurations** tab of the [**Findings**](../../../solutions/security/cloud/findings-page.md) page. - -Any available findings data will also appear in the entity details flyouts for related [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. 
diff --git a/raw-migrated-files/docs-content/serverless/ingest-falco.md b/raw-migrated-files/docs-content/serverless/ingest-falco.md deleted file mode 100644 index 7be40874d7..0000000000 --- a/raw-migrated-files/docs-content/serverless/ingest-falco.md +++ /dev/null 
@@ -1,114 +0,0 @@ -# Ingest CNCF Falco data [ingest-falco] - -CNCF Falco is an open-source runtime security tool that detects anomalous activity in Linux hosts, containers, Kubernetes, and cloud environments. You can ingest Falco alerts into {{es}} to view them on {{elastic-sec}}'s **Alerts** page and incorporate them into your security workflows by using Falcosidekick, a proxy forwarder that can send alerts from your Falco deployments to {{es}}. - -First, you’ll need to configure {{elastic-sec}} to receive data from Falco, then you’ll need to configure Falco and Falcosidekick to send data to {{es}}. - - -## Configure {{elastic-sec}} to receive Falco data [ingest-falco-setup-kibana] - -In {{elastic-sec}}: - -1. Click **Add integrations**. -2. Search the **Integrations** page for `Falco`, then select it. -3. Go to the Falco integration’s **Settings** tab. -4. Click **Install Falco**, then confirm by clicking **Install Falco** again. Installation should take less than a minute. - -{{elastic-sec}} is now ready to receive data from Falco. The Falco integration page now has an **Assets** tab where you can inspect the newly installed assets that help to ingest Falco data. - -Next, to make alerts from Falco appear on {{elastic-sec}}'s **Alerts** page: - -1. Find the **Detection rules (SIEM)** page in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Search for a rule named `External Alerts`. Install it if necessary, and enable it. - - -## Configure Falco and Falcosidekick [ingest-falco-setup-falco] - -You can either: - -* [Send Falco data to {{es}} from virtual machines (VMs)](../../../solutions/security/cloud/ingest-cncf-falco-data.md#ingest-falco-setup-falco-vm); or, -* [Send Falco data to {{es}} from Kubernetes](../../../solutions/security/cloud/ingest-cncf-falco-data.md#ingest-falco-setup-falco-kubernetes). 
- - -### Configure Falco and Falcosidekick for VMs [ingest-falco-setup-falco-vm] - -Multiple methods for configuring Falco to send data from VMs to {{es}} are available. This guide uses the [Falco sidekick on Docker using environment variables](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md) method. - - -### Configure Falco for VMs: [_configure_falco_for_vms] - -1. Refer to Falco’s documentation to [install Falco on the Linux VMs you wish to monitor](https://falco.org/docs/setup/packages/). -2. Once Falco is installed, update `/etc/falco/falco.yaml` as follows: - - 1. Enable JSON output: `json_output: true` - 2. Enable HTTP output: under `http_output`, for the `url` value, enter the `url:port` where Falcosidekick will listen. For example, if Falcosidekick is running on localhost: - - ``` - http_output: - enabled: true - url: "http://0.0.0.0:2801/" - ``` - - - -### Configure Falcosidekick for VMs: [falco-config-falco-for-vms] - -1. Refer to Falcosidekick’s documentation to [install Falcosidekick](https://github.com/falcosecurity/falcosidekick?tab=readme-ov-file#installation). -2. Use the [Falcosidekick on Docker using environment variables](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md) method and set your environment variables as follows: - - 1. `ELASTICSEARCH_HOSTPORT`: Your {{es}} endpoint URL, which can be found under **Connection details** on the upper right of the **Integrations** page in {{kib}}. - 2. `ELASTICSEARCH_INDEX`: The {{es}} index where you want to store Falco logs. - - ::::{important} - Your `ELASTICSEARCH_INDEX` value must match `logs-falco.alerts-*`. - :::: - - 3. `ELASTICSEARCH_SUFFIX`: The frequency with which you want the {{es}} index suffix to change. Either `daily`, `monthly`, `annually`, or `none`. - 4. `ELASTICSEARCH_APIKEY`: The recommended way to authenticate to {{es}}, by providing an [API key](../../../deploy-manage/api-keys/elasticsearch-api-keys.md). 
Note that support for this environment variable starts with Falcosidekick version 2.30. You can access the latest version on Falcosidekick’s [Docker Hub](https://hub.docker.com/r/falcosecurity/falcosidekick). - 5. `ELASTICSEARCH_USERNAME` and `ELASTICSEARCH_PASSWORD`: The username and password for an account on your {{es}} instance. Authentication using these environment variables is not supported on {{ecloud}} Serverless. - 6. `ELASTICSEARCH_MUTUALTLS` and `ELASTICSEARCH_CHECKCERT`: For security reasons, we recommend setting these to `true`. - - -For example: - -``` -docker run -d -p 2801:2801 - -e ELASTICSEARCH_HOSTPORT=https://test-falco.es.us-west2.gcp.elastic-cloud.com - -e ELASTICSEARCH_INDEX=logs-falco.alerts-all - -e ELASTICSEARCH_SUFFIX=none - -e ELASTICSEARCH_APIKEY=XXXXXXXXXXXXX - -e ELASTICSEARCH_MUTUALTLS=true - -e ELASTICSEARCH_CHECKCERT=true falcosecurity/falcosidekick -``` - -::::{important} -The {{es}} account used to authenticate Falcosidekick only needs sufficient privileges to create and write to new indices. We recommend following the principle of least privilege when provisioning this account. -:::: - - -After installing and configuring Falcosidekick, restart Falco with `sudo systemctl restart falco`. Falcosidekick should start sending alerts to {{es}}. - - -## Configure Falco and Falcosidekick for Kubernetes [ingest-falco-setup-falco-kubernetes] - -1. Add the Falco [Helm charts](https://github.com/falcosecurity/charts/blob/master/README.md): - - ``` - helm repo add falcosecurity https://falcosecurity.github.io/charts - helm repo update - ``` - -2. 
Next, install Falco and Falcosidekick using the `falcosecurity/falco` Helm chart with [appropriate values](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md) for each of the `falcosidekick.config.elasticsearch.*` fields: - - ``` - helm install falco falcosecurity/falco \ - --set falcosidekick.enabled=true \ - --set tty=true \ - --set driver.kind=modern_ebpf \ - --set collectors.kubernetes.enabled=true \ - --set falcosidekick.config.elasticsearch.hostport="https://" \ - --set falcosidekick.config.elasticsearch.username="" \ - --set falcosidekick.config.elasticsearch.password="" \ - --set falcosidekick.config.elasticsearch.index="logs-falco.alerts-all" \ - --set falcosidekick.config.elasticsearch.suffix="none" - ``` diff --git a/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md b/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md deleted file mode 100644 index 985fa76399..0000000000 --- a/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md +++ /dev/null 
@@ -1,24 +0,0 @@ -# Ingest third-party cloud security data [ingest-third-party-cloud-security-data] - -This section describes how to ingest cloud security data from third-party tools into {{es}}. Once ingested, this data can provide additional context and enrich your {{elastic-sec}} workflows. - -You can ingest both third-party cloud workload protection data and third-party security posture and vulnerability data. - - -## Ingest third-party workload protection data [_ingest_third_party_workload_protection_data] - -You can ingest third-party cloud security alerts into {{elastic-sec}} to view them on the [Alerts page](../../../solutions/security/detect-and-alert/manage-detection-alerts.md) and incorporate them into your triage and threat hunting workflows. - -* Learn to [ingest alerts from Sysdig Falco](../../../solutions/security/cloud/ingest-cncf-falco-data.md). - - -## Ingest third-party security posture and vulnerability data [_ingest_third_party_security_posture_and_vulnerability_data] - -You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](../../../solutions/security/cloud/findings-page.md) page and in the entity details flyouts for [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section), [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. - -* Learn to [ingest cloud security posture data from AWS Security Hub](../../../solutions/security/cloud/ingest-aws-security-hub-data.md). -* Learn to [ingest cloud security posture and vulnerability data from Wiz](../../../solutions/security/cloud/ingest-wiz-data.md). - - - - 
diff --git a/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md b/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md deleted file mode 100644 index b307b87af2..0000000000 --- a/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md +++ /dev/null 
@@ -1,24 +0,0 @@ -# Ingest Wiz data [ingest-wiz-data] - -In order to enrich your {{elastic-sec}} workflows with third-party cloud security posture and vulnerability data collected by Wiz: - -* Follow the steps to [set up the Wiz integration](https://docs.elastic.co/en/integrations/wiz). -* Make sure the integration version is at least 2.0.1. -* Ensure you have `read` privileges for the following indices: `security_solution-*.misconfiguration_latest`, `security_solution-*.vulnerability_latest`. -* While configuring the Wiz integration, turn on **Cloud Configuration Finding logs** and **Vulnerability logs**. We recommend you also set the **Initial Interval** values for both settings to `2160h` (equivalent to 90 days) to ingest existing logs. - -:::{image} ../../../images/serverless-wiz-config-finding-logs.png -:alt: Wiz integration settings showing the findings toggle -::: - -:::{image} ../../../images/serverless-wiz-config-vuln-logs.png -:alt: Wiz integration settings showing the vulnerabilities toggle -::: - -After you’ve completed these steps, Wiz data will appear on the **[**Misconfiguations**](../../../solutions/security/cloud/findings-page.md) and [**Vulnerabilities**](../../../solutions/security/cloud/findings-page-3.md) tabs of the **Findings** page. - -:::{image} ../../../images/serverless-wiz-findings.png -:alt: Wiz data on the Findings page -::: - -Any available findings data will also appear in the entity details flyouts for related [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. 
diff --git a/raw-migrated-files/docs-content/serverless/security-cloud-native-security-overview.md b/raw-migrated-files/docs-content/serverless/security-cloud-native-security-overview.md deleted file mode 100644 index 59a209d5f4..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cloud-native-security-overview.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# Cloud Security [security-cloud-native-security-overview] - -Elastic Security for Cloud helps you improve your cloud security posture by comparing your cloud configuration to best practices, and scanning for vulnerabilities. It also helps you monitor and investigate your cloud workloads inside and outside Kubernetes. - -This page describes what each solution does and provides links to more information. - - -## Cloud Security Posture Management (CSPM) [security-cloud-native-security-overview-cloud-security-posture-management-cspm] - -Discovers and evaluates the services in your cloud environment — like storage, compute, IAM, and more — against configuration security guidelines defined by the [Center for Internet Security](https://www.cisecurity.org/) (CIS) to help you identify and remediate risks that could undermine the confidentiality, integrity, and availability of your cloud data. - -[Read the CSPM docs](../../../solutions/security/cloud/cloud-security-posture-management.md). - - -## Kubernetes Security Posture Management (KSPM) [security-cloud-native-security-overview-kubernetes-security-posture-management-kspm] - -Allows you to identify configuration risks in the various components that make up your Kubernetes cluster. It does this by evaluating your Kubernetes clusters against secure configuration guidelines defined by the Center for Internet Security (CIS) and generating findings with step-by-step instructions for remediating potential security risks. - -[Read the KSPM docs](../../../solutions/security/cloud/kubernetes-security-posture-management.md). - - -## Cloud Native Vulnerability Management (CNVM) [security-cloud-native-security-overview-cloud-native-vulnerability-management-cnvm] - -Scans your cloud workloads for known vulnerabilities. 
When it finds a vulnerability, it supports your risk assessment by quickly providing information such as the vulnerability’s CVSS and severity, which software versions it affects, and whether a fix is available. - -[Read the CNVM docs](../../../solutions/security/cloud/cloud-native-vulnerability-management.md). - - -## Cloud Workload Protection for VMs [security-cloud-native-security-overview-cloud-workload-protection-for-vms] - -Helps you monitor and protect your Linux VMs. It uses {{elastic-defend}} to instantly detect and prevent malicious behavior and malware, and captures workload telemetry data for process, file, and network activity. You can use this data with Elastic’s out-of-the-box detection rules and {{ml}} models. These detections generate alerts that quickly help you identify and remediate threats. - -[Read the CWP for VMs docs](../../../solutions/security/cloud/cloud-workload-protection-for-vms.md). - - - - - - - - diff --git a/raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-cspm.md b/raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-cspm.md deleted file mode 100644 index 6339805a02..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-cspm.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -navigation_title: "Cloud Security Posture" ---- - -# Cloud Security Posture dashboard [security-cloud-posture-dashboard-dash-cspm] - - -The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](../../../solutions/security/cloud/benchmarks.md) defined by the Center for Internet Security (CIS). To start collecting this data, refer to [Get started with Cloud Security Posture Management](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](../../../solutions/security/cloud/get-started-with-kspm.md). - -:::{image} ../../../images/serverless--dashboards-cloud-sec-dashboard.png -:alt: The cloud Security dashboard -:class: screenshot -::: - -The Cloud Security Posture dashboard shows: - -* Configuration risk metrics for all monitored cloud accounts and Kubernetes clusters -* Configuration risk metrics grouped by the applicable benchmark, for example, CIS GCP, CIS Azure, CIS Kubernetes, or CIS EKS -* Configuration risks grouped by CIS section (security guideline category) - - -## Cloud Security Posture dashboard UI [cloud-posture-dashboard-UI-cspm] - -At the top of the dashboard, you can switch between the Cloud accounts and Kubernetes cluster views. - -The top section of either view summarizes your overall cloud security posture (CSP) by aggregating data from all monitored resources. The summary cards on the left show the number of cloud accounts or clusters evaluated, and the number of resources evaluated. You can click **Enroll more accounts** or **Enroll more clusters** to deploy to additional cloud assets. Click **View all resources** to open the [Findings page](../../../solutions/security/cloud/findings-page.md). - -The remaining summary cards show your overall compliance score, and your compliance score for each CIS section. 
Click **View all failed findings** to view all failed findings, or click a CIS section name to view failed findings from only that section on the Findings page. - -Below the summary section, each row shows the CSP for a benchmark that applies to your monitored cloud resources. For example, if you are monitoring GCP and Azure cloud accounts, a row appears for CIS GCP and another appears for CIS Azure. Each row shows the CIS benchmark, the number of cloud accounts or Kubernetes clusters it applies to, its overall compliance score, and its compliance score grouped by CIS section. - -:::{image} ../../../images/serverless--dashboards-cloud-sec-dashboard-individual-row.png -:alt: A row representing a single cluster in the Cloud Security Posture dashboard -:class: screenshot -::: - - -## FAQ (Frequently Asked Questions) [cloud-posture-dashboard-faq-cspm] - -::::{dropdown} When do newly-enrolled clusters appear on the dashboard? -It can take up to 10 minutes for deployment, resource fetching, evaluation, and data processing before a newly-enrolled cluster appears on the dashboard. - -:::: - - -::::{dropdown} When do unenrolled clusters disappear from the dashboard? -A cluster will disappear as soon as the KSPM integration fetches data while that cluster is not enrolled. The fetch process repeats every four hours, which means a newly unenrolled cluster can take a maximum of four hours to disappear from the dashboard. - -:::: diff --git a/raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-kspm.md b/raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-kspm.md deleted file mode 100644 index 87685ee9e4..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash-kspm.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -navigation_title: "Cloud Security Posture" ---- - -# Cloud Security Posture dashboard [security-cloud-posture-dashboard-dash-kspm] - - -The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](../../../solutions/security/cloud/benchmarks.md) defined by the Center for Internet Security (CIS). To start collecting this data, refer to [Get started with Cloud Security Posture Management](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](../../../solutions/security/cloud/get-started-with-kspm.md). - -:::{image} ../../../images/serverless--dashboards-cloud-sec-dashboard.png -:alt: The cloud Security dashboard -:class: screenshot -::: - -The Cloud Security Posture dashboard shows: - -* Configuration risk metrics for all monitored cloud accounts and Kubernetes clusters -* Configuration risk metrics grouped by the applicable benchmark, for example, CIS GCP, CIS Azure, CIS Kubernetes, or CIS EKS -* Configuration risks grouped by CIS section (security guideline category) - - -## Cloud Security Posture dashboard UI [cloud-posture-dashboard-UI-kspm] - -At the top of the dashboard, you can switch between the Cloud accounts and Kubernetes cluster views. - -The top section of either view summarizes your overall cloud security posture (CSP) by aggregating data from all monitored resources. The summary cards on the left show the number of cloud accounts or clusters evaluated, and the number of resources evaluated. You can click **Enroll more accounts** or **Enroll more clusters** to deploy to additional cloud assets. Click **View all resources** to open the [Findings page](../../../solutions/security/cloud/findings-page.md). - -The remaining summary cards show your overall compliance score, and your compliance score for each CIS section. 
Click **View all failed findings** to view all failed findings, or click a CIS section name to view failed findings from only that section on the Findings page. - -Below the summary section, each row shows the CSP for a benchmark that applies to your monitored cloud resources. For example, if you are monitoring GCP and Azure cloud accounts, a row appears for CIS GCP and another appears for CIS Azure. Each row shows the CIS benchmark, the number of cloud accounts or Kubernetes clusters it applies to, its overall compliance score, and its compliance score grouped by CIS section. - -:::{image} ../../../images/serverless--dashboards-cloud-sec-dashboard-individual-row.png -:alt: A row representing a single cluster in the Cloud Security Posture dashboard -:class: screenshot -::: - - -## FAQ (Frequently Asked Questions) [cloud-posture-dashboard-faq-kspm] - -::::{dropdown} When do newly-enrolled clusters appear on the dashboard? -It can take up to 10 minutes for deployment, resource fetching, evaluation, and data processing before a newly-enrolled cluster appears on the dashboard. - -:::: - - -::::{dropdown} When do unenrolled clusters disappear from the dashboard? -A cluster will disappear as soon as the KSPM integration fetches data while that cluster is not enrolled. The fetch process repeats every four hours, which means a newly unenrolled cluster can take a maximum of four hours to disappear from the dashboard. - -:::: diff --git a/raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash.md b/raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash.md deleted file mode 100644 index 037253a99d..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -navigation_title: "Cloud Security Posture" ---- - -# Cloud Security Posture dashboard [security-cloud-posture-dashboard-dash] - - -The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](../../../solutions/security/cloud/benchmarks.md) defined by the Center for Internet Security (CIS). To start collecting this data, refer to [Get started with Cloud Security Posture Management](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](../../../solutions/security/cloud/get-started-with-kspm.md). - -:::{image} ../../../images/serverless--dashboards-cloud-sec-dashboard.png -:alt: The cloud Security dashboard -:class: screenshot -::: - -The Cloud Security Posture dashboard shows: - -* Configuration risk metrics for all monitored cloud accounts and Kubernetes clusters -* Configuration risk metrics grouped by the applicable benchmark, for example, CIS GCP, CIS Azure, CIS Kubernetes, or CIS EKS -* Configuration risks grouped by CIS section (security guideline category) - - -## Cloud Security Posture dashboard UI [cloud-posture-dashboard-UI] - -At the top of the dashboard, you can switch between the Cloud accounts and Kubernetes cluster views. - -The top section of either view summarizes your overall cloud security posture (CSP) by aggregating data from all monitored resources. The summary cards on the left show the number of cloud accounts or clusters evaluated, and the number of resources evaluated. You can click **Enroll more accounts** or **Enroll more clusters** to deploy to additional cloud assets. Click **View all resources** to open the [Findings page](../../../solutions/security/cloud/findings-page.md). - -The remaining summary cards show your overall compliance score, and your compliance score for each CIS section. 
Click **View all failed findings** to view all failed findings, or click a CIS section name to view failed findings from only that section on the Findings page. - -Below the summary section, each row shows the CSP for a benchmark that applies to your monitored cloud resources. For example, if you are monitoring GCP and Azure cloud accounts, a row appears for CIS GCP and another appears for CIS Azure. Each row shows the CIS benchmark, the number of cloud accounts or Kubernetes clusters it applies to, its overall compliance score, and its compliance score grouped by CIS section. - -:::{image} ../../../images/serverless--dashboards-cloud-sec-dashboard-individual-row.png -:alt: A row representing a single cluster in the Cloud Security Posture dashboard -:class: screenshot -::: - - -## FAQ (Frequently Asked Questions) [cloud-posture-dashboard-faq] - -::::{dropdown} When do newly-enrolled clusters appear on the dashboard? -It can take up to 10 minutes for deployment, resource fetching, evaluation, and data processing before a newly-enrolled cluster appears on the dashboard. - -:::: - - -::::{dropdown} When do unenrolled clusters disappear from the dashboard? -A cluster will disappear as soon as the KSPM integration fetches data while that cluster is not enrolled. The fetch process repeats every four hours, which means a newly unenrolled cluster can take a maximum of four hours to disappear from the dashboard. - -:::: diff --git a/raw-migrated-files/docs-content/serverless/security-posture-management.md b/raw-migrated-files/docs-content/serverless/security-posture-management.md deleted file mode 100644 index 3f0f227a3d..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-posture-management.md +++ /dev/null 
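Review bot: the three deleted dashboard pages (`-dash-cspm`, `-dash-kspm`, `-dash`) are identical apart from their heading IDs (`cloud-posture-dashboard-UI-cspm`, `cloud-posture-dashboard-faq-kspm`, and so on), and the hunk on the consolidated `cloud-security-posture-dashboard.md` later in this patch shows no replacement anchors. Check that no inbound links target the suffixed IDs, or add them as `$$$…$$$` anchors on the kept page the way the Falco page does, otherwise those links break silently. The FAQ facts here (up to 10 minutes for a newly enrolled cluster to appear, a four-hour fetch interval for removal) should also survive on the kept page.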
@@ -1,43 +0,0 @@ -# Security posture management overview [security-posture-management] - - -## Overview [_overview] - -Elastic’s [Cloud Security Posture Management](../../../solutions/security/cloud/cloud-security-posture-management.md) (CSPM) and [Kubernetes Security Posture Management](../../../solutions/security/cloud/kubernetes-security-posture-management.md) (KSPM) features help you discover and evaluate the services and resources in your cloud environment — like storage, compute, IAM, and more — against security guidelines defined by the Center for Internet Security (CIS). They help you identify and remediate configuration risks that could undermine the confidentiality, integrity, and availability of your cloud assets, such as publicly exposed storage buckets or overly permissive networking objects. - -The KSPM feature assesses the security of your Kubernetes assets, while the CSPM feature assesses the security of your AWS resources such as storage, compute, IAM, and more. - - -## Getting started [security-posture-management-get-started] - -For setup instructions, refer to: - -* [Get started with KSPM](../../../solutions/security/cloud/get-started-with-kspm.md) -* [Get started with CSPM](../../../solutions/security/cloud/get-started-with-cspm-for-aws.md) - - -## Use cases [security-posture-use-cases] - -Using the data generated by these features, you can: - -**Identify and secure misconfigured infrastructure:** - -1. Find **Cloud Security Posture** in the navigation menu or use the global search field. -2. Click **View all failed findings**, either for an individual resource or a group of resources. -3. Click a failed finding to open the Findings flyout. -4. Follow the steps under Remediation to fix the misconfiguration. - -**Identify the CIS Sections (security best practice categories) with which your resources are least compliant:** - -1. Find **Cloud Security Posture** in the navigation menu or use the global search field. -2. 
Do one of the following: - - 1. Under Failed findings by CIS section, click the name of a CIS section to view all failed findings from that section. - 2. Go to the **Findings** page and filter by the `rule.section` field. For example, search for `rule.section : API Server` to view findings from the API Server category. - - -**Identify your least compliant cloud resources** - -1. Go to the **Findings** page. -2. Click the **Group by** menu near the search box, and select **Resource** to sort resources by their number of failed findings. -3. Click a resource ID to view associated findings. diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 210f249b1d..6d2484cc1a 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -203,10 +203,6 @@ toc: - file: docs-content/serverless/general-serverless-status.md - file: docs-content/serverless/general-sign-up-trial.md - file: docs-content/serverless/index-management.md - - file: docs-content/serverless/ingest-aws-securityhub-data.md - - file: docs-content/serverless/ingest-falco.md - - file: docs-content/serverless/ingest-third-party-cloud-security-data.md - - file: docs-content/serverless/ingest-wiz-data.md - file: docs-content/serverless/intro.md - file: docs-content/serverless/observability-ai-assistant.md - file: docs-content/serverless/observability-apm-get-started.md 
@@ -238,10 +234,6 @@ toc: - file: docs-content/serverless/security-cases-overview.md - file: docs-content/serverless/security-cases-requirements.md - file: docs-content/serverless/security-cases-settings.md - - file: docs-content/serverless/security-cloud-native-security-overview.md - - file: docs-content/serverless/security-cloud-posture-dashboard-dash-cspm.md - - file: docs-content/serverless/security-cloud-posture-dashboard-dash-kspm.md - - file: docs-content/serverless/security-cloud-posture-dashboard-dash.md - file: docs-content/serverless/security-configure-endpoint-integration-policy.md - file: docs-content/serverless/security-connect-to-azure-openai.md - file: docs-content/serverless/security-connect-to-bedrock.md @@ -276,7 +268,6 @@ toc: - file: docs-content/serverless/security-osquery-response-action.md - file: docs-content/serverless/security-overview-dashboard.md - file: docs-content/serverless/security-policies-page.md - - file: docs-content/serverless/security-posture-management.md - file: docs-content/serverless/security-prebuilt-rules-management.md - file: docs-content/serverless/security-query-alert-indices.md - file: docs-content/serverless/security-query-operating-systems.md diff --git a/solutions/security/cloud.md b/solutions/security/cloud.md index 146c6d9267..5db7b36b40 100644 --- a/solutions/security/cloud.md +++ b/solutions/security/cloud.md 
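Review bot: the first toc hunk drops four serverless ingest entries (`ingest-aws-securityhub-data.md`, `ingest-falco.md`, `ingest-third-party-cloud-security-data.md`, `ingest-wiz-data.md`) but only the `ingest-wiz-data.md` deletion is visible in this part of the patch; confirm the other three raw files are deleted in the same PR so the raw-migrated tree and `toc.yml` stay in sync. The second and third hunks match the four deletions shown above, so those are consistent.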
@@ -6,13 +6,6 @@ mapped_urls: # Cloud Security -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cloud-native-security-overview.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cloud-native-security-overview.md - Elastic Security for Cloud helps you improve your cloud security posture by comparing your cloud configuration to best practices, and scanning for vulnerabilities. It also helps you monitor and investigate your cloud workloads inside and outside Kubernetes. This page describes what each solution does and provides links to more information. @@ -39,13 +32,6 @@ Scans your cloud workloads for known vulnerabilities. When it finds a vulnerabil [Read the CNVM docs](/solutions/security/cloud/cloud-native-vulnerability-management.md). -## Cloud Workload Protection for Kubernetes [_cloud_workload_protection_for_kubernetes] - -Provides cloud-native runtime protections for containerized environments by identifying and (optionally) blocking unexpected system behavior in Kubernetes containers. These capabilities are sometimes referred to as container drift detection and prevention. The solution also captures detailed process and file telemetry from monitored containers, allowing you to set up custom alerts and protection rules. - -[Read the CWP for Kubernetes docs](/solutions/security/cloud/cloud-workload-protection-for-kubernetes.md). - - ## Cloud Workload Protection for VMs [_cloud_workload_protection_for_vms] Helps you monitor and protect your Linux VMs. It uses {{elastic-defend}} to instantly detect and prevent malicious behavior and malware, and captures workload telemetry data for process, file, and network activity. You can use this data with Elastic’s out-of-the-box detection rules and {{ml}} models. These detections generate alerts that quickly help you identify and remediate threats. 
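Review bot: removing the Cloud Workload Protection for Kubernetes section brings this overview in line with the deleted serverless overview, which never listed it, but the target page `/solutions/security/cloud/cloud-workload-protection-for-kubernetes.md` is not deleted anywhere in the visible patch. Either delete that page and its toc entry in the same change, or keep a one-line pointer here; as it stands the page becomes an orphan reachable only by search. The later commit that drops the last link to it from `elastic-security-ui.md` suggests removal is the intent.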
diff --git a/solutions/security/cloud/cloud-workload-protection-for-vms.md b/solutions/security/cloud/cloud-workload-protection-for-vms.md index c2f82b17b9..e41cecee8f 100644 --- a/solutions/security/cloud/cloud-workload-protection-for-vms.md +++ b/solutions/security/cloud/cloud-workload-protection-for-vms.md @@ -6,12 +6,6 @@ mapped_urls: # Cloud workload protection for VMs -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cloud-workload-protection.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cloud-workload-protection.md Cloud workload protection helps you monitor and protect your Linux VMs. It uses the [{{elastic-defend}}](/solutions/security/configure-elastic-defend/install-elastic-defend.md) integration to capture cloud workload telemetry containing process, file, and network activity. diff --git a/solutions/security/cloud/enable-cloud-security-features.md b/solutions/security/cloud/enable-cloud-security-features.md index 79f9948380..231b1f091a 100644 --- a/solutions/security/cloud/enable-cloud-security-features.md +++ b/solutions/security/cloud/enable-cloud-security-features.md @@ -1,12 +1,12 @@ --- mapped_pages: - https://www.elastic.co/guide/en/serverless/current/security-enable-cloudsec.html +applies_to: + serverless: all --- # Enable cloud security features in serverless [security-enable-cloudsec] -applies_to: - serverless: all To use cloud security features in your {{serverless-full}} project, you must have the `Cloud Protection Essentials` or `Cloud Protection Complete` options enabled for your project. diff --git a/solutions/security/cloud/ingest-aws-security-hub-data.md b/solutions/security/cloud/ingest-aws-security-hub-data.md index 920f72544a..55e28383d7 100644 --- a/solutions/security/cloud/ingest-aws-security-hub-data.md +++ b/solutions/security/cloud/ingest-aws-security-hub-data.md 
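Review bot: moving `applies_to:` / `serverless: all` above the closing `---` in `enable-cloud-security-features.md` is the right fix; sitting below the H1 it was body text and would have rendered literally rather than acting as a directive. Since this came from the migration, it is worth grepping the other migrated pages for an `applies_to:` that appears after the frontmatter and fixing them in the same pass.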
@@ -6,13 +6,6 @@ mapped_urls: # Ingest AWS Security Hub data -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/ingest-aws-securityhub-data.md -% - [ ] ./raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md - In order to enrich your {{elastic-sec}} workflows with third-party cloud security posture data collected by AWS Security Hub: * Follow the steps to [set up the AWS Security Hub integration](https://docs.elastic.co/en/integrations/aws/securityhub). diff --git a/solutions/security/cloud/ingest-cncf-falco-data.md b/solutions/security/cloud/ingest-cncf-falco-data.md index 396cd27eda..f5c3577afe 100644 --- a/solutions/security/cloud/ingest-cncf-falco-data.md +++ b/solutions/security/cloud/ingest-cncf-falco-data.md @@ -6,19 +6,6 @@ mapped_urls: # Ingest CNCF Falco data -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/ingest-falco.md -% - [ ] ./raw-migrated-files/docs-content/serverless/ingest-falco.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$ingest-falco-setup-falco-kubernetes$$$ - -$$$ingest-falco-setup-falco-vm$$$ - CNCF Falco is an open-source runtime security tool that detects anomalous activity in Linux hosts, containers, Kubernetes, and cloud environments. You can ingest Falco alerts into {{es}} to view them on {{elastic-sec}}'s Alerts page and incorporate them into your security workflows by using Falcosidekick, a proxy forwarder which can send alerts from your Falco deployments to {{es}}. First, you’ll need to configure {{elastic-sec}} to receive data from Falco, then you’ll need to configure Falco and Falcosidekick to send data to {{es}}. 
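Review bot: the Falco hunk deletes the `$$$ingest-falco-setup-falco-kubernetes$$$` and `$$$ingest-falco-setup-falco-vm$$$` anchors together with the migration comment stating that internal links rely on those IDs being on this page. Unless the VM and Kubernetes setup headings further down already carry those IDs, the cross-references now resolve to nothing; keep the two `$$$…$$$` lines next to the relevant headings, or update the referring links in the same change.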
@@ -79,9 +66,9 @@ Multiple methods for configuring Falco to send data from VMs to {{es}} are avail 1. `ELASTICSEARCH_HOSTPORT`: Your {{es}} endpoint URL, which can be found under **Connection details** on the upper right of the **Integrations** page in {{kib}}. 2. `ELASTICSEARCH_INDEX`: The {{es}} index where you want to store Falco logs. - ::::{important} - Your `ELASTICSEARCH_INDEX` value must match `logs-falco.alerts-*`. - :::: + ::::{important} + Your `ELASTICSEARCH_INDEX` value must match `logs-falco.alerts-*`. + :::: 3. `ELASTICSEARCH_SUFFIX`: The frequency with which you want the {{es}} index suffix to change. Either `daily`, `monthly`, `annually`, or `none`. 4. `ELASTICSEARCH_APIKEY`: The recommended way to authenticate to {{es}}, by providing an [API key](/deploy-manage/api-keys/elasticsearch-api-keys.md). Note that support for this environment variable starts with Falcosidekick version 2.30. You can access the latest version on Falcosidekick’s [Docker Hub](https://hub.docker.com/r/falcosecurity/falcosidekick). @@ -113,7 +100,7 @@ After installing and configuring Falcosidekick, restart Falco with `sudo systemc 1. Add the Falco [Helm charts](https://github.com/falcosecurity/charts/blob/master/README.md): - ``` + ```bash helm repo add falcosecurity https://falcosecurity.github.io/charts helm repo update ``` diff --git a/solutions/security/cloud/ingest-third-party-cloud-security-data.md b/solutions/security/cloud/ingest-third-party-cloud-security-data.md index d1ef4a311d..ad66d2d690 100644 --- a/solutions/security/cloud/ingest-third-party-cloud-security-data.md +++ b/solutions/security/cloud/ingest-third-party-cloud-security-data.md 
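Review bot: indenting the `::::{important}` block to the width of the list item is what nests the admonition under step 2 instead of terminating the numbered list, so this whitespace-only change is correct, and the `logs-falco.alerts-*` requirement it carries stays readable in place. Tagging the Helm fence as `bash` is fine; if any other fences in this file are still untagged, tag them in the same pass for consistent rendering.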
@@ -6,13 +6,6 @@ mapped_urls: # Ingest third-party cloud security data -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/ingest-third-party-cloud-security-data.md -% - [ ] ./raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md - This section describes how to ingest cloud security data from third-party tools into {{es}}. Once ingested, this data can provide additional context and enrich your {{elastic-sec}} workflows. You can ingest both third-party cloud workload protection data and third-party security posture and vulnerability data. diff --git a/solutions/security/cloud/ingest-wiz-data.md b/solutions/security/cloud/ingest-wiz-data.md index 749964ed21..835bdd185f 100644 --- a/solutions/security/cloud/ingest-wiz-data.md +++ b/solutions/security/cloud/ingest-wiz-data.md @@ -6,13 +6,6 @@ mapped_urls: # Ingest Wiz data -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/ingest-wiz-data.md -% - [ ] ./raw-migrated-files/docs-content/serverless/ingest-wiz-data.md - In order to enrich your {{elastic-sec}} workflows with third-party cloud security posture and vulnerability data collected by Wiz: * Follow the steps to [set up the Wiz integration](https://docs.elastic.co/en/integrations/wiz). diff --git a/solutions/security/cloud/security-posture-management-overview.md b/solutions/security/cloud/security-posture-management-overview.md index 0e3b770074..c674735bbc 100644 --- a/solutions/security/cloud/security-posture-management-overview.md +++ b/solutions/security/cloud/security-posture-management-overview.md 
@@ -6,14 +6,6 @@ mapped_urls: # Security posture management overview -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/security-posture-management.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-posture-management.md - - ## Overview [_overview] Elastic’s [Cloud Security Posture Management](/solutions/security/cloud/cloud-security-posture-management.md) (CSPM) and [Kubernetes Security Posture Management](/solutions/security/cloud/kubernetes-security-posture-management.md) (KSPM) features help you discover and evaluate the services and resources in your cloud environment — like storage, compute, IAM, and more — against security guidelines defined by the Center for Internet Security (CIS). They help you identify and remediate configuration risks that could undermine the confidentiality, integrity, and availability of your cloud assets, such as publicly exposed storage buckets or overly permissive networking objects. diff --git a/solutions/security/dashboards/cloud-security-posture-dashboard.md b/solutions/security/dashboards/cloud-security-posture-dashboard.md index 59712f5f1f..20314d3057 100644 --- a/solutions/security/dashboards/cloud-security-posture-dashboard.md +++ b/solutions/security/dashboards/cloud-security-posture-dashboard.md 
@@ -6,13 +6,6 @@ mapped_urls: # Cloud Security Posture dashboard -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/cloud-posture-dashboard.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-cloud-posture-dashboard-dash.md - The Cloud Security Posture dashboard summarizes your cloud infrastructure’s overall performance against [security guidelines](/solutions/security/cloud/benchmarks.md) defined by the Center for Internet Security (CIS). To start collecting this data, refer to [Get started with Cloud Security Posture Management](/solutions/security/cloud/get-started-with-cspm-for-aws.md) or [Get started with Kubernetes Security Posture Management](/solutions/security/cloud/get-started-with-kspm.md). :::{image} ../../../images/security-cloud-sec-dashboard.png From a608d1541e523fb57730a1508abb9c2f5e193351 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Wed, 26 Feb 2025 21:45:30 -0800 Subject: [PATCH 09/11] removes final ref to cwp for kubernetes page --- solutions/security/get-started/elastic-security-ui.md | 1 - 1 file changed, 1 deletion(-) diff --git a/solutions/security/get-started/elastic-security-ui.md b/solutions/security/get-started/elastic-security-ui.md index aa37ac5343..e54948f4f4 100644 --- a/solutions/security/get-started/elastic-security-ui.md +++ b/solutions/security/get-started/elastic-security-ui.md 
@@ -238,7 +238,6 @@ Expand this section to access and manage additional security features: * [**Host isolation exceptions**](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md): View and manage host isolation exceptions, which specify IP addresses that can communicate with your hosts even when those hosts are blocked from your network. * [**Blocklist**](/solutions/security/manage-elastic-defend/blocklist.md): View and manage the blocklist, which allows you to prevent specified applications from running on hosts, extending the list of processes that {{elastic-defend}} considers malicious. * [**Response actions history**](/solutions/security/endpoint-response-actions/response-actions-history.md): Find the history of response actions performed on hosts. -* [**Container Workload Protection**](/solutions/security/cloud/cloud-workload-protection-for-kubernetes.md): Identify and block unexpected system behavior in Kubernetes containers. :::{image} ../../../images/security-manage-pg.png :alt: Manage page From 35bea7efd2f508d0267d97e6fbd044f4c9251fe4 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Wed, 5 Mar 2025 09:36:21 -0800 Subject: [PATCH 10/11] Update solutions/security/cloud/enable-cloud-security-features.md Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- solutions/security/cloud/enable-cloud-security-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/cloud/enable-cloud-security-features.md b/solutions/security/cloud/enable-cloud-security-features.md index 231b1f091a..4856e31b22 100644 --- a/solutions/security/cloud/enable-cloud-security-features.md +++ b/solutions/security/cloud/enable-cloud-security-features.md 
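Review bot: dropping the Container Workload Protection bullet from the Manage page list is consistent with the overview change, but the `:::{image} ../../../images/security-manage-pg.png` directive that follows in context means the Manage page screenshot most likely still shows the removed entry; re-capture it, or note in the PR that the image is updated separately.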
@@ -5,7 +5,7 @@ applies_to: serverless: all --- -# Enable cloud security features in serverless [security-enable-cloudsec] +# Enable cloud security features in {{serverless-short}} [security-enable-cloudsec] To use cloud security features in your {{serverless-full}} project, you must have the `Cloud Protection Essentials` or `Cloud Protection Complete` options enabled for your project. From d02c314fd8d02706017a6922e0ba980f780dc41d Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Wed, 5 Mar 2025 10:50:37 -0800 Subject: [PATCH 11/11] fixes build error and removes extra file --- .vscode/settings.json | 2 - ...curity-interactive-investigation-guides.md | 124 ------------------ .../security-llm-connector-guides.md | 18 --- .../security-llm-performance-matrix.md | 37 ------ .../serverless/security-overview-dashboard.md | 64 --------- 5 files changed, 245 deletions(-) delete mode 100644 .vscode/settings.json delete mode 100644 raw-migrated-files/docs-content/serverless/security-interactive-investigation-guides.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-llm-connector-guides.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-llm-performance-matrix.md delete mode 100644 raw-migrated-files/docs-content/serverless/security-overview-dashboard.md diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index 7a73a41bfd..0000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,2 +0,0 @@ -{ -} \ No newline at end of file diff --git a/raw-migrated-files/docs-content/serverless/security-interactive-investigation-guides.md b/raw-migrated-files/docs-content/serverless/security-interactive-investigation-guides.md deleted file mode 100644 index 9c5dd34a4e..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-interactive-investigation-guides.md +++ /dev/null 
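Review bot: the heading now uses `{{serverless-short}}` while the sentence right below it keeps `{{serverless-full}}`; that split (short form in headings, full form in body) is reasonable, but confirm `{{serverless-short}}` is a defined substitution in this docset, because an undefined variable renders literally inside the page title. The explicit anchor `[security-enable-cloudsec]` is unchanged, so existing links keep working.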
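Review bot: deleting the empty `.vscode/settings.json` (just `{` `}` with no trailing newline) is the right call for a shared docs repository, but nothing stops an editor from recreating it on the next commit; add `.vscode/` to `.gitignore` in the same change so it stays out for good.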
@@ -1,124 +0,0 @@ -# Launch Timeline from investigation guides [security-interactive-investigation-guides] - -Detection rule investigation guides suggest steps for triaging, analyzing, and responding to potential security issues. For custom rules, you can create an interactive investigation guide that includes buttons for launching runtime queries in [Timeline](../../../solutions/security/investigate/timeline.md), using alert data and hard-coded literal values. This allows you to start detailed Timeline investigations directly from an alert using relevant data. - -:::{image} ../../../images/serverless--detections-ig-alert-flyout.png -:alt: Alert details flyout with interactive investigation guide -:class: screenshot -::: - -Under the Investigation section, click **Show investigation guide** to open the **Investigation** tab in the left panel of the alert details flyout. - -:::{image} ../../../images/serverless--detections-ig-alert-flyout-invest-tab.png -:alt: Alert details flyout with interactive investigation guide -:class: screenshot -::: - -The **Investigation** tab displays query buttons, and each query button displays the number of event documents found. Click the query button to automatically load the query in Timeline, based on configuration settings in the investigation guide. - -:::{image} ../../../images/serverless--detections-ig-timeline.png -:alt: Timeline with query pre-loaded from investigation guide action -:class: screenshot -::: - - -## Add investigation guide actions to a rule [add-ig-actions-rule] - -::::{note} -You can only create interactive investigation guides with custom rules because Elastic prebuilt rules can’t be edited. However, you can duplicate a prebuilt rule, then configure the investigation guide for the duplicated rule. 
- -:::: - - -You can configure an interactive investigation guide when you [create a new rule](../../../solutions/security/detect-and-alert/create-detection-rule.md) or [edit an existing rule](../../../solutions/security/detect-and-alert/manage-detection-rules.md#edit-rules-settings). - -1. When configuring the rule’s settings (the **About rule** step for a new rule, or the **About*** tab for an existing rule), expand the ***Advanced settings**, then scroll down to the **Investigation guide** Markdown editor. - - :::{image} ../../../images/serverless--detections-ig-investigation-guide-editor.png - :alt: Investigation guide editor field - :class: screenshot - ::: - -2. Place the editor cursor where you want to add the query button in the investigation guide, then select the Investigate icon in the toolbar. The **Add investigation query** builder form appears. - - ![Add investigation guide UI](../../../images/serverless--detections-ig-investigation-query-builder.png "") - -3. Complete the query builder form to create an investigation query: - - 1. **Label**: Enter the text to appear on the query button. - 2. **Description**: (Optional) Enter additional text to include with the button. - 3. **Filters**: Select fields, operators, and values to build the query. Click **OR** or **AND** to create multiple filters and define their relationships. - - To use a field value from the alert as a query parameter, enter the field name surrounded by double curly brackets — such as `{{kibana.alert.example}}` — as a custom option for the filter value. - - ![Add investigation guide UI](../../../images/serverless--detections-ig-filters-field-custom-value.png "") - - 4. **Relative time range**: (Optional) Select a time range to limit the query, relative to the alert’s creation time. - -4. Click **Save changes**. The syntax is added to the investigation guide editor. 
- - ::::{note} - If you need to change the query button’s configuration, you can either edit the syntax directly in the editor (refer to the [syntax reference](../../../solutions/security/detect-and-alert/launch-timeline-from-investigation-guides.md#query-button-syntax) below), or delete the syntax and use the query builder form to recreate the query. - - :::: - -5. Save and enable the rule. - - -### Query button syntax [query-button-syntax] - -The following syntax defines a query button in an interactive investigation guide. - -| Field | Description | -| --- | --- | -| `!{investigate{ }}` | The container object holding all the query button’s configuration attributes. | -| `label` | Identifying text on the button. | -| `description` | Additional text included with the button. | -| `providers` | A two-level nested array that defines the query to run in Timeline. Similar to the structure of queries in Timeline, items in the outer level are joined by an `OR` relationship, and items in the inner level are joined by an `AND` relationship.

Each item in `providers` corresponds to a filter created in the query builder UI and is defined by these attributes:

* `field`: The name of the field to query.
* `excluded`: Whether the query result is excluded (such as **is not one of**) or included (*is one of*).
* `queryType`: The query type used to filter events, based on the filter’s operator. For example, `phrase` or `range`.
* `value`: The value to search for. Either a hard-coded literal value, or the name of an alert field (in double curly brackets) whose value you want to use as a query parameter.
* `valueType`: The data type of `value`, such as `string` or `boolean`.
| -| `relativeFrom`, `relativeTo` | (Optional) The start and end, respectively, of the relative time range for the query. Times are relative to the alert’s creation time, represented as `now` in [date math](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/rest-apis/common-options.md#date-math) format. For example, selecting **Last 15 minutes** in the query builder form creates the syntax `"relativeFrom": "now-15m", "relativeTo": "now"`. | - -::::{note} -Some characters must be escaped with a backslash, such as `\"` for a quotation mark and `\\` for a literal backslash. Divide Windows paths with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider. A clickable error icon (![Error](../../../images/serverless-error.svg "")) displays below the Markdown editor if there are any syntax errors. - -:::: - - - -### Example syntax [security-interactive-investigation-guides-example-syntax] - -```json -!{investigate{ - "label": "Test action", - "description": "Click to investigate.", - "providers": [ - [ - {"field": "event.id", "excluded": false, "queryType": "phrase", "value": "{{event.id}}", "valueType": "string"} - ], - [ - {"field": "event.action", "excluded": false, "queryType": "phrase", "value": "rename", "valueType": "string"}, - {"field": "process.pid", "excluded": false, "queryType": "phrase", "value": "{{process.pid}}", "valueType": "string"} - ] - ], - "relativeFrom": "now-15m", - "relativeTo": "now" -}} -``` - -This example creates the following Timeline query, as illustrated below: - -`(event.id : )` `OR (event.action : "rename" AND process.pid : )` - -:::{image} ../../../images/serverless--detections-ig-timeline-query.png -:alt: Timeline query -:class: screenshot -::: - - -### Timeline template fields [security-interactive-investigation-guides-timeline-template-fields] - -When viewing an interactive investigation guide in contexts 
unconnected to a specific alert (such a rule’s details page), queries open as [Timeline templates](../../../solutions/security/investigate/timeline-templates.md), and `parameter` fields are treated as Timeline template fields. - -:::{image} ../../../images/serverless--detections-ig-timeline-template-fields.png -:alt: Timeline template -:class: screenshot -::: diff --git a/raw-migrated-files/docs-content/serverless/security-llm-connector-guides.md b/raw-migrated-files/docs-content/serverless/security-llm-connector-guides.md deleted file mode 100644 index 244fdb4b0e..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-llm-connector-guides.md +++ /dev/null @@ -1,18 +0,0 @@ -# LLM connector guides [security-llm-connector-guides] - -This section contains instructions for setting up connectors for LLMs so you can use [Elastic AI Assistant](../../../solutions/security/ai/ai-assistant.md) and [Attack discovery](../../../solutions/security/ai/attack-discovery.md). - -Setup guides are available for the following LLM providers: - -* [Azure OpenAI](../../../solutions/security/ai/connect-to-azure-openai.md) -* [Amazon Bedrock](../../../solutions/security/ai/connect-to-amazon-bedrock.md) -* [OpenAI](../../../solutions/security/ai/connect-to-openai.md) -* [Google Vertex](../../../solutions/security/ai/connect-to-google-vertex.md) -* [LM Studio (custom local LLM)](../../../solutions/security/ai/connect-to-own-local-llm.md) - - - - - - - diff --git a/raw-migrated-files/docs-content/serverless/security-llm-performance-matrix.md b/raw-migrated-files/docs-content/serverless/security-llm-performance-matrix.md deleted file mode 100644 index 5783fe053f..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-llm-performance-matrix.md +++ /dev/null 
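Review bot: the `providers` row of the syntax table (`| \`providers\` | A two-level nested array ...`) carries literal line breaks and a bullet list inside a single table cell, which is very likely the build error the commit message refers to; if this content has been migrated to `solutions/security/detect-and-alert/launch-timeline-from-investigation-guides.md` (the page this file itself links to via `#query-button-syntax`), make sure the migrated copy moves the per-item attribute list (`field`, `excluded`, `queryType`, `value`, `valueType`) out of the table row or collapses it to a single-line cell, and that the escaping note (`\"`, `\\`, and four backslashes for already-escaped Windows paths) and the `!{investigate{ ... }}` JSON example survived, since those are the parts a user needs to get a query button to validate.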
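Review bot: the deleted connector-guide list is followed only by trailing blank lines, so nothing beyond the list itself is lost; just confirm the destination page under `solutions/security/ai/` still links the same five setup guides (Azure OpenAI, Amazon Bedrock, OpenAI, Google Vertex, LM Studio) before the raw copy goes.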
@@ -1,37 +0,0 @@ -# Large language model performance matrix [security-llm-performance-matrix] - -This page describes the performance of various large language models (LLMs) for different use cases in {{elastic-sec}}, based on our internal testing. To learn more about these use cases, refer to [Attack discovery](../../../solutions/security/ai/attack-discovery.md) or [AI Assistant](../../../solutions/security/ai/ai-assistant.md). - -::::{note} -`Excellent` is the best rating, followed by `Great`, then by `Good`, and finally by `Poor`. -:::: - - - -## Proprietary models [_proprietary_models] - -Models from third-party LLM providers. - -| **Feature** | | **Assistant - General** | **Assistant - {{esql}} generation** | **Assistant - Alert questions** | **Assistant - Knowledge retrieval** | **Attack Discovery** | -| --- | --- | --- | --- | --- | --- | --- | -| **Model** | **Claude 3: Opus** | Excellent | Excellent | Excellent | Good | Great | -| | **Claude 3.5: Sonnet v2** | Excellent | Excellent | Excellent | Excellent | Great | -| | **Claude 3.5: Sonnet** | Excellent | Excellent | Excellent | Excellent | Excellent | -| | **Claude 3.5: Haiku** | Excellent | Excellent | Excellent | Excellent | Poor | -| | **Claude 3: Haiku** | Excellent | Excellent | Excellent | Excellent | Poor | -| | **GPT-4o** | Excellent | Excellent | Excellent | Excellent | Great | -| | **GPT-4o-mini** | Excellent | Great | Great | Great | Poor | -| | **Gemini 1.5 Pro 002** | Excellent | Excellent | Excellent | Excellent | Excellent | -| | **Gemini 1.5 Flash 002** | Excellent | Poor | Good | Excellent | Poor | - - -## Open-source models [_open_source_models] - -Models you can [deploy yourself](../../../solutions/security/ai/connect-to-own-local-llm.md). 
- -| **Feature** | | **Assistant - General** | **Assistant - {{esql}} generation** | **Assistant - Alert questions** | **Assistant - Knowledge retrieval** | **Attack Discovery** | -| --- | --- | --- | --- | --- | --- | --- | -| **Model** | **Mistral Nemo** | Good | Good | Great | Good | Poor | -| | **LLama 3.2** | Good | Poor | Good | Poor | Poor | -| | **LLama 3.1 405b** | Good | Great | Good | Good | Poor | -| | **LLama 3.1 70b** | Good | Good | Poor | Poor | Poor | diff --git a/raw-migrated-files/docs-content/serverless/security-overview-dashboard.md b/raw-migrated-files/docs-content/serverless/security-overview-dashboard.md deleted file mode 100644 index 82e4710988..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-overview-dashboard.md +++ /dev/null 
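Review bot: if the rating tables are carried into the destination page rather than dropped, fix the model names `LLama 3.2`, `LLama 3.1 405b` and `LLama 3.1 70b` to `Llama` there, and keep the note that defines the rating order (`Excellent`, then `Great`, `Good`, `Poor`) next to the tables, because the cell values are meaningless without it. The empty second header cell (`| **Feature** | |`) also renders as a blank column header; labelling it **Model** and dropping the repeated **Model** row label in the first column would be cleaner.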
@@ -1,64 +0,0 @@ ---- -navigation_title: "Overview" ---- - -# Overview dashboard [security-overview-dashboard] - - -The Overview dashboard provides a high-level snapshot of alerts and events. It helps you assess overall system health and find anomalies that may require further investigation. - -:::{image} ../../../images/serverless--dashboards-overview-pg.png -:alt: Overview dashboard -:class: screenshot -::: - - -## Live feed [security-overview-dashboard-live-feed] - -The live feed on the Overview dashboard helps you quickly access recently created cases, favorited Timelines, and the latest {{elastic-sec}} news. - -::::{tip} -The **Security news** section provides the latest {{elastic-sec}} news to help you stay informed of new developments, learn about {{elastic-sec}} features, and more. - -:::: - - -:::{image} ../../../images/serverless--dashboards-live-feed-ov-page.png -:alt: Overview dashboard with live feed section highlighted -:class: screenshot -::: - - -## Histograms [security-overview-dashboard-histograms] - -Time-based histograms show the number of detections, alerts, and events that have occurred within the selected time range. To focus on a particular time, click and drag to select a time range, or choose a preset value. The **Stack by** menu lets you select which field is used to organize the data. For example, in the Alert trend histogram, stack by `kibana.alert.rule.name` to display alert counts by rule name within the specified time frame. - -Hover over histograms, graphs, and tables to display an **Inspect** button (![Inspect](../../../images/serverless-inspect.svg "")) or options menu (![More actions](../../../images/serverless-boxesHorizontal.svg "")). Click to inspect the visualization’s {{es}} queries, add it to a new or existing case, or open it in Lens for customization. 
- - -## Host and network events [security-overview-dashboard-host-and-network-events] - -View event and host counts grouped by data source, such as **Auditbeat** or **{{elastic-defend}}**. Expand a category to view specific counts of host or network events from the selected source. - -:::{image} ../../../images/serverless--getting-started-events-count.png -:alt: Host and network events on the Overview dashboard -:class: screenshot -::: - - -## Threat Intelligence [security-overview-dashboard-threat-intelligence] - -The Threat Intelligence view on the Overview dashboard provides streamlined threat intelligence data for threat detection and matching. - -The view shows the total number of ingested threat indicators, enabled threat intelligence sources, and ingested threat indicators per source. To learn more about the ingested indicator data, click **View indicators**. - -::::{note} -For more information about connecting to threat intelligence sources, visit [Enable threat intelligence integrations](../../../solutions/security/get-started/enable-threat-intelligence-integrations.md). - -:::: - - -:::{image} ../../../images/getting-started-threat-intelligence-view.png -:alt: Threat Intelligence view on the Overview dashboard -:class: screenshot -:::
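Review bot: this deletion removes references to `serverless--dashboards-overview-pg.png`, `serverless--dashboards-live-feed-ov-page.png`, `serverless--getting-started-events-count.png` and `getting-started-threat-intelligence-view.png`; if the migrated Overview dashboard page does not reference these images, remove them in the same change so the repository does not keep orphaned screenshots, and confirm the Threat Intelligence cross-link to `enable-threat-intelligence-integrations.md` was preserved in the migrated page.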