[DOCS] Risk score enhancements #2580
|
Documentation previews: |
|
Thanks for writing the doc! This is super helpful! As in Kibana UI, we always point users to this page including the cases of installation / upgrade error. Could we still include some brief intro to troubleshooting for installation / upgrade and no data scenario and refer them to the relevant page?
|
Hi @jmikell821 we have validated these shared preview links and found one issue; apart from that, all doc details are complete and good to go. Build Details: Issue: #2585
|
@jmikell821, thanks so much for the update, please apply the change above to user risk score as well. Could we also include this topic installation / upgrade error message and manually delete the module in this page? As we point users to this page if an error occurs during their installation / upgrade process.
stephmilovic
left a comment
LGTM, thank you for your attention to detail!
ajosh0504
left a comment
Thank you @jmikell821 for getting this done- lots has changed this time!
Left some comments/questions on the host risk score doc. The same applies to user risk score.
| NOTE: To enable the host risk score feature, you must have alerts in your environment. If you previously enabled host risk score and are upgrading the {stack} to 8.5 or newer, refer to <<upgrade-host-risk-score>> in this topic. | ||
|
|
||
| To deploy the host risk score framework in your environment: | ||
| You can enable host risk score from the following places in the {security-app}: |
@angorayc @SourinPaul Do we want to have multiple places for users to enable host risk score? I was under the impression that we were switching over to only enabling via the centralized EA page starting 8.6.
We share the same UI of enabling / upgrading across all the pages, so it's true that in 8.5 users can enable risk score from multiple pages.
| * The *Host risk* tab on the Hosts page | ||
| * The *Host risk* tab on a host's details page | ||
|
|
||
| Or, in {kib}, you can enable host risk score in Console. |
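Review bot: The sentence "Or, in {kib}, you can enable host risk score in Console." starts with "Or" directly after a bulleted list and does not tell the reader where Console is or which steps follow. Consider rewording it as a full alternative ("Alternatively, you can enable host risk score from Console in {kib}") and linking it to the Console procedure, so that readers who reach this page after a failed in-app enablement can find the fallback path.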
@angorayc @SourinPaul Do we still want to point users to the Dev Tools installation?
@ajosh0504 Only keep this as a reference in the documentation for 8.5. If I recall, @angorayc's suggestion was to retain this as a backup mechanism given the dashboard enablement is just introduced and we don't have any data from real-life enablement.
I think there is no harm in retaining it unless we are confident of the onboarding process and then remove it from the documentation as well.
I remember in our previous discussion that we wanted to keep enable via dev tools in the doc, but I totally agree if we want to remove it in the future.
|
|
||
| After this is done, you can proceed with upgrading the host risk score feature from any of the following places in the {security-app}: | ||
|
|
||
| * The Entity Analytics dashboard |
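Review bot: "After this is done" at the start of the upgrade sentence has no explicit antecedent in the lines shown, so a reader who jumps to this step cannot tell which prerequisite must be complete. Name the preceding step in the sentence itself, and make sure the list introduced by "any of the following places" matches the locations from which the upgrade can be started in this release.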
@angorayc @SourinPaul Same question as above- do we want upgrades to happen from multiple places?
I think @machadoum has already removed the ability to enable risk scores from the Host/ User pages https://github.com/elastic/security-team/issues/5093#issuecomment-1274544910. Maybe the change has not been incorporated in the docs yet. @machadoum @ferenrigue please confirm.
If I understand it correctly, the issue above is to remove the callout banner, so users are still able to enable / upgrade risk score from multiple pages in 8.5.
|
@elasticmachine run elasticsearch-ci/docs |
joepeeples
left a comment
Looks good, just added a few small edits and fixed the URL for Platinum subscription
benironside
left a comment
This looks good. I left some suggestions for your consideration mostly on the Hosts version, not the Users version. If you decide to incorporate them, many of them apply in both places. We might want to consider getting a histogram screenshot for the Host risk scores page that has more data in it — the one bar in the histogram is pretty minimal.
| "count": 1, | ||
| "transforms": [ | ||
| { | ||
| "id": "ml_hostriskscore_pivot_transform_default", |
* Edits to host risk score enhancements. Will do user risk score in a second commit.
* Added several edits to host/user risk score docs.
* Edits to console commands.
* Merging feedback.
* Slight feedback commit.

(cherry picked from commit 5cc3284)

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>




Resolves part of #2477
Resolves #2585
Previews: