diff --git a/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc b/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc index 9cbc09753b..0e88474fb4 100644 --- a/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc +++ b/docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc @@ -10,8 +10,9 @@ Advanced Entity Analytics provides two key capabilities: include::entity-risk-scoring.asciidoc[leveloffset=+1] include::ers-req.asciidoc[leveloffset=+2] -include::asset-criticality.asciidoc[leveloffset=+2] include::turn-on-risk-engine.asciidoc[leveloffset=+2] +include::asset-criticality.asciidoc[leveloffset=+2] +include::entity-store.asciidoc[leveloffset=+2] include::analyze-risk-score-data.asciidoc[leveloffset=+2] include::advanced-behavioral-detections.asciidoc[leveloffset=+1] include::ml-req.asciidoc[leveloffset=+2] diff --git a/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc b/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc index 97ba3a4c41..33418d4403 100644 --- a/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc +++ b/docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc @@ -18,6 +18,8 @@ TIP: We recommend that you prioritize <> to iden From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page. +If you have enabled the <>, the dashboard also displays the <>, where you can view all hosts and users along with their risk and asset criticality data. + [role="screenshot"] image::dashboards/images/entity-dashboard.png[Entity Analytics dashboard] diff --git a/docs/advanced-entity-analytics/asset-criticality.asciidoc b/docs/advanced-entity-analytics/asset-criticality.asciidoc index 55437a3c56..d4f522685f 100644 --- a/docs/advanced-entity-analytics/asset-criticality.asciidoc +++ b/docs/advanced-entity-analytics/asset-criticality.asciidoc @@ -4,7 +4,7 @@ .Requirements [sidebar] -- -To view and assign asset criticality, you must have the appropriate user role. For more information, refer to <>. +To view and assign asset criticality, you must have the appropriate user role. For more information, refer to <>. -- The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. @@ -44,6 +44,11 @@ image::images/assign-asset-criticality-host-flyout.png[Assign asset criticality [role="screenshot"] image::images/assign-asset-criticality-timeline.png[Assign asset criticality from the host details flyout in Timeline] +If you have enabled the <>, you can also view asset criticality assignments in the <> of the Entity Analytics dashboard: + +[role="screenshot"] +image::dashboards/images/entities-section.png[Entities section] + [discrete] [[bulk-assign-asset-criticality]] === Bulk assign asset criticality diff --git a/docs/advanced-entity-analytics/entity-store.asciidoc b/docs/advanced-entity-analytics/entity-store.asciidoc new file mode 100644 index 0000000000..8505c0f88f --- /dev/null +++ b/docs/advanced-entity-analytics/entity-store.asciidoc @@ -0,0 +1,53 @@ +[[entity-store]] += Entity store + +preview::[] + +.Requirements +[sidebar] +-- +To use the entity store, you must have the appropriate privileges. For more information, refer to <>. +-- + +The entity store allows you to query, reconcile, maintain, and persist entity metadata such as: + +* Ingested log data +* Data from integrated identity providers (such as Active Directory, EntraID, and Okta) +* Data from internal and external alerts +* External asset repository data +* Asset criticality data +* Entity risk score data + +The entity store can hold any entity type observed by {elastic-sec}. It allows you to view and query select entities represented in your indices without needing to perform real-time searches of observable data. The entity store extracts entities from all indices in the {elastic-sec} <>. + +When the entity store is enabled, the following resources are generated for each entity type (hosts and users): + +* {es} resources, such as transforms, ingest pipelines, and enrich policies. +* Data and fields for each entity. +* The `.entities.v1.latest.security_user_` and `.entities.v1.latest.security_host_` indices, which contain field mappings for hosts and users respectively. You can query these indices to see a list of fields that are mapped in the entity store. + +[discrete] +[[enable-entity-store]] +== Enable entity store + +To enable the entity store: + +. Find **Entity Store** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. On the **Entity Store** page, turn the toggle on. + +Once you enable the entity store, the Entity Analytics dashboard displays the <> section. + +[discrete] +[[clear-entity-store]] +== Clear entity store data + +Once the entity store is enabled, you may want to clear the stored data and start fresh. For example, if you normalized the `user.name` or `host.name` fields, clearing the entity store data would allow you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis. + +Clearing entity store data does not delete your source data, assigned entity risk scores, or asset criticality assignments. + +CAUTION: Clearing entity store data permanently deletes persisted user and host records, and data is no longer available for analysis. Proceed with caution, as this cannot be undone. + +To clear entity data: + +. Find **Entity Store** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. On the **Entity Store** page, select **Clear**. \ No newline at end of file diff --git a/docs/advanced-entity-analytics/ers-req.asciidoc b/docs/advanced-entity-analytics/ers-req.asciidoc index 35f0a0a588..1b3e37d67a 100644 --- a/docs/advanced-entity-analytics/ers-req.asciidoc +++ b/docs/advanced-entity-analytics/ers-req.asciidoc @@ -1,9 +1,9 @@ [[ers-requirements]] = Entity risk scoring requirements -To use entity risk scoring and asset criticality, your role must have certain cluster, index, and {kib} privileges. These features require a https://www.elastic.co/pricing[Platinum subscription] or higher. +To use entity risk scoring, asset criticality, and entity store, your role must have certain cluster, index, and {kib} privileges. These features require a https://www.elastic.co/pricing[Platinum subscription] or higher. -This page covers the requirements and guidelines for using the entity risk scoring and asset criticality features, as well as their known limitations. +This page covers the requirements and guidelines for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations. [discrete] == Entity risk scoring @@ -65,4 +65,33 @@ To use asset criticality, you need the following privileges for the `.asset-crit | Unassign asset criticality | `delete` +|============================================== + +[discrete] +== Entity store + +[discrete] +=== Privileges + +To use the entity store, you need the following privileges: + +[discrete] +[width="100%",options="header"] +|============================================== + +| Cluster | Index | {kib} +a| +* `manage_enrich` +* `manage_index_templates` +* `manage_ingest_pipelines` +* `manage_transform` + +a| +* `read` and `view_index_metadata` for `.asset-criticality.asset-criticality-*` +* `read` and `manage` for `risk-score.risk-score-*` +* `read` and `manage` for `.entities.v1.latest.*` +* `read` and `view_index_metadata` for all {elastic-sec} indices + +| **All** for the **Security** and **Saved Objects Management** features + |============================================== \ No newline at end of file diff --git a/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc b/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc index 5391c71fad..f1365aee9f 100644 --- a/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc +++ b/docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc @@ -3,7 +3,7 @@ beta[] -IMPORTANT: To use entity risk scoring, your role must have the appropriate privileges. For more information, refer to <>. +IMPORTANT: To use entity risk scoring, your role must have the appropriate privileges. For more information, refer to <>. [discrete] == Preview risky entities diff --git a/docs/dashboards/entity-dashboard.asciidoc b/docs/dashboards/entity-dashboard.asciidoc index 7e32a3365e..f971156046 100644 --- a/docs/dashboards/entity-dashboard.asciidoc +++ b/docs/dashboards/entity-dashboard.asciidoc @@ -8,18 +8,17 @@ The Entity Analytics dashboard provides a centralized view of emerging insider t [sidebar] -- -* A https://www.elastic.co/pricing/[Platinum subscription] or higher is required. -* To display host and user risk scores, you must <>. +A https://www.elastic.co/pricing/[Platinum subscription] or higher is required. -- The dashboard includes the following sections: * <> -* <> * <> -* <> - +* <> +* <> +* <> [role="screenshot"] image::images/entity-dashboard.png[Entity dashboard] @@ -28,12 +27,43 @@ image::images/entity-dashboard.png[Entity dashboard] [float] == Entity KPIs (key performance indicators) -Displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the Host risk table, User risk table, or Anomalies table. +Displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the **Hosts** page, **Users** page, or **Anomalies** table. + +[[entity-user-risk-scores]] +[float] +== User Risk Scores + +.Requirements +[sidebar] +-- +To display user risk scores, you must <>. +-- + +Displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. Like host risk scores, user risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). + +[role="screenshot"] +image::images/user-score-data.png[User risk table] + +Interact with the table to filter data, view more details, and take action: + +* Select the *User risk level* menu to filter the chart by the selected level. +* Click a user name link to open the user details flyout. +* Hover over a user name link to display inline actions: *Add to timeline*, which adds the selected value to Timeline, and *Copy to Clipboard*, which copies the user name value for you to paste later. +* Click *View all* in the upper-right to display all user risk information on the Users page. +* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated user name value. + +For more information about user risk scores, refer to <>. [[entity-host-risk-scores]] [float] == Host Risk Scores +.Requirements +[sidebar] +-- +To display host risk scores, you must <>. +-- + Displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). [role="screenshot"] @@ -50,24 +80,42 @@ Interact with the table to filter data, view more details, and take action: For more information about host risk scores, refer to <>. -[[entity-user-risk-scores]] +[[entity-entities]] [float] -== User Risk Scores +== Entities -Displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. Like host risk scores, user risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). +preview::[] + +.Requirements +[sidebar] +-- +To display the **Entities** section, you must <>. +-- + +The **Entities** section provides a centralized view of all hosts and users in your environment. It displays entities from the <>, which meet any of the following criteria: + +* Have been observed by {elastic-sec} +* Have an asset criticality assignment +* Have been added to {elastic-sec} through an integration, such Active Directory or Okta + +NOTE: The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_` and `.entities.v1.latest.security_host_` indices to see all the fields for each entity in the entity store. [role="screenshot"] -image::images/user-score-data.png[User risk table] +image::images/entities-section.png[Entities section] -Interact with the table to filter data, view more details, and take action: +Entity data from different sources appears in the **Entities** section based on the following timelines: -* Select the *User risk level* menu to filter the chart by the selected level. -* Click a user name link to open the user details flyout. -* Hover over a user name link to display inline actions: *Add to timeline*, which adds the selected value to Timeline, and *Copy to Clipboard*, which copies the user name value for you to paste later. -* Click *View all* in the upper-right to display all user risk information on the Users page. -* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated user name value. +* When you first enable the entity store, only data stored in the last 24 hours is processed. After that, data is processed continuously. +* Observed events from the {elastic-sec} default data view are processed in near real-time. +* Entity Analytics data, such as entity risk scores and asset criticality (including bulk asset criticality upload), is also processed in near real-time. +* The availability of entities extracted from Entity Analytics integrations depends on the specific integration. Refer to {integrations-docs}/entityanalytics_ad[Active Directory Entity Analytics], {integrations-docs}/entityanalytics_entra_id[Microsoft Entra ID Entity Analytics], and {integrations-docs}/entityanalytics_okta[Okta Entity Analytics] for more details. -For more information about user risk scores, refer to <>. +Interact with the table to filter data and view more details: + +* Select the **Risk level** dropdown to filter the table by the selected user or host risk level. +* Select the **Criticality** dropdown to filter the table by the selected asset criticality level. +* Select the **Source** dropdown to filter the table by the data source. +* Click the **View details** icon (image:detections/images/view-details-icon.png[View details icon,16,15]) to open the entity details flyout. [[entity-anomalies]] [float] diff --git a/docs/dashboards/images/entities-section.png b/docs/dashboards/images/entities-section.png new file mode 100644 index 0000000000..9bb4c5338d Binary files /dev/null and b/docs/dashboards/images/entities-section.png differ diff --git a/docs/dashboards/images/entity-dashboard.png b/docs/dashboards/images/entity-dashboard.png index e529976aac..56479b9f1e 100644 Binary files a/docs/dashboards/images/entity-dashboard.png and b/docs/dashboards/images/entity-dashboard.png differ