diff --git a/docs/serverless/cloud-native-security/aws-securityhub.asciidoc b/docs/serverless/cloud-native-security/aws-securityhub.asciidoc new file mode 100644 index 0000000000..f7daf55ed1 --- /dev/null +++ b/docs/serverless/cloud-native-security/aws-securityhub.asciidoc @@ -0,0 +1,18 @@ +[[ingest-aws-securityhub-data]] += Ingest AWS Security Hub data + +In order to enrich your {elastic-sec} workflows with third-party cloud security posture data collected by AWS Security Hub: + +* Follow the steps to {integrations-docs}/aws/securityhub[set up the AWS Security Hub integration]. + +* Make sure the integration version is at least 2.31.1. + +* Ensure you have `read` privileges for the `security_solution-*.misconfiguration_latest` index. + +* While configuring the AWS Security Hub integration, turn on **Collect AWS Security Hub Findings from AWS**. We recommend you also set the **Initial Interval** value to `2160h` (equivalent to 90 days) to ingest existing logs. + +image::images/aws-config-finding-logs.png[AWS Security Hub integration settings showing the findings toggle] + +After you've completed these steps, AWS Security Hub data will appear on the **Misconfigurations** tab of the <> page. + +Any available findings data will also appear in the entity details flyouts for related <>. If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the <>, and <> flyouts. \ No newline at end of file diff --git a/docs/serverless/cloud-native-security/cspm-findings-page.asciidoc b/docs/serverless/cloud-native-security/cspm-findings-page.asciidoc index 835c96fb05..05facdc6d0 100644 --- a/docs/serverless/cloud-native-security/cspm-findings-page.asciidoc +++ b/docs/serverless/cloud-native-security/cspm-findings-page.asciidoc 
@@ -10,7 +10,7 @@ preview:[] -The **Misconfigurations** tab on the Findings page displays the configuration risks identified by the <> and <> integrations. +The **Misconfigurations** tab on the **Findings** page displays the configuration risks identified by the <> and <> integrations, as well as data from <>. [role="screenshot"] image::images/findings-page/-cloud-native-security-findings-page.png[Findings page] diff --git a/docs/serverless/cloud-native-security/falco-setup.asciidoc b/docs/serverless/cloud-native-security/falco-setup.asciidoc new file mode 100644 index 0000000000..17980a3233 --- /dev/null +++ b/docs/serverless/cloud-native-security/falco-setup.asciidoc 
@@ -0,0 +1,114 @@ +[[ingest-falco]] += Ingest CNCF Falco data + +CNCF Falco is an open-source runtime security tool that detects anomalous activity in Linux hosts, containers, Kubernetes, and cloud environments. You can ingest Falco alerts into {es} to view them on {elastic-sec}'s **Alerts** page and incorporate them into your security workflows by using Falcosidekick, a proxy forwarder that can send alerts from your Falco deployments to {es}. + +First, you'll need to configure {elastic-sec} to receive data from Falco, then you'll need to configure Falco and Falcosidekick to send data to {es}. + +[discrete] +[[ingest-falco-setup-kibana]] +== Configure {elastic-sec} to receive Falco data + +In {elastic-sec}: + +. Click **Add integrations**. +. Search the **Integrations** page for `Falco`, then select it. +. Go to the Falco integration's **Settings** tab. +. Click **Install Falco**, then confirm by clicking **Install Falco** again. Installation should take less than a minute. + +{elastic-sec} is now ready to receive data from Falco. The Falco integration page now has an **Assets** tab where you can inspect the newly installed assets that help to ingest Falco data. + +Next, to make alerts from Falco appear on {elastic-sec}'s **Alerts** page: + +. Find the **Detection rules (SIEM)** page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Search for a rule named `External Alerts`. Install it if necessary, and enable it. + + +[discrete] +[[ingest-falco-setup-falco]] +== Configure Falco and Falcosidekick + +You can either: + +* <>; or, +* <>. + +[discrete] +[[ingest-falco-setup-falco-vm]] +=== Configure Falco and Falcosidekick for VMs + +Multiple methods for configuring Falco to send data from VMs to {es} are available. This guide uses the https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md[Falco sidekick on Docker using environment variables] method. 
+ +[discrete] +=== Configure Falco for VMs: + +. Refer to Falco's documentation to https://falco.org/docs/setup/packages/[install Falco on the Linux VMs you wish to monitor]. +. Once Falco is installed, update `/etc/falco/falco.yaml` as follows: +.. Enable JSON output: `json_output: true` +.. Enable HTTP output: under `http_output`, for the `url` value, enter the `url:port` where Falcosidekick will listen. For example, if Falcosidekick is running on localhost: ++ +``` +http_output: + enabled: true + url: "http://0.0.0.0:2801/" +``` + +[discrete] +[[falco-config-falco-for-vms]] +=== Configure Falcosidekick for VMs: + +. Refer to Falcosidekick's documentation to https://github.com/falcosecurity/falcosidekick?tab=readme-ov-file#installation[install Falcosidekick]. +. Use the https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md[Falcosidekick on Docker using environment variables] method and set your environment variables as follows: +.. `ELASTICSEARCH_HOSTPORT`: Your {es} endpoint URL, which can be found under **Connection details** on the upper right of the **Integrations** page in {kib}. +.. `ELASTICSEARCH_INDEX`: The {es} index where you want to store Falco logs. ++ +IMPORTANT: Your `ELASTICSEARCH_INDEX` value must match `logs-falco.alerts-*`. ++ +.. `ELASTICSEARCH_SUFFIX`: The frequency with which you want the {es} index suffix to change. Either `daily`, `monthly`, `annually`, or `none`. +.. `ELASTICSEARCH_APIKEY`: The recommended way to authenticate to {es}, by providing an {kibana-ref}/api-keys.html[API key]. Note that support for this environment variable starts with Falcosidekick version 2.30. You can access the latest version on Falcosidekick's https://hub.docker.com/r/falcosecurity/falcosidekick[Docker Hub]. +.. `ELASTICSEARCH_USERNAME` and `ELASTICSEARCH_PASSWORD`: The username and password for an account on your {es} instance. Authentication using these environment variables is not supported on {ecloud} Serverless. +.. 
`ELASTICSEARCH_MUTUALTLS` and `ELASTICSEARCH_CHECKCERT`: For security reasons, we recommend setting these to `true`. + +For example: + +``` +docker run -d -p 2801:2801 + -e ELASTICSEARCH_HOSTPORT=https://test-falco.es.us-west2.gcp.elastic-cloud.com + -e ELASTICSEARCH_INDEX=logs-falco.alerts-all + -e ELASTICSEARCH_SUFFIX=none + -e ELASTICSEARCH_APIKEY=XXXXXXXXXXXXX + -e ELASTICSEARCH_MUTUALTLS=true + -e ELASTICSEARCH_CHECKCERT=true falcosecurity/falcosidekick +``` + +IMPORTANT: The {es} account used to authenticate Falcosidekick only needs sufficient privileges to create and write to new indices. We recommend following the principle of least privilege when provisioning this account. + +After installing and configuring Falcosidekick, restart Falco with `sudo systemctl restart falco`. Falcosidekick should start sending alerts to {es}. + + +[discrete] +[[ingest-falco-setup-falco-kubernetes]] +== Configure Falco and Falcosidekick for Kubernetes + +1. Add the Falco https://github.com/falcosecurity/charts/blob/master/README.md[Helm charts]: ++ +``` +helm repo add falcosecurity https://falcosecurity.github.io/charts +helm repo update +``` ++ +2. Next, install Falco and Falcosidekick using the `falcosecurity/falco` Helm chart with https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md[appropriate values] for each of the `falcosidekick.config.elasticsearch.*` fields: ++ +``` +helm install falco falcosecurity/falco \ + --set falcosidekick.enabled=true \ + --set tty=true \ + --set driver.kind=modern_ebpf \ + --set collectors.kubernetes.enabled=true \ + --set falcosidekick.config.elasticsearch.hostport="https://" \ + --set falcosidekick.config.elasticsearch.username="" \ + --set falcosidekick.config.elasticsearch.password="" \ + --set falcosidekick.config.elasticsearch.index="logs-falco.alerts-all" \ + --set falcosidekick.config.elasticsearch.suffix="none" +``` + 
diff --git a/docs/serverless/cloud-native-security/images/aws-config-finding-logs.png b/docs/serverless/cloud-native-security/images/aws-config-finding-logs.png new file mode 100644 index 0000000000..ad83affa75 Binary files /dev/null and b/docs/serverless/cloud-native-security/images/aws-config-finding-logs.png differ diff --git a/docs/serverless/cloud-native-security/images/wiz-config-finding-logs.png b/docs/serverless/cloud-native-security/images/wiz-config-finding-logs.png new file mode 100644 index 0000000000..26043a862d Binary files /dev/null and b/docs/serverless/cloud-native-security/images/wiz-config-finding-logs.png differ diff --git a/docs/serverless/cloud-native-security/images/wiz-config-vuln-logs.png b/docs/serverless/cloud-native-security/images/wiz-config-vuln-logs.png new file mode 100644 index 0000000000..714f40a377 Binary files /dev/null and b/docs/serverless/cloud-native-security/images/wiz-config-vuln-logs.png differ diff --git a/docs/serverless/cloud-native-security/images/wiz-findings.png b/docs/serverless/cloud-native-security/images/wiz-findings.png new file mode 100644 index 0000000000..4a5c2ea60b Binary files /dev/null and b/docs/serverless/cloud-native-security/images/wiz-findings.png differ diff --git a/docs/serverless/cloud-native-security/ingest-cncf-data.asciidoc b/docs/serverless/cloud-native-security/ingest-cncf-data.asciidoc new file mode 100644 index 0000000000..e7260430a5 --- /dev/null +++ b/docs/serverless/cloud-native-security/ingest-cncf-data.asciidoc 
@@ -0,0 +1,22 @@ +[[ingest-third-party-cloud-security-data]] += Ingest third-party cloud security data + +This section describes how to ingest cloud security data from third-party tools into {es}. Once ingested, this data can provide additional context and enrich your {elastic-sec} workflows. + +You can ingest both third-party cloud workload protection data and third-party security posture and vulnerability data. + +[discrete] +== Ingest third-party workload protection data + +You can ingest third-party cloud security alerts into {elastic-sec} to view them on the <> and incorporate them into your triage and threat hunting workflows. + +* Learn to <>. + +[discrete] +== Ingest third-party security posture and vulnerability data + +You can ingest third-party data into {elastic-sec} to review and investigate it alongside data collected by {elastic-sec}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the <> page and in the entity details flyouts for <>, <>, and <> flyouts. + +* Learn to <>. + +* Learn to <>. \ No newline at end of file diff --git a/docs/serverless/cloud-native-security/vuln-management-findings.asciidoc b/docs/serverless/cloud-native-security/vuln-management-findings.asciidoc index 60b56f909e..1bd4e6a319 100644 --- a/docs/serverless/cloud-native-security/vuln-management-findings.asciidoc +++ b/docs/serverless/cloud-native-security/vuln-management-findings.asciidoc @@ -6,7 +6,7 @@ preview:[] -The **Vulnerabilities** tab on the Findings page displays the vulnerabilities detected by the <>. +The **Vulnerabilities** tab on the Findings page displays the vulnerabilities detected by the <>, as well as those detected by <>. [role="screenshot"] image::images/vuln-management-findings/-cloud-native-security-cnvm-findings-page.png[The Vulnerabilities tab of the Findings page] 
diff --git a/docs/serverless/cloud-native-security/wiz.asciidoc b/docs/serverless/cloud-native-security/wiz.asciidoc new file mode 100644 index 0000000000..fc580412e2 --- /dev/null +++ b/docs/serverless/cloud-native-security/wiz.asciidoc @@ -0,0 +1,22 @@ +[[ingest-wiz-data]] += Ingest Wiz data + +In order to enrich your {elastic-sec} workflows with third-party cloud security posture and vulnerability data collected by Wiz: + +* Follow the steps to {integrations-docs}/wiz[set up the Wiz integration]. + +* Make sure the integration version is at least 2.0.1. + +* Ensure you have `read` privileges for the following indices: `security_solution-*.misconfiguration_latest`, `security_solution-*.vulnerability_latest`. + +* While configuring the Wiz integration, turn on **Cloud Configuration Finding logs** and **Vulnerability logs**. We recommend you also set the **Initial Interval** values for both settings to `2160h` (equivalent to 90 days) to ingest existing logs. + +image::images/wiz-config-finding-logs.png[Wiz integration settings showing the findings toggle] + +image::images/wiz-config-vuln-logs.png[Wiz integration settings showing the vulnerabilities toggle] + +After you've completed these steps, Wiz data will appear on the **<> and <> tabs of the **Findings** page. + +image::images/wiz-findings.png[Wiz data on the Findings page] + +Any available findings data will also appear in the entity details flyouts for related <>. If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the <>, and <> flyouts. \ No newline at end of file diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc index 615e553f14..7d9c07fe80 100644 --- a/docs/serverless/index.asciidoc +++ b/docs/serverless/index.asciidoc 
@@ -107,6 +107,10 @@ include::./cloud-native-security/d4c-policy-guide.asciidoc[leveloffset=+4] include::./cloud-native-security/d4c-kubernetes-dashboard-dash.asciidoc[leveloffset=+4] include::./cloud-native-security/cloud-workload-protection.asciidoc[leveloffset=+3] include::./cloud-native-security/environment-variable-capture.asciidoc[leveloffset=+4] +include::./cloud-native-security/ingest-cncf-data.asciidoc[leveloffset=+3] +include::./cloud-native-security/falco-setup.asciidoc[leveloffset=+4] +include::./cloud-native-security/aws-securityhub.asciidoc[leveloffset=+4] +include::./cloud-native-security/wiz.asciidoc[leveloffset=+4] include::./explore/explore-your-data.asciidoc[leveloffset=+2] include::./explore/hosts-overview.asciidoc[leveloffset=+3]
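Review bot: In aws-securityhub.asciidoc the closing sentence has a stray comma, `the findings will appear on the <>, and <> flyouts` should read `the findings will appear on the <> and <> flyouts`, and the file is committed without a trailing newline (`\ No newline at end of file`); add one so later diffs to this page stay clean. Also worth a sentence next to the `2160h` recommendation: the 90-day initial interval pulls every existing Security Hub finding on the first run, so readers with large accounts should expect a sizeable first ingest before the incremental polling settles.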
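Review bot: The `docker run` example under `For example:` in falco-setup.asciidoc is split across lines with no `\` continuations, so pasted as shown only `docker run -d -p 2801:2801` executes and each `-e ...` line is run as its own command; add a trailing backslash to every line except the last, as the Helm example later in the same file does. Two further problems in the same hunk: the `http_output` snippet is introduced with "if Falcosidekick is running on localhost" but points Falco at `url: "http://0.0.0.0:2801/"`, and `0.0.0.0` is a bind address rather than a destination, so the client-side URL should be `http://127.0.0.1:2801/` (or `http://localhost:2801/`); and the example sets `-e ELASTICSEARCH_MUTUALTLS=true` while giving the container no client certificate, key or CA to present, so either show those files being provided or demonstrate with mutual TLS off and `ELASTICSEARCH_CHECKCERT=true`, keeping the mutual TLS recommendation as prose. Minor: `-e ELASTICSEARCH_APIKEY=XXXXXXXXXXXXX` puts the key on the command line, where it lands in shell history and in `docker inspect` output; `--env-file` keeps it out of both. The IMPORTANT note on least privilege could name the concrete grant, for example an API key whose index privileges are limited to `logs-falco.alerts-*` with `create_doc` and `auto_configure`. Structure: the anchor `[[falco-config-falco-for-vms]]` sits on the `=== Configure Falcosidekick for VMs:` heading (and both sub-headings carry a trailing colon), the Kubernetes section is level `==` while its sibling VM section is `===` so the "You can either:" list points at headings of different depth, and the Kubernetes steps use `1.`/`2.` where the rest of the file uses `.`. Finally, the Helm example passes `falcosidekick.config.elasticsearch.username` and `.password`, which the VM section says is not supported on {ecloud} Serverless, the very environment these docs cover; an API key, which the VM section already recommends, would be the consistent choice.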
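Review bot: In ingest-cncf-data.asciidoc the phrase `in the entity details flyouts for <>, <>, and <> flyouts` repeats `flyouts`; drop the trailing one so it reads `in the entity details flyouts for <>, <>, and <>`. The file also ends without a trailing newline.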
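Review bot: The sibling change to cspm-findings-page.asciidoc bolds `**Findings** page`, but this hunk in vuln-management-findings.asciidoc leaves `the Findings page` plain; use `**Findings** page` here too so the two tabs' intros match.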
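Review bot: Unbalanced bold markup in wiz.asciidoc, `Wiz data will appear on the **<> and <> tabs of the **Findings** page.`: the `**` opened before the first `<>` is never closed, so `<> and <> tabs of the` renders bold and the intended emphasis on `Findings` breaks; suggest `Wiz data will appear on the <> and <> tabs of the **Findings** page.` The last sentence has the same stray comma as the Security Hub page (`on the <>, and <> flyouts`), and the file lacks a trailing newline.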