diff --git a/docs/cases/cases-index.asciidoc b/docs/cases/cases-index.asciidoc index 51e53a4ac1..243a0908d8 100644 --- a/docs/cases/cases-index.asciidoc +++ b/docs/cases/cases-index.asciidoc @@ -3,3 +3,5 @@ include::cases-overview.asciidoc[leveloffset=+1] include::cases-manage.asciidoc[leveloffset=+2] include::cases-ui-integrations.asciidoc[] + +include::indicators-of-compromise.asciidoc[leveloffset=+1] diff --git a/docs/cases/indicators-of-compromise.asciidoc b/docs/cases/indicators-of-compromise.asciidoc new file mode 100644 index 0000000000..510f1b892a --- /dev/null +++ b/docs/cases/indicators-of-compromise.asciidoc 
@@ -0,0 +1,94 @@ +[[indicators-of-compromise]] += Indicators of compromise + +The Indicators page (*Intelligence -> Indicators*) collects data from enabled threat intelligence feeds and provides a centralized view of indicators, also known as indicators of compromise (IoCs). This topic helps you set up the Indicators page and explains how to work with IoCs. + +.Requirements +[sidebar] +-- +You must have _one_ of the following installed on the hosts you want to monitor: + +* *{agent}* - Install a {fleet-guide}/install-fleet-managed-elastic-agent.html[{fleet}-managed {agent}] and ensure the agent's status is `Healthy`. Refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} Troubleshooting] if it isn't. +* *{filebeat}* - Install {filebeat-ref}/filebeat-installation-configuration.html[{filebeat}] version 8.x or later. Earlier {filebeat} versions are incompatible with ECS and will prevent indicator data from displaying in the Indicators table. +-- + +[role="screenshot"] +image::images/indicators-table.png[Shows the Indicators page] + +[discrete] +[[ti-indicators]] +== Threat intelligence and indicators +Threat intelligence is a research function that analyzes current and emerging threats and recommends appropriate actions to strengthen a company's security posture. Threat intelligence requires proactivity to be useful, such as gathering, analyzing, and investigating various threat and vulnerability data sources. + +An indicator, also referred to as an IoC, is a piece of information associated with a known threat or reported vulnerability. There are many types of indicators, including URLs, files, domains, email addresses, and more. Within SOC teams, threat intelligence analysts use indicators to detect, assess, and respond to threats. + +[discrete] +[[setup-indicators-page]] +== Set up the Indicators page + +Install a threat intelligence integration to add indicators to the Indicators page. + + +. 
Choose one of the following: +* From the {security-app} main menu, go to *Intelligence* -> *Indicators* -> *Add Integrations*. +* From the {kib} main menu, click *Add integrations*. Scroll down the list of integration categories and select *Threat Intelligence* to filter by threat intelligence integrations. +. Select a threat intelligence integration, then complete the integration's guided installation. ++ +NOTE: For more information about available fields, go to the https://docs.elastic.co/integrations[Elastic integration documentation] and search for a specific threat intelligence integration. + +. Return to the Indicators page in {elastic-sec}. Refresh the page if indicator data isn't displaying. + +[discrete] +[[troubleshoot-indicators-page]] +=== Troubleshooting +If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration: + +* Verify that the index storing indicator documents is included in the <> (`securitySolution:defaultIndex`). The index storing indicator documents will differ based on the way you're collecting indicator data: +** *{agent} integrations* - `logs_ti*` +** *{filebeat} integrations* - `filebeat-*` +* Ensure the indicator data you're ingesting is mapped to {ecs-ref}[Elastic Common Schema (ECS)]. + +[discrete] +[[intelligence-page-ui]] +== Indicators page UI + +After you add indicators to the Indicators page, you can <>, search, filter, and take action on indicator data. Indicators also appear in the Trend view, which shows the occurrence of indicators over time. + +[role="screenshot"] +image::images/interact-with-indicators-table.gif[width=90%][height=90%][Shows how to interact with the Intelligence page] + +[discrete] +[[examine-indicator-details]] +=== Examine indicator details +Learn more about an indicator by clicking *View details*, then opening the Indicator details flyout. 
The flyout contains these informational tabs: + +* *Overview*: A summary of the indicator, including the indicator's name, the threat intelligence feed it came from, the indicator type, and additional relevant data. ++ +NOTE: Some threat intelligence feeds provide https://www.cisa.gov/tlp#:~:text=Introduction,shared%20with%20the%20appropriate%20audience[Traffic Light Protocol (TLP) markings]. The `TLP Marking` and `Confidence` fields will be empty if the feed doesn't provide that data. + +* *Table*: The indicator data in table format. +* *JSON*: The indicator data in JSON format. ++ +[role="screenshot"] +image::images/indicator-details-flyout.png[Shows the Indicator details flyout, 600] + +[discrete] +[[find-related-sec-events]] +== Find related security events + +Investigating an indicator in <> helps you find related security events in your environment. You can add an indicator to Timeline from the Indicators table or the Indicator details flyout. + +[role="screenshot"] +image::images/indicator-in-timeline.png[Shows the results of an indicator being investigated in Timeline] + +When you add an indicator to Timeline, a new Timeline opens with a pre-populated KQL query. The query contains the indicator field-value pair that you selected plus the field-value pair of the mapped source event. + +For example, imagine you've added this file hash indicator to Timeline: + +`threat.indicator.file.hash.sha256 : c207213257a63589b1e1bd2f459b47becd000c1af8ea7983dd9541aff145c3ba` + +A new Timeline opens with an automatically populated KQL query. The query contains the indicator field-value pair (mentioned previously) and the mapped source event field-value pair, which is: + +`file.hash.sha256 : c207213257a63589b1e1bd2f459b47becd000c1af8ea7983dd9541aff145c3ba`. + +Using a KQL query that includes both the indicator and source event allows Timeline to find all events and alerts that have matching field-value pairs. 
diff --git a/docs/events/images/indicator-details-flyout.png b/docs/events/images/indicator-details-flyout.png new file mode 100644 index 0000000000..8754ae0919 Binary files /dev/null and b/docs/events/images/indicator-details-flyout.png differ diff --git a/docs/events/images/indicator-in-timeline.png b/docs/events/images/indicator-in-timeline.png new file mode 100644 index 0000000000..ce3e7a0028 Binary files /dev/null and b/docs/events/images/indicator-in-timeline.png differ diff --git a/docs/events/images/indicators-table.png b/docs/events/images/indicators-table.png new file mode 100644 index 0000000000..01e2f6f8e5 Binary files /dev/null and b/docs/events/images/indicators-table.png differ diff --git a/docs/events/images/interact-with-indicators-table.gif b/docs/events/images/interact-with-indicators-table.gif new file mode 100644 index 0000000000..1802cd58da Binary files /dev/null and b/docs/events/images/interact-with-indicators-table.gif differ diff --git a/docs/events/index.asciidoc b/docs/events/index.asciidoc index 1e77d15bfe..ec8c95c59d 100644 --- a/docs/events/index.asciidoc +++ b/docs/events/index.asciidoc @@ -2,7 +2,7 @@ = Investigate -The following sections describe how to use Timelines and the Timeline graphical interface to investigate events, and how to use cases to open and track security issues directly in the {security-app}. +The following sections describe tools for investigating security events and tracking security issues directly in the {security-app}. include::timeline-ui-overview.asciidoc[leveloffset=+1] include::timeline-templates.asciidoc[leveloffset=+1] diff --git a/docs/getting-started/security-ui.asciidoc b/docs/getting-started/security-ui.asciidoc index 7b2f8d8e0b..7f2b9bc5ef 100644 --- a/docs/getting-started/security-ui.asciidoc +++ b/docs/getting-started/security-ui.asciidoc 
@@ -99,6 +99,14 @@ image::images/network-ui.png[Shows the Network page] [role="screenshot"] image::images/users/users-page.png[Shows the Users page] +[float] +=== Intelligence + +The Intelligence section contains the Indicators page, which collects data from enabled threat intelligence feeds and provides a centralized view of indicators of compromise (IoCs). Refer to <> to learn more. + +[role="screenshot"] +image::images/indicators-table.png[Shows the Indicators page] + [float] === Get started
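Review bot: the new `include::indicators-of-compromise.asciidoc[leveloffset=+1]` is wired into `docs/cases/cases-index.asciidoc`, but the topic is threat intelligence rather than case management, and its screenshots are committed under `docs/events/images/`, not `docs/cases/`. The `docs/events/index.asciidoc` hunk broadens the Investigate intro to "tools for investigating security events and tracking security issues" yet gains no include for the new topic, which suggests the include was meant to go there; pick one book, and keep the source file, the include and the images in the same tree so the `image::images/...` paths resolve.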
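Review bot: in the new `indicators-of-compromise.asciidoc`, the macro `image::images/interact-with-indicators-table.gif[width=90%][height=90%][Shows how to interact with the Intelligence page]` uses three bracket groups; AsciiDoc takes a single attribute list, so the alt text and sizing will not be applied as intended. Use the `[alt, width]` form the other image macros in this file already use, e.g. `image::images/interact-with-indicators-table.gif[Shows how to interact with the Intelligence page, width=90%]`. Two smaller wording points in the same hunk: the requirements sidebar says {agent} or {filebeat} must be installed "on the hosts you want to monitor", but threat intelligence integrations pull indicators from external feeds, so a single agent running the integration is what is required and readers should not expect to install on every endpoint; and "clicking *View details*, then opening the Indicator details flyout" reads as two steps when clicking *View details* is what opens the flyout.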
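Review bot: the four binaries are added under `docs/events/images/` (`indicators-table.png`, `indicator-details-flyout.png`, `indicator-in-timeline.png`, `interact-with-indicators-table.gif`), but every reference to them in this patch is a relative `images/...` path from `docs/cases/indicators-of-compromise.asciidoc` or `docs/getting-started/security-ui.asciidoc`, whose neighbouring screenshots (`images/network-ui.png`, `images/users/users-page.png`) live beside those files. Unless the build sets a shared `imagesdir`, these links will be broken; either move the binaries next to the referencing docs or correct the paths in the macros.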
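Review bot: in the `security-ui.asciidoc` hunk the sentence `Refer to <> to learn more.` carries no cross-reference target; it should point at the anchor the new file defines, `<<indicators-of-compromise>>`. The same empty `<>` appears twice in the new topic, once where the default index setting (`securitySolution:defaultIndex`) should be linked in the troubleshooting list and once in "you can <>, search, filter, and take action", so check all three before merge; if they are only artifacts of how the diff was pasted here, no change is needed.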