diff --git a/docs/AI-for-security/ai-security-assistant.asciidoc b/docs/AI-for-security/ai-security-assistant.asciidoc index 147efe3f70..7df57be804 100644 --- a/docs/AI-for-security/ai-security-assistant.asciidoc +++ b/docs/AI-for-security/ai-security-assistant.asciidoc @@ -68,7 +68,7 @@ You can also chat with AI Assistant from several particular pages in {elastic-se * <>: Select the *Incompatible fields* tab, then click *Chat*. (This is only available for fields marked red, indicating they're incompatible). * <>: Select the *Security Assistant* tab. -NOTE: Each user's chat history and custom quick prompts are automatically saved, so you can leave ((elastic-sec)) and return to pick up a conversation later. +NOTE: Each user's chat history and custom quick prompts are automatically saved, so you can leave {elastic-sec} and return to pick up a conversation later. [discrete] [[interact-with-assistant]] 
@@ -96,8 +96,10 @@ Quick prompt availability varies based on context — for example, the **Alert s ** *Add to existing case* (image:images/icon-add-to-case.png[Add to case icon,19,16]): Add a comment to an existing case using the selected text. ** *Copy to clipboard* (image:images/icon-copy.png[Copy to clipboard icon,17,18]): Copy the text to clipboard to paste elsewhere. Also helpful for resubmitting a previous prompt. ** *Add to timeline* (image:images/icon-add-to-timeline.png[Add to timeline icon,17,18]): Add a filter or query to Timeline using the text. This button appears for particular queries in AI Assistant's responses. -+ -TIP: Be sure to specify which language you'd like AI Assistant to use when writing a query. For example: "Can you generate an Event Query Language query to find four failed logins followed by a successful login?" + +Be sure to specify which language you'd like AI Assistant to use when writing a query. For example: "Can you generate an Event Query Language query to find four failed logins followed by a successful login?" + +TIP: AI Assistant can remember particular information you tell it to remember. For example, you could tell it: "When anwering any question about srv-win-s1-rsa or an alert that references it, mention that this host is in the New York data center". This will cause it to remember the detail you highlighted. [discrete] [[configure-ai-assistant]] 
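Review bot: typo in the new TIP line of this hunk, "anwering" should be "answering". Also, removing the `+` list-continuation before "Be sure to specify which language you'd like AI Assistant to use..." detaches that paragraph from the *Add to timeline* bullet it qualifies; either keep the `+` so it stays attached to the list item, or leave it as the standalone TIP it was before.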
@@ -123,6 +125,12 @@ NOTE: To delete a custom prompt, open the *Name* drop-down menu, hover over the [[ai-assistant-anonymization]] === Anonymization +.Requirements +[sidebar] +-- +To modify Anonymization settings, you need the **Elastic AI Assistant: All** privilege, with **Customize sub-feature privileges** enabled. +-- + The **Anonymization** tab of the AI Assistant settings menu allows you to define default data anonymization behavior for events you send to AI Assistant. Fields with **Allowed** toggled on are included in events provided to AI Assistant. **Allowed** fields with **Anonymized** set to **Yes** are included, but with their values obfuscated. [role="screenshot"] @@ -139,7 +147,7 @@ When you include a particular event as context, such as an alert from the Alerts === Knowledge base beta::[] -The **Knowledge base** tab of the AI Assistant settings menu allows you to enable AI Assistant to answer questions about the Elastic Search Query Language ({esql}), and about alerts in your environment. +The **Knowledge base** tab of the AI Assistant settings menu allows you to enable AI Assistant to answer questions about the Elastic Search Query Language ({esql}), and about alerts in your environment. To use knowledge base, you must <>. [discrete] [[rag-for-esql]] 
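Review bot: the Knowledge base hunk (`@@ -139,7`) adds "To use knowledge base, you must <>" but, unlike the new Anonymization `.Requirements [sidebar]`, does not say which privilege is needed to run **Setup** on the Knowledge base tab. If the **Elastic AI Assistant: All** privilege applies there too, add the same sidebar so readers do not hit a privilege error only after following the steps. Minor: the rest of the page says "the knowledge base"; this sentence drops the article.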
@@ -153,12 +161,10 @@ IMPORTANT: {esql} queries generated by AI Assistant might require additional val When this feature is enabled, AI Assistant can help you write an {esql} query for a particular use case, or answer general questions about {esql} syntax and usage. To enable AI Assistant to answer questions about {esql}: -. Enable the Elastic Learned Sparse EncodeR (ELSER). This model provides additional context to the third-party LLM. To learn more, refer to {ml-docs}/ml-nlp-elser.html#download-deploy-elser[Configure ELSER]. -. Initialize the knowledge base by clicking *Initialize*. -. Turn on the *Knowledge Base* option. +. Turn on the knowledge base by clicking **Setup**. If the **Setup** button doesn't appear, knowledge base is already enabled. . Click *Save*. The knowledge base is now active. A quick prompt for {esql} queries becomes available, which provides a good starting point for your {esql} conversations and questions. -NOTE: To update AI Assistant so that it uses the most current {esql} documentation to answer your questions, click **Delete** next to **Knowledge Base**, and toggle the **Knowledge Base** slider off and then on. +NOTE: AI Assistant's knowledge base gets additional context from {ml-docs}/ml-nlp-elser.html#download-deploy-elser[Elastic Learned Sparse EncodeR (ELSER)]. [discrete] [[rag-for-alerts]] @@ -167,8 +173,8 @@ When this feature is enabled, AI Assistant will receive multiple alerts as conte To enable RAG for alerts: -. Turn on the **Alerts** setting. -. Use the slider to select the number of alerts to send to AI Assistant. +. Turn on the knowledge base by clicking **Setup**. If the **Setup** button doesn't appear, knowledge base is already enabled. +. Use the slider to select the number of alerts to send to AI Assistant. Click **Save**. + [role="screenshot"] image::images/knowledge-base-settings.png["AI Assistant's settings menu open to the Knowledge Base tab",75%] 
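Review bot: the removed NOTE was the only place that told readers how to refresh the knowledge base when the {esql} documentation it is built from changes; the replacement NOTE only says ELSER supplies context. If clicking **Setup** now deploys ELSER and loads the current docs, say so in step 1, and state what a user should do after a release updates the bundled {esql} docs. Also, the {esql} and alerts procedures in this hunk now begin with the identical "Turn on the knowledge base by clicking **Setup**. If the **Setup** button doesn't appear, knowledge base is already enabled." step; consider stating it once above both sections rather than duplicating it.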
diff --git a/docs/AI-for-security/images/attck-disc-11-alerts-disc.png b/docs/AI-for-security/images/attck-disc-11-alerts-disc.png index 0075102604..0f2bf87bac 100644 Binary files a/docs/AI-for-security/images/attck-disc-11-alerts-disc.png and b/docs/AI-for-security/images/attck-disc-11-alerts-disc.png differ diff --git a/docs/AI-for-security/images/attck-disc-remediate-sodinokibi.gif b/docs/AI-for-security/images/attck-disc-remediate-sodinokibi.gif new file mode 100644 index 0000000000..f4fd2c9ed1 Binary files /dev/null and b/docs/AI-for-security/images/attck-disc-remediate-sodinokibi.gif differ diff --git a/docs/AI-for-security/images/attck-disc-translate-japanese.png b/docs/AI-for-security/images/attck-disc-translate-japanese.png new file mode 100644 index 0000000000..190efbb09e Binary files /dev/null and b/docs/AI-for-security/images/attck-disc-translate-japanese.png differ diff --git a/docs/AI-for-security/images/knowledge-base-settings.png b/docs/AI-for-security/images/knowledge-base-settings.png index abea9d3200..0f907cdf6f 100644 Binary files a/docs/AI-for-security/images/knowledge-base-settings.png and b/docs/AI-for-security/images/knowledge-base-settings.png differ diff --git a/docs/AI-for-security/llm-performance-matrix.asciidoc b/docs/AI-for-security/llm-performance-matrix.asciidoc index b4354cf41b..9cf6998a87 100644 --- a/docs/AI-for-security/llm-performance-matrix.asciidoc +++ b/docs/AI-for-security/llm-performance-matrix.asciidoc 
@@ -3,14 +3,13 @@ This table describes the performance of various large language models (LLMs) for different use cases in {elastic-sec}, based on our internal testing. To learn more about these use cases, refer to <> or <>. -[cols="1,1,1,1,1,1", options="header"] +[cols="1,1,1,1,1,1,1,1", options="header"] |=== -| *Feature* | *Model* | | | | -| | *Claude 3: Opus* | *Claude 3.5: Sonnet* | *Claude 3: Haiku* | *GPT-4o* | *GPT-4 Turbo* - -| *Assistant - General* | Excellent | Excellent | Excellent | Excellent | Excellent -| *Assistant - {esql} generation*| Great | Great | Poor | Excellent | Poor -| *Assistant - Alert questions* | Excellent | Excellent | Excellent | Excellent | Poor -| *Attack discovery* | Excellent | Excellent | Poor | Poor | Good +| *Feature* | *Model* | | | | | | +| | *Claude 3: Opus* | *Claude 3.5: Sonnet* | *Claude 3: Haiku* | *GPT-4o* | *GPT-4 Turbo* | **Gemini 1.5 Pro ** | **Gemini 1.5 Flash** +| *Assistant - General* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent +| *Assistant - {esql} generation*| Great | Great | Poor | Excellent | Poor | Good | Poor +| *Assistant - Alert questions* | Excellent | Excellent | Excellent | Excellent | Poor | Excellent | Good +| *Attack discovery* | Excellent | Excellent | Poor | Poor | Good | Great | Poor |=== \ No newline at end of file diff --git a/docs/AI-for-security/usecase-attack-discovery-ai-assistant-incident-reporting.asciidoc b/docs/AI-for-security/usecase-attack-discovery-ai-assistant-incident-reporting.asciidoc index 9473c73862..427f7a03cf 100644 --- a/docs/AI-for-security/usecase-attack-discovery-ai-assistant-incident-reporting.asciidoc +++ b/docs/AI-for-security/usecase-attack-discovery-ai-assistant-incident-reporting.asciidoc 
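Review bot: in the new header row of the table in `llm-performance-matrix.asciidoc`, `**Gemini 1.5 Pro **` has a stray space before the closing `**`, and both Gemini cells use `**` while every other column header uses single `*`; make them `*Gemini 1.5 Pro*` and `*Gemini 1.5 Flash*`. The file also still ends without a trailing newline (`\ No newline at end of file`); add one while touching it.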
@@ -23,7 +23,7 @@ Attack discovery can detect a wide range of threats by finding relationships amo image::images/attck-disc-11-alerts-disc.png[An Attack discovery card showing an attack with 11 related alerts,90%] -In the example above, Attack discovery found connections between eleven alerts, and used them to identify and describe an attack chain. +In the example above, Attack discovery found connections between nine alerts, and used them to identify and describe an attack chain. After Attack discovery outlines your threat landscape, use Elastic AI Assistant to quickly analyze a threat in detail. @@ -33,6 +33,8 @@ After Attack discovery outlines your threat landscape, use Elastic AI Assistant From a discovery on the Attack discovery page, click **View in AI Assistant** to start a chat that includes the discovery as context. +image::images/attck-disc-remediate-sodinokibi.gif[A dialogue with AI Assistant that has the attack discovery as context,90%] + AI Assistant can quickly compile essential data and provide suggestions to help you generate an incident report and plan an effective response. You can ask it to provide relevant data or answer questions, such as “How can I remediate this threat?” or “What {esql} query would isolate actions taken by this user?” image::images/attck-disc-esql-query-gen-example.png[An AI Assistant dialogue in which the user asks for a purpose-built {esql} query,90%] @@ -43,7 +45,7 @@ At any point in a conversation with AI Assistant, you can add data, narrative su [discrete] [[use-case-incident-reporting-create-a-case-using-ai-assistant]] -== Create a case using AI Assistant +== Generate reports From the AI Assistant dialog window, click **Add to case** (image:images/icon-add-to-case.png[Add to case icon,19,16]) next to a message to add the information in that message to a <>. Cases help centralize relevant details in one place for easy sharing with stakeholders. 
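Review bot: the hunk at `@@ -23,7` changes the count to "nine alerts", but the unchanged context line above it still reads `image::images/attck-disc-11-alerts-disc.png[An Attack discovery card showing an attack with 11 related alerts,90%]`, so the alt text and the file name now contradict the sentence. Update the alt text to "nine related alerts" and, since the binary was replaced, rename the image rather than reusing `attck-disc-11-alerts-disc.png`.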
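Review bot: the hunk at `@@ -43,7` renames the heading to "Generate reports" but keeps the anchor `[[use-case-incident-reporting-create-a-case-using-ai-assistant]]`, and the section body still only describes **Add to case**. Either rename the anchor (checking for existing cross-references to it) or keep the heading aligned with the content; as written, "Generate reports" promises steps the section does not contain.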
@@ -52,6 +54,9 @@ If you add a message that contains a discovery to a case, AI Assistant automatic [discrete] [[use-case-incident-reporting-translate]] == Translate incident information to a different human language using AI Assistant + +image::images/attck-disc-translate-japanese.png[An AI Assistant dialogue in which the assistant translates from English to Japanese,90%] + AI Assistant can translate its findings into other human languages, helping to enable collaboration among global security teams, and making it easier to operate within multilingual organizations. After AI Assistant provides information in one language, you can ask it to translate its responses. For example, if it provides remediation steps for an incident, you can instruct it to “Translate these remediation steps into Japanese.” You can then add the translated output to a case. This can help team members receive the same information and insights regardless of their primary language. diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc new file mode 100644 index 0000000000..d1d86c9688 --- /dev/null +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc 
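Review bot: the new `image::images/attck-disc-translate-japanese.png[...]` line is placed directly under the heading, before the paragraph that explains translation, whereas the other screenshots in this file follow the paragraph they illustrate (compare the `attck-disc-remediate-sodinokibi.gif` placement in the previous hunk). Move it after the paragraph ending "...regardless of their primary language." for consistency.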
@@ -0,0 +1,78 @@ +[[asset-criticality-api-bulk-upsert]] +=== Bulk upsert (create or update) asset criticality records + +Create or update asset criticality records for multiple entities. + +If asset criticality records already exist for the entities specified in the request, this API overwrites those records with the specified values. + +If asset criticality records don't exist for the specified entities, new records are created. + +==== Request URL + +`POST :/api/asset_criticality/bulk` + +==== Request body + +A JSON object defining the asset criticality records. + +[width="100%",options="header"] +|============================================== +|Name |Type |Description |Required +|`records` |Array |Array of asset criticality records to be created or updated. The maximum number of records is 1000. +|Yes +|`records.id_field` |String |The field that contains the entity ID. This must be either `user.name` or `host.name`. +|Yes +|`records.id_value` |String |The ID (host name or user name) of the entity specified in the `records.id_field` field. +|Yes +|`records.criticality_level` |String a|The asset criticality level to assign, which must be one of the following: + +* `low_impact` +* `medium_impact` +* `high_impact` +* `extreme_impact` + +For example, you can assign `extreme_impact` to business-critical entities, or `low_impact` to entities that pose minimal risk to your security posture. +|Yes +|============================================== + +===== Example requests + +[source,console] +-------------------------------------------------- +POST /api/asset_criticality/bulk +{ + "records": [ + { + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "medium_impact" + }, + { + "id_field": "host.name", + "id_value": "my_other_host", + "criticality_level": "low_impact" + } + ] +} +-------------------------------------------------- + +==== Response code + +`200`:: + Indicates a successful call. 
+ +==== Example response + +Successful response + +[source,json] +-------------------------------------------------- +{ + "errors": [], + "stats": { + "successful": 2, + "failed": 0, + "total": 2 + } +} +-------------------------------------------------- diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc new file mode 100644 index 0000000000..6604b2db28 --- /dev/null +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc 
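Review bot: the bulk endpoint in `asset-criticality-api-bulk-upsert.asciidoc` documents only a `200` response, yet the example response carries an `errors` array and `stats.failed`. Describe the shape of an `errors` entry (which record failed and why) and state whether a partially failed batch still returns `200`; a client that checks only the status code would otherwise silently lose records. Also say what happens when a request exceeds the stated maximum of 1000 records.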
@@ -0,0 +1,64 @@ +[[delete-criticality-api-delete]] +=== Delete asset criticality record + +Delete a single asset criticality record by ID field and ID value. + +==== Request URL + +`DELETE :/api/asset_criticality` + +==== URL query parameters + +[width="100%",options="header"] +|============================================== +|Name |Type |Description |Required + +|`id_field` |String |The field that contains the entity ID. This must be either `user.name` or `host.name`. +|Yes +|`id_value` |String |The ID (host name or user name) of the entity specified in the `id_field` field. +|Yes + +|============================================== + +===== Example requests + +[source,console] +-------------------------------------------------- +DELETE /api/asset_criticality?id_field=host.name&id_value=my_host + +-------------------------------------------------- + +==== Response code + +`200`:: + Indicates a successful call. Check the response body to see if the record was deleted. + +==== Example responses + +*Example 1* + +If the record was deleted. + +[source,json] +-------------------------------------------------- +{ + "deleted": true, + "record": { + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "medium_impact", + "@timestamp": "2024-08-05T09:42:11.240Z" + } +} +-------------------------------------------------- + +*Example 2* + +If the record was not found and could not be deleted. + +[source,json] +-------------------------------------------------- +{ + "deleted": false +} +-------------------------------------------------- diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc new file mode 100644 index 0000000000..1cb4752b7f --- /dev/null +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc 
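Review bot: the delete endpoint returns `200` with `"deleted": false` when no record exists, while the get endpoint on the same resource documents `404` for the same situation. Either align the two or call out the difference explicitly, so scripts do not treat a no-op delete as success without inspecting the body. Style: the anchor `[[delete-criticality-api-delete]]` breaks the `asset-criticality-api-*` naming used by the other pages; `[[asset-criticality-api-delete]]` matches.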
@@ -0,0 +1,48 @@ +[[asset-criticality-api-get]] +=== Get asset criticality record + +Retrieve a single asset criticality record by ID field and ID value. + +==== Request URL + +`GET :/api/asset_criticality` + +==== URL query parameters + +[width="100%",options="header"] +|============================================== +|Name |Type |Description |Required + +|`id_field` |String |The field that contains the entity ID. This must be either `user.name` or `host.name`. +|Yes +|`id_value` |String |The ID (host name or user name) of the entity specified in the `id_field` field. +|Yes + +|============================================== + +===== Example requests + +[source,console] +-------------------------------------------------- +GET /api/asset_criticality?id_field=host.name&id_value=my_host + +-------------------------------------------------- + +==== Response code + +`200`:: + Indicates a successful call. +`404`:: + Indicates the criticality record was not found. + +==== Example response + +[source,json] +-------------------------------------------------- +{ + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "high_impact", + "@timestamp": "2024-08-02T11:15:34.290Z" +} +-------------------------------------------------- diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-index.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-index.asciidoc new file mode 100644 index 0000000000..8f6448e023 --- /dev/null +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-index.asciidoc @@ -0,0 +1,11 @@ +include::asset-criticality-api-overview.asciidoc[] + +include::asset-criticality-api-upsert.asciidoc[] + +include::asset-criticality-api-bulk-upsert.asciidoc[] + +include::asset-criticality-api-get.asciidoc[] + +include::asset-criticality-api-list.asciidoc[] + +include::asset-criticality-api-delete.asciidoc[] 
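Review bot: the get example response includes `@timestamp`, but no table or sentence on this page (or the upsert and list pages) says what it represents, presumably when the record was last written; add a short response-fields description. The `id_value` query parameter carries a raw host or user name, so note that it must be URL-encoded, as the list page's `kuery` example already shows with `%20`.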
diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc new file mode 100644 index 0000000000..67dc37f549 --- /dev/null +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc 
@@ -0,0 +1,72 @@ +[[asset-criticality-api-list]] +=== List asset criticality records + +Retrieve a list of asset criticality records. + +Use the query parameters to filter and sort the results as needed. By default, the first page is returned, with 10 results per page. + +==== Request URL + +`GET :/api/asset_criticality/list` + +==== URL query parameters + +[width="100%",options="header"] +|============================================== +|Name |Type |Description |Required + +|`sort_field` |String a|The field to sort the results by, which must be one of the following: + +* `id_value` +* `id_field` +* `criticality_level` +* `@timestamp` + +|No +|`sort_direction` |String |The order to sort the results in, which must be either `asc` or `desc`. +|No +|`page` |Number | The page number to return, which must be at least 1. Defaults to `1`. +|No +|`per_page` |Number |The number of results to return per page, which must be between 1 and 1000. Defaults to `10`. +|No +|`kuery` |String a|A KQL query to filter results by, for example `criticality_level:low_impact OR criticality_level:medium_impact` +|No +|============================================== + +===== Example requests + +[source,console] +-------------------------------------------------- +GET api/asset_criticality/list?kuery=criticality_level:high_impact%20OR%20criticality_level:medium_impact + +-------------------------------------------------- + +==== Response code + +`200`:: + Indicates a successful call. + +==== Example response + +[source,json] +-------------------------------------------------- +{ + "records": [ + { + "id_field": "host.name", + "id_value": "my_other_host", + "criticality_level": "medium_impact", + "@timestamp": "2024-08-02T14:40:35.705Z" + }, + { + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "high_impact", + "@timestamp": "2024-08-02T11:15:34.290Z" + } + ], + "total": 2, + "page": 1, + "per_page": 10 +} +-------------------------------------------------- 
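Review bot: the example request `GET api/asset_criticality/list?...` is missing the leading `/` that every other example in these pages uses. The parameter table gives no default for `sort_field` or `sort_direction`; state them. For `kuery`, say which fields the filter may reference (the four values listed under `sort_field` appear to be the record's only fields) so callers know the query is scoped to asset criticality records.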
diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc new file mode 100644 index 0000000000..22c657b031 --- /dev/null +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc @@ -0,0 +1,5 @@ +[[asset-criticality-api-overview]] +[role="xpack"] +== Asset criticality API + +You can manage <> records through the API. To use this API, you must first turn on the `securitySolution:enableAssetCriticality` <>. \ No newline at end of file diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc new file mode 100644 index 0000000000..17e248da5a --- /dev/null +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc 
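Review bot: the `securitySolution:enableAssetCriticality` prerequisite appears only on this overview page, and no page states which Kibana privileges the endpoints require. Since the endpoint pages are reachable directly by link, add a `.Requirements [sidebar]` naming the setting and privilege, following the pattern introduced in `ai-security-assistant.asciidoc` in this same PR. The file also lacks a trailing newline.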
@@ -0,0 +1,63 @@ +[[asset-criticality-api-upsert]] +=== Upsert (create or update) asset criticality record + +Create or update an asset criticality record. + +If an asset criticality record already exists for the entity specified in the request, this API overwrites that record with the specified value. + +If an asset criticality record doesn't exist for the specified entity, a new record is created. + +==== Request URL + +`POST :/api/asset_criticality` + +==== Request body + +A JSON object defining the asset criticality record. + +[width="100%",options="header"] +|============================================== +|Name |Type |Description |Required +|`id_field` |String |The field that contains the entity ID. This must be either `user.name` or `host.name`. +|Yes +|`id_value` |String |The ID (host name or user name) of the entity specified in the `id_field` field. +|Yes +|`criticality_level` |String a|The asset criticality level to assign, which must be one of the following: + +* `low_impact` +* `medium_impact` +* `high_impact` +* `extreme_impact` + +For example, you can assign `extreme_impact` to business-critical entities, or `low_impact` to entities that pose minimal risk to your security posture. +|Yes +|============================================== + +===== Example requests + +[source,console] +-------------------------------------------------- +POST /api/asset_criticality +{ + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "high_impact" +} +-------------------------------------------------- + +==== Response code + +`200`:: + Indicates a successful call. + +==== Example response + +[source,json] +-------------------------------------------------- +{ + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "high_impact", + "@timestamp": "2024-08-02T11:15:34.290Z" +} +-------------------------------------------------- \ No newline at end of file 
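Review bot: only `200` is documented for the upsert endpoint, but both body fields are constrained (`id_field` to `user.name`/`host.name`, `criticality_level` to four values), so a validation error response exists and should be listed with its status code and body. Since `asset-criticality.asciidoc` in this PR says a UI change to an entity's level immediately recalculates its risk score, state whether an API upsert triggers the same recalculation.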
diff --git a/docs/advanced-entity-analytics/asset-criticality.asciidoc b/docs/advanced-entity-analytics/asset-criticality.asciidoc index 40f52656e7..111b0d5561 100644 --- a/docs/advanced-entity-analytics/asset-criticality.asciidoc +++ b/docs/advanced-entity-analytics/asset-criticality.asciidoc @@ -26,7 +26,7 @@ For example, you can assign **Extreme impact** to business-critical entities, or [discrete] == View and assign asset criticality -Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or <> it to multiple entities by importing a text file. +Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or <> it to multiple entities by importing a text file. Alternatively, you can assign and manage asset criticality records through the <>. When you assign, change, or unassign an individual entity's asset criticality level, that entity's risk score is immediately recalculated. diff --git a/docs/detections/images/available-action-types.png b/docs/detections/images/available-action-types.png index c90828c60d..197cd30d5d 100644 Binary files a/docs/detections/images/available-action-types.png and b/docs/detections/images/available-action-types.png differ diff --git a/docs/detections/images/available-response-actions.png b/docs/detections/images/available-response-actions.png index afd8ce6d15..25c459ef0c 100644 Binary files a/docs/detections/images/available-response-actions.png and b/docs/detections/images/available-response-actions.png differ diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index 5897da6b85..2217305bdd 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -233,7 +233,13 @@ This query does the following: + TIP: When querying indices that tend to be large (for example, `logs-*`), performance can be impacted by the number of fields returned in the output. To optimize performance, we recommend using the {ref}/esql-commands.html#esql-keep[`KEEP`] command to specify fields that you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. -NOTE: An error message displays when the query bar is empty. +[NOTE] +====== + +* An error message displays when the query bar is empty. +* When specifying data sources for an {esql} query, autocomplete doesn't suggest hidden indices, such as `.alerts-*`. You must manually enter the index name or pattern. + +====== - Click the help icon (image:images/esql-help-ref-button.png[Click the ES|QL reference button,20,20]) on the far right side of the query editor to open the in-product reference documentation for all {esql} commands and functions. - Visualize query results using {kibana-ref}/discover.html[Discover] functionality. diff --git a/docs/getting-started/automatic-import.asciidoc b/docs/getting-started/automatic-import.asciidoc new file mode 100644 index 0000000000..d44f6df768 --- /dev/null +++ b/docs/getting-started/automatic-import.asciidoc 
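Review bot: the new `[NOTE]` block uses `*` bullets while the list directly after it uses `-`, and it has blank lines just inside both `======` delimiters; use the same bullet marker and drop the blank lines. `======` renders in Asciidoctor, but `====` is the conventional delimiter unless the block needs nesting.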
@@ -0,0 +1,72 @@ +[[automatic-import]] +[chapter] += Automatic import + +:frontmatter-description: Accelerate threat identification by triaging alerts with a large language model. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [overview] +:frontmatter-tags-user-goals: [get-started] + +WARNING: This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features. + +Automatic Import helps you quickly parse, ingest, and create https://www.elastic.co/elasticsearch/common-schema[ECS mappings] for data from sources that don't yet have prebuilt Elastic integrations. This can accelerate your migration to {elastic-sec}, and help you quickly add new data sources to an existing SIEM solution in {elastic-sec}. Automatic Import uses a large language model (LLM) with specialized instructions to quickly analyze your source data and create a custom integration. + +While Elastic has 400+ {integrations-docs}[prebuilt data integrations], Automatic Import helps you extend data coverage to other security-relevant technologies and applications. Elastic integrations (including those created by Automatic Import) normalize data to {ecs-ref}/ecs-reference.html[the Elastic Common Schema (ECS)], which creates uniformity across dashboards, search, alerts, machine learning, and more. + + +TIP: Click https://elastic.navattic.com/automatic-import[here] to access an interactive demo that shows the feature in action, before setting it up yourself. + +.Requirements +[sidebar] +-- +- A working <>. Automatic Import currently works with all variants of Claude 3. Other models are not supported in this technical preview, but will be supported in future versions. +- An https://www.elastic.co/pricing[Enterprise] subscription. 
+- A sample of the data you want to import, in JSON or NDJSON format. +-- + +IMPORTANT: Using Automatic Import allows users to create new third-party data integrations through the use of third-party generative AI models (“GAI models”). Any third-party GAI models that you choose to use are owned and operated by their respective providers. Elastic does not own or control these third-party GAI models, nor does it influence their design, training, or data-handling practices. Using third-party GAI models with Elastic solutions, and using your data with third-party GAI models is at your discretion. Elastic bears no responsibility or liability for the content, operation, or use of these third-party GAI models, nor for any potential loss or damage arising from their use. Users are advised to exercise caution when using GAI models with personal, sensitive, or confidential information, as data submitted may be used to train the models or for other purposes. Elastic recommends familiarizing yourself with the development practices and terms of use of any third-party GAI models before use. You are responsible for ensuring that your use of Automatic Import complies with the terms and conditions of any third-party platform you connect with. + +[discrete] +== Create a new custom integration + +1. In {elastic-sec}, click **Add integrations**. +2. Under **Can't find an integration?** click **Create new integration**. ++ +image::images/auto-import-create-new-integration-button.png[The Integrations page with the Create new integration button highlighted] ++ +3. Click **Create integration**. +4. Select an <>. +5. Define how your new integration will appear on the Integrations page by providing a **Title**, **Description**, and **Logo**. Click **Next**. +6. Define your integration's package name, which will prefix the imported event fields. +7. Define your **Data stream title**, **Data stream description**, and **Data stream name**. 
These fields appear on the integration's configuration page to help identify the data stream it writes to. +8. Select your {filebeat-ref}/configuration-filebeat-options.html[**Data collection method**]. This determines how your new integration will ingest the data (for example, from an S3 bucket, an HTTP endpoint, or a file stream). +9. Upload a sample of your data in JSON or NDJSON format. Make sure to include all the types of events that you want the new integration to handle. ++ +.Best practices for sample data +[sidebar] +-- +- The file extension (`.JSON` or `.NDJSON`) must match the file format. +- Only the first 10 events in the sample are analyzed. In this technical preview, additional data is truncated. +- Ensure each JSON or NDJSON object represents an event, and avoid deeply nested object structures. +- The more variety in your sample, the more accurate the pipeline will be (for example, include 10 unique log entries instead of the same type of entry 10 times). +- Ideally, each field name should describe what the field does. +-- ++ +10. Click **Analyze logs**, then wait for processing to complete. This may take several minutes. +11. After processing is complete, the pipeline's field mappings appear, including ECS and custom fields. ++ +image::images/auto-import-review-integration-page.png[The Automatic Import Review page showing proposed field mappings] ++ +12. (Optional) After reviewing the proposed pipeline, you can fine-tune it by clicking **Edit pipeline**. Refer to the <> to learn more about formatting field mappings. When you're satisfied with your changes, click **Save**. ++ +image::images/auto-import-edit-pipeline.gif[A gif showing the user clicking the edit pipeline button and viewing the ingest pipeline flyout] ++ +13. Click **Add to Elastic**. After the **Success** message appears, your new integration will be available on the Integrations page. ++ +image::images/auto-import-success-message.png[The automatic import success message] ++ +14. 
Click **Add to an agent** to deploy your new integration and start collecting data, or click **View integration** to view detailed information about your new integration. + +NOTE: Once you've added an integration, you can't edit any details other than the ingest pipeline, which you can edit by going to **Stack Management → Ingest Pipelines**. + +TIP: You can use the <> to check the health of your data ingest pipelines and field mappings. \ No newline at end of file diff --git a/docs/getting-started/images/auto-import-create-new-integration-button.png b/docs/getting-started/images/auto-import-create-new-integration-button.png new file mode 100644 index 0000000000..976898beb2 Binary files /dev/null and b/docs/getting-started/images/auto-import-create-new-integration-button.png differ diff --git a/docs/getting-started/images/auto-import-edit-pipeline.gif b/docs/getting-started/images/auto-import-edit-pipeline.gif new file mode 100644 index 0000000000..1008fb345b Binary files /dev/null and b/docs/getting-started/images/auto-import-edit-pipeline.gif differ diff --git a/docs/getting-started/images/auto-import-review-integration-page.png b/docs/getting-started/images/auto-import-review-integration-page.png new file mode 100644 index 0000000000..97ea0ee831 Binary files /dev/null and b/docs/getting-started/images/auto-import-review-integration-page.png differ diff --git a/docs/getting-started/images/auto-import-success-message.png b/docs/getting-started/images/auto-import-success-message.png new file mode 100644 index 0000000000..d7ef0a8530 Binary files /dev/null and b/docs/getting-started/images/auto-import-success-message.png differ diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc index 997f0bed55..a3f669e27a 100644 --- a/docs/getting-started/index.asciidoc +++ b/docs/getting-started/index.asciidoc 
@@ -17,6 +17,7 @@ include::endgame-sensor-FDA-ven.asciidoc[leveloffset=+2] include::ingest-data.asciidoc[leveloffset=+1] include::threat-intel-integrations.asciidoc[leveloffset=+2] +include::automatic-import.asciidoc[leveloffset=+2] include::security-spaces.asciidoc[leveloffset=+1] diff --git a/docs/getting-started/install-endpoint.asciidoc b/docs/getting-started/install-endpoint.asciidoc index 8173c574fb..d571fa71f7 100644 --- a/docs/getting-started/install-endpoint.asciidoc +++ b/docs/getting-started/install-endpoint.asciidoc @@ -19,6 +19,8 @@ Like other Elastic integrations, {elastic-defend} is integrated into the {agent} If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <> if you're installing the {elastic-endpoint} or <> for more information. +NOTE: {elastic-defend} does not support deployment within an {agent} DaemonSet in Kubernetes. + [discrete] [[add-security-integration]] == Add the {elastic-defend} integration diff --git a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc index 3a53338b53..2dc920c781 100644 --- a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc +++ b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc 
@@ -1,6 +1,8 @@ [[allowlist-endpoint-3rd-party-av-apps]] = Allowlist Elastic Endpoint in third-party antivirus apps +NOTE: If you use other antivirus (AV) software along with {elastic-defend}, you may need to add the other system as a trusted application in the {security-app}. Refer to <> for more information. + Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable. NOTE: Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes. diff --git a/docs/management/admin/event-filters.asciidoc b/docs/management/admin/event-filters.asciidoc index 90845a03e6..06fde46542 100644 --- a/docs/management/admin/event-filters.asciidoc +++ b/docs/management/admin/event-filters.asciidoc 
@@ -36,12 +36,18 @@ For example, in the KQL search bar, enter the following query to find endpoint n -- + [role="screenshot"] -image::images/event-filter.png[] +image::images/event-filter.png[Add event filter flyout, 80%] . Fill in these fields in the **Details** section: .. `Name`: Enter a name for the event filter. .. `Description`: Enter a filter description (optional). . In the **Conditions** section, depending which page you're using to create the filter, either modify the pre-populated conditions or add new conditions to define how {elastic-sec} will filter events. Use these settings: .. `Select operating system`: Select the appropriate operating system. + .. Select which kind of event filter you'd like to create: added:[8.15.0,Coming to {serverless-full}.] + * `Events`: Create a generic event filter that can match any event type. All matching events are excluded. + * `Process Descendants`: Create a filter that suppresses the descendant activity of a specified process. Events from the matched process will be ingested, but events from its descendant processes will be excluded. ++ +This option adds the condition `event.category is process` to narrow the filter to process-type events. You can add more conditions to identify the process whose descendants you want to exclude. + .. `Field`: Select a field to identify the event being filtered. .. `Operator`: Select an operator to define the condition. Available options are: * `is` diff --git a/docs/management/admin/images/event-filter.png b/docs/management/admin/images/event-filter.png index 27546be716..9937fff516 100644 Binary files a/docs/management/admin/images/event-filter.png and b/docs/management/admin/images/event-filter.png differ diff --git a/docs/management/admin/response-actions-config.asciidoc b/docs/management/admin/response-actions-config.asciidoc index 735f6c81b3..d64e2826b9 100644 --- a/docs/management/admin/response-actions-config.asciidoc +++ b/docs/management/admin/response-actions-config.asciidoc 
@@ -6,15 +6,14 @@ :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [manage] -Endpoint response actions involving third-party systems require additional configuration. This page explains the high-level steps you'll need to take to enable these response actions. +preview::[] -[discrete] -[[configure-sentinelone-response-actions]] -== Configure SentinelOne response actions +You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the {elastic-sec} UI. This page explains the configuration steps needed to enable response actions for these third-party systems: -You can direct SentinelOne to perform response actions on protected hosts, such as isolating a suspicious endpoint from your network, without needing to leave the {elastic-sec} UI. +* CrowdStrike +* SentinelOne -preview::[] +Check out <> to learn which response actions are supported for each system. .Prerequisites [sidebar] 
@@ -25,30 +24,75 @@ preview::[] * <>: **All** for the response action features, such as **Host Isolation**, that you want to perform. -* Endpoints must have actively running SentinelOne agents installed. +* Endpoints must have actively running third-party agents installed. -- -Configuration requires the following general steps. Expand the steps and follow the links for detailed instructions: +Expand a section below for your endpoint security system: -. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow {elastic-sec} to collect data and perform actions in SentinelOne. +.**Set up CrowdStrike response actions** +[%collapsible] +==== +// NOTE TO CONTRIBUTORS: These sections have very similar content. If you change anything +// in this section, apply the change to the other sections, too. + +. **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions. ++ +- Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client. +- Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike. + +. **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration] + collects and ingests logs into {elastic-sec}. ++ +.. Go to **Integrations**, search for and select **CrowdStrike**, then select **Add CrowdStrike**. +.. Configure the integration with an **Integration name** and optional **Description**. +.. Select **Collect CrowdStrike logs via API**, and enter the required **Settings**: + - **Client ID**: Client ID for the API client used to read CrowdStrike data. 
+ - **Client Secret**: Client secret allowing you access to CrowdStrike. + - **URL**: The base URL of the CrowdStrike API. +.. Select the **Falcon Alerts** and **Hosts** sub-options under **Collect CrowdStrike logs via API**. +.. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. +.. Click **Save and continue**. +.. Select **Add {agent} to your hosts** and continue with the <> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from CrowdStrike and sending it back to {elastic-sec}. + +. **Create a CrowdStrike connector.** Elastic's {kibana-ref}/crowdstrike-action-type.html[CrowdStrike connector] enables {elastic-sec} to perform actions on CrowdStrike-enrolled hosts. ++ +IMPORTANT: Do not create more than one CrowdStrike connector. ++ +.. Go to **Stack Management** → **Connectors**, then select **Create connector**. +.. Select the CrowdStrike connector. +.. Enter the configuration information: + - **Connector name**: A name to identify the connector. + - **CrowdStrike API URL**: The base URL of the CrowdStrike API. + - **CrowdStrike Client ID**: Client ID for the API client used to perform actions in CrowdStrike. + - **Client Secret**: Client secret allowing you access to CrowdStrike. +.. Click **Save**. + +. **Create and enable detection rules to generate {elastic-sec} alerts.** (Optional) Create <> to generate {elastic-sec} alerts based on CrowdStrike events and data. The {integrations-docs}/crowdstrike[CrowdStrike integration docs] list the available ingested logs and fields you can use to build a rule query. + -.Expand for details +This gives you visibility into CrowdStrike without needing to leave {elastic-sec}. 
You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. +==== + + +.**Set up SentinelOne response actions** [%collapsible] ==== -Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them: +// NOTE TO CONTRIBUTORS: These sections have very similar content. If you change anything +// in this section, apply the change to the other sections, too. +. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow {elastic-sec} to collect data and perform actions in SentinelOne. ++ +Create two API tokens in SentinelOne, and give them the minimum privilege required by the Elastic components that will use them: ++ +-- - SentinelOne integration: Permission to read SentinelOne data. -- SentinelOne connector: Permission to read SentinelOne data and perform actions on SentinelOne-protected hosts (for example, isolating and releasing an endpoint). - +- SentinelOne connector: Permission to read SentinelOne data and perform actions on enrolled hosts (for example, isolating and releasing an endpoint). +-- ++ Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or SentinelOne's docs for details on generating API tokens. -==== . **Install the SentinelOne integration and {agent}.** Elastic's {integrations-docs}/sentinel_one[SentinelOne integration] collects and ingests logs into {elastic-sec}. + -.Expand for details -[%collapsible] -==== -.. In {kib}, go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**. +.. Go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**. .. Configure the integration with an **Integration name** and optional **Description**. .. 
Ensure that **Collect SentinelOne logs via API** is selected, and enter the required **Settings**: - **URL**: The SentinelOne console URL. 
@@ -56,35 +100,29 @@ Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or S .. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. .. Click **Save and continue**. .. Select *Add {agent} to your hosts* and continue with the <> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from SentinelOne and sending it to {elastic-sec}. -==== -. **Create a SentinelOne connector.** Elastic's {kibana-ref}/sentinelone-action-type.html[SentinelOne connector] enables {elastic-sec} to perform actions on SentinelOne-protected hosts. +. **Create a SentinelOne connector.** Elastic's {kibana-ref}/sentinelone-action-type.html[SentinelOne connector] enables {elastic-sec} to perform actions on SentinelOne-enrolled hosts. + -.Expand for details -[%collapsible] -==== IMPORTANT: Do not create more than one SentinelOne connector. -.. In {kib}, go to **Stack Management** → **Connectors**, then select **Create connector**. +.. Go to **Stack Management** → **Connectors**, then select **Create connector**. .. Select the **SentinelOne** connector. .. Enter the configuration information: - **Connector name**: A name to identify the connector. - **SentinelOne tenant URL**: The SentinelOne tenant URL. - - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on SentinelOne-protected hosts. + - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts. .. Click **Save**. -==== . 
**Create and enable a rule to generate {elastic-sec} alerts.** Create a <> to generate {elastic-sec} alerts whenever SentinelOne generates alerts. + -.Expand for details -[%collapsible] -==== Use these settings when creating the custom query rule to target the data collected from SentinelOne: - ++ +-- - **Index patterns**: `logs-sentinel_one.alert*` - **Custom query**: `observer.serial_number:*` - +-- ++ NOTE: Do not include any other index patterns or query parameters. - -This rule will give you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout. -==== ++ +This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu in the alert details flyout. +==== \ No newline at end of file diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index dd2b10ff20..7c807d8777 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc @@ -111,12 +111,7 @@ Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. -[NOTE] -==== -Files retrieved from third-party-protected hosts require a different password. Refer to the following: - -* <> -==== +NOTE: Files retrieved from third-party-protected hosts require a different password. Refer to <> for your system's password. You must include the following parameter to specify the file's location on the host: 
diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc index a544666a75..4daea36693 100644 --- a/docs/management/admin/third-party-actions.asciidoc +++ b/docs/management/admin/third-party-actions.asciidoc 
@@ -1,26 +1,43 @@ [[third-party-actions]] = Third-party response actions -:frontmatter-description: Perform response actions on hosts protected by third-party endpoint security systems. +:frontmatter-description: Respond to threats on hosts enrolled in third-party security systems. :frontmatter-tags-products: [security] :frontmatter-tags-content-type: [reference] :frontmatter-tags-user-goals: [manage] preview::[] -[discrete] -[[sentinelone-response-actions]] -== SentinelOne response actions - -You can direct SentinelOne to perform response actions on protected hosts without leaving the {elastic-sec} UI. Prior <> is required to connect {elastic-sec} with SentinelOne. +You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the {elastic-sec} UI. .Requirements [sidebar] -- -Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription], and each response action type has its own user role privilege requirements. Refer to <> for more information. +* Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription]. + +* Each response action type has its own user role privilege requirements. Find an action's role requirements at <>. -- -The following response actions and related features are supported for SentinelOne-protected hosts: +[discrete] +[[crowdstrike-response-actions]] +== CrowdStrike response actions + +These response actions are supported for CrowdStrike-enrolled hosts: + +* **Isolate and release a host** using any of these methods: ++ +-- +** From a detection alert +** From the response console +-- ++ +Refer to the instructions on <> and <> hosts for more details. 
+ +[discrete] +[[sentinelone-response-actions]] +== SentinelOne response actions + +These response actions are supported for SentinelOne-enrolled hosts: * **Isolate and release a host** using any of these methods: + @@ -33,6 +50,6 @@ Refer to the instructions on <> and <>. + -NOTE: For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file. +NOTE: For SentinelOne-enrolled hosts, you must use the password `Elastic@123` to open the retrieved file. * **View past response action activity** in the <> log. diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc index c4d3becfd8..57dc0869fc 100644 --- a/docs/management/admin/trusted-apps.asciidoc +++ b/docs/management/admin/trusted-apps.asciidoc @@ -2,6 +2,8 @@ [chapter, role="xpack"] = Trusted applications +NOTE: If you use {elastic-defend} along with other antivirus (AV) software, you might need to configure the other system to trust {elastic-endpoint}. Refer to <> for more information. + You can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the {elastic-defend} integration. .Requirements diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index bdbe757457..1e3b81d224 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> @@ -61,6 +62,7 @@ This section summarizes the changes in each release. * <> * <> +include::release-notes/8.15.asciidoc[] include::release-notes/8.14.asciidoc[] include::release-notes/8.13.asciidoc[] include::release-notes/8.12.asciidoc[] 
diff --git a/docs/release-notes/8.10.asciidoc b/docs/release-notes/8.10.asciidoc index bf15a30606..dbf02b90d5 100644 --- a/docs/release-notes/8.10.asciidoc +++ b/docs/release-notes/8.10.asciidoc @@ -86,7 +86,8 @@ There are no user-facing changes in 8.10.2. [discrete] [[breaking-changes-8.10.0]] ==== Breaking changes -There are no breaking changes in 8.10.0. +* {elastic-defend} no longer supports deployment within an {agent} DaemonSet in Kubernetes. + [discrete] [[features-8.10.0]] diff --git a/docs/release-notes/8.15.asciidoc b/docs/release-notes/8.15.asciidoc new file mode 100644 index 0000000000..76c4a52530 --- /dev/null +++ b/docs/release-notes/8.15.asciidoc 
@@ -0,0 +1,95 @@ +[[release-notes-header-8.15.0]] +== 8.15 + +[discrete] +[[release-notes-8.15.0]] +=== 8.15.0 + +[discrete] +[[known-issue-8.15.0]] +==== Known issues + +// tag::known-issue-189676[] +[discrete] +.Tags appear in Elastic AI Assistant's responses +[%collapsible] +==== +*Details* + +On August 1, 2024, it was discovered that Elastic AI Assistant's responses when using Bedrock Sonnet 3.5 may include `` tags, for example `` ({kibana-pull}189676[#189676]). + + +==== +// end::known-issue-189676[] + + +[discrete] +[[breaking-changes-8.15.0]] +==== Breaking changes + +* If you previously created any user-defined quick prompts for Elastic AI Assistant, they will no longer appear after you upgrade to 8.15. To resolve this, copy your existing quick prompts prior to upgrading, then add them again after upgrading. Additionally, in 8.15, quick prompts are shared by all users in your deployment, rather than saved at the user level ({kibana-pull}187040[#187040]). + +[discrete] +[[features-8.15.0]] +==== New features + +* Introduces Automatic Import, a feature that helps you to quickly parse, ingest, and create ECS mappings for data from sources that don't yet have prebuilt Elastic integrations ({kibana-pull}186304[#186304]). +* Creates an LLM connector for Google Gemini ({kibana-pull}183668[#183668]). +* Adds an API for Elastic AI Assistant ({kibana-pull}184485[#184485]). +* Adds the `scan` action to the response console, which allows you to scan a specific file or directory on a host for malware ({kibana-pull}184723[#184723]). +* Adds an {elastic-defend} integration policy option in Advanced Settings that allows you to opt out of registry event filtering ({kibana-pull}186564[#186564]). +* Allows you to specify additional file and registry paths to monitor for read access ({kibana-pull}181361[#181361]). +* Allows you to use {elastic-sec} to isolate and release hosts running a CrowdStrike agent ({kibana-pull}186801[#186801]). 
+* Allows you to retrieve files from SentinelOne-enrolled hosts ({kibana-pull}181162[#181162]). +* Allows you to create an event filter that excludes the descendant events of a specific process ({kibana-pull}184947[#184947]). +* Recalculates entity risk scores when asset criticality changes on an individual entity ({kibana-pull}182234[#182234]). +* Adds an **Asset criticality** column to user and host data tables. If asset criticality levels are assigned to your users and hosts, this information appears in the **Asset criticality** column ({kibana-pull}186375[#186375], {kibana-pull}186456[#186456]). +* Adds an API that allows you to perform paginated KQL searches through asset criticality records ({kibana-pull}186568[#186568]). +* Adds public APIs for managing asset criticality ({kibana-pull}186169[#186169]). +* Allows you to edit the `max_signals`, `related_integrations`, and `required_fields` fields for custom rules ({kibana-pull}179680[#179680], {kibana-pull}178295[#178295], {kibana-pull}180682[#180682]). +* Provides help from AI Assistant when you're correcting rule query errors ({kibana-pull}179091[#179091]). +* Allows you to bulk update custom highlighted fields for rules ({kibana-pull}179312[#179312]). +* Adds alert suppression for {ml} and {esql} rules ({kibana-pull}181926[#181926], {kibana-pull}180927[#180927]). +* Provides previews of hosts, users, and alerts that you're examining in the alert details flyout ({kibana-pull}186850[#186850], {kibana-pull}186857[#186857]). +* Enhances Timeline’s data exploration experience by incorporating components from Discover, such as the sidebar and table, which allow you to quickly find fields of interest. Timeline’s overall performance is also improved ({kibana-pull}176064[#176064]). +* Adds an option for toggling row renderers on and off, and moves notes to a new flyout in Timeline ({kibana-pull}186948[#186948]). +* Revamps the Dashboards landing page ({kibana-pull}186465[#186465]). 
+ +[discrete] +[[enhancements-8.15.0]] +==== Enhancements + +* Allows Attack discovery generation to continue when you navigate to another page, and allows you to run Attack discovery with multiple connectors simultaneously. ({kibana-pull}184949[#184949]). +* Adds notifications to the connector dropdown menu on the Attack discovery page so you know when other connectors have new discoveries ({kibana-pull}186903[#186903], {kibana-pull}187209[#187209]). +* Improves AI Assistant's responses across multiple connectors and in multiple scenarios for streaming and non-streaming use cases ({kibana-pull}182041[#182041], {kibana-pull}187183[#187183]). +* Enables AI Assistant to remember information you ask it to remember ({kibana-pull}184554[#184554], https://github.com/elastic/security-docs/issues/5670[#5670]). +* Updates the default Gemini version to `gemini-1.5-pro-001` and the default Bedrock version to `anthropic.claude-3-5-sonnet-20240620-v1:0` ({kibana-pull}186671[#186671]). +* Simplifies how you enable AI Assistant's knowledge base ({kibana-pull}182763[#182763]). +* Unifies the AI Assistant's settings view ({kibana-pull}184678[#184678]). +* Introduces a new {elastic-endpoint} policy setting that allows you to control whether the kernel reports Windows network events that happened on a local loopback interface ({kibana-pull}181753[#181753]). +* Improves how failure messages for the `scan` action appear in the response console ({kibana-pull}186284[#186284]). +* Improves the risk engine's performance. Now, after you turn on the engine, risk data is available sooner ({kibana-pull}184797[#184797]). +* Enhances the risk engine's normalization accuracy ({kibana-pull}184638[#184638]). +* Updates the copy for bulk assigning asset criticality to multiple entities ({kibana-pull}181390[#181390]). +* Improves visual and logic issues in the Findings table ({kibana-pull}184185[#184185]). 
+* Enables the expandable alert details flyout by default and replaces the `securitySolution:enableExpandableFlyout` advanced setting with a feature flag that allows you to revert to the old flyout version ({kibana-pull}184169[#184169]). +* Improves the UI design and copy of various places in the alert details flyout ({kibana-pull}187430[#187430], {kibana-pull}187920[#187920]). +* Updates the MITRE ATT&CK framework to version 15.1 ({kibana-pull}183463[#183463]). +* Improves the warning message about rule actions being unavailable after a rule ran ({kibana-pull}182741[#182741]). +* Enables the `xMatters` and `Server Log connectors` rule actions ({kibana-pull}172933[#172933]). + +[discrete] +[[bug-fixes-8.15.0]] +==== Bug fixes + +* Fixes a bug that prevented Timeline from properly retrieving results after upgrading to 8.14.1 ({kibana-pull}189031[#189031]). +* Fixes a bug that showed that Timeline had been changed, even if it hadn't been ({kibana-pull}188106[#188106]). +* Removes the option to investigate suppressed alerts in Timeline when you're previewing alert details from a rule preview ({kibana-pull}188385[#188385]). +* Fixes the alignment of the page selector dropdown menu on the Shared Exception Lists page ({kibana-pull}187956[#187956]). +* Fixes a rule execution error that occurred when {esql} rules queried source documents with non-ECS compliant sub-fields under the `event.action` field ({kibana-pull}187549[#187549]). +* Fixes a bug that caused the `Enable entity risk scoring` option to display even when you didn't have the correct requirements ({kibana-pull}183517[#183517]). +* Prevents `maxClauseCount` errors from occurring for indicator match rules ({kibana-pull}179748[#179748]). +* Fixes a bug that prevented threat intelligence fields from correctly rendering in the alert details flyout if they had flattened fields ({kibana-pull}179395[#179395]). 
+* Removes references in the UI that directed users to outdated documentation for the risk scoring feature ({kibana-pull}187585[#187585]). +* Fixes a bug on the Get started page that prevented the correct username from being displayed in the greeting message ({kibana-pull}180670[#180670]). +* Fixes a bug that caused the pagination menu from appearing in the correct place for the Uncommon processes table ({kibana-pull}189201[#189201]). +* Fixes a bug that affected the panel showing the last command details in the Uncommon processes table ({kibana-pull}187848[#187848]). \ No newline at end of file diff --git a/docs/serverless/AI-for-security/ai-assistant.mdx b/docs/serverless/AI-for-security/ai-assistant.mdx index 50fed82fa0..30d7c49165 100644 --- a/docs/serverless/AI-for-security/ai-assistant.mdx +++ b/docs/serverless/AI-for-security/ai-assistant.mdx @@ -95,10 +95,11 @@ Use these features to adjust and act on your conversations with AI Assistant: * **Copy to clipboard** (): Copy the text to clipboard to paste elsewhere. Also helpful for resubmitting a previous prompt. * **Add to timeline** (): Add a filter or query to Timeline using the text. This button appears for particular queries in AI Assistant's responses. - - Be sure to specify which language you'd like AI Assistant to use when writing a query. For example: "Can you generate an Event Query Language query to find four failed logins followed by a successful login?" - + Be sure to specify which language you'd like AI Assistant to use when writing a query. For example: "Can you generate an Event Query Language query to find four failed logins followed by a successful login?" + +AI Assistant can remember particular information you tell it to remember. For example, you could tell it: "When anwering any question about srv-win-s1-rsa or an alert that references it, mention that this host is in the New York data center". This will cause it to remember the detail you highlighted. +
@@ -124,6 +125,7 @@ The **Settings** menu has the following tabs: ### Anonymization + The **Anonymization** tab of the AI Assistant settings menu allows you to define default data anonymization behavior for events you send to AI Assistant. Fields with **Allowed** toggled on are included in events provided to AI Assistant. **Allowed** fields with **Anonymized** set to **Yes** are included, but with their values obfuscated. ![AI Assistant's settings menu, open to the Anonymization tab](../images/ai-assistant/-assistant-assistant-anonymization-menu.png) @@ -138,7 +140,7 @@ When you include a particular event as context, such as an alert from the Alerts -The **Knowledge base** tab of the AI Assistant settings menu allows you to enable AI Assistant to answer questions about the Elastic Search Query Language ((esql)), and about alerts in your environment. +The **Knowledge base** tab of the AI Assistant settings menu allows you to enable AI Assistant to answer questions about the Elastic Search Query Language (((esql))), and about alerts in your environment. To use it, you must , ### Knowledge base for ((esql)) 
@@ -148,13 +150,11 @@ The **Knowledge base** tab of the AI Assistant settings menu allows you to enabl When this feature is enabled, AI Assistant can help you write an ((esql)) query for a particular use case, or answer general questions about ((esql)) syntax and usage. To enable AI Assistant to answer questions about ((esql)): -* Enable the Elastic Learned Sparse EncodeR (ELSER). This model provides additional context to the third-party LLM. To learn more, refer to [Configure ELSER](((ml-docs))/ml-nlp-elser.html#download-deploy-elser). -* Initialize the knowledge base by clicking **Initialize**. -* Turn on the **Knowledge Base** option. +* Turn on the knowledge base by clicking **Setup**. If the **Setup** button doesn't appear, knowledge base is already enabled. * Click **Save**. The knowledge base is now active. A quick prompt for ((esql)) queries becomes available, which provides a good starting point for your ((esql)) conversations and questions. -To update AI Assistant so that it uses the most current ((esql)) documentation to answer your questions, click **Delete** next to **Knowledge Base**, and toggle the **Knowledge Base** slider off and then on. +AI Assistant's knowledge base gets additional context from [Elastic Learned Sparse EncodeR (ELSER)](((ml-docs))/ml-nlp-elser.html#download-deploy-elser). ### Knowledge base for alerts @@ -163,8 +163,8 @@ When this feature is enabled, AI Assistant will receive multiple alerts as conte To enable RAG for alerts: -1. Turn on the **Alerts** setting. -1. Use the slider to select the number of alerts to send to AI Assistant. +* Turn on the knowledge base by clicking **Setup**. If the **Setup** button doesn't appear, knowledge base is already enabled. +* Use the slider to select the number of alerts to send to AI Assistant. Click **Save**. ![AI Assistant's settings menu, open to the Knowledge base tab](../images/ai-assistant/assistant-kb-menu.png) 
diff --git a/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png b/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png index 0075102604..0f2bf87bac 100644 Binary files a/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png and b/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png differ diff --git a/docs/serverless/AI-for-security/images/attck-disc-remediate-sodinokibi.gif b/docs/serverless/AI-for-security/images/attck-disc-remediate-sodinokibi.gif new file mode 100644 index 0000000000..f4fd2c9ed1 Binary files /dev/null and b/docs/serverless/AI-for-security/images/attck-disc-remediate-sodinokibi.gif differ diff --git a/docs/serverless/AI-for-security/images/attck-disc-translate-japanese.png b/docs/serverless/AI-for-security/images/attck-disc-translate-japanese.png new file mode 100644 index 0000000000..190efbb09e Binary files /dev/null and b/docs/serverless/AI-for-security/images/attck-disc-translate-japanese.png differ diff --git a/docs/serverless/AI-for-security/llm-performance-matrix.mdx b/docs/serverless/AI-for-security/llm-performance-matrix.mdx index 0162428d48..3964277163 100644 --- a/docs/serverless/AI-for-security/llm-performance-matrix.mdx +++ b/docs/serverless/AI-for-security/llm-performance-matrix.mdx 
@@ -8,11 +8,11 @@ status: in review This table describes the performance of various large language models (LLMs) for different use cases in ((elastic-sec)), based on our internal testing. To learn more about these use cases, refer to or . -| **Feature** | **Model** | | | | | -|-------------------------------|-----------------------|--------------------|--------------------|------------|-----------------| -| | **Claude 3: Opus** | **Claude 3.5: Sonnet** | **Claude 3: Haiku** | **GPT-4o** | **GPT-4 Turbo** | -| **Assistant: general** | Excellent | Excellent | Excellent | Excellent | Excellent | -| **Assistant: ((esql)) generation** | Great | Great | Poor | Excellent | Poor | -| **Assistant: alert questions** | Excellent | Excellent | Excellent | Excellent | Poor | -| **Attack discovery** | Excellent | Excellent | Poor | Poor | Good | +| **Feature** | **Model** | | | | | | | +|-------------------------------|-----------------------|--------------------|--------------------|------------|-----------------|------------------|-----------| +| | **Claude 3: Opus** | **Claude 3.5: Sonnet** | **Claude 3: Haiku** | **GPT-4o** | **GPT-4 Turbo** | Gemini 1.5 Pro | Gemini 1.5 Flash | +| **Assistant: general** | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | +| **Assistant: ((esql)) generation** | Great | Great | Poor | Excellent | Poor | Good | Poor | +| **Assistant: alert questions** | Excellent | Excellent | Excellent | Excellent | Poor | Excellent | Good | +| **Attack discovery** | Excellent | Excellent | Poor | Poor | Good | Great | Poor | diff --git a/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.mdx b/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.mdx index b9104ee812..ce164a6dbd 100644 --- a/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.mdx 
+++ b/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.mdx @@ -22,7 +22,7 @@ Attack discovery can detect a wide range of threats by finding relationships amo -In the example above, Attack discovery found connections between eleven alerts, and used them to identify and describe an attack chain. +In the example above, Attack discovery found connections between nine alerts, and used them to identify and describe an attack chain. After Attack discovery outlines your threat landscape, use Elastic AI Assistant to quickly analyze a threat in detail. @@ -31,8 +31,10 @@ After Attack discovery outlines your threat landscape, use Elastic AI Assistant From a discovery on the Attack discovery page, click **View in AI Assistant** to start a chat that includes the discovery as context. -AI Assistant can quickly compile essential data and provide suggestions to help you generate an incident report and plan an effective response. You can ask it to provide relevant data or answer questions, such as “How can I remediate this threat?” or “What ((esql)) query would isolate actions taken by this user?” + + +AI Assistant can quickly compile essential data and provide suggestions to help you generate an incident report and plan an effective response. You can ask it to provide relevant data or answer questions, such as “How can I remediate this threat?” or “What ((esql)) query would isolate actions taken by this user?” @@ -41,7 +43,7 @@ The image above shows an ((esql)) query generated by AI Assistant in response to At any point in a conversation with AI Assistant, you can add data, narrative summaries, and other information from its responses to ((elastic-sec))'s case management system to generate incident reports.
-## Create a case using AI Assistant +## Generate reports From the AI Assistant dialog window, click **Add to case** () next to a message to add the information in that message to a . Cases help centralize relevant details in one place for easy sharing with stakeholders. @@ -49,6 +51,10 @@ If you add a message that contains a discovery to a case, AI Assistant automatic
## Translate incident information to a different human language using AI Assistant + + + + AI Assistant can translate its findings into other human languages, helping to enable collaboration among global security teams, and making it easier to operate within multilingual organizations. After AI Assistant provides information in one language, you can ask it to translate its responses. For example, if it provides remediation steps for an incident, you can instruct it to “Translate these remediation steps into Japanese.” You can then add the translated output to a case. This can help team members receive the same information and insights regardless of their primary language. diff --git a/docs/serverless/edr-install-config/install-elastic-defend.mdx b/docs/serverless/edr-install-config/install-elastic-defend.mdx index 0758bb46f6..16595de04c 100644 --- a/docs/serverless/edr-install-config/install-elastic-defend.mdx +++ b/docs/serverless/edr-install-config/install-elastic-defend.mdx @@ -29,6 +29,10 @@ Like other Elastic integrations, ((elastic-defend)) is integrated into the ((age If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to requirements for ((elastic-endpoint)) if you're installing the ((elastic-endpoint)) or requirements for the Endgame sensor for more information. + +((elastic-defend)) does not support deployment within an ((agent)) DaemonSet in Kubernetes. + +
## Add the ((elastic-defend)) integration diff --git a/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx b/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx new file mode 100644 index 0000000000..992d8ac5d7 --- /dev/null +++ b/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx 
@@ -0,0 +1,69 @@ +--- +slug: /serverless/security/allowlist-endpoint +title: Allowlist ((elastic-endpoint)) in third-party antivirus apps +description: Add ((elastic-endpoint)) as a trusted application in third-party antivirus (AV) software. +tags: [ 'serverless', 'security', 'overview' ] +status: in review +--- + + + + +If you use other antivirus (AV) software along with ((elastic-defend)), you may need to add the other system as a trusted application in the ((security-app)). Refer to for more information. + + +Third-party antivirus (AV) applications may identify the expected behavior of ((elastic-endpoint)) as a potential threat. Add ((elastic-endpoint))'s digital signatures and file paths to your AV software's allowlist to ensure ((elastic-endpoint)) continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable. + + +Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes. + + +## Allowlist ((elastic-endpoint)) on Windows + +File paths: + +* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys` +* Driver: `c:\Windows\system32\drivers\ElasticElam.sys` +* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe` + + + The executable runs as `elastic-endpoint.exe`. + + +Digital signatures: + +* `Elasticsearch, Inc.` +* `Elasticsearch B.V.` + +For additional information about allowlisting on Windows, refer to [Trusting Elastic Defend in other software](https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software). 
+ +## Allowlist ((elastic-endpoint)) on macOS + +File paths: + +* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/` + + + The system extension runs as `co.elastic.systemextension`. + + +* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint` + + + The executable runs as `elastic-endpoint`. + + +Digital signatures: + +* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)` +* Team ID: `2BT3HPN62Z` + +## Allowlist ((elastic-endpoint)) on Linux + +File path: + +* Executable: `/opt/Elastic/Endpoint/elastic-endpoint` + + + The executable runs as `elastic-endpoint`. + \ No newline at end of file diff --git a/docs/serverless/edr-manage/trusted-apps-ov.mdx b/docs/serverless/edr-manage/trusted-apps-ov.mdx index 359b6db2be..2576a17d41 100644 --- a/docs/serverless/edr-manage/trusted-apps-ov.mdx +++ b/docs/serverless/edr-manage/trusted-apps-ov.mdx @@ -9,6 +9,10 @@ status: in review
+ +If you use ((elastic-defend)) along with other antivirus (AV) software, you might need to configure the other system to trust ((elastic-endpoint)). Refer to for more information. + + On the **Trusted applications** page (**Assets** → **Trusted applications**), you can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the ((elastic-defend)) integration. diff --git a/docs/serverless/endpoint-response-actions/response-actions-config.mdx b/docs/serverless/endpoint-response-actions/response-actions-config.mdx index ed49021ffc..1d3db67f6e 100644 --- a/docs/serverless/endpoint-response-actions/response-actions-config.mdx +++ b/docs/serverless/endpoint-response-actions/response-actions-config.mdx @@ -3,79 +3,121 @@ slug: /serverless/security/response-actions-config title: Configure third-party response actions description: Configure ((elastic-sec)) to perform response actions on hosts protected by third-party systems. tags: ["serverless","security","how-to","configure"] -status: in review --- -
-Endpoint response actions involving third-party systems require additional configuration. This page explains the high-level steps you'll need to take to enable these response actions. + -
+
-## Configure SentinelOne response actions +You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the ((elastic-sec)) UI. This page explains the configuration steps needed to enable response actions for these third-party systems: -You can direct SentinelOne to perform response actions on protected hosts, such as isolating a suspicious endpoint from your network, without needing to leave the ((elastic-sec)) UI. +* CrowdStrike +* SentinelOne - +Check out to learn which response actions are supported for each system. * Project features add-on: Endpoint Protection Complete * User roles: **SOC manager** or **Endpoint operations analyst** -* Endpoints must have actively running SentinelOne agents installed. +* Endpoints must have actively running third-party agents installed. -Configuration requires the following general steps. Expand the steps and follow the links for detailed instructions: +Select a tab below for your endpoint security system: -1. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow ((elastic-sec)) to collect data and perform actions in SentinelOne. + + + {/* NOTE TO CONTRIBUTORS: These DocTabs have very similar content. If you change anything + in this tab, apply the change to the other tabs, too. */} + To configure response actions for CrowdStrike-enrolled hosts: - - Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them: - - SentinelOne integration: Permission to read SentinelOne data. - - SentinelOne connector: Permission to read SentinelOne data and perform actions on SentinelOne-protected hosts (for example, isolating and releasing an endpoint). - - Refer to the [SentinelOne integration docs](((integrations-docs))/sentinel_one) or SentinelOne's docs for details on generating API tokens. - + 1. 
**Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions. + + - Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client. -1. **Install the SentinelOne integration and ((agent)).** Elastic's [SentinelOne integration docs](((integrations-docs))/sentinel_one) collects and ingests logs into ((elastic-sec)). + - Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure ((elastic-sec)) components to access CrowdStrike.

- - 1. In ((kib)), go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**. + 1. **Install the CrowdStrike integration and ((agent)).** Elastic's [CrowdStrike integration](((integrations-docs))/crowdstrike) collects and ingests logs into ((elastic-sec)). + 1. Go to **Project Settings** → **Integrations**, search for and select **CrowdStrike**, then select **Add CrowdStrike**. 1. Configure the integration with an **Integration name** and optional **Description**. - 1. Ensure that **Collect SentinelOne logs via API** is selected, and enter the required **Settings**: - - **URL**: The SentinelOne console URL. - - **API Token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data. + 1. Select **Collect CrowdStrike logs via API**, and enter the required **Settings**: + - **Client ID**: Client ID for the API client used to read CrowdStrike data. + - **Client Secret**: Client secret allowing you access to CrowdStrike. + - **URL**: The base URL of the CrowdStrike API. + 1. Select the **Falcon Alerts** and **Hosts** sub-options under **Collect CrowdStrike logs via API**. 1. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on ((agent)) configuration settings, refer to [((agent)) policies](((fleet-guide))/agent-policy.html). 1. Click **Save and continue**. - 1. Select **Add ((agent)) to your hosts** and continue with the ((agent)) installation steps to install ((agent)) on a resource in your network (such as a server or VM). ((agent)) will act as a bridge collecting data from SentinelOne and sending it back to ((elastic-sec)). - + 1. Select **Add ((agent)) to your hosts** and continue with the ((agent)) installation steps to install ((agent)) on a resource in your network (such as a server or VM). 
((agent)) will act as a bridge collecting data from CrowdStrike and sending it back to ((elastic-sec)).

-1. **Create a SentinelOne connector.** Elastic's [SentinelOne connector](((kibana-ref))/sentinelone-action-type.html) enables ((elastic-sec)) to perform actions on SentinelOne-protected hosts. + 1. **Create a CrowdStrike connector.** Elastic's [CrowdStrike connector](((kibana-ref))/crowdstrike-action-type.html) enables ((elastic-sec)) to perform actions on CrowdStrike-enrolled hosts. - - Do not create more than one SentinelOne connector. + Do not create more than one CrowdStrike connector. - 1. In ((kib)), go to **Stack Management** → **Connectors**, then select **Create connector**. - 1. Select the **SentinelOne** connector. + 1. Go to **Stack Management** → **Connectors**, then select **Create connector**. + 1. Select the **CrowdStrike** connector. 1. Enter the configuration information: - **Connector name**: A name to identify the connector. - - **SentinelOne tenant URL**: The SentinelOne tenant URL. - - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on SentinelOne-protected hosts. - 1. Click **Save**. - + - **CrowdStrike API URL**: The base URL of the CrowdStrike API. + - **CrowdStrike Client ID**: Client ID for the API client used to perform actions in CrowdStrike. + - **Client Secret**: Client secret allowing you access to CrowdStrike. + 1. Click **Save**.

+ + 1. **Create and enable detection rules to generate ((elastic-sec)) alerts.** (Optional) Create detection rules to generate ((elastic-sec)) alerts based on CrowdStrike events and data. The [CrowdStrike integration docs](((integrations-docs))/crowdstrike) list the available ingested logs and fields you can use to build a rule query. + + This gives you visibility into CrowdStrike without needing to leave ((elastic-sec)). You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. +
-1. **Create and enable a rule to generate ((elastic-sec)) alerts.** Create a custom query detection rule to generate ((elastic-sec)) alerts whenever SentinelOne generates alerts. + + {/* NOTE TO CONTRIBUTORS: These DocTabs have very similar content. If you change anything + in this tab, apply the change to the other tabs, too. */} + To configure response actions for SentinelOne-enrolled hosts: - - Use these settings when creating the custom query rule to target the data collected from SentinelOne: - - **Index patterns**: `logs-sentinel_one.alert*` - - **Custom query**: `observer.serial_number:*` + 1. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow ((elastic-sec)) to collect data and perform actions in SentinelOne. - - Do not include any other index patterns or query parameters. - + Create two API tokens in SentinelOne, and give them the minimum privilege required by the Elastic components that will use them: + - SentinelOne integration: Permission to read SentinelOne data. + - SentinelOne connector: Permission to read SentinelOne data and perform actions on enrolled hosts (for example, isolating and releasing an endpoint).

+ + Refer to the [SentinelOne integration docs](((integrations-docs))/sentinel_one) or SentinelOne's docs for details on generating API tokens.

+ + 1. **Install the SentinelOne integration and ((agent)).** Elastic's [SentinelOne integration](((integrations-docs))/sentinel_one) collects and ingests logs into ((elastic-sec)). + + 1. Go to **Project Settings** → **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**. + 1. Configure the integration with an **Integration name** and optional **Description**. + 1. Ensure that **Collect SentinelOne logs via API** is selected, and enter the required **Settings**: + - **URL**: The SentinelOne console URL. + - **API Token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data. + 1. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on ((agent)) configuration settings, refer to [((agent)) policies](((fleet-guide))/agent-policy.html). + 1. Click **Save and continue**. + 1. Select **Add ((agent)) to your hosts** and continue with the ((agent)) installation steps to install ((agent)) on a resource in your network (such as a server or VM). ((agent)) will act as a bridge collecting data from SentinelOne and sending it back to ((elastic-sec)).

+ + 1. **Create a SentinelOne connector.** Elastic's [SentinelOne connector](((kibana-ref))/sentinelone-action-type.html) enables ((elastic-sec)) to perform actions on SentinelOne-enrolled hosts. + + + Do not create more than one SentinelOne connector. + + + 1. Go to **Stack Management** → **Connectors**, then select **Create connector**. + 1. Select the **SentinelOne** connector. + 1. Enter the configuration information: + - **Connector name**: A name to identify the connector. + - **SentinelOne tenant URL**: The SentinelOne tenant URL. + - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts. + 1. Click **Save**.

+ + 1. **Create and enable a rule to generate ((elastic-sec)) alerts.** (Optional) Create a custom query detection rule to generate ((elastic-sec)) alerts whenever SentinelOne generates alerts. + + Use these settings when creating the custom query rule to target the data collected from SentinelOne: + - **Index patterns**: `logs-sentinel_one.alert*` + - **Custom query**: `observer.serial_number:*`

+ + + Do not include any other index patterns or query parameters. + - This gives you visibility into SentinelOne without needing to leave ((elastic-sec)). You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout. -
\ No newline at end of file + This gives you visibility into SentinelOne without needing to leave ((elastic-sec)). You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu in the alert details flyout. +
+
diff --git a/docs/serverless/endpoint-response-actions/response-actions.mdx b/docs/serverless/endpoint-response-actions/response-actions.mdx index 0229a22c5e..5c1f7c8b18 100644 --- a/docs/serverless/endpoint-response-actions/response-actions.mdx +++ b/docs/serverless/endpoint-response-actions/response-actions.mdx @@ -112,9 +112,7 @@ Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. -Files retrieved from third-party-protected hosts require a different password. Refer to the following: - -- SentinelOne response actions +Files retrieved from third-party-protected hosts require a different password. Refer to for your system's password. You must include the following parameter to specify the file's location on the host: diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.mdx b/docs/serverless/endpoint-response-actions/third-party-actions.mdx index f2874aece6..7ff2c49d68 100644 --- a/docs/serverless/endpoint-response-actions/third-party-actions.mdx +++ b/docs/serverless/endpoint-response-actions/third-party-actions.mdx @@ -1,35 +1,55 @@ --- slug: /serverless/security/third-party-actions title: Third-party response actions -description: Perform response actions on hosts protected by third-party endpoint security systems. +description: Respond to threats on hosts enrolled in third-party security systems. tags: ["serverless","security","defend","reference","manage"] --- -
+ -## SentinelOne response actions +
-You can direct SentinelOne to perform response actions on protected hosts without leaving the ((elastic-sec)) UI. Prior configuration is required to connect ((elastic-sec)) with SentinelOne. +You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the ((elastic-sec)) UI. -Third-party response actions require the Endpoint Protection Complete , and each response action type has its own user role privilege requirements. Refer to for more information. +* Third-party response actions require the Endpoint Protection Complete . + +* Each response action type has its own user role privilege requirements. Find an action's role requirements at . -The following response actions and related features are supported for SentinelOne-protected hosts: +## Supported systems and response actions + +The following third-party response actions are supported for CrowdStrike and SentinelOne. Prior configuration is required to connect each system with ((elastic-sec)). + + + + These response actions are supported for CrowdStrike-enrolled hosts: + + - **Isolate and release a host** using any of these methods: + - From a detection alert + - From the response console

+ + Refer to the instructions on isolating and releasing hosts for more details. +
+ + + These response actions are supported for SentinelOne-enrolled hosts: -- **Isolate and release a host** using any of these methods: - - From a detection alert - - From the response console + - **Isolate and release a host** using any of these methods: + - From a detection alert + - From the response console

- Refer to the instructions on isolating and releasing hosts for more details. + Refer to the instructions on isolating and releasing hosts for more details.

-- **Retrieve a file from a host** with the `get-file` response action. - - For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file. - + - **Retrieve a file from a host** with the `get-file` response action. + + For SentinelOne-enrolled hosts, you must use the password `Elastic@123` to open the retrieved file. + -- **View past response action activity** in the response actions history log. + - **View past response action activity** in the response actions history log. +
+
diff --git a/docs/serverless/images/ai-assistant/assistant-kb-menu.png b/docs/serverless/images/ai-assistant/assistant-kb-menu.png index abea9d3200..0f907cdf6f 100644 Binary files a/docs/serverless/images/ai-assistant/assistant-kb-menu.png and b/docs/serverless/images/ai-assistant/assistant-kb-menu.png differ diff --git a/docs/serverless/ingest/auto-import.mdx b/docs/serverless/ingest/auto-import.mdx new file mode 100644 index 0000000000..b6f9b49879 --- /dev/null +++ b/docs/serverless/ingest/auto-import.mdx 
@@ -0,0 +1,87 @@ +--- +slug: /serverless/security/automatic-import +title: Automatic Import +description: Use Automatic Import to quickly normalize and ingest third-party data. +tags: [ 'serverless', 'security', 'how-to' ] +status: in review +--- + + + + +This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features. + + +Automatic Import helps you quickly parse, ingest, and create [ECS mappings](https://www.elastic.co/elasticsearch/common-schema) for data from sources that don't yet have prebuilt Elastic integrations. This can accelerate your migration to ((elastic-sec)), and help you quickly add new data sources to an existing SIEM solution in ((elastic-sec)). Automatic Import uses a large language model (LLM) with specialized instructions to quickly analyze your source data and create a custom integration. + +While Elastic has 400+ [prebuilt data integrations](((integrations-docs))), Automatic Import helps you extend data coverage to other security-relevant technologies and applications. Elastic integrations (including those created by Automatic Import) normalize data to [the Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html), which creates uniformity across dashboards, search, alerts, machine learning, and more. + + + +Click [here](https://elastic.navattic.com/automatic-import) to access an interactive demo that shows the feature in action, before setting it up yourself. + + + + +- A working . Automatic Import currently works with all variants of Claude 3. Other models are not supported in this technical preview, but will be supported in future versions. +- A [Security Analytics Complete](https://www.elastic.co/pricing/serverless-security) subscription. +- A sample of the data you want to import, in JSON or NDJSON format. 
+ + + + +Using Automatic Import allows users to create new third-party data integrations through the use of third-party generative AI models (“GAI models”). Any third-party GAI models that you choose to use are owned and operated by their respective providers. Elastic does not own or control these third-party GAI models, nor does it influence their design, training, or data-handling practices. Using third-party GAI models with Elastic solutions, and using your data with third-party GAI models is at your discretion. Elastic bears no responsibility or liability for the content, operation, or use of these third-party GAI models, nor for any potential loss or damage arising from their use. Users are advised to exercise caution when using GAI models with personal, sensitive, or confidential information, as data submitted may be used to train the models or for other purposes. Elastic recommends familiarizing yourself with the development practices and terms of use of any third-party GAI models before use. + +You are responsible for ensuring that your use of Automatic Import complies with the terms and conditions of any third-party platform you connect with. + + + +## Create a new custom integration + +1. In ((elastic-sec)), click **Add integrations**. +2. Under **Can't find an integration?** click **Create new integration**. + + + +3. Click **Create integration**. +4. Select an . +5. Define how your new integration will appear on the Integrations page by providing a **Title**, **Description**, and **Logo**. Click **Next**. +6. Define your integration's package name, which will prefix the imported event fields. +7. Define your **Data stream title**, **Data stream description**, and **Data stream name**. These fields appear on the integration's configuration page to help identify the data stream it writes to. +8. Select your [**Data collection method**](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html). 
This determines how your new integration will ingest the data (for example, from an S3 bucket, an HTTP endpoint, or a file stream). +9. Upload a sample of your data in JSON or NDJSON format. Make sure to include all the types of events that you want the new integration to handle. + +- The file extension (`.JSON` or `.NDJSON`) must match the file format. +- Only the first 10 events in the sample are analyzed. In this technical preview, additional data is truncated. +- Ensure each JSON or NDJSON object represents an event, and avoid deeply nested object structures. +- The more variety in your sample, the more accurate the pipeline will be (for example, include 10 unique log entries instead of the same type of entry 10 times). +- Ideally, each field name should describe what the field does. + +10. Click **Analyze logs**, then wait for processing to complete. This may take several minutes. +11. After processing is complete, the pipeline's field mappings appear, including ECS and custom fields. + + + +12. (Optional) After reviewing the proposed pipeline, you can fine-tune it by clicking **Edit pipeline**. Refer to the [((elastic-sec)) ECS reference](https://www.elastic.co/guide/en/security/current/siem-field-reference.html) to learn more about formatting field mappings. When you're satisfied with your changes, click **Save**. + + + +13. Click **Add to Elastic**. After the **Success** message appears, your new integration will be available on the Integrations page. + + + +14. Click **Add to an agent** to deploy your new integration and start collecting data, or click **View integration** to view detailed information about your new integration. + + +Once you've added an integration, you can't edit any details other than the ingest pipeline, which you can edit by going to **Project Settings → Stack Management → Ingest Pipelines**. + + + +You can use the to check the health of your data ingest pipelines and field mappings. + + + + + + + 
diff --git a/docs/serverless/ingest/images/auto-import-create-new-integration-button.png b/docs/serverless/ingest/images/auto-import-create-new-integration-button.png new file mode 100644 index 0000000000..976898beb2 Binary files /dev/null and b/docs/serverless/ingest/images/auto-import-create-new-integration-button.png differ diff --git a/docs/serverless/ingest/images/auto-import-edit-pipeline.gif b/docs/serverless/ingest/images/auto-import-edit-pipeline.gif new file mode 100644 index 0000000000..1008fb345b Binary files /dev/null and b/docs/serverless/ingest/images/auto-import-edit-pipeline.gif differ diff --git a/docs/serverless/ingest/images/auto-import-review-integration-page.png b/docs/serverless/ingest/images/auto-import-review-integration-page.png new file mode 100644 index 0000000000..97ea0ee831 Binary files /dev/null and b/docs/serverless/ingest/images/auto-import-review-integration-page.png differ diff --git a/docs/serverless/ingest/images/auto-import-success-message.png b/docs/serverless/ingest/images/auto-import-success-message.png new file mode 100644 index 0000000000..d7ef0a8530 Binary files /dev/null and b/docs/serverless/ingest/images/auto-import-success-message.png differ diff --git a/docs/serverless/investigate/timelines-ui.mdx b/docs/serverless/investigate/timelines-ui.mdx index 1353023776..c0988953b6 100644 --- a/docs/serverless/investigate/timelines-ui.mdx +++ b/docs/serverless/investigate/timelines-ui.mdx @@ -236,7 +236,10 @@ You can use ((esql)) in Timeline by opening the **((esql))** tab. From there, yo
- An error message displays when the query bar is empty. + + * An error message displays when the query bar is empty. + * When specifying data sources for an ((esql)) query, autocomplete doesn't suggest hidden indices, such as `.alerts-*`. You must manually enter the index name or pattern. + - Click the help icon () on the far right side of the query editor to open the in-product reference documentation for all ((esql)) commands and functions. diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json index 03ab7630e8..d9ce5b5803 100644 --- a/docs/serverless/serverless-security.docnav.json +++ b/docs/serverless/serverless-security.docnav.json @@ -76,6 +76,9 @@ { "slug": "/serverless/security/threat-intelligence", "classic-sources": [ "enSecurityEsThreatIntelIntegrations" ] + }, + { + "slug": "/serverless/security/automatic-import" } ] }, @@ -628,6 +631,9 @@ "slug": "/serverless/security/optimize-edr", "classic-sources": [ "enSecurityEndpointArtifacts" ] }, + { + "slug": "/serverless/security/allowlist-endpoint" + }, { "slug": "/serverless/security/troubleshoot-endpoints", "classic-sources": [ "enSecurityTsManagement" ] diff --git a/docs/siem-apis.asciidoc b/docs/siem-apis.asciidoc index e46158fb6b..3eccfba5b7 100644 --- a/docs/siem-apis.asciidoc +++ b/docs/siem-apis.asciidoc @@ -13,6 +13,7 @@ NOTE: Console supports sending requests to {kib} APIs. Prepend any {kib} API end * <>: Create source event value lists for use with rule exceptions * <>: Import and export timelines * <>: Open and manage cases +* <>: Create and manage asset criticality records Additionally, the {kib} <> is partially documented to enable opening and updating cases in external ticketing systems. 
@@ -105,5 +106,7 @@ include::management/api/management-api-index.asciidoc[] include::AI-for-security/api/ai-for-security-index.asciidoc[] +include::advanced-entity-analytics/api/asset-criticality-api-index.asciidoc[] + NOTE: For the {fleet} APIs, see the {fleet-guide}/fleet-api-docs.html[Fleet API Documentation]. diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index 9ebc9787d8..93a6735891 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -4,7 +4,7 @@ Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <>. -Other versions: {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | +Other versions: {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | 
{security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | {security-guide-all}/7.9/whats-new.html[7.9] // NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions. 
@@ -13,114 +13,145 @@ Other versions: {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide [float] == Generative AI enhancements +[float] +=== Manage Elastic AI Assistant using API + +You can now interact with and manage {security-guide}/security-assistant.html[Elastic AI Assistant] using the Elastic AI Assistant API. +// add link to Elastic AI Assistant API page when available: {security-guide}/assistant-api-overview.html[Elastic AI Assistant API] [float] -=== Attack Discovery +=== Create new third-party data integrations using Automatic Import -{security-guide}/attack-discovery.html[Attack discovery] is a new AI-powered tool that identifies potential attacks and maps connections between alerts to the MITRE ATT&CK® matrix, helping you to fight alert fatigue and reduce your mean time to respond. +preview:[] {security-guide}/automatic-import.html[Automatic Import] uses AI to create integrations for your custom data sources. [role="screenshot"] -image::whats-new/images/8.14/attack-discovery-full-card.png[Attack discovery detail view] +image::whats-new/images/8.15/auto-import-success-message.png[The Automatic Import success message, 80%] [float] -=== Redesigned Elastic AI Assistant UI - -{security-guide}/security-assistant.html[Elastic AI Assistant] for {elastic-sec} has a redesigned user interface that uses a flyout instead of a popup, aligning it with standard {kib} design patterns. Also, when using OpenAI models, AI Assistant can now "stream" responses, rendering word-by-word rather than appearing as complete text blocks, providing a more conversational experience. +== Entity Analytics enhancements [float] -== Entity Analytics enhancements +=== Automatic recalculation of entity risk score +{security-guide}/entity-risk-scoring.html[Entity risk score] is now automatically recalculated when you assign, change, or unassign an individual entity's {security-guide}/asset-criticality.html[asset criticality] level. 
[float] -=== Asset criticality file upload +=== Manage asset criticality using API -You can {security-guide}/asset-criticality.html#bulk-assign-asset-criticality[bulk assign asset criticality] to multiple entities at a time by importing a text file from your asset management tools. This feature allows you to quickly and easily import a list of entities and their asset criticality levels into the {security-app}. +You can now manage {security-guide}/asset-criticality.html[asset criticality] using the {security-guide}/asset-criticality-api-overview.html[asset criticality API]. -[role="screenshot"] -image::whats-new/images/8.14/asset-criticality-file-upload.gif[Animation of asset criticality file upload,90%] +[float] +== Detection rules and alerts enhancements [float] -=== Unassign asset criticality +=== Edit fields for detection rules + +You can now edit these fields for user-created {security-guide}/rules-ui-create.html[custom rules]: + +* **Max alerts per run**: Specify the maximum number of alerts a rule can create each time it runs. ++ +[role="screenshot"] +image::whats-new/images/8.15/max-alerts-per-run.png[The Max alerts per run field highlighted in the Create new rule UI] -You can unassign {security-guide}/asset-criticality.html[asset criticality] from a host or user if the criticality level is no longer known, or the currently assigned level is incorrect. +* **Required fields**: Create an informational list of fields that a rule requires to function. +* **Related integrations**: Create an informational list of one or more Elastic integrations associated with a rule. 
++ [role="screenshot"] -image::whats-new/images/8.14/unassign-criticality.png[Unassign asset criticality, 50%] +image::whats-new/images/8.15/required-fields-related-integrations.png[The Required fields and Related integrations fields highlighted in the Create new rule UI] [float] -=== Risk scoring engine processes up to 10,000 alerts per entity +=== Suppress alerts for {ml} and {esql} rules -When calculating {security-guide}/entity-risk-scoring.html[entity risk scores], the risk scoring engine now takes into account a maximum of 10,000 alerts per entity. This ensures that the engine remains operational in environments with extremely large data volume. +{security-guide}/alert-suppression.html[Alert suppression] now supports the {ml} and {esql} rule types. You can use it to reduce the number of repeated or duplicate detection alerts generated from {ml} and {esql} rules. [float] -=== Access the entity details flyout from the Entity Analytics dashboard +=== Use AI Assistant when writing rule queries -Clicking on a specific host or user name in the {security-guide}/detection-entity-dashboard.html[Entity Analytics dashboard] now opens the host or user details flyout instead of the host or user details page. This allows you to access entity metadata and risk score information without navigating away from the dashboard. +When creating rules, you can now use AI Assistant to improve rule queries or to quickly correct them. [float] -=== Entity details flyout shows contribution scores per alert +=== Bulk update custom highlighted fields for rules -The **Risk contributions** section of the {security-guide}/hosts-overview.html#host-details-flyout[entity details flyout] now shows the top 10 alerts that contributed to the latest risk scoring calculation and each alert's contribution score. This makes each entity's risk score easier to understand and gives better insight into which alerts you should investigate at the entity level. 
+Bulk add or remove {security-guide}/rules-ui-create.html#rule-ui-advanced-params[custom highlighted fields] for multiple detection rules. -[role="screenshot"] -image::whats-new/images/8.14/contribution-scores-per-alert.png[Contribution scores for top 10 alerts, 90%] +[float] +=== Preview entities and alerts in the alert details flyout + +You can now preview host and user details from the **Insights** tab of the {security-guide}/view-alert-details.html[alert details flyout] instead of going to the **Hosts** or **Users** pages for more information. From the **Correlations** tab in the flyout, you can also preview alerts that are related to each other instead of leaving the flyout to access them. [float] -== Detection rules and alerts enhancements +=== Expandable alert details flyout enabled by default +The expandable alert details flyout is now enabled by default in multiple places throughout the {security-app}. [float] -=== Value list improvements +== Improvements to the Timeline data exploration experience -You can now {security-guide}/value-lists-exceptions.html#edit-value-lists[edit value lists] from the UI, wherever you use them. For example, you can now add items to a value list while creating a rule exception that references that value list. +Several improvements have been made to enhance your data exploration experience in Timeline: +- Multiple components from Discover have been incorporated, such as the sidebar and table, which allow you to quickly find fields of interest. ++ [role="screenshot"] -image::whats-new/images/8.14/edit-value-lists.png[Edit items in a value list, 90%] +image::whats-new/images/8.15/timeline-sidebar-and-table.png[Example Timeline with the sidebar highlighted] -[float] -=== Add ES|QL fields as custom highlighted fields +- You can now toggle row renderers, which allow you to easily add or remove context from events. 
++ +[role="screenshot"] +image::whats-new/images/8.15/timeline-ui-renderer.png[Example Timeline with the event renderer highlighted] -When adding custom highlighted fields to an {esql} rule, you can now {security-guide}/rules-ui-create.html#custom-highlighted-esql-fields[specify any fields returned by the rule's query]. This allows you to surface fields that contain useful information for investigating alerts. +- Notes are easier to add and track from the new Notes flyout. ++ +[role="screenshot"] +image::whats-new/images/8.15/timeline-notes-flyout.png[Example Timeline with the notes flyout highlighted] [float] -=== Editable setup guide field for detection rules +== Response actions enhancements -You can now {security-guide}/rules-ui-create.html#rule-ui-advanced-params[edit the **Setup guide** field] for user-created custom rules. Use this informational field to list rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. +[float] +=== Scan files and folders for malware -[role="screenshot"] -image::whats-new/images/8.14/setup-guide-field.png[Setup guide field] +{elastic-defend}'s new {security-guide}/response-actions.html#_scan[`scan` response action] lets you perform on-demand malware scans of a specific file or directory on a host. Scans are based on the malware protection settings configured in your {elastic-defend} integration policy. [float] -=== Alert suppression improvements +=== Isolate and release CrowdStrike-enrolled hosts + +Using Elastic's CrowdStrike integration and connector, you can now perform {security-guide}/third-party-actions.html#crowdstrike-response-actions[response actions] on hosts enrolled in CrowdStrike's endpoint protection system. These actions are available in this release: -In 8.14, we've moved {security-guide}/alert-suppression.html[alert suppression] for custom query rules from technical preview to generally available. 
We've also added alert suppression to event correlation rules (non-sequence queries only) and new terms rules. +* Isolate a host from the network +* Release an isolated host [float] -== {elastic-defend} enhancements +=== Retrieve files from SentinelOne-enrolled hosts +Using Elastic's SentinelOne integration and connector, you can now {security-guide}/third-party-actions.html#sentinelone-response-actions[retrieve files] from SentinelOne-enrolled hosts and download them through {elastic-sec}. [float] -=== New malware file scanning options +== Filter out process descendants -When configuring {security-guide}/configure-endpoint-integration-policy.html#malware-protection[malware protection], you can choose whether {elastic-defend} scans files when they're modified or executed. This can improve performance on hosts where files are frequently modified, while continuing to identify malware as it attempts to run. +Create an {security-guide}/event-filters.html[event filter] that excludes the descendant events of a specific process, but still includes the primary process itself. This can help you limit the amount of events ingested into {elastic-sec}. [role="screenshot"] -image::whats-new/images/8.14/malware-protection.png[Malware protection section, 80%] +image::whats-new/images/8.15/event-filter-process-descendants.png[Add event filter flyout, 70%] + +[float] +== Cases enhancements [float] -=== Automatically register {elastic-defend} as antivirus +=== Introducing case templates -If you're using {elastic-defend}'s malware protection, you can now automatically {security-guide}/configure-endpoint-integration-policy.html#register-as-antivirus[register {elastic-defend} as the antivirus software] for Windows endpoints. +preview:[] {kib} cases offer a new powerful capability to enhance your analyst teams' efficiency with {security-guide}/cases-manage-settings.html#cases-templates[templates]. 
You can manage multiple templates, each of which can be used to auto-populate values in a case with pre-defined knowledge. This streamlines the investigative process and significantly reduces resolution time. [role="screenshot"] -image::whats-new/images/8.14/register-as-antivirus.png[Register as antivirus section, 80%] +image::whats-new/images/8.15/cases-add-template.png[Add a template in case settings, 80%] [float] -== Cloud Security Posture Management support for AWS GovCloud - -Elastic's {security-guide}/cspm.html[Cloud Security Posture Management (CSPM)] integration now supports AWS GovCloud so you can monitor and track how your GovCloud clusters perform against security benchmarks. +=== Case custom fields generally available +In 8.11, {security-guide}/cases-manage-settings.html#cases-ui-custom-fields[custom fields] were added to cases, and they are now moving from technical preview to general availability. You can set custom field values in your templates to enhance consistency across cases. +[role="screenshot"] +image::whats-new/images/8.15/cases-add-custom-field.png[Add a custom field in case settings] // end::notable-highlights[] diff --git a/docs/whats-new/images/8.15/auto-import-success-message.png b/docs/whats-new/images/8.15/auto-import-success-message.png new file mode 100644 index 0000000000..d7ef0a8530 Binary files /dev/null and b/docs/whats-new/images/8.15/auto-import-success-message.png differ diff --git a/docs/whats-new/images/8.15/cases-add-custom-field.png b/docs/whats-new/images/8.15/cases-add-custom-field.png new file mode 100644 index 0000000000..134ea000a8 Binary files /dev/null and b/docs/whats-new/images/8.15/cases-add-custom-field.png differ diff --git a/docs/whats-new/images/8.15/cases-add-template.png b/docs/whats-new/images/8.15/cases-add-template.png new file mode 100644 index 0000000000..29075ec9f2 Binary files /dev/null and b/docs/whats-new/images/8.15/cases-add-template.png differ 
diff --git a/docs/whats-new/images/8.15/event-filter-process-descendants.png b/docs/whats-new/images/8.15/event-filter-process-descendants.png new file mode 100644 index 0000000000..f41c2fa9f8 Binary files /dev/null and b/docs/whats-new/images/8.15/event-filter-process-descendants.png differ diff --git a/docs/whats-new/images/8.15/max-alerts-per-run.png b/docs/whats-new/images/8.15/max-alerts-per-run.png new file mode 100644 index 0000000000..d1109318aa Binary files /dev/null and b/docs/whats-new/images/8.15/max-alerts-per-run.png differ diff --git a/docs/whats-new/images/8.15/required-fields-related-integrations.png b/docs/whats-new/images/8.15/required-fields-related-integrations.png new file mode 100644 index 0000000000..b41f4424c8 Binary files /dev/null and b/docs/whats-new/images/8.15/required-fields-related-integrations.png differ diff --git a/docs/whats-new/images/8.15/timeline-notes-flyout.png b/docs/whats-new/images/8.15/timeline-notes-flyout.png new file mode 100644 index 0000000000..2b46de2658 Binary files /dev/null and b/docs/whats-new/images/8.15/timeline-notes-flyout.png differ diff --git a/docs/whats-new/images/8.15/timeline-sidebar-and-table.png b/docs/whats-new/images/8.15/timeline-sidebar-and-table.png new file mode 100644 index 0000000000..3f26511421 Binary files /dev/null and b/docs/whats-new/images/8.15/timeline-sidebar-and-table.png differ diff --git a/docs/whats-new/images/8.15/timeline-ui-renderer.png b/docs/whats-new/images/8.15/timeline-ui-renderer.png new file mode 100644 index 0000000000..e799fe2236 Binary files /dev/null and b/docs/whats-new/images/8.15/timeline-ui-renderer.png differ
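Review bot: step 9 of "Create a new custom integration" in the new automatic-import page should tell readers to remove or mask sensitive values (credentials, tokens, personal data) from the sample before uploading it, since the page's own GAI notice states that data submitted to the third-party model "may be used to train the models or for other purposes", and because only the first 10 events are analyzed, a redacted ten-event sample loses nothing. Suggest adding a bullet to the step 9 list such as `- Remove or mask secrets and personal data from the sample before uploading; the sample is sent to the third-party model you selected.` Separately, as the hunk renders here the prerequisite line reads "A working ." and step 4 reads "Select an ."; if those are not link components that were dropped in rendering, the connector reference the reader needs is missing and should be restored.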
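Review bot: the second serverless-security.docnav.json hunk adds a navigation entry for `/serverless/security/allowlist-endpoint`, but no page with that slug appears anywhere in the visible patch (the only new serverless page here is automatic-import), so the nav will point at a page that does not exist; either add that page in this change or drop the entry until it lands. The new `/serverless/security/automatic-import` entry omits `classic-sources` while its siblings carry one, which is reasonable for a serverless-only page but worth confirming is intentional.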
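Review bot: the siem-apis.asciidoc hunks add `include::advanced-entity-analytics/api/asset-criticality-api-index.asciidoc[]` and a cross-reference bullet for the asset criticality API, but that include target is not part of the visible patch; confirm it is added in the same or an earlier change, since an unresolved include fails the asciidoc build rather than degrading gracefully.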
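Review bot: the whats-new.asciidoc hunk leaves a source comment `// add link to Elastic AI Assistant API page when available` under "Manage Elastic AI Assistant using API", so the section ships naming an API with no link; either link the page now or track the TODO so it is not forgotten. In the same hunk `== Filter out process descendants` is introduced as a top-level section for a single feature while `== {elastic-defend} enhancements` is removed, which is inconsistent with every other feature being a `===` entry under a category heading; consider keeping the {elastic-defend} category and nesting the event-filter entry under it. Two small wording fixes for the added lines: "limit the amount of events ingested" should be "limit the number of events ingested", and "a new powerful capability" reads better as "a powerful new capability".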