diff --git a/docs/assistant/images/add-alert-context.gif b/docs/assistant/images/add-alert-context.gif new file mode 100644 index 00000000000..4c404fc0e01 Binary files /dev/null and b/docs/assistant/images/add-alert-context.gif differ diff --git a/docs/assistant/images/assistant-anonymization-menu.png b/docs/assistant/images/assistant-anonymization-menu.png new file mode 100644 index 00000000000..4dc281fef5d Binary files /dev/null and b/docs/assistant/images/assistant-anonymization-menu.png differ diff --git a/docs/assistant/images/assistant-settings-menu.png b/docs/assistant/images/assistant-settings-menu.png new file mode 100644 index 00000000000..2b0b60475a6 Binary files /dev/null and b/docs/assistant/images/assistant-settings-menu.png differ diff --git a/docs/assistant/images/assistant.gif b/docs/assistant/images/assistant.gif index b5249d12bee..f5b4484387d 100644 Binary files a/docs/assistant/images/assistant.gif and b/docs/assistant/images/assistant.gif differ diff --git a/docs/assistant/images/icon-settings.png b/docs/assistant/images/icon-settings.png index 2b10a06a788..ead584f0465 100644 Binary files a/docs/assistant/images/icon-settings.png and b/docs/assistant/images/icon-settings.png differ diff --git a/docs/assistant/images/quick-prompts.png b/docs/assistant/images/quick-prompts.png index 75a13071535..09e33eb0e3c 100644 Binary files a/docs/assistant/images/quick-prompts.png and b/docs/assistant/images/quick-prompts.png differ diff --git a/docs/assistant/images/system-prompt.gif b/docs/assistant/images/system-prompt.gif index 86a39dc5fa2..3463225fbff 100644 Binary files a/docs/assistant/images/system-prompt.gif and b/docs/assistant/images/system-prompt.gif differ diff --git a/docs/assistant/security-assistant.asciidoc b/docs/assistant/security-assistant.asciidoc index d9fc344372f..7a1a2cca03f 100644 --- a/docs/assistant/security-assistant.asciidoc +++ b/docs/assistant/security-assistant.asciidoc 
@@ -1,67 +1,65 @@ [[security-assistant]] [chapter] -= Security Assistant += AI Assistant -:frontmatter-description: The Elastic Security Assistant is a generative AI open-code chat assistant. +:frontmatter-description: The Elastic AI Assistant is a generative AI open-code chat assistant. :frontmatter-tags-products: [security] :frontmatter-tags-content-type: [overview] :frontmatter-tags-user-goals: [get-started] -The Elastic Security Assistant utilizes generative AI to bolster your cybersecurity operations team. It allows users to interact with {elastic-sec} for tasks such as alert investigation, incident response, and query generation or conversion using natural language and much more. +The Elastic AI Assistant utilizes generative AI to bolster your cybersecurity operations team. It allows users to interact with {elastic-sec} for tasks such as alert investigation, incident response, and query generation or conversion using natural language and much more. -A connector for OpenAI and Azure OpenAI Service powers the Security Assistant. +A connector for OpenAI or Azure OpenAI Service powers AI Assistant. [role="screenshot"] -image::images/assistant.gif[Animation of the Security Assistant chat window,90%] +image::images/assistant.gif[Animation of AI Assistant chat window,90%] [IMPORTANT] ==== -This is an initial release of the Elastic Security Assistant. While designed to enhance your analysis with smart dialogues, its capabilities are still developing. Users should leverage it sensibly as the reliability of its responses might vary. Your insights, patience, and feedback help us calibrate this feature for optimal use. Always cross-verify any returned advice for accurate threat detection and response, insights, and query generation. - -Also, the data you provide to the Security Assistant is _not_ anonymized, and is stored and processed by the third-party AI provider. 
This includes any data used in conversations for analysis or context, such as alert or event data, detection rule configurations, and queries. Therefore, be careful about sharing any confidential or sensitive details while using this feature. +This is an initial release of the Elastic AI Assistant, designed to enhance your analysis with smart dialogues. Its capabilities are still developing. Users should exercise caution as the quality of its responses might vary. Your insights and feedback will help us improve this feature. Always cross-verify AI-generated advice for accuracy. ==== .Requirements [sidebar] -- -* The Elastic Security Assistant and Generative AI connector are available in {stack} version 8.8.1 and later. +* The Elastic AI Assistant and Generative AI connector are available in {stack} version 8.8.1 and later. * This feature requires an https://www.elastic.co/pricing[Enterprise subscription]. -* You must have an account with a third-party generative AI provider, which the Security Assistant uses to generate responses. Supported providers are OpenAI (`gpt-3.5-turbo` model) and Azure OpenAI Service (any model). +* You must have an account with a third-party generative AI provider, which AI Assistant uses to generate responses. Supported providers are OpenAI and Azure OpenAI Service. -- +[discrete] +[[data-information]] +== Your data and AI Assistant + +Elastic does not store or examine prompts or results used by AI Assistant, or use this data for model training. This includes anything you send the model, such as alert or event data, detection rule configurations, queries, and prompts. However, any data you provide to AI Assistant will be processed by the third-party provider you chose when setting up the Generative AI connector as part of the assistant setup. + +Elastic does not control third-party tools, and assumes no responsibility or liability for their content, operation, or use, nor for any loss or damage that may arise from your using such tools. 
Please exercise caution when using AI tools with personal, sensitive, or confidential information. Any data you submit may be used by the provider for AI training or other purposes. There is no guarantee that the provider will keep any information you provide secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use. + +NOTE: Elastic can automatically anonymize event data that you provide to AI Assistant as context. To learn more, refer to <>. + + [discrete] [[set-up-ai-assistant]] -== Set up the Security Assistant +== Set up AI Assistant -You must complete these steps before you can use the Security Assistant: +You must complete these steps before you can use AI Assistant: -. Create an API key with your AI provider to authenticate requests from the Security Assistant. You'll use this in a later step. Refer to the provider's documentation for generating API keys: +. Create an API key with your AI provider to authenticate requests from AI Assistant. You'll use this in the next step. Refer to the provider's documentation for generating API keys: + * https://platform.openai.com/docs/api-reference[OpenAI] * https://learn.microsoft.com/en-us/azure/cognitive-services/openai/reference[Azure OpenAI Service] -. Add the following feature flag to {kib}'s configuration settings: -+ -`xpack.securitySolution.enableExperimental: ['assistantEnabled']` -+ -The configuration method depends on your deployment type: -+ -* *Self-managed (on-premises) deployments*: Add the feature flag to the `kibana.yml` file, which is used to {kibana-ref}/settings.html[configure {kib}], then restart {kib}. -* *{ecloud} deployments*: Use the YAML editor in the {ecloud} console to add the feature flag to {cloud}/ec-manage-kibana-settings.html[{kib} user settings]. - -. 
Create a {kibana-ref}/gen-ai-action-type.html[Generative AI connector] using the AI provider's API key and URL to configure communication between {elastic-sec} and the provider. You can do this in {kib} from *Stack Management* -> *Connectors*, or from within the Security Assistant. -+ -NOTE: The Generative AI connector type requires the `assistantEnabled` feature flag for use. +. Create a {kibana-ref}/gen-ai-action-type.html[Generative AI connector] using the AI provider's API key and URL to authenticate communication between {elastic-sec} and the provider. You can do this in {kib} from *Stack Management* -> *Connectors*, or from within AI Assistant. [discrete] [[start-chatting]] == Start chatting -To open the Security Assistant, press *Cmd + ;* (or *Ctrl + ;* in Windows) from anywhere in the {security-app}. This opens the *Welcome* chat interface, where you can ask general questions about {elastic-sec}. +To open AI Assistant, press *Cmd + ;* (or *Ctrl + ;* on Windows) from anywhere in the {security-app}. This opens the *Welcome* chat interface, where you can ask general questions about {elastic-sec}. -You can also chat with the Security Assistant from several areas in {elastic-sec}, and context-specific data and prompts will populate your conversation. +You can also chat with AI Assistant from several particular pages in {elastic-sec} where you can easily send context-specific data and prompts to AI Assistant. * <> or Event details flyout: Click *Chat* while viewing the details of an alert or event. * <>: Select one or more rules, then click the magic wand icon (🪄✨) at the top of the page next to the *Rules* title. 
@@ -72,29 +70,60 @@ NOTE: All chat history and custom quick prompts persist in local browser storage [discrete] [[interact-with-assistant]] -== Interact with the Security Assistant +== Interact with AI Assistant -Use these features to adjust and act on your conversations with the Security Assistant: +Use these features to adjust and act on your conversations with AI Assistant: -* Select a _system prompt_ at the beginning of a conversation to establish how detailed and technical you want the Security Assistant's answers to be. +* Select a _system prompt_ at the beginning of a conversation to establish how detailed and technical you want AI Assistant's answers to be. + [role="screenshot"] image::images/system-prompt.gif[The system prompt drop-down menu,90%] + -NOTE: The system prompt is only configurable at the start of a conversation. To reconfigure it, clear the chat and start a new conversation. +System prompts provide context to the model, informing its response. To create a custom system prompt, open the system prompts dropdown menu and click *+ Add new system prompt...*. -* Select a _quick prompt_ at the bottom of the chat window to get help writing a prompt for a specific purpose, such as summarizing an alert or converting a query from a legacy SIEM to {elastic-sec}. Available quick prompts vary based on context. You can also add custom quick prompts for questions you frequently ask the Security Assistant. +* Select a _quick prompt_ at the bottom of the chat window to get help writing a prompt for a specific purpose, such as summarizing an alert or converting a query from a legacy SIEM to {elastic-sec}. + [role="screenshot"] image::images/quick-prompts.png[Quick prompts highlighted below a conversation,90%] ++ +Quick prompt availability varies based on context — for example, the **Alert summarization** quick prompt appears when you open AI Assistant while viewing an alert. To customize existing quick prompts and create new ones, click *Add Quick prompt*. 
* Use these buttons to perform actions in the conversation history and prompt entry area: -** *Add note to timeline* (image:images/icon-add-note.png[Add note icon,16,16]): Create a note in Timeline using the selected text. +** *Add note to timeline* (image:images/icon-add-note.png[Add note icon,16,16]): Add the selected text to your currently active Timeline as a note. ** *Add to existing case* (image:images/icon-add-to-case.png[Add to case icon,19,16]): Add a comment to an existing case using the selected text. -** *Copy to clipboard* (image:images/icon-copy.png[Copy to clipboard icon,17,18]): Copy the text to clipboard to paste elsewhere. This is also helpful for resubmitting a previous prompt. -** *Add to timeline* (image:images/icon-add-to-timeline.png[Copy to clipboard icon,17,18]): Add a filter or query to Timeline using the text. This button appears for certain queries in the Security Assistant's responses. +** *Copy to clipboard* (image:images/icon-copy.png[Copy to clipboard icon,17,18]): Copy the text to clipboard to paste elsewhere. Also helpful for resubmitting a previous prompt. +** *Add to timeline* (image:images/icon-add-to-timeline.png[Copy to clipboard icon,17,18]): Add a filter or query to Timeline using the text. This button appears for particular queries in AI Assistant's responses. + -TIP: Be sure to specify which language you'd like the Security Assistant to use for queries. For example: "Can you generate an Event Query Language query to find four failed logins followed by a successful login?" +TIP: Be sure to specify which language you'd like AI Assistant to use when writing a query. For example: "Can you generate an Event Query Language query to find four failed logins followed by a successful login?" ** *Clear chat* (image:images/icon-clear-red.png[Red X icon,16,16]): Delete the conversation history and start a new chat. 
-** *Conversation settings* (image:images/icon-settings.png[Settings icon,17,17]): Choose the Generative AI connector that the Security Assistant uses, or create a new connector. + +[discrete] +[[configure-ai-assistant]] +== Configure AI Assistant +The *Settings* menu (image:images/icon-settings.png[Settings icon,17,17]) allows you to configure default conversations, quick prompts, system prompts, and data anonymization. + +[role="screenshot"] +image::images/assistant-settings-menu.png[AI Assistant's settings menu, open to the Conversations tab] + +The *Settings* menu has four tabs: + +* **Conversations:** When you open AI Assistant from certain pages, such as Timeline or Alerts, it defaults to the relevant conversation type. Choose the default system prompt for each conversation type, the connector, and model (if applicable). +* **Quick Prompts:** Modify existing quick prompts or create new ones. To create a new quick prompt, type a unique name in the *Name* field, then press *enter*. Under *Prompt*, enter or update the quick prompt's text. Under *Contexts*, select where the quick prompt should appear. +* **System Prompts:** Edit existing system prompts or create new ones. To create a new system prompt, type a unique name in the *Name* field, then press *enter*. Under *Prompt*, enter or update the system prompt's text. Under *Contexts*, select where the system prompt should appear. ++ +NOTE: To delete a custom prompt, open the *Name* drop-down menu, hover over the prompt you want to delete, and click the *X* that appears. You cannot delete the default prompts. + +* **Anonymization:** When you provide an event to AI Assistant as context, you can select fields to include as plaintext, to obfuscate, and to not send. The **Anonymization** tab allows you to define default data anonymization behavior. You can update these settings for individual events when you include them in the chat. 
++ +[role="screenshot"] +image::images/assistant-anonymization-menu.png[AI Assistant's settings menu, open to the Anonymization tab] ++ +The fields on this list are among those most likely to provide relevant context to AI Assistant. Fields with *Allowed* toggled on are included. *Allowed* fields with *Anonymized* set to *Yes* are included, but with their values obfuscated. ++ +[role="screenshot"] +image::images/add-alert-context.gif[A video that shows an alert being added as context to an AI Assistant chat message] ++ +When you include a particular event as context, you can use a similar interface to adjust anonymization behavior. Be sure the anonymization behavior meets your specifications before sending a message with the event attached. + +The *Show anonymized* toggle controls whether you see the obfuscated or plaintext versions of the fields you sent to AI Assistant. It doesn't control what gets obfuscated — that's determined by the anonymization settings. It also doesn't affect how event fields appear _before_ being sent to AI Assistant. Instead, it controls how fields that were already sent and obfuscated appear to you. diff --git a/docs/cloud-native-security/cloud-native-security-index.asciidoc b/docs/cloud-native-security/cloud-native-security-index.asciidoc index b78f9f66f5b..903758072ce 100644 --- a/docs/cloud-native-security/cloud-native-security-index.asciidoc +++ b/docs/cloud-native-security/cloud-native-security-index.asciidoc @@ -54,6 +54,7 @@ include::kspm-faq.asciidoc[leveloffset=+2] include::vuln-management-overview.asciidoc[leveloffset=+1] include::vuln-management-get-started.asciidoc[leveloffset=+2] include::vuln-management-findings.asciidoc[leveloffset=+2] +include::vuln-management-dashboard.asciidoc[leveloffset=+2] include::vuln-management-faq.asciidoc[leveloffset=+2] include::d4c-overview.asciidoc[leveloffset=+1] 
diff --git a/docs/cloud-native-security/cspm-get-started.asciidoc b/docs/cloud-native-security/cspm-get-started.asciidoc index 355e89c5822..eeb1e0045f3 100644 --- a/docs/cloud-native-security/cspm-get-started.asciidoc +++ b/docs/cloud-native-security/cspm-get-started.asciidoc @@ -24,7 +24,7 @@ NOTE: The CSPM feature currently only supports posture evaluations for Amazon We [[cspm-setup]] == Set up CSPM for AWS -To set up CSPM for AWS, add the CSPM integration then enable cloud account access. +To set up CSPM for AWS, first add the CSPM integration, then enable cloud account access. [discrete] 
@@ -38,7 +38,30 @@ To set up CSPM for AWS, add the CSPM integration then enable cloud account acces [discrete] [[cspm-set-up-cloud-access-section]] === Set up cloud account access -The CSPM integration requires access to AWS’s built-in https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor[`SecurityAudit` IAM policy] in order to discover and evaluate resources in your cloud account. There are several ways to provide access: +The CSPM integration requires access to AWS’s built-in https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor[`SecurityAudit` IAM policy] in order to discover and evaluate resources in your cloud account. There are several ways to provide access. + +For most users, the simplest option is to use AWS CloudFormation to automatically provision the necessary resources and permissions in your AWS account. This method, as well as several manual options, are described below. + +[discrete] +[[cspm-set-up-cloudformation]] +=== CloudFormation (recommended) +. In the *Add Cloud Security Posture Management (CSPM) integration* menu, under *Setup Access*, select *CloudFormation*. +. In a new browser tab or window, log in as an admin to the AWS account you want to onboard. +. Return to your {kib} tab. Click *Save and continue* at the bottom of the page. +. Review the information, then click *Launch CloudFormation*. +. A CloudFormation template appears in a new browser tab. You don't need to modify its configuration. +. (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner. +. Tick the checkbox under *Capabilities* to authorize the creation of necessary resources. ++ +image::images/cspm-cloudformation-template.png[The Add permissions screen in AWS] ++ +. At the bottom of the template, select *Create stack*. + +When you return to {kib}, click *View assets* to review the data being collected by your new integration. 
+ +[discrete] +[[cspm-set-up-manual]] +=== Manual options * <> * <> @@ -50,12 +73,12 @@ IMPORTANT: Regardless of which option you use, you’ll need to attach AWS’s b [discrete] [[cspm-use-instance-role]] -=== Option 1 - Use default instance role (recommended) +==== Option 1 - Default instance role Follow AWS's https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html[IAM roles for Amazon EC2] documentation to create an IAM role using the IAM console, which automatically generates an instance profile. . Create an IAM role: .. In AWS, go to your IAM dashboard. Click *Roles*, then *Create role*. -.. On the *Select trusted entity* page, under **Trusted entity type**, select *AWS service*. +.. On the *Select trusted entity* page, under **Trusted entity type**, select *AWS service*. .. Under **Use case**, select *EC2*. Click *Next*. + image::images/cspm-aws-auth-1.png[The Select trusted entity screen in AWS] 
@@ -73,14 +96,14 @@ image::images/cspm-aws-auth-3.png[The EC2 page in AWS, showing the Modify IAM ro + .. On the *Modify IAM role* page, search for and select your new IAM role. .. Click *Update IAM role*. -.. Return to {kib} and <>. +.. Return to {kib} and <>. IMPORTANT: Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in Kibana, in the *Setup Access* section, select *Assume role* and leave *Role ARN* empty. Click *Save and continue*. [discrete] [[cspm-use-keys-directly]] -=== Option 2 - Use access keys directly -Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the `Access key ID` and the `Secret Access Key`. +==== Option 2 - Direct access keys +Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the `Access key ID` and the `Secret Access Key`. After you provide credentials, <>. For more details, refer to https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html[Access Keys and Secret Access Keys]. @@ -88,7 +111,7 @@ IMPORTANT: You must select *Programmatic access* when creating the IAM user. [discrete] [[cspm-use-temp-credentials]] -=== Option 3 - Use temporary security credentials +==== Option 3 - Temporary security credentials You can configure temporary security credentials in AWS to last for a specified duration. They consist of an access key ID, a secret access key, and a security token, which is typically found using `GetSessionToken`. Because temporary security credentials are short term, once they expire, you will need to generate new ones and manually update the integration's configuration to continue collecting cloud posture data. Update the credentials before they expire to avoid data loss. 
@@ -108,9 +131,11 @@ The output from this command includes the following fields, which you should pro * `Secret Access Key`: The second part of the access key. * `Session Token`: The required token when using temporary security credentials. +After you provide credentials, <>. + [discrete] [[cspm-use-a-shared-credentials-file]] -=== Option 4 - Use a shared credentials file +==== Option 4 - Shared credentials file If you use different AWS credentials for different tools or applications, you can use profiles to define multiple access keys in the same configuration file. For more details, refer to AWS' https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html[Shared Credentials Files] documentation. Instead of providing the `Access key ID` and `Secret Access Key` to the integration, provide the information required to locate the access keys within the shared credentials file: 
@@ -125,16 +150,18 @@ If you don't provide values for all configuration fields, the integration will u - If `Shared Credential File` is empty, the default directory will be used. - For Linux or Unix, the shared credentials file is located at `~/.aws/credentials`. +After providing credentials, <>. + [discrete] [[cspm-use-iam-arn]] -=== Option 5 - Use an IAM role Amazon Resource Name (ARN) -An IAM role Amazon Resource Name (ARN) is an IAM identity that you can create in your AWS account. You define the role's permissions. -Roles do not have standard long-term credentials such as passwords or access keys. -Instead, when you assume a role, it provides temporary security credentials for your session. +==== Option 5 - IAM role Amazon Resource Name (ARN) +An IAM role Amazon Resource Name (ARN) is an IAM identity that you can create in your AWS account. You define the role's permissions. Roles do not have standard long-term credentials such as passwords or access keys. Instead, when you assume a role, it provides temporary security credentials for your session. + +To use an IAM role ARN, select *Assume role* under *Preferred manual method*, enter the ARN, and continue to Finish manual setup. [discrete] -[[cspm-finish-setup]] -=== Finish CSPM setup +[[cspm-finish-manual]] +=== Finish manual setup Once you’ve provided AWS credentials: * If you want to monitor an AWS account where you have not yet deployed {agent}, select *New Hosts* under *Where to add this integration*. diff --git a/docs/cloud-native-security/d4c-get-started.asciidoc b/docs/cloud-native-security/d4c-get-started.asciidoc index 471833fc35e..afbfd72a005 100644 --- a/docs/cloud-native-security/d4c-get-started.asciidoc +++ b/docs/cloud-native-security/d4c-get-started.asciidoc 
@@ -1,6 +1,11 @@ [[d4c-get-started]] = Get started with CWP +:frontmatter-description: Secure your containerized workloads and start detecting threats and vulnerabilities. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [how-to] +:frontmatter-tags-user-goals: [get-started] + This page describes how to set up Container Workload Protection (CWP) for various use cases. [discrete] @@ -40,7 +45,9 @@ In order to detect threats using this data, you'll need active < Manage > Rules*, and click *Load Elastic prebuilt rules and timeline templates* (this may take a few minutes). +. Go to *Security > Manage > Rules*, then click *Add Elastic rules*. +. Use the *Tags* selector to search for `container`. Select the `Data Source: Elastic Defend for Containers` tag. The rules table displays relevant rules. +. Select all the displayed rules and click *Install _x_ selected rule(s)*. . Once the rules have loaded, you will see the Rules management page. Use the *Tags* selector to search for `container`. Select the `Container Workload Protection` tag. . Select all the rules with the tag, and then click *Bulk actions > Enable*. diff --git a/docs/cloud-native-security/images/cnvm-findings-grouped.png b/docs/cloud-native-security/images/cnvm-findings-grouped.png new file mode 100644 index 00000000000..7e6b7345e05 Binary files /dev/null and b/docs/cloud-native-security/images/cnvm-findings-grouped.png differ diff --git a/docs/cloud-native-security/images/cnvm-findings-page.png b/docs/cloud-native-security/images/cnvm-findings-page.png index 94780daf6d8..707ab74181e 100644 Binary files a/docs/cloud-native-security/images/cnvm-findings-page.png and b/docs/cloud-native-security/images/cnvm-findings-page.png differ 
diff --git a/docs/cloud-native-security/images/cspm-cloudformation-template.png b/docs/cloud-native-security/images/cspm-cloudformation-template.png new file mode 100644 index 00000000000..64f22dad94e Binary files /dev/null and b/docs/cloud-native-security/images/cspm-cloudformation-template.png differ diff --git a/docs/cloud-native-security/images/vuln-management-dashboard.png b/docs/cloud-native-security/images/vuln-management-dashboard.png new file mode 100644 index 00000000000..0bc59839627 Binary files /dev/null and b/docs/cloud-native-security/images/vuln-management-dashboard.png differ diff --git a/docs/cloud-native-security/kspm-cloud-posture-dashboard.asciidoc b/docs/cloud-native-security/kspm-cloud-posture-dashboard.asciidoc index 4dc6d8bb0ec..ceeaf378908 100644 --- a/docs/cloud-native-security/kspm-cloud-posture-dashboard.asciidoc +++ b/docs/cloud-native-security/kspm-cloud-posture-dashboard.asciidoc @@ -3,7 +3,7 @@ = Cloud Posture dashboard -The Cloud Posture dashboard summarizes your cloud infrastructure's overall performance against <> defined by the Center for Internet Security (CIS). To get started monitoring your security posture, refer to <> or <>. +The Cloud Posture dashboard summarizes your cloud infrastructure's overall performance against <> defined by the Center for Internet Security (CIS). To start collecting this data, refer to <> or <>. [role="screenshot"] image::images/cloud-sec-dashboard.png[The cloud Security dashboard] diff --git a/docs/cloud-native-security/vuln-management-dashboard.asciidoc b/docs/cloud-native-security/vuln-management-dashboard.asciidoc new file mode 100644 index 00000000000..e67509d7cf9 --- /dev/null +++ b/docs/cloud-native-security/vuln-management-dashboard.asciidoc 
@@ -0,0 +1,44 @@ +[[vuln-management-dashboard]] +// Note: This page is intentionally duplicated by docs/dashboards/vuln-management-dashboard-dash.asciidoc. When you update this page, update that page to match. And careful with the anchor links because they should not match. += Cloud Native Vulnerability Management Dashboard + +:frontmatter-description: The CNVM dashboard gives an overview of vulnerabilities detected in your cloud infrastructure. +:frontmatter-tags-products: [security, cloud] +:frontmatter-tags-content-type: [reference] +:frontmatter-tags-user-goals: [manage] + +The Cloud Native Vulnerability Management (CNVM) dashboard gives you an overview of vulnerabilities detected in your cloud infrastructure. + +image::images/vuln-management-dashboard.png[The CNVM dashboard] + +.Requirements +[sidebar] +-- +* To collect this data, install the <> integration. +* The CNVM dashboard is available to all Elastic Cloud users. For on-premises deployments, it requires an https://www.elastic.co/pricing[Enterprise subscription]. +-- + +beta[] + +[discrete] +[[CNVM-dashboard-UI]] +== CNVM dashboard UI +The summary cards at the top of the dashboard display the number of monitored cloud accounts, scanned virtual machines (VMs), and vulnerabilities (grouped by severity). + +The *Trend by severity* bar graph complements the summary cards by displaying the number of vulnerabilities found on your infrastructure over time, sorted by severity. It has a maximum time scale of 30 days. + +.Graph tips +[sidebar] +-- +* Click the severity levels legend on its right to hide/show each severity level. +* To display data from specific cloud accounts, select the account names from the *Accounts* drop-down menu. +-- + + +The page also includes three tables: + +* *Top 10 vulnerable resources* shows your VMs with the highest number of vulnerabilities. +* *Top 10 patchable vulnerabilities* shows the most common vulnerabilities in your environment that can be fixed by a software update. 
+* *Top 10 vulnerabilities* shows the most common vulnerabilities in your environment, with additional details. + +Click *View all vulnerabilities* at the bottom of a table to open the <> page, where you can view additional details. diff --git a/docs/cloud-native-security/vuln-management-faq.asciidoc b/docs/cloud-native-security/vuln-management-faq.asciidoc index 389e702acde..9940cb0d11b 100644 --- a/docs/cloud-native-security/vuln-management-faq.asciidoc +++ b/docs/cloud-native-security/vuln-management-faq.asciidoc @@ -33,7 +33,7 @@ Yes, CNVM scans all AWS EC2 instances in every scan cycle, including any created *Does CNVM scan AWS EC2 instances with encrypted volumes?* -CNVM does not currently support scanning of encrypted volumes. This limitation will be addressed in future releases. +Encrypted volumes can be scanned only if they were encrypted using Amazon's default EBS key, and are _not_ running Amazon Linux 2023. *Does CNVM prevent multiple installations in a single region?* @@ -50,3 +50,7 @@ Yes, CNVM scans all EC2 instances, whether they are running or stopped, to ensur *What AWS permissions does the user require to run the CloudFormation template for CNVM onboarding?* To run the CloudFormation template for CNVM onboarding, you need an AWS user account with permissions to perform the following actions: run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances. + +*Why do I get an error when I try to run the CloudFormation template?* + +It's possible you're using an unsupported region. Currently the `eu-north-1` and `af-south-1` regions are not supported because they don't provide the required instance types. diff --git a/docs/cloud-native-security/vuln-management-findings.asciidoc b/docs/cloud-native-security/vuln-management-findings.asciidoc index 15f02f4bfa1..a193ab4c715 100644 --- a/docs/cloud-native-security/vuln-management-findings.asciidoc 
+++ b/docs/cloud-native-security/vuln-management-findings.asciidoc @@ -3,7 +3,9 @@ The vulnerabilities findings page displays the vulnerabilities detected by the <>. CNVM findings include metadata such as the CVE identifier, CVSS score, severity, affected package, and fix version if available, as well as information about impacted systems. -To help you prioritize remediation efforts, you can filter and sort your findings based on these fields. Clicking on a finding provides a detailed description of the vulnerability, and any available remediation information. +To help you prioritize remediation efforts, you can filter and sort your findings based on these fields. + +Clicking on a finding provides a detailed description of the vulnerability, and any available remediation information. image::images/cnvm-findings-page.png[The Vulnerabilities tab of the Findings page] 
@@ -11,10 +13,16 @@ image::images/cnvm-findings-page.png[The Vulnerabilities tab of the Findings pag [discrete] [[vuln-findings-grouping]] -== Group and filter findings +== Group, sort, and filter findings + +You can group your data by resource by selecting *Resource* from the *Group by* menu. When data is grouped by resource, you can click on the name of a virtual machine to view all vulnerabilities that were found on it. + +image::images/cnvm-findings-grouped.png[The Vulnerabilities tab of the Findings page] -You can filter vulnerability data in two ways: +When *Group by* is set to *None*, you can sort the Findings table by clicking the column headings or the *Sort fields* button to the upper left of the table. When sorting is active, the *Sort fields* button changes to *X fields sorted* (where _X_ is the number of fields sorting your data), and can be used to modify or clear sorting. + +Independent of grouping, you can filter data in two ways: - *The KQL search bar*: Use this to filter your findings. For example, search for `vulnerability.id : CVE-2019-00001` to view all findings related to a particular vulnerability. 
@@ -24,7 +32,9 @@ You can filter vulnerability data in two ways: [[vuln-findings-learn-more]] == Learn more about a vulnerability -Click the arrow to the left of a vulnerability's row to open the vulnerability flyout. This will display the detailed vulnerability description, link to the National Vulnerability Database (NVD), vulnerability publication date, identified data sources, and CVSS vector strings. +Click the arrow to the left of a vulnerability's row to open the vulnerability details flyout. This flyout includes a link to the related vulnerability database, the vulnerability's publication date, CVSS vector strings, fix versions (if available), and more. + +When you open the vulnerability details flyout, it defaults to the *Overview* tab, which highlights key information. To view every field present in the vulnerability document, select the *Table* or *JSON* tabs. [discrete] [[vuln-findings-remediate]] diff --git a/docs/dashboards/cloud-posture.asciidoc b/docs/dashboards/cloud-posture.asciidoc index 85c269110f6..e04f9454981 100644 --- a/docs/dashboards/cloud-posture.asciidoc +++ b/docs/dashboards/cloud-posture.asciidoc @@ -2,7 +2,7 @@ // Note: This page is intentionally duplicated by docs/cloud-native-security/cloud-nat-sec-posture.asciidoc. When you update this page, update that page to match. And careful with the anchor links because they should not match. = Cloud Posture dashboard -The Cloud Posture dashboard summarizes your cloud infrastructure's overall performance against <> defined by the Center for Internet Security (CIS). To get started monitoring your security posture, refer to <> or <>. +The Cloud Posture dashboard summarizes your cloud infrastructure's overall performance against <> defined by the Center for Internet Security (CIS). To start collecting this data, refer to <> or <>. [role="screenshot"] image::images/cloud-sec-dashboard.png[The cloud Security dashboard] 
diff --git a/docs/dashboards/dashboards-overview.asciidoc b/docs/dashboards/dashboards-overview.asciidoc index 93c113fc814..93bf937996f 100644 --- a/docs/dashboards/dashboards-overview.asciidoc +++ b/docs/dashboards/dashboards-overview.asciidoc @@ -1,14 +1,16 @@ [[dashboards-overview]] - = Dashboards -The following sections describe the {security-app}'s prebuilt dashboards, which provide visualizations of your security environment. - -You can also create and access custom security dashboards from the Dashboards landing page. To create one, click **Create Dashboard**. Once created, custom dashboards appear on the page: +:frontmatter-description: Dashboards give you insight into your security environment. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [overview] +:frontmatter-tags-user-goals: [visualize, monitor, analyze] -image::images/custom-dashboard-setup.png[The dashboards landing page, with the "create dashboard" button and custom dashboards table highlighted] +The following sections describe the {security-app}'s prebuilt dashboards, which provide visualizations of your security environment. +You can also create and access custom security dashboards from the Dashboards landing page. To create one, click **Create Dashboard**. Custom dashboards must have the tag `Security Solution` to appear on the Dashboards page. +image::images/dashboards-landing-page.png[The Dashboards landing page] include::overview-dashboard.asciidoc[leveloffset=+1] @@ -22,3 +24,7 @@ include::cloud-posture.asciidoc[leveloffset=+1] include::entity-dashboard.asciidoc[leveloffset=+1] include::data-quality-dashboard.asciidoc[leveloffset=+1] + +include::vuln-management-dashboard-dash.asciidoc[leveloffset=+1] + +include::rule-monitoring-dashboard.asciidoc[leveloffset=+1] 
diff --git a/docs/dashboards/images/dashboards-landing-page.png b/docs/dashboards/images/dashboards-landing-page.png new file mode 100644 index 00000000000..df89c9c2d7b Binary files /dev/null and b/docs/dashboards/images/dashboards-landing-page.png differ diff --git a/docs/dashboards/images/rule-monitoring-overview.png b/docs/dashboards/images/rule-monitoring-overview.png new file mode 100644 index 00000000000..039a3905df3 Binary files /dev/null and b/docs/dashboards/images/rule-monitoring-overview.png differ diff --git a/docs/dashboards/rule-monitoring-dashboard.asciidoc b/docs/dashboards/rule-monitoring-dashboard.asciidoc new file mode 100644 index 00000000000..cf22b2cf32b --- /dev/null +++ b/docs/dashboards/rule-monitoring-dashboard.asciidoc 
@@ -0,0 +1,67 @@ +[[rule-monitoring-dashboard]] += Detection rule monitoring dashboard + +:frontmatter-description: Visualize your detection rules' performance. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [how-to] +:frontmatter-tags-user-goals: [visualize, monitor] + +The Detection rule monitoring dashboard provides visualizations to help you monitor the overall health and performance of {elastic-sec}'s detection rules. Consult this dashboard for a high-level view of whether your rules are running successfully and how long they're taking to run, search data, and create alerts. + +[role="screenshot"] +image::images/rule-monitoring-overview.png[Overview of Detection rule monitoring dashboard] + +.Requirements +[sidebar] +-- +To access this dashboard and its data, you must have: + +* At least `Read` {kibana-ref}/kibana-role-management.html#adding_kibana_privileges[{kib} privileges] for both the *Analytics > Dashboard* and *Security > Security* {kib} features. + +* At least `read` {kibana-ref}/kibana-role-management.html#adding_index_privileges[index privileges] for the `.kibana-event-log-*` index. +-- + +[discrete] +[[rule-monitoring-visualizations]] +== Visualization data and types + +The dashboard presents a variety of information about your detection rules. Visualizations display and calculate data within the time range and filters selected at the top of the dashboard. + +The dashboard also includes data from all {kib} spaces. To display data only from specific spaces, open the dashboard in {kib} (*Analytics* -> *Dashboard*) and use the *Kibana space* drop-down filter. + +The following visualizations are included: + +* *Rule KPIs (key performance indicators)*: The total number of rules enabled, how many times they collectively ran, and their response statuses. +* *Executions by rule type*: Rule executions over time, broken down by rule type. +* *Executions by status*: Rule executions over time, broken down by status. 
+* *Total rule execution duration*: How long rules take to run, from start to finish. +* *Rule schedule delay*: The delay between a rule's scheduled start time and when it actually starts running. +* *Search/query duration*: How long rules take to query source indices or data views. +* *Indexing duration*: How long rules take to generate alerts and write them to the `.alerts-security.alerts-*` index. +* *Top 10 rules*: Lists of the overall slowest rules, most delayed rules, and rules with the most *Failed* and *Warning* response statuses. + +[discrete] +[[rule-visualization-actions]] +== Visualization panel actions + +Open a panel's options menu (image:images/three-dot-icon.png[Options menu,18,18]) customize the panel or use its data for further analysis and investigation: + +* *Edit panel settings*: Customize the panel's display settings. Options vary by visualization type. +* *Inspect*: Examine the panel's underlying data and queries. +* *Explore data in Discover*: Open Discover with preloaded filters to display the panel's data. +* *Maximize panel*: Expand the panel. +* *Download as CSV*: Download the panel's data in a CSV file. +* *Copy to dashboard*: Copy the panel to an existing or new dashboard. +* *Add to existing case*: Add the panel to an existing case. +* *Add to new case*: Create a new case and add the panel to it. +* *Create anomaly detection job*: Create a {ml} anomaly detection job using the panel's data. + +[discrete] +[[clone-edit-dashboard]] +== Clone and edit the dashboard + +This dashboard is managed by {kib}, so any changes you make to it will not last. To make persistent changes, you can clone the dashboard and edit the cloned copy, but your copy will not get updates from Elastic. + +. Click *Edit*, then *Save as*. +. On the *Save dashboard* dialog, enter a new *Title* for your cloned copy. +. Make sure *Save as new dashboard* is selected, then click *Save*. You can now make additional changes and save them to your copy. 
\ No newline at end of file diff --git a/docs/dashboards/vuln-management-dashboard-dash.asciidoc b/docs/dashboards/vuln-management-dashboard-dash.asciidoc new file mode 100644 index 00000000000..7c27c36b685 --- /dev/null +++ b/docs/dashboards/vuln-management-dashboard-dash.asciidoc 
@@ -0,0 +1,44 @@ +[[vuln-management-dashboard-dash]] +// Note: This page is intentionally duplicated by docs/cloud-native-security/vuln-management-dashboard.asciidoc. When you update this page, update that page to match. And careful with the anchor links because they should not match. += Cloud Native Vulnerability Management Dashboard + +:frontmatter-description: The CNVM dashboard gives an overview of vulnerabilities detected in your cloud infrastructure. +:frontmatter-tags-products: [security, cloud] +:frontmatter-tags-content-type: [reference] +:frontmatter-tags-user-goals: [manage] + +The Cloud Native Vulnerability Management (CNVM) dashboard gives you an overview of vulnerabilities detected in your cloud infrastructure. + +image::images/vuln-management-dashboard.png[The CNVM dashboard] + +.Requirements +[sidebar] +-- +* To collect this data, install the <> integration. +* The CNVM dashboard is available to all Elastic Cloud users. For on-premises deployments, it requires an https://www.elastic.co/pricing[Enterprise subscription]. +-- + +beta[] + +[discrete] +[[CNVM-dashboard-UI-dash]] +== CNVM dashboard UI +The summary cards at the top of the dashboard display the number of monitored cloud accounts, scanned virtual machines (VMs), and vulnerabilities (grouped by severity). + +The *Trend by severity* bar graph complements the summary cards by displaying the number of vulnerabilities found on your infrastructure over time, sorted by severity. It has a maximum time scale of 30 days. + +.Graph tips +[sidebar] +-- +* Click the severity levels legend on its right to hide/show each severity level. +* To display data from specific cloud accounts, select the account names from the *Accounts* drop-down menu. +-- + + +The page also includes three tables: + +* *Top 10 vulnerable resources* shows your VMs with the highest number of vulnerabilities. 
+* *Top 10 patchable vulnerabilities* shows the most common vulnerabilities in your environment that can be fixed by a software update. +* *Top 10 vulnerabilities* shows the most common vulnerabilities in your environment, with additional details. + +Click *View all vulnerabilities* at the bottom of a table to open the <> page, where you can view additional details. diff --git a/docs/detections/detections-index.asciidoc b/docs/detections/detections-index.asciidoc index 8af712fcd9b..dfd83904157 100644 --- a/docs/detections/detections-index.asciidoc +++ b/docs/detections/detections-index.asciidoc @@ -10,6 +10,8 @@ include::rules-cross-cluster-search.asciidoc[leveloffset=+1] include::investigation-guide-actions.asciidoc[leveloffset=+1] +include::prebuilt-rules-management.asciidoc[] + include::rules-ui-manage.asciidoc[] include::rules-ui-monitor.asciidoc[] diff --git a/docs/detections/images/install-prebuilt-settings.png b/docs/detections/images/install-prebuilt-settings.png index bfaef88d540..5fe7a35d42e 100644 Binary files a/docs/detections/images/install-prebuilt-settings.png and b/docs/detections/images/install-prebuilt-settings.png differ diff --git a/docs/detections/images/prebuilt-rules-add-badge.png b/docs/detections/images/prebuilt-rules-add-badge.png new file mode 100644 index 00000000000..a305df45ce3 Binary files /dev/null and b/docs/detections/images/prebuilt-rules-add-badge.png differ diff --git a/docs/detections/images/prebuilt-rules-add.png b/docs/detections/images/prebuilt-rules-add.png new file mode 100644 index 00000000000..8e41fd24acb Binary files /dev/null and b/docs/detections/images/prebuilt-rules-add.png differ diff --git a/docs/detections/images/prebuilt-rules-update.png b/docs/detections/images/prebuilt-rules-update.png new file mode 100644 index 00000000000..df66983085d Binary files /dev/null and b/docs/detections/images/prebuilt-rules-update.png differ 
diff --git a/docs/detections/machine-learning/machine-learning.asciidoc b/docs/detections/machine-learning/machine-learning.asciidoc index 6b37a208856..0374818293e 100644 --- a/docs/detections/machine-learning/machine-learning.asciidoc +++ b/docs/detections/machine-learning/machine-learning.asciidoc @@ -2,6 +2,11 @@ [role="xpack"] = Anomaly detection with {ml} +:frontmatter-description: Use the power of machine learning to detect outliers and suspicious events. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [overview] +:frontmatter-tags-user-goals: [manage] + {ml-docs}/ml-ad-overview.html[{ml-cap}] functionality is available when you have the appropriate subscription, are using a *{ess-trial}[cloud deployment]*, or are testing out a *Free Trial*. Refer to <>. @@ -32,7 +37,7 @@ details*). You can also check the status of {ml} detection rules, and start or stop their associated {ml} jobs: -* In the *Rules* table, the *Last response* column displays the rule's current <>. An indicator icon (image:images/rules-table-error-icon.png[Error icon from Rules table,15,15]) also appears if a required {ml} job isn't running. Click the icon to list the affected jobs, then click *Visit rule details page to investigate* to open the rule's details page. +* On the *Rules* page, the *Last response* column displays the rule's current <>. An indicator icon (image:images/rules-table-error-icon.png[Error icon from rules table,15,15]) also appears if a required {ml} job isn't running. Click the icon to list the affected jobs, then click *Visit rule details page to investigate* to open the rule's details page. + [role="screenshot"] image::images/rules-table-ml-job-error.png[Rules table {ml} job error] diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc new file mode 100644 index 00000000000..61b60294f5d --- /dev/null +++ b/docs/detections/prebuilt-rules-management.asciidoc 
@@ -0,0 +1,121 @@ +[[prebuilt-rules-management]] +== Install and manage Elastic prebuilt rules + +:frontmatter-description: Start detections quickly with prebuilt rules designed and updated by Elastic. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [how-to] +:frontmatter-tags-user-goals: [manage] + +Follow these guidelines to start using the {es-sec-app}'s <>, keep them updated, and make sure they have the data needed to run successfully. + +* <> +* <> +* <> +* <> +* <> + +[NOTE] +==== +* Prebuilt rules don't start running by default. You must first install the rules, then enable them. After installation, only a few prebuilt rules will be enabled by default, such as the Endpoint Security rule. + +* You can't modify most settings on Elastic prebuilt rules. You can only edit <> and <>. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated. +==== + +[float] +[[load-prebuilt-rules]] +=== Install and enable Elastic prebuilt rules + +. Go to *Manage* -> *Rules*. The badge next to *Add Elastic rules* shows the number of prebuilt rules available for installation. ++ +[role="screenshot"] +image::images/prebuilt-rules-add-badge.png[The Add Elastic Rules page] + +. Click *Add Elastic rules*, then do one of the following: +* Install all available rules: Click *Install all*. +* Install a single rule: Click *Install rule* for that rule. +* Install multiple rules: Select the rules and click *Install _x_ selected rule(s)*. ++ +TIP: Use the search bar and *Tags* filter to find the rules you want to install. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to <>. 
++ +[role="screenshot"] +image::images/prebuilt-rules-add.png[The Add Elastic Rules page] + +. Go back to the *Rules* page, search or filter for any rules you want to run, and do either of the following: + +* Enable a single rule: Turn on the rule's *Enabled* switch. +* Enable multiple rules: Select the rules, then click *Bulk actions* -> *Enable*. + +Once you enable a rule, it starts running on its configured schedule. To confirm that it's running successfully, check its *Last response* status in the rules table, or open the rule's details page and check the <> tab. + +[float] +[[prebuilt-rule-tags]] +=== Prebuilt rule tags + +Each prebuilt rule includes several tags identifying the rule's purpose, detection method, associated resources, and other information to help categorize your rules. These tags are category-value pairs; for example, `OS: Windows` indicates rules designed for Windows endpoints. Categories include: + +* `Data Source`: The application, cloud provider, data shipper, or Elastic integration providing data for the rule. +* `Domain`: A general category of data source types (such as cloud, endpoint, or network). +* `OS`: The host operating system, which could be considered another data source type. +* `Resources`: Additional rule resources such as investigation guides. +* `Rule Type`: Identifies if the rule depends on specialized resources (such as machine learning jobs or threat intelligence indicators), or if it's a higher-order rule built from other rules' alerts. +* `Tactic`: MITRE ATT&CK tactics that the rule addresses. +* `Threat`: Specific threats the rule detects (such as Cobalt Strike or BPFDoor). +* `Use Case`: The type of activity the rule detects and its purpose. Use cases include: +** `Active Directory Monitoring`: Detects changes related to Active Directory. +** `Asset Visibility`: Detects changes to specified asset types. +** `Configuration Audit`: Detects undesirable configuration changes. 
+** `Guided Onboarding`: Example rule, used for {elastic-sec}'s guided onboarding tour. +** `Identity and Access Audit`: Detects activity related to identity and access management (IAM). +** `Log Auditing`: Detects activity on log configurations or storage. +** `Network Security Monitoring`: Detects network security configuration activity. +** `Threat Detection`: Detects threats. +** `Vulnerability`: Detects exploitation of specific vulnerabilities. + +[float] +[[select-all-prebuilt-rules]] +=== Select and duplicate all prebuilt rules + +. Go to *Manage* -> *Rules*, then select the *Elastic rules* filter. +. Click *Select all _x_ rules* above the rules table. +. Click *Bulk actions* -> *Duplicate*. +. Select whether to duplicate the rules' exceptions, then click *Duplicate*. + +You can then modify the duplicated rules and, if required, delete the prebuilt ones. However, your customized rules are entirely separate from the original prebuilt rules, and will not get updates from Elastic if the prebuilt rules are updated. + +[float] +[[update-prebuilt-rules]] +=== Update Elastic prebuilt rules + +Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions. + +. Go to *Manage* -> *Rules*, then select the *Rule Updates* tab. ++ +NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date. ++ +[role="screenshot"] +image::images/prebuilt-rules-update.png[The Rule Updates tab on the Rules page] + +. Do one of the following: +* Update all available rules: Click *Update all*. +* Update a single rule: Click *Update rule* for that rule. +* Update multiple rules: Select the rules and click *Update _x_ selected rule(s)*. 
++ +TIP: Use the search bar and *Tags* filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to <>. + +[float] +[[rule-prerequisites]] +=== Confirm rule prerequisites + +Many Elastic prebuilt rules are designed to work with specific Elastic integrations and data fields. These prerequisites are identified in the *Related integrations* and *Required fields* fields on a rule's details page (*Manage* -> *Rules*, then click a rule's name). *Related integrations* also displays each integration's installation status and includes links for installing and configuring the listed integrations. + +Additionally, the *Setup guide* section provides guidance on setting up the rule's requirements. + +[role="screenshot"] +image::images/rule-details-prerequisites.png[Rule details page with Related integrations, Required fields, and Setup guide highlighted] + +You can also check rules' related integrations in the *Installed Rules* and *Rule Monitoring* tables. Click the *integrations* badge to display the related integrations in a popup. + +[role="screenshot"] +image::images/rules-table-related-integrations.png[Rules table with related integrations popup,75%] + +TIP: You can hide the *integrations* badge in the rules tables. Go to *{kib}* -> *Stack Management* -> *Advanced Settings*, then turn off `securitySolution:showRelatedIntegrations`. diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index 9c22707159f..c285889192c 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc 
@@ -4,7 +4,7 @@ This section lists all updates to prebuilt detection rules, made available with the *Prebuilt Security Detection Rules* integration in Fleet. -To download the latest updates, follow the instructions in <> +To update your installed rules to the latest versions, follow the instructions in <>. [width="100%",options="header"] diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index c9ac6b9694e..81c5af43fd4 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -1,7 +1,11 @@ [[rules-ui-management]] -[role="xpack"] == Manage detection rules +:frontmatter-description: Manage your detection rules and enable Elastic prebuilt rules on the Rules page. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [how-to] +:frontmatter-tags-user-goals: [manage] + The Rules page allows you to view and manage all prebuilt and custom detection rules. [role="screenshot"] @@ -11,10 +15,6 @@ On the Rules page, you can: * <> * <> -* <> -* <> -* <> -* <> * <> * <> * <> 
@@ -49,75 +49,8 @@ The *Last response* column displays the current status of each rule, based on th * *Failed*: The rule encountered an error that prevented it from running. For example, a {ml} rule whose corresponding {ml} job wasn't running. * *Warning*: Nothing prevented the rule from running, but it might have returned unexpected results. For example, a custom query rule tried to search an index pattern that couldn't be found in {es}. -For {ml} rules, an indicator icon (image:images/rules-table-error-icon.png[Error icon from Rules table,15,15]) also appears in this column if a required {ml} job isn't running. Click the icon to list the affected jobs, then click *Visit rule details page to investigate* to open the rule's details page, where you can start the {ml} job. - -You can filter rules by status using the *Last response* filter. - -[float] -[[load-prebuilt-rules]] -=== Load and activate Elastic prebuilt rules - -To load the {es-sec-app}'s <>, go to *Manage* -> *Rules* -> *Load Elastic prebuilt rules and Timeline templates*. - -You can then activate whichever rules you want. If you delete any prebuilt rules, a button appears that enables you to reload all of the deleted ones. - -[NOTE] -============== -Apart from the Elastic Endpoint rule, prebuilt rules are not activated by -default. If you want to modify a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. All Elastic prebuilt rules are tagged with the word `Elastic`. - -To learn how to enable detection rules in Elastic Security, watch the <> at the end of this topic. -============== +For {ml} rules, an indicator icon (image:images/rules-table-error-icon.png[Error icon from rules table,15,15]) also appears in this column if a required {ml} job isn't running. Click the icon to list the affected jobs, then click *Visit rule details page to investigate* to open the rule's details page, where you can start the {ml} job. 
-[float] -[[select-all-prebuilt-rules]] -=== Select and duplicate all prebuilt rules - -. Go to *Manage* -> *Rules*. -. Click *Select all _x_ rules* above the rules table. -. Click *Bulk actions* -> *Duplicate*. -. Select the *Custom rules* tab. - -You can then modify the duplicated rules and, if required, delete the prebuilt ones. - -[float] -[[download-prebuilt-rules]] -=== Download latest Elastic prebuilt rules - -As of {stack} >=7.13.0, you can download the latest version of Elastic prebuilt rules outside of a regular release cycle. This feature ensures you have the latest detection capabilities before upgrading to the latest {stack}. - -To download the latest version of prebuilt rules: - -. In {kib}, go to *Management* -> *Integrations*. -. Search for "Prebuilt Security Detection Rules." -. Select the integration, then select the *Settings* tab. The integration settings page is displayed. -+ -[role="screenshot"] -image::images/install-prebuilt-settings.png[] -+ -. Click *Install Prebuilt Security Detection Rules assets*. -. Click *Install Prebuilt Security Detection Rules* to confirm the installation. -+ -[role="screenshot"] -image::images/install-prebuilt-rules.png[] - -[float] -[[rule-prerequisites]] -=== Confirm rule prerequisites - -Many Elastic prebuilt rules are designed to work with specific Elastic integrations and data fields. These prerequisites are identified in the *Related integrations* and *Required fields* fields on a rule's details page (*Manage* -> *Rules*, then click a rule's name). *Related integrations* also displays each integration's installation status and includes links for installing and configuring the listed integrations. - -Additionally, the *Setup guide* section provides guidance on setting up the rule's requirements. 
- -[role="screenshot"] -image::images/rule-details-prerequisites.png[Rule details page with Related integrations, Required fields, and Setup guide highlighted] - -You can also check rules' related integrations in the *Rules* and *Rule Monitoring* tables. Click the *integrations* badge to display the related integrations in a popup. - -[role="screenshot"] -image::images/rules-table-related-integrations.png[Rules table with related integrations popup,75%] - -TIP: You can hide the *integrations* badge in the Rules tables. Go to *{kib}* -> *Stack Management* -> *Advanced Settings*, then turn off `securitySolution:showRelatedIntegrations`. [float] [[edit-rules-settings]] @@ -177,7 +110,7 @@ Instead of turning rules off to stop alert notifications, you can snooze rule ac You can snooze notifications temporarily or indefinitely. When actions are snoozed, you can cancel or change the duration of the snoozed state. You can also schedule and manage recurring downtime for actions. -You can snooze rule notifications from the Rules table, the rule details page, or the *Actions* tab when editing a rule. +You can snooze rule notifications from the *Installed Rules* tab, the rule details page, or the *Actions* tab when editing a rule. [role="screenshot"] image::images/rule-snoozing.png[Rules snooze options,65%] 
@@ -226,21 +159,3 @@ NOTE: Imported rules must be in an `.ndjson` file. .. (Optional) Select *Overwrite existing connectors with conflicting action "id"* to update existing connectors if they match the `action id` value of any rule actions in the import file. Configuration data included with the actions is also overwritten. .. Click *Import rule*. .. (Optional) If a connector is missing sensitive information after the import, a warning displays and you're prompted to fix the connector. In the warning, click *Go to connector*. On the Connectors page, find the connector that needs to be updated, click *Fix*, then add the necessary details. - -[float] -[[enable-detection-rules]] -=== Tutorial: Enable detection rules -To learn how to enable detection rules in Elastic Security, watch the following tutorial. - -++++ - - -
-++++ diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 20f68e7ea98..f24177aa961 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc @@ -1,14 +1,20 @@ [[alerts-ui-monitor]] -[role="xpack"] == Monitor and troubleshoot rule executions -The Rules page offers several ways to gain insight into the status of your detection rules: +:frontmatter-description: Find out how your rules are performing, and troubleshoot common rule issues. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [how-to] +:frontmatter-tags-user-goals: [monitor, manage] + +Several tools can help you gain insight into the performance of your detection rules: * <> — The current state of all detection rules and their most recent executions. Go to the *Rule Monitoring* tab to get an overview of which rules are running, how long they're taking, and if they're having any trouble. * <> — Historical data for a single detection rule's executions over time. Consult the execution results to understand how a particular rule is running and whether it's creating the alerts you expect. -Refer to the <> section below for strategies on using these tools. +* <> — Visualizations to help you monitor the overall health and performance of {elastic-sec}'s detection rules. Consult this dashboard for a high-level view of whether your rules are running successfully and how long they're taking to run, search data, and create alerts. + +Refer to the <> section below for strategies on adjusting rules if they aren't creating the expected alerts. [float] [[rule-monitoring-tab]] 
@@ -21,11 +27,11 @@ times, select the *Rule Monitoring* tab on the *Rules* page (*Manage* -> [role="screenshot"] image::images/monitor-table.png[] -On the *Rule Monitoring* tab, you can <> just like you can on the *Rules* tab. +On the *Rule Monitoring* tab, you can <> just like you can on the *Installed Rules* tab. TIP: To sort the rules list, click any column header. To sort in descending order, click the column header again. -For detailed information on a rule, the alerts it generated, and associated errors, click on its name in the table. This also allows you to perform the same actions that are available on the <>, such as modifying or deleting rules, activating or deactivating rules, exporting or importing rules, and duplicating prebuilt rules. +For detailed information on a rule, the alerts it generated, and associated errors, click on its name in the table. This also allows you to perform the same actions that are available on the <>, such as modifying or deleting rules, activating or deactivating rules, exporting or importing rules, and duplicating prebuilt rules. [float] [[rule-execution-logs]] diff --git a/docs/getting-started/images/dashboards-pg.png b/docs/getting-started/images/dashboards-pg.png index d4fadf1a0f3..917daf569ac 100644 Binary files a/docs/getting-started/images/dashboards-pg.png and b/docs/getting-started/images/dashboards-pg.png differ diff --git a/docs/management/admin/images/response-console-help-panel.png b/docs/management/admin/images/response-console-help-panel.png index 75738009051..3a2900544c4 100644 Binary files a/docs/management/admin/images/response-console-help-panel.png and b/docs/management/admin/images/response-console-help-panel.png differ diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index c961133ad48..c7425774272 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc 
@@ -139,6 +139,21 @@ Example: `execute --command "ls -al" --timeout 2s --comment "Get list of all fil WARNING: This response action runs commands on the host using the same user account running the {elastic-defend} integration, which normally has full control over the system. Be careful with any commands that could cause irrevocable changes. +=== `upload` + +Upload a file to the host. The file is saved to the location on the host where {elastic-endpoint} is installed. After you run the command, the full path is returned in the console for reference. Use these parameters: + +* `--file` : (Required) The file to send to the host. As soon as you type this parameter, a popup appears — select it to navigate to the file, or drag and drop the file onto the popup. +* `--overwrite` : (Optional) Overwrite the file on the host if it already exists. + +Required privilege: *File Operations* + +Example: `upload --file --comment "Upload remediation script"` + +TIP: You can follow this with the `execute` response action to upload and run scripts for mitigation or other purposes. + +NOTE: The default file size maximum is 25 MB, configurable in `kibana.yml` with the `maxUploadResponseActionFileBytes` setting. You must enter the value in bytes (the maximum is `104857600` bytes, or 100 MB). + [[supporting-commands-parameters]] == Supporting commands and parameters diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index 2adde485e1b..89c5074f705 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> @@ -40,6 +41,7 @@ This section summarizes the changes in each release. :issue: https://github.com/elastic/kibana/issues/ :pull: https://github.com/elastic/kibana/pull/ +include::release-notes/8.9.asciidoc[] include::release-notes/8.8.asciidoc[] include::release-notes/8.7.asciidoc[] include::release-notes/8.6.asciidoc[] 
diff --git a/docs/release-notes/8.7.asciidoc b/docs/release-notes/8.7.asciidoc index 9e4991a72b4..5dd151705a1 100644 --- a/docs/release-notes/8.7.asciidoc +++ b/docs/release-notes/8.7.asciidoc @@ -231,12 +231,7 @@ GET .kibana*/_search [[breaking-changes-8.7.0]] ==== Breaking changes -//tag::breaking-changes[] -// NOTE: The breaking-changes tagged regions are reused in the Elastic Installation and Upgrade Guide. The pull attribute is defined within this snippet so it properly resolves in the output. -:pull: https://github.com/elastic/kibana/pull/ There are no breaking changes in 8.7.0. -//end::breaking-changes[] - [discrete] [[deprecations-8.7.0]] diff --git a/docs/release-notes/8.8.asciidoc b/docs/release-notes/8.8.asciidoc index d5d57222070..43fbca93cc1 100644 --- a/docs/release-notes/8.8.asciidoc +++ b/docs/release-notes/8.8.asciidoc @@ -15,16 +15,10 @@ [[breaking-changes-8.8.2]] ==== Breaking changes -//tag::breaking-changes[] -// NOTE: The breaking-changes tagged regions are reused in the Elastic Installation and Upgrade Guide. The pull attribute is defined within this snippet so it properly resolves in the output. -// THIS ALSO MEANS IF YOU USE LINKS HERE, THEY SHOULD BE FULL URLS WITH NO ATTRIBUTES - :pull: https://github.com/elastic/kibana/pull/ There are no breaking changes in 8.8.2. -//end::breaking-changes[] - [discrete] [[enhancements-8.8.2]] ==== Enhancements diff --git a/docs/release-notes/8.9.asciidoc b/docs/release-notes/8.9.asciidoc new file mode 100644 index 00000000000..aacc9c831d8 --- /dev/null +++ b/docs/release-notes/8.9.asciidoc 
@@ -0,0 +1,73 @@ +[[release-notes-header-8.9.0]] +== 8.9 + +[discrete] +[[release-notes-8.9.0]] +=== 8.9.0 + +[discrete] +[[known-issue-8.9.0]] +==== Known issues + +* On the new Detection rule monitoring dashboard, total `Rule executions` will not always equal the sum of `Succeeded`, `Warning`, and `Failed` executions. This is expected because rules can write multiple statuses per execution. One typical example is gap detection: if a rule detects a gap in rule execution it will write an intermediate `Failed` status, then continue to run, and write a final status (such as `Warning`) before finishing its execution. +* Rule changes can't be saved if the rule's action frequency is shorter than the rule's run interval. +* The `upload` response action does not report the correct amount of available disk space. The correct amount is approximately four gigabytes. + +[discrete] +[[breaking-changes-8.9.0]] +==== Breaking changes +//tag::breaking-changes[] +// NOTE: The breaking-changes tagged regions are reused in the Elastic Installation and Upgrade Guide. The pull attribute is defined within this snippet so it properly resolves in the output. +// THIS ALSO MEANS IF YOU USE LINKS HERE, THEY SHOULD BE FULL URLS WITH NO ATTRIBUTES + +:pull: https://github.com/elastic/kibana/pull/ + +There are no breaking changes in 8.9.0. + +//end::breaking-changes[] + +[discrete] +[[deprecations-8.9.0]] +==== Deprecations +* Removes the option to use the legacy navigation menu ({pull}158094[#158094]). +* General prebuilt threat indicator match rules were deprecated and replaced with improved indicator-type rules. + +[discrete] +[[features-8.9.0]] +==== New features +* Allows you to install the Cloud Security Posture Management (CSPM) integration via CloudFormation ({pull}159994[#159994]). +* Creates a new dashboard, Cloud Native Vulnerability Management, that provides an overview of vulnerabilities on your cloud hosts ({pull}159699[#159699]). 
+* Allows you to group vulnerabilities by resource (host) on the Vulnerabilities Findings page, and creates a Resource flyout that displays detailed vulnerability findings for individual hosts ({pull}159873[#159873], {pull}158987[#158987]). +* Adds a new custom dashboard, "Detection rule monitoring" ({pull}159875[#159875]). +* Allows you to anonymize event field values sent to AI Assistant ({pull}159857[#159857]). +* Adds a *Chat* button that opens AI Assistant to the alert details flyout ({pull}159633[#159633]). +* Updates AI Assistant to let you create and delete custom system prompts and default conversations ({pull}159365[#159365]). +* Allows you to add alert tags ({pull}157786[#157786]). +* Adds the ability to automatically isolate a host through a rule’s endpoint response action ({pull}152424[#152424]). +* Moves response actions to General Availability. +* Adds a new response action that allows you to upload files to an endpoint that has {elastic-endpoint} installed ({pull}157208[#157208]). +* Makes the Lateral Movement Detection advanced analytics package General Availability, and adds the ability to detect malicious activities in Windows RDP events (https://github.com/elastic/integrations/pull/6588[#6588]). + +[discrete] +[[enhancements-8.9.0]] +==== Enhancements +* Makes it easier to set up exceptions by auto-populating exception conditions and values with relevant alert data. +* Adds a *Last response* dropdown menu to the Rules table that allows you to filter rules by the status of their last execution ("Succeeded", "Warning", or "Failed") ({pull}159865[#159865]). +* Creates a Lens dashboard for monitoring the use of tokens by AI Assistant ({pull}159075[#159075]). +* Creates a connector for D3 Security ({pull}158569[#158569]). +* Improves the interface for installing and upgrading Elastic prebuilt rules ({pull}158450[#158450]). +* Shows a rule's actions on its details page ({pull}158189[#158189]). 
+* Allows you to add Lens visualizations to cases from the visualization's *More actions* menu ({pull}154918[#154918]). +* Adds a tooltip to snoozed rules that shows exactly when alerting will resume ({pull}157407[#157407]). +* Enhances the Data Exfiltration Detection package by adding the ability to detect exfiltration anomalies through USB devices and Airdrop (https://github.com/elastic/integrations/pull/6577[#6577]). + +[discrete] +[[bug-fixes-8.9.0]] +==== Bug fixes +* Fixes a bug that prevented rule exceptions from being auto-populated when you created a new exception from an alert's **Take action** menu. +* Fixes a UI bug that overlaid **Default Risk score** values as you created a new rule. +* Fixes a bug that restricted the number of cloud accounts that could appear on the Cloud Security Posture dashboard to 10 ({pull}157233[#157233]). +* Fixes a bug that allowed you to save a rule with an alert filter missing a query ({pull}159690[#159690]). +* Fixes unexpected filtering behavior on the Alerts page. Now, when you select a filter that excludes all alerts, an empty table now appears as expected ({pull}160374[#160374]). +* Fixes a UI bug where the **Label** field in the Investigation Guide form incorrectly turns red when the entered value is correct ({pull}160574[#160574], {pull}160577[#160577]). +* Fixes a bug that caused rules to snooze longer than specified ({pull}152873[#152873]). diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index 9507f268de6..4b97d10b935 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -63,7 +63,7 @@ image::whats-new/images/8.9/IG-UI.png[Interactive investigation guide] [float] === Prebuilt rule updates -Check out the {security-guide}/prebuilt-rules-downloadable-updates.html[latest updates] to prebuilt rules. To download the latest updates, refer to {security-guide}/rules-ui-management.html#download-prebuilt-rules[Download latest Elastic prebuilt rules]. +Check out the {security-guide}/prebuilt-rules-downloadable-updates.html[latest updates] to prebuilt rules. To download the latest updates, refer to {security-guide}/prebuilt-rules-management.html#update-prebuilt-rules[Update Elastic prebuilt rules]. [float] === Manage and filter alert tags
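Review bot: Deleting the `[[enable-detection-rules]]` anchor along with the `Tutorial: Enable detection rules` section (the trailing `-` lines of the rule import hunk) will break any `<<enable-detection-rules>>` cross-reference elsewhere in the guide; grep the docs tree for that id before merging, or keep a stub anchor. While touching this hunk, the import steps say a connector may be "missing sensitive information after the import" without explaining why: the wording implies exported rule files do not carry connector secrets, so say that directly, and add that *Overwrite existing connectors with conflicting action "id"* lets an imported `.ndjson` replace the configuration of live connectors (and, per the context line, "Configuration data included with the actions is also overwritten"), so that option should only be used with files from a trusted source.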
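Review bot: The new bullet for the Detection rule monitoring dashboard (the added `* <>` line in the first `rules-ui-monitor.asciidoc` hunk) promises "a high-level view of whether your rules are running successfully", but the 8.9.0 known issue in this same patch says total `Rule executions` will not equal the sum of `Succeeded`, `Warning`, and `Failed` because a rule can write several statuses per execution (gap detection writes an intermediate `Failed`). Add that caveat or a link to the known issue next to the bullet; otherwise a reader using the dashboard counts as a health check will read gap-detection `Failed` statuses as failed runs.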
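Review bot: The new `=== \`upload\`` section in `response-actions.asciidoc` has no WARNING, yet its TIP recommends chaining `upload` with `execute`, and the `execute` WARNING immediately above says commands run "using the same user account running the {elastic-defend} integration, which normally has full control over the system". Together the two actions let a user holding *File Operations* plus the execute privilege place and run an arbitrary script on the host with that account, and `--overwrite` will replace an existing file at the destination; add a matching WARNING to `upload`. Two smaller points: the example `upload --file --comment "Upload remediation script"` shows `--file` with no value, so if the value is only ever supplied through the file picker, say so beside the example rather than leaving it looking like a typo; and the NOTE on `maxUploadResponseActionFileBytes` should say that because the setting lives in `kibana.yml` it is global, so raising the limit towards the 100 MB maximum raises it for every user with this privilege.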
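Review bot: The `8.7.asciidoc` and `8.8.asciidoc` hunks delete the `//tag::breaking-changes[]` ... `//end::breaking-changes[]` markers whose own comment says the region "is reused in the Elastic Installation and Upgrade Guide"; if that guide still includes those files with `tag=breaking-changes`, the build will warn and the content will silently go missing. Confirm the Upgrade Guide only pulls the current release's tag (8.9 keeps it in this patch) or leave the markers in place, since they are harmless. The two hunks are also inconsistent with each other: 8.7 removes the `:pull: https://github.com/elastic/kibana/pull/` attribute definition along with the tags, while 8.8 keeps it.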
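Review bot: In the new `8.9.asciidoc`, the `==== Deprecations` bullet "Removes the option to use the legacy navigation menu" describes a removal, not a deprecation; either it belongs under `==== Breaking changes` (which currently states there are none) or the wording should say the option is deprecated. Other points in the same hunk: the `upload` known issue says the action "does not report the correct amount of available disk space" and that "the correct amount is approximately four gigabytes" without saying what value is shown instead or whether the wrong figure can block an upload that is under the 25 MB default limit documented in `response-actions.asciidoc`, so spell out the symptom. "Moves response actions to General Availability.", the threat indicator match rules deprecation, the exceptions auto-population enhancement, and the first two bug fixes carry no `{pull}` link while every neighbouring bullet does. The Alerts page bug fix reads "Now, when you select a filter that excludes all alerts, an empty table now appears", with a duplicated "now". Finally, the feature bullet for automatically isolating a host through a rule's endpoint response action deserves a pointer to the response actions page, since a rule that matches too broadly will isolate hosts on false positives.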