[DOCS] Threat Intelligence - Indicators Page and Indicator Details #2526

Merged (76 commits), Oct 18, 2022
Changes from 15 commits

Commits (76)
51a8076
First draft
nastasha-solomon Oct 3, 2022
8f14424
More changes
nastasha-solomon Oct 3, 2022
163a973
Fixing heading
nastasha-solomon Oct 3, 2022
b470be8
Removed pre-reqs
nastasha-solomon Oct 3, 2022
cc0e172
Input from Dhru
nastasha-solomon Oct 3, 2022
e97e4c4
Resize image
nastasha-solomon Oct 3, 2022
4e4ca4c
Re-org
nastasha-solomon Oct 3, 2022
d79e14f
Adding more sections
nastasha-solomon Oct 3, 2022
7b4185f
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 3, 2022
9c196be
Adding background
nastasha-solomon Oct 3, 2022
aa9ca53
Merge branch 'issue-2497-TIP' of github.com:elastic/security-docs int…
nastasha-solomon Oct 3, 2022
71ef3e5
Updating Elastic UI topic
nastasha-solomon Oct 4, 2022
5133f5d
Revisions
nastasha-solomon Oct 4, 2022
f7ef7b0
Adding gif
nastasha-solomon Oct 4, 2022
06d3f92
Removed unfinished parts
nastasha-solomon Oct 4, 2022
78dc0a3
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 4, 2022
c3e1149
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 4, 2022
62a1e69
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 5, 2022
d88f855
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 5, 2022
39f7269
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 5, 2022
f86bce6
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 5, 2022
f6c8ef0
Update docs/events/index.asciidoc
nastasha-solomon Oct 5, 2022
7c00ab8
Update docs/getting-started/security-ui.asciidoc
nastasha-solomon Oct 5, 2022
8c20a4d
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 5, 2022
9cc8543
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 5, 2022
39f8360
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 5, 2022
aae27d1
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 6, 2022
8cc4361
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 6, 2022
e14c4eb
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 8, 2022
8eea0a7
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 8, 2022
6f80faf
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 8, 2022
68baa9e
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 8, 2022
794c2d9
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 11, 2022
40e1554
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 12, 2022
87815d8
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 12, 2022
2663339
Adding preqs and troubleshooting section
nastasha-solomon Oct 12, 2022
91b13ed
Merge branch 'issue-2497-TIP' of github.com:elastic/security-docs int…
nastasha-solomon Oct 12, 2022
ee038d2
Updated screenshot
nastasha-solomon Oct 12, 2022
9063db6
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 13, 2022
0d7e785
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
608f2b0
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
744abdf
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
a833a54
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
f5c34a4
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
5b78453
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
3ef3da1
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
7c2bb9e
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
d3f3cb2
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
778588e
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
c6075c6
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
0f5c11a
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
23e3831
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
fbac7f8
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
17709b2
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 13, 2022
dbae18d
Breaking up example in last section
nastasha-solomon Oct 13, 2022
271d272
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 17, 2022
adca02b
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 17, 2022
66bf56d
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 17, 2022
1758f9d
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 17, 2022
57e6fc9
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 17, 2022
6aa94b7
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 17, 2022
f34f339
Update docs/events/indicators-of-compromise.asciidoc
nastasha-solomon Oct 17, 2022
668ec80
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 17, 2022
52f4a6d
Updated TOC and added Joe's other suggest
nastasha-solomon Oct 17, 2022
a474493
Update docs/cases/indicators-of-compromise.asciidoc
nastasha-solomon Oct 17, 2022
078d31d
Update docs/cases/indicators-of-compromise.asciidoc
nastasha-solomon Oct 17, 2022
91aa600
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 17, 2022
4baf66f
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 18, 2022
e837936
Update docs/getting-started/security-ui.asciidoc
nastasha-solomon Oct 18, 2022
736a86d
Update docs/getting-started/security-ui.asciidoc
nastasha-solomon Oct 18, 2022
4fa6728
Update docs/cases/indicators-of-compromise.asciidoc
nastasha-solomon Oct 18, 2022
b5f1904
Update docs/cases/indicators-of-compromise.asciidoc
nastasha-solomon Oct 18, 2022
f6a0fbf
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 18, 2022
2398bee
Update docs/cases/indicators-of-compromise.asciidoc
nastasha-solomon Oct 18, 2022
d6bf691
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 18, 2022
8f17bd5
Merge branch 'main' into issue-2497-TIP
nastasha-solomon Oct 18, 2022
Binary file added docs/events/images/indicator-in-timeline.png
Binary file added docs/events/images/indicators-table.png
3 changes: 2 additions & 1 deletion docs/events/index.asciidoc
@@ -2,7 +2,8 @@

= Investigate

The following sections describe how to use Timelines and the Timeline graphical interface to investigate events, and how to use cases to open and track security issues directly in the {security-app}.
The following sections describe tools that you can use to investigate security events and track security issues directly in the {security-app}.

include::timeline-ui-overview.asciidoc[leveloffset=+1]
include::timeline-templates.asciidoc[leveloffset=+1]
include::indicators-of-compromise.asciidoc[leveloffset=+1]
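Review bot: the new include on the last line, `include::indicators-of-compromise.asciidoc[leveloffset=+1]`, fixes the topic's location under docs/events/, while the later commits in this PR's list touch docs/cases/indicators-of-compromise.asciidoc; if the file is relocated before merge, this include and the `<<indicators-of-compromise>>` cross-reference in security-ui.asciidoc must move with it in the same change, or the build fails on a missing include. A smaller point on the rewritten intro sentence: it drops the explicit mention of Timelines and cases, so consider naming the three tools the included sections cover (Timeline, cases, the Intelligence page) so the reader knows what follows.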
64 changes: 64 additions & 0 deletions docs/events/indicators-of-compromise.asciidoc
@@ -0,0 +1,64 @@
[[indicators-of-compromise]]
= Indicators of compromise

The Intelligence page collects data from enabled threat intelligence feeds and provides you with a centralized view of indicators. This topic offers definitions of threat intelligence and indicators, helps you get started using the Intelligence page, and explains how to work with indicators.

[role="screenshot"]
image::images/indicators-table.png[Shows the Indicators table on the Intelligence page]

[discrete]
[[ti-indicators]]
== Threat intelligence and indicators
If you are unfamiliar with threat intelligence, think of it as a research function that helps an organization make informed decisions when taking actions to protect itself. An organization's security operation center (SOC) team is usually responsible for managing threat intelligence. A SOC team's goals are to understand current and emerging threats so they can recommend actions that will prevent, stop, and mitigate threats to an organization.

An indicator, also referred to as an Indicator of Compromise (IoC), is a piece of information that represents a known malicious threat or reported vulnerability. There are many types of indicators, including URLs, files, domains, email addresses and more. Within SOC teams, threat intelligence analysts use indicators to detect, assess, and respond to threats.

[discrete]
[[setup-intelligence-page]]
== Set up the Intelligence page

Install threat intelligence integrations to add indicators to the Intelligence page.

IMPORTANT: Before enabling a threat intelligence feed, ensure you have installed a {fleet-guide}/install-fleet-managed-elastic-agent.html[{fleet}-managed {agent}] on the hosts you want to monitor.

. Choose one of the following:
.. From the {security-app} main menu, click the Intelligence page, then click *Add Integrations*.
.. From the {kib} main menu and click *Add integrations*. Scroll down list of integration categories and select *Threat Intelligence* to filter for threat intelligence integrations.
. Select a threat intelligence integration, then complete the installation steps.
+
NOTE: Refer to the Threat intelligence section of the https://docs.elastic.co/integrations[Elastic integration documentation] for more information about required field mappings.

. Return to the Intelligence page in {elastic-sec}. Refresh the page if indicator data isn't displaying.

[discrete]
[[intelligence-page-ui]]
== Intelligence page UI

After you add indicators to the Intelligence page, you can <<examine-indicator-details,examine indicators>> and search, filter, and take actions on indicator data. Indicators are also visualized in the Trend view, which shows the occurrence of indicators over time.

[role="screenshot"]
image::images/interact-with-indicators-table.gif[width=90%][height=90%][Shows how to interact with the Intelligence page]

[discrete]
[[examine-indicator-details]]
=== Examine indicator details
Learn more about an indicator by clicking the *View details* button and opening the Indicators details flyout. The flyout contains these informational tabs:

* *Overview*: Offers a summary of the indicator. Provides the indicator's name, the threat intelligence feed it came from, the indicator type, and additional relevant data.
+
NOTE: Some threat intelligence feeds provide https://www.cisa.gov/tlp#:~:text=Introduction,shared%20with%20the%20appropriate%20audience[Traffic Light Protocol (TLP) markings]. The *TLP Marking* field will be empty if the data is not available.
Contributor:

It's true not only for TLP Marking but for Confidence as well

* *Table*: The indicator data in table format. Data is organized into field-value pairs.
* *JSON*: The indicator data in JSON format.
+
[role="screenshot"]
image::images/indicator-details-flyout.png[Shows the Indicator details flyout, 600]

[discrete]
[[find-related-sec-events]]
== Find related security events

Investigating an indicator in Timeline helps you find related security events in your environment. You can add an indicator to Timeline from the Indicators table or the Indicator details flyout.

[role="screenshot"]
image::images/indicator-in-timeline.png[Shows the results of an indicator being investigated in Timeline]
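Review bot: the animated screenshot macro `image::images/interact-with-indicators-table.gif[width=90%][height=90%][Shows how to interact with the Intelligence page]` uses three separate bracket groups, but an AsciiDoc block image macro takes a single attribute list with the alt text first, so the width, height and alt text will not all be applied as intended; write it the same way as the flyout image in the same hunk, e.g. `image::images/interact-with-indicators-table.gif[Shows how to interact with the Intelligence page, width=90%]`. Two smaller points: step 1b reads "From the {kib} main menu and click *Add integrations*. Scroll down list of integration categories", which should be "From the {kib} main menu, click *Add integrations*. Scroll down the list of integration categories"; and, per the contributor comment on the TLP note, the "field will be empty if the data is not available" caveat applies to the *Confidence* field as well, so the NOTE should name both fields rather than single out *TLP Marking*.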
8 changes: 8 additions & 0 deletions docs/getting-started/security-ui.asciidoc
@@ -99,6 +99,14 @@ image::images/network-ui.png[Shows the Network page]
[role="screenshot"]
image::images/users/users-page.png[Shows the Users page]

[float]
=== Intelligence

Access and interact with indicator data in a centralized location. Refer to <<indicators-of-compromise>> to learn more.

[role="screenshot"]
image::images/indicators-table.png[Shows the Intelligence page]

[float]
=== Get started
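Review bot: the screenshot reference `image::images/indicators-table.png[Shows the Intelligence page]` in docs/getting-started/security-ui.asciidoc uses a relative `images/` path, while the only copy of indicators-table.png added by this PR is docs/events/images/indicators-table.png; unless the build resolves `images/` through a shared imagesdir (as the neighbouring `images/network-ui.png` and `images/users/users-page.png` references suggest), this page will render a broken image, so confirm the path resolves or add the file under the getting-started images directory. The `<<indicators-of-compromise>>` cross-reference resolves to the `[[indicators-of-compromise]]` anchor defined at the top of the new topic, so that part is fine.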