diff --git a/docs/dashboards/dashboards-overview.asciidoc b/docs/dashboards/dashboards-overview.asciidoc index 01bffdcd4f..797e808412 100644 --- a/docs/dashboards/dashboards-overview.asciidoc +++ b/docs/dashboards/dashboards-overview.asciidoc @@ -18,3 +18,5 @@ include::detection-response-dashboard.asciidoc[leveloffset=+1] include::kubernetes-dashboard.asciidoc[leveloffset=+1] include::cloud-posture.asciidoc[leveloffset=+1] + +include::entity-dashboard.asciidoc[leveloffset=+1] \ No newline at end of file diff --git a/docs/dashboards/entity-dashboard.asciidoc b/docs/dashboards/entity-dashboard.asciidoc new file mode 100644 index 0000000000..9bb1e0a377 --- /dev/null +++ b/docs/dashboards/entity-dashboard.asciidoc @@ -0,0 +1,98 @@ +[[detection-entity-dashboard]] += Entity Analytics dashboard + +The Entity Analytics dashboard provides a centralized view of emerging insider threats - including host risk, user risk, and notable anomalies from within your network. Use it to triage, investigate, and respond to these emerging threats. + + +.Requirements +[sidebar] +-- + +* A https://www.elastic.co/pricing/[Platinum subscription] or higher is required. +* To display host and user risk scores, the host risk score and user risk score features must be enabled. You can do this directly from the dashboard by clicking the *Enable* button. For more information, refer to the <> and <> instructions. +* To display notable anomalies, you must {ml-docs}/ml-ad-run-jobs.html[install and run] the following machine learning jobs: +** `auth_rare_source_ip_for_a_user` +** `suspicious_login_activity` +** `packetbeat_dns_tunneling` +** `packetbeat_rare_server_domain` +** `packetbeat_rare_dns_question` +** `v3_windows_anomalous_script` +-- + + +The dashboard includes the following sections: + +* <> +* <> +* <> +* <> + + +[role="screenshot"] +image::images/entity-dashboard.png[Entity dashboard] + +[[entity-kpis]] +[float] +== Entity KPIs (key performance indicators) + +Displays the total number of critical hosts, critical users, and anomalies. Select a link to go to the Host risk table, User risk table, or Anomaly Detection Jobs page. + +[[entity-host-risk-scores]] +[float] +== Host Risk Scores + +Displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names and risk classifications. Host risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). + +[role="screenshot"] +image::images/host-score-data.png[Host risk table] + + +Interact with the table to filter data or view more details: + +* Select the *Host risk classification* menu to filter the chart by the selected classification. +* Click a host name link to go to the Host details page. +* Click *View all* in the upper-right to display all host risk information on the Hosts page. + + +For more information about host risk scores, click the *Learn more* link in the table, or refer to <>. + +[[entity-user-risk-scores]] +[float] +== User Risk Scores + +Displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names and risk classifications. Like host risk scores, user risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). + +[role="screenshot"] +image::images/user-score-data.png[User risk table ] + +Interact with the table to filter data or view more details: + +* Select the *User risk classification* menu to filter the chart by the selected classification. +* Click a user name link to go to the User details page. +* Click *View all* in the upper-right to display all user risk information on the Users page. + +NOTE: The host risk and user risk score tables are not affected by the date and time range. + +[[entity-anomalies]] +[float] +== Notable Anomalies + +Anomalies identify suspicious or irregular behavior patterns. The Notable Anomalies table displays the total number of host and user anomalies identified by six predefined {ml} jobs (named in the Anomaly name column). These jobs must be installed and running to provide anomaly data. + +[role="screenshot"] +image::images/anomalies-table.png[Anomalies table] + + +If data is missing: + +* If the *Run job* link is displayed next to a {ml} job, it's installed but not running. Click the link to go to the Anomaly Detection Jobs page, where you can run the job. +* If the *uninstalled* link is displayed next to a {ml} job, it needs to be installed and started. Click the link to find out how to do this. + +Interact with the table to view more details: + +* Click *View all host anomalies* to go to the Anomalies table on the Hosts page. +* Click *View all user anomalies* to go to the Anomalies table on the Users page. +* Click *View all* to display and manage all machine learning jobs on the Anomaly Detection Jobs page. + +TIP: To learn more about {ml}, refer to {ml-docs}/machine-learning-intro.html[What is Elastic machine learning?] + diff --git a/docs/dashboards/images/anomalies-table.png b/docs/dashboards/images/anomalies-table.png new file mode 100644 index 0000000000..d15a1f46ae Binary files /dev/null and b/docs/dashboards/images/anomalies-table.png differ diff --git a/docs/dashboards/images/entity-dashboard.png b/docs/dashboards/images/entity-dashboard.png new file mode 100644 index 0000000000..7b351410ac Binary files /dev/null and b/docs/dashboards/images/entity-dashboard.png differ diff --git a/docs/dashboards/images/host-score-data.png b/docs/dashboards/images/host-score-data.png new file mode 100644 index 0000000000..530d17b278 Binary files /dev/null and b/docs/dashboards/images/host-score-data.png differ diff --git a/docs/dashboards/images/user-score-data.png b/docs/dashboards/images/user-score-data.png new file mode 100644 index 0000000000..a5327f380f Binary files /dev/null and b/docs/dashboards/images/user-score-data.png differ