[8.5] [DOCS] Entity dashboard (backport #2565) #2619

Merged
merged 1 commit into from
Oct 21, 2022
2 changes: 2 additions & 0 deletions docs/dashboards/dashboards-overview.asciidoc
Expand Up @@ -18,3 +18,5 @@ include::detection-response-dashboard.asciidoc[leveloffset=+1]
include::kubernetes-dashboard.asciidoc[leveloffset=+1]

include::cloud-posture.asciidoc[leveloffset=+1]

include::entity-dashboard.asciidoc[leveloffset=+1]
98 changes: 98 additions & 0 deletions docs/dashboards/entity-dashboard.asciidoc
@@ -0,0 +1,98 @@
[[detection-entity-dashboard]]
= Entity Analytics dashboard

The Entity Analytics dashboard provides a centralized view of emerging insider threats - including host risk, user risk, and notable anomalies from within your network. Use it to triage, investigate, and respond to these emerging threats.


.Requirements
[sidebar]
--

* A https://www.elastic.co/pricing/[Platinum subscription] or higher is required.
* To display host and user risk scores, the host risk score and user risk score features must be enabled. You can do this directly from the dashboard by clicking the *Enable* button. For more information, refer to the <<enable-host-risk-score, Enable host risk score>> and <<deploy-user-risk-score, Enable user risk score>> instructions.
* To display notable anomalies, you must {ml-docs}/ml-ad-run-jobs.html[install and run] the following machine learning jobs:
** `auth_rare_source_ip_for_a_user`
** `suspicious_login_activity`
** `packetbeat_dns_tunneling`
** `packetbeat_rare_server_domain`
** `packetbeat_rare_dns_question`
** `v3_windows_anomalous_script`
--


The dashboard includes the following sections:

* <<entity-kpis>>
* <<entity-host-risk-scores>>
* <<entity-user-risk-scores>>
* <<entity-anomalies>>


[role="screenshot"]
image::images/entity-dashboard.png[Entity dashboard]

[[entity-kpis]]
[float]
== Entity KPIs (key performance indicators)

Displays the total number of critical hosts, critical users, and anomalies. Select a link to go to the Host risk table, User risk table, or Anomaly Detection Jobs page.

[[entity-host-risk-scores]]
[float]
== Host Risk Scores

Displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names and risk classifications. Host risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).

[role="screenshot"]
image::images/host-score-data.png[Host risk table]


Interact with the table to filter data or view more details:

* Select the *Host risk classification* menu to filter the chart by the selected classification.
* Click a host name link to go to the Host details page.
* Click *View all* in the upper-right to display all host risk information on the Hosts page.


For more information about host risk scores, click the *Learn more* link in the table, or refer to <<host-risk-score>>.

[[entity-user-risk-scores]]
[float]
== User Risk Scores

Displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names and risk classifications. Like host risk scores, user risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).

[role="screenshot"]
image::images/user-score-data.png[User risk table ]

Interact with the table to filter data or view more details:

* Select the *User risk classification* menu to filter the chart by the selected classification.
* Click a user name link to go to the User details page.
* Click *View all* in the upper-right to display all user risk information on the Users page.

NOTE: The host risk and user risk score tables are not affected by the date and time range.

[[entity-anomalies]]
[float]
== Notable Anomalies

Anomalies identify suspicious or irregular behavior patterns. The Notable Anomalies table displays the total number of host and user anomalies identified by six predefined {ml} jobs (named in the Anomaly name column). These jobs must be installed and running to provide anomaly data.

[role="screenshot"]
image::images/anomalies-table.png[Anomalies table]


If data is missing:

* If the *Run job* link is displayed next to a {ml} job, it's installed but not running. Click the link to go to the Anomaly Detection Jobs page, where you can run the job.
* If the *uninstalled* link is displayed next to a {ml} job, it needs to be installed and started. Click the link to find out how to do this.

Interact with the table to view more details:

* Click *View all host anomalies* to go to the Anomalies table on the Hosts page.
* Click *View all user anomalies* to go to the Anomalies table on the Users page.
* Click *View all* to display and manage all machine learning jobs on the Anomaly Detection Jobs page.

TIP: To learn more about {ml}, refer to {ml-docs}/machine-learning-intro.html[What is Elastic machine learning?]
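Review bot: The alt text in `image::images/user-score-data.png[User risk table ]` carries a trailing space inside the brackets, which the other three screenshots (`[Entity dashboard]`, `[Host risk table]`, `[Anomalies table]`) do not; drop the space so the rendered alt text is consistent. The same hunk also names the page "Entity Analytics dashboard" in the title while the overview screenshot's alt text and the PR title say "Entity dashboard"; settling on one name would help readers searching the docs. The Notable Anomalies section's "six predefined {ml} jobs" does match the six listed under Requirements, so that part is consistent.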

Binary file added docs/dashboards/images/anomalies-table.png
Binary file added docs/dashboards/images/entity-dashboard.png
Binary file added docs/dashboards/images/host-score-data.png
Binary file added docs/dashboards/images/user-score-data.png