Skip to content

Commit

Permalink
[DOCS] Updating Elastic Security Overview topic (#101922)
Browse files Browse the repository at this point in the history
* updating overview topic for Kibana

* formatting fixes

* small formatting tweaks

* small formatting tweaks
  • Loading branch information
jmikell821 authored Jun 16, 2021
1 parent 1cf82cb commit dcb5a67
Show file tree
Hide file tree
Showing 2 changed files with 148 additions and 90 deletions.
Binary file added docs/siem/images/workflow.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
238 changes: 148 additions & 90 deletions docs/siem/siem-ui.asciidoc
Original file line number Diff line number Diff line change
@@ -1,102 +1,160 @@
[role="xpack"]
[[siem-ui]]
== Using Elastic Security
== Elastic Security Overview

Elastic Security is a highly interactive workspace designed for security
analysts. It provides a clear overview of events and alerts from your
environment, and you can use the interactive UI to drill down into areas of
interest.
Elastic Security combines SIEM threat detection features with endpoint
prevention and response capabilities in one solution. These analytical and
protection capabilities, leveraged by the speed and extensibility of
Elasticsearch, enable analysts to defend their organization from threats before
damage and loss occur.

[float]
[[hosts-ui]]
=== Hosts
Elastic Security provides the following security benefits and capabilities:

The Hosts page provides key metrics regarding host-related security events, and
data tables and histograms that let you interact with the Timeline Event Viewer.
You can drill down for deeper insights, and drag and drop items of interest from
the Hosts page to Timeline for further investigation.
* A detection engine to identify attacks and system misconfigurations
* A workspace for event triage and investigations
* Interactive visualizations to investigate process relationships
* Inbuilt case management with automated actions
* Detection of signatureless attacks with prebuilt machine learning anomaly jobs
and detection rules

[role="screenshot"]
image::siem/images/hosts-ui.png[]


[float]
[[network-ui]]
=== Network

The Network page displays key network activity metrics in an interactive map,
and provides network event tables that enable interaction with Timeline.

[role="screenshot"]
image::siem/images/network-ui.png[]

[float]
[[detections-ui]]
=== Detections (beta)

The Detections feature automatically searches for threats and creates
alerts when they are detected. Detection rules define the conditions
for when alerts are created. Elastic Security comes with prebuilt rules that
search for suspicious activity on your network and hosts. Additionally, you can
create your own rules.

See {security-guide}/detection-engine-overview.html[Detections] for information
on managing detection rules and alerts.

[role="screenshot"]
image::siem/images/detections-ui.png[]

[float]
[[cases-ui]]
=== Cases (beta)

Cases are used to open and track security issues directly in Elastic Security.
Cases list the original reporter and all users who contribute to a case
(`participants`). Case comments support Markdown syntax, and allow linking to
saved Timelines. Additionally, you can send cases to external systems from
within Elastic Security.
[discrete]
== Elastic Security components and workflow

For information about opening, updating, and closing cases, see
{security-guide}/cases-overview.html[Cases] in the Elastic Security Guide.
The following diagram provides a comprehensive illustration of the Elastic Security workflow.

[role="screenshot"]
image::siem/images/cases-ui.png[]

[float]
[[timelines-ui]]
=== Timeline

Timeline is your workspace for threat hunting and alert investigations.

[role="screenshot"]
image::siem/images/timeline-ui.png[Elastic Security Timeline]

You can drag objects of interest into the Timeline Event Viewer to create
exactly the query filter you need. You can drag items from table widgets within
Hosts and Network pages, or even from within Timeline itself.

A timeline is responsive and persists as you move through Elastic Security
collecting data.

For detailed information about Timeline, see
{security-guide}/timelines-ui.html[Investigating events in Timeline].

[float]
[[sample-workflow]]
=== Sample workflow

An analyst notices a suspicious user ID that warrants further investigation, and
clicks a URL that links to Elastic Security.

The analyst uses the tables, histograms, and filtering and search capabilities in
Elastic Security to get to the bottom of the alert. The analyst can drag items of
interest to Timeline for further analysis.

Within Timeline, the analyst can investigate further - drilling down,
searching, and filtering - and add notes and pin items of interest.

The analyst can name the timeline, write summary notes, and share it with others
if appropriate.
image::../siem/images/workflow.png[Elastic Security workflow]

Here's an overview of the flow and its components:

* Data is shipped from your hosts to {es} via beat modules and the Elastic https://www.elastic.co/endpoint-security/[Endpoint Security agent integration]. This integration provides capabilities such as collecting events, detecting and preventing {security-guide}/detection-engine-overview.html#malware-prevention[malicious activity], and artifact delivery. The {fleet-guide}/fleet-overview.html[{fleet}] app is used to
install and manage agents and integrations on your hosts.
+
The Endpoint Security integration ships the following data sets:
+
*** *Windows*: Process, network, file, DNS, registry, DLL and driver loads,
malware security detections
*** *Linux/macOS*: Process, network, file
+
* https://www.elastic.co/integrations?solution=security[Beat modules]: {beats}
are lightweight data shippers. Beat modules provide a way of collecting and
parsing specific data sets from common sources, such as cloud and OS events,
logs, and metrics. Common security-related modules are listed {security-guide}/ingest-data.html#enable-beat-modules[here].
* The {security-app} in {kib} is used to manage the *Detection engine*,
*Cases*, and *Timeline*, as well as administer hosts running Endpoint Security:
** Detection engine: Automatically searches for suspicious host and network
activity via the following:
*** {security-guide}/detection-engine-overview.html#detection-engine-overview[Detection rules]: Periodically search the data
({es} indices) sent from your hosts for suspicious events. When a suspicious
event is discovered, a detection alert is generated. External systems, such as
Slack and email, can be used to send notifications when alerts are generated.
You can create your own rules and make use of our {security-guide}/prebuilt-rules.html[prebuilt ones].
*** {security-guide}/detections-ui-exceptions.html[Exceptions]: Reduce noise and the number of
false positives. Exceptions are associated with rules and prevent alerts when
an exception's conditions are met. *Value lists* contain source event
values that can be used as part of an exception's conditions. When
Elastic {endpoint-sec} is installed on your hosts, you can add malware exceptions
directly to the endpoint from the Security app.
*** {security-guide}/machine-learning.html#included-jobs[{ml-cap} jobs]: Automatic anomaly detection of host and
network events. Anomaly scores are provided per host and can be used with
detection rules.
** {security-guide}/timelines-ui.html[Timeline]: Workspace for investigating alerts and events.
Timelines use queries and filters to drill down into events related to
a specific incident. Timeline templates are attached to rules and use predefined
queries when alerts are investigated. Timelines can be saved and shared with
others, as well as attached to Cases.
** {security-guide}/cases-overview.html[Cases]: An internal system for opening, tracking, and sharing
security issues directly in the Security app. Cases can be integrated with
external ticketing systems.
** {security-guide}/admin-page-ov.html[Administration]: View and manage hosts running {endpoint-sec}.

{security-guide}/ingest-data.html[Ingest data to Elastic Security] and {security-guide}/install-endpoint.html[Configure and install the Elastic Endpoint integration] describe how to ship security-related
data to {es}.


For more background information, see:

* https://www.elastic.co/products/elasticsearch[{es}]: A real-time,
distributed storage, search, and analytics engine. {es} excels at indexing
streams of semi-structured data, such as logs or metrics.
* https://www.elastic.co/products/kibana[{kib}]: An open-source analytics and
visualization platform designed to work with {es}. You use {kib} to search,
view, and interact with data stored in {es} indices. You can easily compile
advanced data analysis and visualize your data in a variety of charts, tables,
and maps.

[discrete]
=== Compatibility with cold tier nodes

Cold tier is a {ref}/data-tiers.html[data tier] that holds time series data that is accessed only occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices:

* Index patterns specified in `securitySolution:defaultIndex`
* Index patterns specified in the definitions of detection rules, except for indicator match rules
* Index patterns specified in the data sources selector on various {security-app} pages

{elastic-sec} does NOT support cold tier data for the following {es} indices:

* Index patterns controlled by {elastic-sec}, including signals and list indices
* Index patterns specified in indicator match rules

Using cold tier data for unsupported indices may result in detection rule timeouts and overall performance degradation.

[discrete]
[[self-protection]]
==== Elastic Endpoint self-protection

Self-protection means that {elastic-endpoint} has guards against users and attackers that may try to interfere with its functionality. This protection feature is consistently enhanced to prevent attackers who may attempt to use newer, more sophisticated tactics to interfere with the {elastic-endpoint}. Self-protection is enabled by default when {elastic-endpoint} installs on supported platforms, listed below.

Self-protection is enabled on the following 64-bit Windows versions:

* Windows 8.1
* Windows 10
* Windows Server 2012 R2
* Windows Server 2016
* Windows Server 2019

And on the following macOS versions:

* macOS 10.15 (Catalina)
* macOS 11 (Big Sur)

NOTE: Other Windows and macOS variants (and all Linux distributions) do not have self-protection.

For {stack} version >= 7.11.0, self-protection defines the following permissions:

* Users -- even Administrator/root -- *cannot* delete {elastic-endpoint} files (located at `c:\Program Files\Elastic\Endpoint` on Windows, and `/Library/Elastic/Endpoint` on macOS).
* Users *cannot* terminate the {elastic-endpoint} program or service.
* Administrator/root users *can* read the endpoint's files. On Windows, the easiest way to read Endpoint files is to start an Administrator `cmd.exe` prompt. On macOS, an Administrator can use the `sudo` command.
* Administrator/root users *can* stop the {elastic-agent}'s service. On Windows, run the `sc stop "Elastic Agent"` command. On macOS, run the `sudo launchctl stop elastic-agent` command.


[discrete]
[[siem-integration]]
=== Integration with other Elastic products

You can use {elastic-sec} with other Elastic products and features to help you
identify and investigate suspicious activity:

* https://www.elastic.co/products/stack/machine-learning[{ml-cap}]
* https://www.elastic.co/products/stack/alerting[Alerting]
* https://www.elastic.co/products/stack/canvas[Canvas]

[discrete]
[[data-sources]]
=== APM transaction data sources

By default, {elastic-sec} monitors {apm-app-ref}/apm-getting-started.html[APM]
`apm-*-transaction*` indices. To add additional APM indices, update the
index patterns in the `securitySolution:defaultIndex` setting ({kib} -> Stack Management -> Advanced Settings -> `securitySolution:defaultIndex`).

[discrete]
[[ecs-compliant-reqs]]
=== ECS compliance data requirements

The {ecs-ref}[Elastic Common Schema (ECS)] defines a common set of fields to be used for
storing event data in Elasticsearch. ECS helps users normalize their event data
to better analyze, visualize, and correlate the data represented in their
events. {elastic-sec} supports events and indicator index data from any ECS-compliant data source.

IMPORTANT: {elastic-sec} requires {ecs-ref}[ECS-compliant data]. If you use third-party data collectors to ship data to {es}, the data must be mapped to ECS.
{security-guide}/siem-field-reference.html[Elastic Security ECS field reference] lists ECS fields used in {elastic-sec}.

0 comments on commit dcb5a67

Please sign in to comment.