Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[8.11] Updates to Entity Analytics Dashboard (backport #4345) #4407

Merged
merged 1 commit into from
Dec 6, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 12 additions & 17 deletions docs/dashboards/entity-dashboard.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -9,16 +9,9 @@ The Entity Analytics dashboard provides a centralized view of emerging insider t
--

* A https://www.elastic.co/pricing/[Platinum subscription] or higher is required.
* To display host and user risk scores, the host risk score and user risk score features must be enabled. You can do this directly from the dashboard by clicking the *Enable* button. For more information, refer to the <<enable-host-risk-score, Enable host risk score>> and <<deploy-user-risk-score, Enable user risk score>> instructions.
* To display anomalies, you must {ml-docs}/ml-ad-run-jobs.html[install and run] the following machine learning jobs:
** Unusual Source IP for a User to Logon from (`auth_rare_source_ip_for_a_user`)
** Unusual Login Activity (`suspicious_login_activity`)
** DNS Tunneling (`packetbeat_dns_tunneling`)
** Unusual Network Destination Domain Name (`packetbeat_rare_server_domain`)
** Unusual DNS Activity (`packetbeat_rare_dns_question`)
** Suspicious Powershell Script (`v3_windows_anomalous_script`)
--
* To display host and user risk scores, you must <<turn-on-risk-engine, turn on the risk scoring engine>>.

--

The dashboard includes the following sections:

Expand Down Expand Up @@ -55,7 +48,7 @@ Interact with the table to filter data, view more details, and take action:
* Click *View all* in the upper-right to display all host risk information on the Hosts page.
* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated host name value.

For more information about host risk scores, click the *Learn more* link in the table, or refer to <<host-risk-score>>.
For more information about host risk scores, refer to <<entity-risk-scoring>>.

[[entity-user-risk-scores]]
[float]
Expand All @@ -74,22 +67,24 @@ Interact with the table to filter data, view more details, and take action:
* Click *View all* in the upper-right to display all user risk information on the Users page.
* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated user name value.

For more information about user risk scores, click the *Learn more* link in the table, or refer to <<user-risk-score>>.
For more information about user risk scores, refer to <<entity-risk-scoring>>.

[[entity-anomalies]]
[float]
== Anomalies

Anomalies identify suspicious or irregular behavior patterns. The Anomalies table displays the total number of host and user anomalies identified by six predefined {ml} jobs (named in the Anomaly name column). These jobs must be installed and running to provide anomaly data.
Anomaly detection jobs identify suspicious or irregular behavior patterns. The Anomalies table displays the total number of anomalies identified by these prebuilt {ml} jobs (named in the **Anomaly name** column).

[role="screenshot"]
image::images/anomalies-table.png[Anomalies table]
.Requirements
[sidebar]
--

If data is missing, click the *Run job* link next to a {ml} job to install and start the job.
To display anomaly results, you must {ml-docs}/ml-ad-run-jobs.html[install and run] one or more <<prebuilt-ml-jobs, prebuilt anomaly detection jobs>>. You cannot add custom anomaly detection jobs to the Entity Analytics dashboard.

[role="screenshot"]
image::images/run-job.png[Run a machine learning job]
--

[role="screenshot"]
image::images/anomalies-table.png[Anomalies table]

Interact with the table to view more details:

Expand Down
Binary file removed docs/dashboards/images/run-job.png
Binary file not shown.