elastic · natasha-moore-elastic · Nov 8, 2024 · Nov 4, 2024 · Nov 5, 2024 · Nov 5, 2024
@@ -13,6 +13,7 @@ include::ers-req.asciidoc[leveloffset=+2]
 include::asset-criticality.asciidoc[leveloffset=+2]
 include::turn-on-risk-engine.asciidoc[leveloffset=+2]
 include::analyze-risk-score-data.asciidoc[leveloffset=+2]
+include::entity-store.asciidoc[leveloffset=+2]
 include::advanced-behavioral-detections.asciidoc[leveloffset=+1]
 include::ml-req.asciidoc[leveloffset=+2]
 include::machine-learning.asciidoc[leveloffset=+2]

@@ -18,6 +18,9 @@ TIP: We recommend that you prioritize <<alert-triaging, alert triaging>> to iden
 
 From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page.
 
+If you have enabled the <<entity-store, entity store>>, the dashboard also displays the <<entity-entities, **Entities** section>>, where you can view all hosts and users along with their risk and asset criticality data.
+
+// screenshot to be updated
 [role="screenshot"]
 image::dashboards/images/entity-dashboard.png[Entity Analytics dashboard] 
 

@@ -44,6 +44,10 @@ image::images/assign-asset-criticality-host-flyout.png[Assign asset criticality
 [role="screenshot"]
 image::images/assign-asset-criticality-timeline.png[Assign asset criticality from the host details flyout in Timeline]
 
+If you have enabled the <<entity-store, entity store>>, you can also view asset criticality assignments in the <<entity-entities, **Entities** section>> of the Entity Analytics dashboard:
+
+// screenshot
+
 [discrete]
 [[bulk-assign-asset-criticality]]
 === Bulk assign asset criticality

@@ -0,0 +1,52 @@
+[[entity-store]]
+= Entity store
+
+preview::[]
+
+.Requirements
+[sidebar]
+--
+To use the entity store, you must have the appropriate privileges. For more information, refer to <<ers-requirements, Entity risk scoring prerequisites>>.
+--
+
+The entity store allows you to query, reconcile, maintain, and persist entity metadata from various sources such as:
+
+* Ingested log sources
+* Integrated identity providers (such as Active Directory, EntraID, and Okta)
+* Internal and external alerts
+* External asset repositories
+* Asset criticality submissions
+
+The entity store can store any entity type observed by {elastic-sec}. This allows you to store, view, and query select entities directly from an index without needing to perform real-time searches of observable data. The entity store extracts entities from all indices in the {elastic-sec} <<default-data-view-security, default data view>>.
+
+When the entity store is enabled, the following resources are generated:
+
+* {es} resources, such as transforms, ingest pipelines, and enrich policies.
+* Data and fields for each entity.
+* The `.entities.v1.latest.security_user_<space-id>` and `.entities.v1.latest.security_host_<space-id>` indices, which contain field mappings for hosts and users respectively. You can query these indices to see a list of fields that are mapped in the entity store.
+
+[discrete]
+[[enable-entity-store]]
+== Enable entity store
+
+To enable the entity store:
+
+. Find **Entity Store** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. On the **Entity Store** page, turn the toggle on. 
+
+Once you enable the entity store, the Entity Analytics dashboard displays the <<entity-entities, **Entities**>> section.
+
+[discrete]
+[[clear-entity-store]]
+== Clear entity store data
+
+Once the entity store is enabled, you may want to start fresh and clear the extracted entity data. For example, if you have refined your data by normalizing the `user.name` or `host.name` fields, clearing the entity store data allows you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis.
+
+Clearing entity store data does not delete your source data, assigned entity risk scores, or asset criticality assignments.
+
+CAUTION: Clearing entity store data permanently deletes persisted user and host records, and data is no longer available for analysis. Proceed with caution, as this cannot be undone.
+
+To clear entity data:
+
+. Find **Entity Store** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. On the **Entity Store** page, select **Clear**.
@@ -1,9 +1,9 @@
 [[ers-requirements]]
 = Entity risk scoring requirements
 
-To use entity risk scoring and asset criticality, your role must have certain cluster, index, and {kib} privileges. These features require a https://www.elastic.co/pricing[Platinum subscription] or higher.
+To use entity risk scoring, asset criticality, and entity store, your role must have certain cluster, index, and {kib} privileges. These features require a https://www.elastic.co/pricing[Platinum subscription] or higher.
 
-This page covers the requirements and guidelines for using the entity risk scoring and asset criticality features, as well as their known limitations.
+This page covers the requirements and guidelines for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations.
 
 [discrete]
 == Entity risk scoring
@@ -65,4 +65,33 @@ To use asset criticality, you need the following privileges for the `.asset-crit
 | Unassign asset criticality
 | `delete`
 
+|==============================================
+
+[discrete]
+== Entity store
+
+[discrete]
+=== Privileges
+
+To use the entity store, you need the following privileges:
+
+[discrete]
+[width="100%",options="header"]
+|==============================================
+
+| Cluster | Index | {kib} 
+a| 
+* `manage_enrich` 
+* `manage_index_templates`
+* `manage_ingest_pipelines`
+* `manage_transform`
+
+a|
+* `read` and `view_index_metadata` for `.asset-criticality.asset-criticality-*`
+* `read` and `manage` for `risk-score.risk-score-*`
+* `read` and `manage` for `.entities.v1.latest.*`
+* `read` and `view_index_metadata` for all {elastic-sec} indices
+
+| **All** for the **Security** and **Saved Objects Management** features 
+
 |==============================================
@@ -8,32 +8,63 @@ The Entity Analytics dashboard provides a centralized view of emerging insider t
 [sidebar]
 --
 
-* A https://www.elastic.co/pricing/[Platinum subscription] or higher is required.
-* To display host and user risk scores, you must <<turn-on-risk-engine, turn on the risk scoring engine>>.
+A https://www.elastic.co/pricing/[Platinum subscription] or higher is required.
 
 --
 
 The dashboard includes the following sections:
 
 * <<entity-kpis>>
-* <<entity-host-risk-scores>>
 * <<entity-user-risk-scores>>
-* <<entity-anomalies>> 
-
+* <<entity-host-risk-scores>>
+* <<entity-entities>>
+* <<entity-anomalies>>
 
+// screenshot to be updated
 [role="screenshot"]
 image::images/entity-dashboard.png[Entity dashboard]
 
 [[entity-kpis]]
 [float]
 == Entity KPIs (key performance indicators)
 
-Displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the Host risk table, User risk table, or Anomalies table. 
+Displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the **Hosts** page, **Users** page, or the **Anomalies** table. 
+
+[[entity-user-risk-scores]]
+[float]
+== User Risk Scores
+
+.Requirements
+[sidebar]
+-- 
+To display user risk scores, you must <<turn-on-risk-engine, turn on the risk scoring engine>>.
+-- 
+
+Displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. Like host risk scores, user risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). 
+
+[role="screenshot"]
+image::images/user-score-data.png[User risk table]
+
+Interact with the table to filter data, view more details, and take action:
+
+* Select the *User risk level* menu to filter the chart by the selected level. 
+* Click a user name link to open the user details flyout. 
+* Hover over a user name link to display inline actions: *Add to timeline*, which adds the selected value to Timeline, and *Copy to Clipboard*, which copies the user name value for you to paste later. 
+* Click *View all* in the upper-right to display all user risk information on the Users page. 
+* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated user name value.
+
+For more information about user risk scores, refer to <<entity-risk-scoring>>. 
 
 [[entity-host-risk-scores]]
 [float]
 == Host Risk Scores
 
+.Requirements
+[sidebar]
+-- 
+To display host risk scores, you must <<turn-on-risk-engine, turn on the risk scoring engine>>.
+-- 
+
 Displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). 
 
 [role="screenshot"]
@@ -50,24 +81,38 @@ Interact with the table to filter data, view more details, and take action:
 
 For more information about host risk scores, refer to <<entity-risk-scoring>>. 
 
-[[entity-user-risk-scores]]
+[[entity-entities]]
 [float]
-== User Risk Scores
+== Entities
 
-Displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. Like host risk scores, user risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest). 
+preview::[]
 
-[role="screenshot"]
-image::images/user-score-data.png[User risk table]
+.Requirements
+[sidebar]
+-- 
+To display the **Entities** section, you must <<enable-entity-store,enable the entity store>>.
+-- 
 
-Interact with the table to filter data, view more details, and take action:
+The **Entities** section provides a centralized view of all hosts and users in your environment. It displays entities stored in the <<entity-store, entity store>>, which:
 
-* Select the *User risk level* menu to filter the chart by the selected level. 
-* Click a user name link to open the user details flyout. 
-* Hover over a user name link to display inline actions: *Add to timeline*, which adds the selected value to Timeline, and *Copy to Clipboard*, which copies the user name value for you to paste later. 
-* Click *View all* in the upper-right to display all user risk information on the Users page. 
-* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated user name value.
+* Have been observed by {elastic-sec}
+* Have an asset criticality assignment
+* Have been added to {elastic-sec} through an integration, such Active Directory or Okta
 
-For more information about user risk scores, refer to <<entity-risk-scoring>>. 
+The stored entity data appears in the **Entities** section based on the following timelines:
+
+* Observed events from the {elastic-sec} default data view are processed in near real-time.
+* Entity Analytics data, such as entity risk scores and asset criticality (including bulk asset criticality upload), is also processed in near real-time.
+* The availability of entities extracted from Entity Analytics integrations depends on the specific integration. Refer to {integrations-docs}/entityanalytics_ad[Active Directory Entity Analytics], {integrations-docs}/entityanalytics_entra_id[Microsoft Entra ID Entity Analytics], and {integrations-docs}/entityanalytics_okta[Okta Entity Analytics] for more details.
+
+NOTE: The **Entities** table only shows a subset of the attributes stored in the entity store. You can query the `.entities.v1.latest.security_user_<space-id>` and `.entities.v1.latest.security_host_<space-id>` indices to see all the attributes stored in the entity store.
+
+Interact with the table to filter data and view more details:
+
+* Select the **Risk level** dropdown to filter the table by the selected user or host risk level.
+* Select the **Criticality** dropdown to filter the table by the selected asset criticality level.
+* Select the **Source** dropdown to filter the table by the data source.
+* Click the **View details** icon to open the entity details flyout.
 
 [[entity-anomalies]]
 [float]