[Security] Entity Analytics: overview and privileged user monitoring #2191
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| --- | ||
| applies_to: | ||
| stack: preview 9.1 | ||
| serverless: | ||
| security: preview | ||
| products: | ||
| - id: security | ||
| - id: cloud-serverless | ||
| --- | ||
|
|
||
| # Monitor privileged user activities | ||
|
|
||
| After you [set up privileged user monitoring](/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md), you can start monitoring your privileged users' activity using the different panels on the Privileged user monitoring dashboard. | ||
|
|
||
| To get started, find **Privileged user monitoring** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). | ||
|
|
||
| ## Risk levels of privileged users | ||
|
|
||
| When entity risk scoring is enabled, this panel shows the percentages and numbers of privileged users exhibiting risky behaviors that trigger alerts, grouped by their risk levels. This helps you assess how much risk administrative and other privileged users are contributing to your environment’s overall risk posture. | ||
|
|
||
| ## Privileged users | ||
|
|
||
| This panel represents an inventory of privileged users, sourced from your provided [data sources](/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md#manage-data-sources). It gives a rich catalog of users that may be valuable to investigate, and provides additional information, including user risk scores and asset criticality assignment. This table also serves as a window into the users that are currently being monitored for their privileged status from the configured data sources. | ||
|
|
||
| ## Top privileged access anomalies | ||
|
|
||
| The [Privileged Access Detection](integration-docs://reference/pad.md) package contains multiple {{ml}} jobs that can detect anomalous privileged user activity across various systems, such as Windows, Linux, and Okta system logs. You can install this package directly from the Privileged user monitoring dashboard and access the related {{ml}} jobs for any additional configuration. | ||
|
|
||
| Once you install the package, this panel displays a heatmap of the top privileged access anomalies performed by your defined privileged users. You can investigate these anomalies further by reviewing details for individual users or by navigating to the Anomaly Explorer. | ||
|
|
||
| ## Privileged user activity | ||
|
|
||
| This panel contains the following tabs: | ||
|
|
||
| * **Granted rights**: Monitor when rights are granted. This helps you detect behavior such as over-provisioning or potential insider threats. It also highlights possible misuse of administrative privileges or violations of least-privilege policies. | ||
|
|
||
| * **Account switches**: Track when privileged users switch accounts. This can help you proactively identify potential lateral movement or unauthorized access. | ||
|
|
||
| * **Authentications**: Review authentication events for privileged users. Frequent authentication shows how actively these privileges are being used, while repeated failed authentication events can indicate attempted unauthorized access. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,175 @@ | ||
| --- | ||
| applies_to: | ||
| stack: ga 9.1 | ||
| serverless: | ||
| security: ga | ||
| products: | ||
| - id: security | ||
| - id: cloud-serverless | ||
| --- | ||
|
|
||
| # Entity analytics overview | ||
|
|
||
| The **Entity analytics** page provides a centralized view of emerging insider threats—including host risk, user risk, service risk, and anomalies from within your network. Use it to triage, investigate, and respond to these emerging threats. | ||
|
|
||
| To access the page, find **Entity analytics** → **Overview** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). | ||
|
|
||
| :::{admonition} Requirements | ||
| * This feature requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. | ||
|
|
||
| * To get access to this page, turn on the `securitySolution:enablePrivilegedUserMonitoring` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#access-privileged-user-monitoring). | ||
| ::: | ||
|
|
||
|
|
||
| The **Entity analytics** page includes the following sections: | ||
|
|
||
| * [Entity KPIs (key performance indicators)](#entity-kpis) | ||
| * [User Risk Scores](#entity-user-risk-scores) | ||
| * [Host Risk Scores](#entity-host-risk-scores) | ||
| * [Service Risk Scores](#service-risk-scores) | ||
| * [Entities](#entity-entities) | ||
| * [Anomalies](#entity-anomalies) | ||
|
|
||
|
|
||
| ## Entity KPIs (key performance indicators) [entity-kpis] | ||
|
|
||
| This section displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the **Hosts** page, **Users** page, or **Anomalies** table. | ||
|
|
||
|
|
||
| ## User Risk Scores [entity-user-risk-scores] | ||
|
|
||
| :::{admonition} Requirements | ||
| To display user risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). | ||
| ::: | ||
|
|
||
|
|
||
| This section displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. User risk scores are [calculated](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest). | ||
|
|
||
| :::{image} /solutions/images/security-user-score-data.png | ||
| :alt: User risk table | ||
| :screenshot: | ||
| ::: | ||
|
|
||
| Interact with the table to filter data, view more details, and take action: | ||
|
|
||
| * Select the **User risk level** menu to filter the chart by the selected level. | ||
| * Click **View all** to display all user risk information on the **Users** page. | ||
| * Click a user name link to open the entity details flyout. | ||
| * Hover over a user name link to display inline actions: **Add to timeline** ({icon}`timeline`) and **Copy to Clipboard** ({icon}`copy_clipboard`). | ||
| * Click the number link in the **Alerts** column to view the alerts on the **Alerts** page. Hover over the number and select **Investigate in timeline** ({icon}`timeline`) to launch Timeline with a query that includes the associated user name value. | ||
|
|
||
| For more information about user risk scores, refer to [](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). | ||
|
|
||
|
|
||
| ## Host Risk Scores [entity-host-risk-scores] | ||
|
|
||
| :::{admonition} Requirements | ||
| To display host risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). | ||
| ::: | ||
|
|
||
|
|
||
| This section displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are [calculated]/solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest). | ||
natasha-moore-elastic marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| :::{image} /solutions/images/security-host-score-data.png | ||
| :alt: Host risk scores table | ||
| :screenshot: | ||
| ::: | ||
|
|
||
| Interact with the table to filter data, view more details, and take action: | ||
|
|
||
| * Select the **Host risk level** menu to filter the chart by the selected level. | ||
| * Click **View all** to display all host risk information on the **Hosts** page. | ||
| * Click a host name link to open the entity details flyout. | ||
| * Hover over a host name link to display inline actions: **Add to timeline** ({icon}`timeline`) and **Copy to Clipboard** ({icon}`copy_clipboard`). | ||
| * Click the number link in the **Alerts** column to view the alerts on the **Alerts** page. Hover over the number and select **Investigate in timeline** ({icon}`timeline`) to launch Timeline with a query that includes the associated host name value. | ||
|
|
||
| For more information about host risk scores, refer to [](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). | ||
|
|
||
|
|
||
| ## Service Risk Scores | ||
|
|
||
| :::{admonition} Requirements | ||
| To display service risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). | ||
| ::: | ||
|
|
||
| This section displays service risk score data for your environment, including the total number of services, and the five most recently recorded service risk scores, with their associated service names, risk data, and number of detection alerts. Service risk scores are [calculated](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest). | ||
|
|
||
| :::{image} /solutions/images/security-service-risk-scores.png | ||
| :alt: Service risk scores table | ||
| :screenshot: | ||
| ::: | ||
|
|
||
|
|
||
| Interact with the table to filter data, view more details, and take action: | ||
|
|
||
| * Select the **Service risk level** menu to filter the chart by the selected level. | ||
| * Click a service name link to open the service details flyout. | ||
| * Hover over a service name link to display inline actions: **Add to timeline** ({icon}`timeline`) and **Copy to Clipboard** ({icon}`copy_clipboard`). | ||
| * Click the number link in the **Alerts** column to view the alerts on the **Alerts** page. Hover over the number and select **Investigate in timeline** ({icon}`timeline`) to launch Timeline with a query that includes the associated service name value. | ||
|
|
||
| For more information about service risk scores, refer to [](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). | ||
|
|
||
|
|
||
| ## Entities [entity-entities] | ||
|
|
||
|
|
||
| :::{admonition} Requirements | ||
| To display the **Entities** section, you must [enable the entity store](/solutions/security/advanced-entity-analytics/entity-store.md#enable-entity-store). | ||
| ::: | ||
|
|
||
|
|
||
| This section provides a centralized view of all hosts, users, and services in your environment. It displays entities from the [entity store](/solutions/security/advanced-entity-analytics/entity-store.md), which meet any of the following criteria: | ||
|
|
||
| * Have been observed by {{elastic-sec}} | ||
| * Have an asset criticality assignment | ||
| * Have been added to {{elastic-sec}} through an integration, such Active Directory or Okta | ||
|
|
||
| :::{note} | ||
| The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_<space-id>`, `.entities.v1.latest.security_host_<space-id>`, and `.entities.v1.latest.security_service_<space-id>` indices to see all the fields for each entity in the entity store. | ||
| ::: | ||
|
|
||
|
|
||
| :::{image} /solutions/images/security-entities-section.png | ||
| :alt: Entities section | ||
| :screenshot: | ||
| ::: | ||
|
|
||
| Entity data from different sources appears in the **Entities** section based on the following timelines: | ||
|
|
||
| * When you first enable the entity store, only data stored in the last 24 hours is processed. After that, data is processed continuously. | ||
| * Observed events from the {{elastic-sec}} default data view are processed in near real-time. | ||
| * Entity Analytics data, such as entity risk scores and asset criticality (including bulk asset criticality upload), is also processed in near real-time. | ||
| * The availability of entities extracted from Entity Analytics integrations depends on the specific integration. Refer to [Active Directory Entity Analytics](https://docs.elastic.co/en/integrations/entityanalytics_ad), [Microsoft Entra ID Entity Analytics](https://docs.elastic.co/en/integrations/entityanalytics_entra_id), and [Okta Entity Analytics](https://docs.elastic.co/en/integrations/entityanalytics_okta) for more details. | ||
|
|
||
| Interact with the table to filter data and view more details: | ||
|
|
||
| * Select the **Risk level** dropdown to filter the table by the selected user, host, or service risk level. | ||
| * Select the **Criticality** dropdown to filter the table by the selected asset criticality level. | ||
| * Select the **Source** dropdown to filter the table by the data source. | ||
| * Click the **View details** icon ({icon}`expand` ) to open the entity details flyout. | ||
|
|
||
|
|
||
|
|
||
| ## Anomalies [entity-anomalies] | ||
|
|
||
| Anomaly detection jobs identify suspicious or irregular behavior patterns. The **Anomalies** table displays the total number of anomalies identified by these prebuilt {{ml}} jobs (named in the **Anomaly name** column). | ||
|
|
||
| :::{admonition} Requirements | ||
| To display anomaly results, you must [install and run](/explore-analyze/machine-learning/anomaly-detection/ml-ad-run-jobs.md) one or more [prebuilt anomaly detection jobs](/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md). You cannot add custom anomaly detection jobs to the **Entity analytics** page. | ||
| ::: | ||
|
|
||
|
|
||
| :::{image} /solutions/images/security-anomalies-table.png | ||
| :alt: Anomalies table | ||
| :screenshot: | ||
| ::: | ||
|
|
||
| Interact with the table to view more details: | ||
|
|
||
| * Click **View all host anomalies** to go to the **Anomalies** table on the **Hosts** page. | ||
| * Click **View all user anomalies** to go to the **Anomalies** table on the **Users** page. | ||
| * Click **View all** to display and manage all machine learning jobs on the **Anomaly Detection Jobs** page. | ||
|
|
||
| :::{tip} | ||
| To learn more about {{ml}}, refer to [](/explore-analyze/machine-learning.md) | ||
| ::: | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| --- | ||
| applies_to: | ||
| stack: preview 9.1 | ||
| serverless: | ||
| security: preview | ||
| products: | ||
| - id: security | ||
| - id: cloud-serverless | ||
| --- | ||
|
|
||
| # Privileged user monitoring requirements | ||
|
|
||
| This page covers the requirements for using the privileged user monitoring feature, as well as its known limitations. | ||
|
|
||
| * Privileged user monitoring feature requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. | ||
|
|
||
| * To enable this feature, turn on the `securitySolution:enablePrivilegedUserMonitoring` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#access-privileged-user-monitoring). | ||
|
|
||
| * To use these features in {{stack}}, your role must have certain [privileges](#privmon_privs). In {{serverless-short}}, you need an appropriate [predefined user role](#privmon_roles) or a custom role with the right [privileges](#privmon_privs). | ||
|
|
||
| ## Privileges [privmon_privs] | ||
|
|
||
| | Action | Index Privileges | Kibana Privileges | | ||
| | ------ | ---------------- | ----------------- | | ||
| | View the Privileged user monitoring dashboard | `Read` for the following indices:<br> - `.entity_analytics.monitoring.users-<space-id>`<br> - `risk-score.risk-score-*`<br> - `.alerts-security.alerts-<space-id>`<br> - `.ml-anomalies-shared`<br> - security data view indices | **Read** for the **Security** feature | | ||
natasha-moore-elastic marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| | Enable the privileged user monitoring feature | TBD | **Read** for the **Security** feature | | ||
natasha-moore-elastic marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
|
|
||
| ## Predefined roles [privmon_roles] | ||
| ```yaml {applies_to} | ||
| serverless: all | ||
| ``` | ||
|
|
||
| | Action | Predefined role | | ||
|
There was a problem hiding this comment. Roles for serverless TBD There was a problem hiding this comment. We haven't created these roles yet, the feature isn't enabled in serverless yet @jaredburgettelastic whats our plan here? There was a problem hiding this comment. @natasha-moore-elastic we wont be releasing this in serverless for probably ~2 weeks does that affect the docs you wish to add? There was a problem hiding this comment. Thanks @hop-dev, I've removed serverless references and updated the availability tags to reflect that it will only be available in 9.1. I'll spin off another doc issue to track when we need to add back the serverless references. |
||
| | ------ | --------------- | | ||
| | TBD | TBD | | ||
| | TBD | TBD | | ||
|
|
||
|
|
||
| ## Known limitations | ||
|
|
||
| * Currently, none of the privileged user monitoring visualizations support [cross-cluster search](/solutions/search/cross-cluster-search.md) as part of the data that they query from. | ||
|
|
||
| * You can define up to 10,000 privileged users per data source. | ||
|
|
||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.