diff --git a/solutions/images/attack-discovery-rules-rbac.png b/solutions/images/attack-discovery-rules-rbac.png new file mode 100644 index 0000000000..beb51342ef Binary files /dev/null and b/solutions/images/attack-discovery-rules-rbac.png differ diff --git a/solutions/security/ai/attack-discovery.md b/solutions/security/ai/attack-discovery.md index 082dda8569..a1b34a5011 100644 --- a/solutions/security/ai/attack-discovery.md +++ b/solutions/security/ai/attack-discovery.md @@ -22,17 +22,55 @@ For a demo, refer to the following video (click to view). ## Role-based access control (RBAC) for Attack Discovery [attack-discovery-rbac] -You need the `Attack Discovery: All` privilege to use Attack Discovery. +To use Attack Discovery, your role needs specific privileges. + +::::{applies-switch} + +:::{applies-item} { "stack": "ga 9.0" } + +Ensure your role has `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack Discover** {{kib}} feature. ![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png) -{applies_to}`stack: ga 9.1` Your role must also have the following privileges: +::: + +:::{applies-item} { "stack": "ga 9.1"} + +Ensure your role has: + +* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack Discover** {{kib}} feature. + + ![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png) + +* The appropriate [index privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md#adding_index_privileges), based on what you want to do with Attack Discovery alerts: + +| Action | Indices | {{es}} privileges | +|---------|---------|--------------------------| +| Read Attack Discovery alerts | - `.alerts-security.attack.discovery.alerts-`
- `.internal.alerts-security.attack.discovery.alerts-`
- `.adhoc.alerts-security.attack.discovery.alerts-`
- `.internal.adhoc.alerts-security.attack.discovery.alerts-`| `read` and `view_index_metadata` | +| Read and modify Attack Discovery alerts. This includes:
- Generating discovery alerts manually
- Generating discovery alerts using schedules
- Sharing manually created alerts with other users
- Updating a discovery's status |- `.alerts-security.attack.discovery.alerts-`
- `.internal.alerts-security.attack.discovery.alerts-`
- `.adhoc.alerts-security.attack.discovery.alerts-`
- `.internal.adhoc.alerts-security.attack.discovery.alerts-`| `read`, `view_index_metadata`, `write`, and `maintenance`| + +::: + +:::{applies-item} { "stack": "ga 9.3", "serverless": "ga" } + +Ensure your role has: + +* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack Discover** {{kib}} feature and at least `Read` privileges for the **Security > Rules** {{kib}} feature. + + ![attack-discovery-rules-rbac](/solutions/images/attack-discovery-rules-rbac.png "elasticsearch =60%x60%") + +* The appropriate [index privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md#adding_index_privileges), based on what you want to do with Attack Discovery alerts: | Action | Indices | {{es}} privileges | |---------|---------|--------------------------| | Read Attack Discovery alerts | - `.alerts-security.attack.discovery.alerts-`
- `.internal.alerts-security.attack.discovery.alerts-`
- `.adhoc.alerts-security.attack.discovery.alerts-`
- `.internal.adhoc.alerts-security.attack.discovery.alerts-`| `read` and `view_index_metadata` | | Read and modify Attack Discovery alerts. This includes:
- Generating discovery alerts manually
- Generating discovery alerts using schedules
- Sharing manually created alerts with other users
- Updating a discovery's status |- `.alerts-security.attack.discovery.alerts-`
- `.internal.alerts-security.attack.discovery.alerts-`
- `.adhoc.alerts-security.attack.discovery.alerts-`
- `.internal.adhoc.alerts-security.attack.discovery.alerts-`| `read`, `view_index_metadata`, `write`, and `maintenance`| +::: + +:::: + + ## Set up Attack Discovery By default, Attack Discovery analyzes up to 100 alerts from the last 24 hours, but you can customize how many and which alerts it analyzes using the settings menu. To open it, click the settings icon next to the **Run** button. diff --git a/solutions/security/detect-and-alert/detections-requirements.md b/solutions/security/detect-and-alert/detections-requirements.md index bf9e2685d1..ac7c8dac66 100644 --- a/solutions/security/detect-and-alert/detections-requirements.md +++ b/solutions/security/detect-and-alert/detections-requirements.md 
@@ -22,50 +22,64 @@ Several steps are **only** required for **self-managed** {{stack}} deployments. ## Configure self-managed {{stack}} deployments [detections-on-prem-requirements] ```yaml {applies_to} -stack: + deployment: + self: ``` These steps are only required for **self-managed** deployments: -* HTTPS must be configured for communication between [{{es}} and {{kib}}](/deploy-manage/security/set-up-basic-security-plus-https.md#encrypt-kibana-http). -* In [`kibana.yml`](/deploy-manage/stack-settings.md): +- HTTPS must be configured for communication between [{{es}} and {{kib}}](/deploy-manage/security/set-up-basic-security-plus-https.md#encrypt-kibana-http). +- In [`kibana.yml`](/deploy-manage/stack-settings.md): Add the `xpack.encryptedSavedObjects.encryptionKey` setting with any alphanumeric value of at least 32 characters. For example: - `xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'` - -* In [`elasticsearch.yml`](/deploy-manage/deploy/self-managed/configure-elasticsearch.md): - * Set the `xpack.security.enabled` setting to `true`. Refer to [General security settings](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#general-security-settings) for more information. - * If the `search.allow_expensive_queries` setting is set to `false`, remove it. If set to its default value of `true` or not included in the `elasticsearch.yml` file, you don't need to make changes. This setting must be `true` for key detection features, such as [alerting rules](/explore-analyze/alerts-cases/alerts/alerting-setup.md#alerting-prerequisites) and rule exceptions, to work. + `xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'` +- In [`elasticsearch.yml`](/deploy-manage/deploy/self-managed/configure-elasticsearch.md): + - Set the `xpack.security.enabled` setting to `true`. 
Refer to [General security settings](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#general-security-settings) for more information. + - If the `search.allow_expensive_queries` setting is set to `false`, remove it. If set to its default value of `true` or not included in the `elasticsearch.yml` file, you don't need to make changes. This setting must be `true` for key detection features, such as [alerting rules](/explore-analyze/alerts-cases/alerts/alerting-setup.md#alerting-prerequisites) and rule exceptions, to work. ::::{important} After changing the `xpack.encryptedSavedObjects.encryptionKey` value and restarting {{kib}}, you must restart all detection rules. :::: - - ## Enable and access detections [enable-detections-ui] +```yaml {applies_to} +stack: ga +serverless: ga +``` + To use the Detections feature, it must be enabled, your role must have access to rules and alerts, and your {{kib}} space must have **Data View Management** [feature visibility](/deploy-manage/manage-spaces.md). If your role doesn’t have the cluster and index privileges needed to enable this feature, you can request someone who has these privileges to visit your {{kib}} space, which will turn it on for you. ::::{note} For instructions about using {{ml}} jobs and rules, refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md). :::: - ### Custom role privileges [security-detections-requirements-custom-role-privileges] -The following table describes the required privileges to access the Detections feature, including rules and alerts. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access). 
| Action | Cluster Privileges | Index Privileges | Kibana Privileges | | --- | --- | --- | --- | -| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature | -| Enable detections in all spaces

**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature | -| Preview rules | N/A | `read` for these indices:

- `.preview.alerts-security.alerts-`
- `.internal.preview.alerts-security.alerts--*`
| `All` for the `Security` feature | -| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature

**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:

- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.
| -| Manage alerts

**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.internal.alerts-security.alerts--*`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `Read` for the `Security` feature | -| Create the `.lists` and `.items` data streams in your space

**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:

- `.lists-`
- `.items-`
| `All` for the `Security` and `Saved Objects Management` features | +| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | +| Enable detections in all spaces

**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | +| Preview rules | N/A | `read` for these indices:

- `.preview.alerts-security.alerts-`
- `.internal.preview.alerts-security.alerts--*`
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | +| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature

**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:

- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.
| +| Manage alerts

**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.internal.alerts-security.alerts--*`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

**NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature

**NOTE:** Alerts are managed through {{es}} index privileges. To view the alert management flows requires at least the `Read` for the `Rules` feature. | +| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | +| Manage value lists.

Create the `.lists` and `.items` data streams in your space

**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:

- `.lists-`
- `.items-`
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` and `Saved Objects Management` features | + +### Predefined {{serverless-full}} roles [predefined-serverless-roles-detections] +```yaml {applies_to} +serverless: ga +``` +| Action | Predefined role | +| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Manage rules | - Threat Intelligence Analyst
- Tier 3 Analyst
- Detections Eng
- SOC Manager
- Endpoint Policy Manager
- Tier 3 Analyst
- Platform Engineer
- Editor | +| Rules read only | - Tier 1 Analyst
- Tier 2 Analyst
- Viewer
- Endpoint Operations Analyst | +| Manage alerts | - All roles except for Viewer | +| Manage exceptions and value lists | - Threat Intelligence Analyst
- Tier 3 Analyst
- Detections Eng
- SOC Manager
- Endpoint Policy Manager
- Tier 3 Analyst
- Platform Engineer
- Editor | +| Exceptions and value lists read only | - Tier 1 Analyst
- Tier 2 Analyst
- Viewer
- Endpoint Operations Analyst | ### Authorization [alerting-auth-model] @@ -80,8 +94,6 @@ If a rule requires certain privileges to run, such as index privileges, keep in :::: - - ## Configure list upload limits [adv-list-settings] ```yaml {applies_to} 
@@ -95,8 +107,8 @@ To set the value: 1. Open [`kibana.yml`](/deploy-manage/stack-settings.md) [configuration file](kibana://reference/configuration-reference/general-settings.md) or edit your {{kib}} cloud instance. 2. Add any of these settings and their required values: - * `xpack.lists.maxImportPayloadBytes`: Sets the number of bytes allowed for uploading {{elastic-sec}} value lists (default `9000000`, maximum `100000000`). For every 10 megabytes, it is recommended to have an additional 1 gigabyte of RAM reserved for Kibana. + - `xpack.lists.maxImportPayloadBytes`: Sets the number of bytes allowed for uploading {{elastic-sec}} value lists (default `9000000`, maximum `100000000`). For every 10 megabytes, it is recommended to have an additional 1 gigabyte of RAM reserved for Kibana. - For example, on a Kibana instance with 2 gigabytes of RAM, you can set this value up to 20000000 (20 megabytes). + For example, on a Kibana instance with 2 gigabytes of RAM, you can set this value up to 20000000 (20 megabytes). - * `xpack.lists.importBufferSize`: Sets the buffer size used for uploading {{elastic-sec}} value lists (default `1000`). Change the value if you’re experiencing slow upload speeds or larger than wanted memory usage when uploading value lists. Set to a higher value to increase throughput at the expense of using more Kibana memory, or a lower value to decrease throughput and reduce memory usage. \ No newline at end of file + - `xpack.lists.importBufferSize`: Sets the buffer size used for uploading {{elastic-sec}} value lists (default `1000`). Change the value if you’re experiencing slow upload speeds or larger than wanted memory usage when uploading value lists. Set to a higher value to increase throughput at the expense of using more Kibana memory, or a lower value to decrease throughput and reduce memory usage. 
diff --git a/solutions/security/get-started/automatic-migration.md b/solutions/security/get-started/automatic-migration.md index 234184c51f..879f494735 100644 --- a/solutions/security/get-started/automatic-migration.md +++ b/solutions/security/get-started/automatic-migration.md 
@@ -16,13 +16,31 @@ For rule migrations, if comparable Elastic-authored rules exist, Automatic Migra You can ingest your data before migrating your assets, or migrate your assets first in which case the tool recommends which data sources you need to power your migrated rules. -::::{admonition} Requirements -* The `SIEM migrations: All` Security sub-feature privilege. +::::{applies-switch} + +:::{applies-item} { "stack": "ga 9.0" } +**Requirements** + +* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > SIEM migrations** {{kib}} feature. * A working [LLM connector](/explore-analyze/ai-features/llm-guides/llm-connectors.md). * {{stack}} users: an [Enterprise](https://www.elastic.co/pricing) subscription. * {{Stack}} users: {{ml}} must be enabled. * {{serverless-short}} users: a [Security Complete](/deploy-manage/deploy/elastic-cloud/project-settings.md) subscription. * {{ecloud}} users: {{ml}} must be enabled. We recommend a minimum size of 4GB of RAM per {{ml}} zone. + +::: + +:::{applies-item} { "stack": "ga 9.3", "serverless": "ga" } +**Requirements** + +* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > SIEM migrations** {{kib}} feature and at least `Read` privileges for the **Security > Rules** {{kib}} feature. +* A working [LLM connector](/explore-analyze/ai-features/llm-guides/llm-connectors.md). +* {{stack}} users: an [Enterprise](https://www.elastic.co/pricing) subscription. +* {{Stack}} users: {{ml}} must be enabled. +* {{serverless-short}} users: a [Security Complete](/deploy-manage/deploy/elastic-cloud/project-settings.md) subscription. +* {{ecloud}} users: {{ml}} must be enabled. We recommend a minimum size of 4GB of RAM per {{ml}} zone. +::: + :::: ::::{admonition} Dashboard migration limitations
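Review bot: in the attack-discovery.md hunk (`@@ -22,17 +22,55`) the feature name is misspelled as **Security > Attack Discover** in all three applies-items; the {{kib}} feature is Attack Discovery, so each should read **Security > Attack Discovery**. Two smaller points in the same hunk: the 9.1 item's JSON is `{ "stack": "ga 9.1"}` while the other items use `{ "stack": "ga 9.0" }` with a space before the closing brace, and in the 9.1 and 9.3 items the index-privilege table follows a `*` bullet but is not indented under it, so check that it renders as part of that list item rather than terminating the list. The two index tables are identical, so either keep them in sync deliberately or factor the table out of the switch.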
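Review bot: in the detections-requirements.md hunk (`@@ -22,50 +22,64`) the Manage alerts row now lists `All` for the `Security` feature for `stack: ga 9.0`, but the row it replaces required only `Read` for the `Security` feature, and the row's own closing note says alert management needs "at least the `Read` for the `Rules` feature"; confirm which is intended and make the row and the note agree (the note itself should read "Viewing the alert management flows requires at least `Read` privileges for the `Rules` feature"). In the same row, the sentence "Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile." sits in the Index Privileges column between the index list and the `^1^` footnote, where it is unrelated to index privileges; move it to the Action column or drop it. In the new predefined-roles table, "Tier 3 Analyst" is listed twice in both the Manage rules and Manage exceptions and value lists cells. Finally, since the hunk touches the line `xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'`, consider replacing the fixed example key with a pointer to generating a random value (for example with `bin/kibana-encryption-keys generate`), because a published example value tends to be pasted verbatim into real deployments.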
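Review bot: in the automatic-migration.md hunk (`@@ -16,13 +16,31`) five of the six requirement bullets (LLM connector, Enterprise subscription, {{ml}} enabled, Security Complete subscription, {{ecloud}} RAM guidance) are repeated verbatim in both applies-items and only the first bullet differs; keep the shared bullets in one list outside the switch and put only the privilege bullet inside it, so future edits do not have to be made twice. The duplicated bullet `{{Stack}} users: {{ml}} must be enabled.` also uses a capitalised `{{Stack}}` while the neighbouring bullet uses `{{stack}}`; check that the capitalised variable resolves and make the two consistent.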