Commit: Navigation changes: Upgrade Security, post-upgrade steps, endpoint pr… (#5980)

* Navigation changes: Upgrade Security, post-upgrade steps, endpoint protection, explore, and EA sections

* Changes main menu to navigation menu

(cherry picked from commit 958fbb8)
natasha-moore-elastic authored and mergify[bot] committed Nov 5, 2024

Unverified: the committer email address is not verified.
1 parent 3f3509f commit 33ea808
Showing 17 changed files with 43 additions and 42 deletions.
8 changes: 3 additions & 5 deletions docs/advanced-entity-analytics/machine-learning.asciidoc
@@ -49,13 +49,12 @@ interface. They are available when either:

* You ship data using https://www.elastic.co/products/beats[Beats] or the
<<install-endpoint,{agent}>>, and {kib} is configured with the required index
patterns (such as `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*`
in *{kib}* -> *{stack-manage-app}* -> *Data Views*).
patterns (such as `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*`) on the **Data Views** page. To find this page, navigate to **Data Views** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].

Or

* Your shipped data is ECS-compliant, and {kib} is configured with the shipped
data's index patterns in *{kib}* -> *{stack-manage-app}* -> *Data Views*.
data's index patterns on the **Data Views** page.

Or

@@ -78,6 +77,5 @@ To view the `Anomalies` table widget and `Max Anomaly Score By Job` details,
the user must have the `machine_learning_admin` or `machine_learning_user` role.

NOTE: To adjust the `score` threshold that determines which anomalies are shown,
you can modify
*{kib}* -> *{stack-manage-app}* -> *Advanced Settings* -> *`securitySolution:defaultAnomalyScore`*.
you can modify the `securitySolution:defaultAnomalyScore` <<advanced-settings,advanced setting>>.

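Review bot: `<<advanced-settings,advanced setting>>` introduces a new cross-reference; confirm an `[[advanced-settings]]` anchor actually exists in this book, because an unresolved xref renders as a literal `[advanced-settings]` and the build only warns. If the intended target lives outside this book, use a `{kibana-ref}` link as the other hunks in this commit do rather than an xref.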
16 changes: 10 additions & 6 deletions docs/advanced-entity-analytics/tune-anomaly-results.asciidoc
@@ -24,7 +24,8 @@ For example, to filter out results from a housekeeping process, named
[[create-fiter-list]]
=== Create a filter list

. Go to *Machine Learning* -> *Anomaly Detection* -> *Settings*.
. Find **Machine Learning** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Under **Anomaly Detection**, select **Settings**.
. Click *Filter Lists* and then *New*.
+
The *Create new filter list* pane is displayed.
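Review bot: the two new steps use `**Machine Learning**` and `**Anomaly Detection**` while the unchanged step immediately after them uses `*Filter Lists*` and `*New*`; mixing constrained and unconstrained bold inside one ordered list looks like a mistake to the next editor. Use single asterisks here, and in the three later hunks of this file, to match the existing steps.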
@@ -44,7 +45,8 @@ The new filter appears in the Filter List and can be added to relevant jobs.
[[add-job-filter]]
=== Add the filter to the relevant job

. Go to *Machine Learning* -> *Anomaly Detection* -> *Anomaly Explorer*.
. Find **Machine Learning** in the navigation menu.
. Under **Anomaly Detection**, select **Anomaly Explorer**.
. Navigate to the job results for which the filter is required. If the job results
are not listed, click *Edit job selection* and select the relevant job.
. In the *actions* column, click the gear icon and then select _Configure rules_.
@@ -78,7 +80,8 @@ must clone and run the cloned job.
IMPORTANT: Running the cloned job can take some time. Only run the job after you
have completed all job rule changes.

. Go to *Machine Learning* -> *Anomaly Detection* -> *Job Management*.
. Find **Machine Learning** in the navigation menu.
. Under **Anomaly Detection**, select **Jobs**.
. Navigate to the job for which you configured the rule.
. Optionally, expand the job row and click *JSON* to verify the configured filter
appears under `custom rules` in the JSON code.
@@ -121,7 +124,8 @@ Depending on your anomaly detection results, you may want to set a
minimum event count threshold for the `packetbeat_dns_tunneling` job:


. Go to *Machine Learning* -> *Anomaly Detection* -> *Anomaly Explorer*.
. Find **Machine Learning** in the navigation menu.
. Under **Anomaly Detection**, select **Anomaly Explorer**.
. Navigate to the job results for the `packetbeat_dns_tunneling` job. If the
job results are not listed, click *Edit job selection* and select
`packetbeat_dns_tunneling`.
@@ -139,5 +143,5 @@ _WHEN actual IS GREATER THAN <X>_
+
Where `<X>` is the threshold above which anomalies are detected.
. Click *Save*.
. To apply the new threshold, rerun the job (*Job Management* -> *Actions* ->
*Start datafeed*).
. To apply the new threshold, rerun the job by selecting *Actions* ->
*Start datafeed* on the **Anomaly Detection Jobs** page.
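Review bot: the same page is now named three different ways in this file: the earlier hunk has the reader select **Jobs** under **Anomaly Detection**, this hunk calls it the **Anomaly Detection Jobs** page, and the removed text called it *Job Management*. Use one label in both places, for example `select **Anomaly Detection** -> **Jobs**` and `on the **Jobs** page`, so a reader following the first step recognises the page referred to in this last step.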
6 changes: 3 additions & 3 deletions docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc
@@ -12,7 +12,7 @@ You can preview risky entities before installing the latest risk engine. The pre

NOTE: The preview is limited to two risk scores per {kib} instance.

To preview risky entities, go to **Manage** -> **Entity Risk Score**:
To preview risky entities, find **Entity Risk Score** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].

[role="screenshot"]
image::images/preview-risky-entities.png[Preview of risky entities]
@@ -28,7 +28,7 @@ image::images/preview-risky-entities.png[Preview of risky entities]

If you're installing the risk scoring engine for the first time:

. Go to **Manage** -> **Entity Risk Score**.
. Find **Entity Risk Score** in the navigation menu.
. Turn the **Entity risk score** toggle on.

[role="screenshot"]
@@ -49,7 +49,7 @@ If you upgraded to 8.11 from an earlier {stack} version, and you have the origin
[role="screenshot"]
image::images/risk-engine-upgrade-prompt.png[Prompt to upgrade to the latest risk engine]

. Click **Manage** in the upgrade prompt, or go to **Manage** -> **Entity Risk Score**.
. Click **Manage** in the upgrade prompt, or find **Entity Risk Score** in the navigation menu.
. On the Entity Risk Score page, click **Start update** next to the **Update available** label.
+
[role="screenshot"]
5 changes: 3 additions & 2 deletions docs/getting-started/agent-tamper-protection.asciidoc
@@ -26,7 +26,8 @@ image::images/agent-tamper-protection.png[Agent tamper protection setting highli

You can enable Agent tamper protection by configuring the {agent} policy.

. Go to *{fleet}* -> *Agent policies*, then select the Agent policy you want to configure.
. Find *{fleet}* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Select *Agent policies*, then select the Agent policy you want to configure.
. Select the *Settings* tab on the policy details page.
. In the *Agent tamper protection* section, turn on the *Prevent agent tampering* setting.
+
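Review bot: "Select *Agent policies*, then select the Agent policy you want to configure" uses "select" twice with two different objects in one sentence. Suggest `Click *Agent policies*, then choose the Agent policy you want to configure.`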
@@ -43,7 +44,7 @@ If you need the uninstall token to remove {agent} from an endpoint, you can find

* *On the Agent policy* — Go to the Agent policy's *Settings* tab, then click the *Get uninstall command* link. The *Uninstall agent* flyout opens, containing the full uninstall command with the token.

* *On the {fleet} page* — Go to *{fleet}* -> *Uninstall tokens* for a list of the uninstall tokens generated for your Agent policies. You can:
* *On the {fleet} page* — Select *Uninstall tokens* for a list of the uninstall tokens generated for your Agent policies. You can:

** Click the *Show token* icon in the *Token* column to reveal a specific token.
** Click the *View uninstall command* icon in the *Actions* column to open the *Uninstall agent* flyout, containing the full uninstall command with the token.
3 changes: 2 additions & 1 deletion docs/getting-started/artifact-control.asciidoc
@@ -16,7 +16,8 @@ CAUTION: It is strongly advised to keep automatic updates enabled to ensure the

To configure the protection artifacts version deployed in your environment:

. Go to **Manage** → **Policies**, select an {elastic-defend} integration policy, then select the **Protection updates** tab.
. Find **Policies** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Select an {elastic-defend} integration policy, then select the **Protection updates** tab.
. Turn off the **Enable automatic updates** toggle.
. Use the **Version to deploy** date picker to select the date of the protection artifacts you want to use in your environment.
. (Optional) Enter a **Note** to explain the reason for selecting a particular version of protection artifacts.
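Review bot: "Find **Policies** in the navigation menu" is ambiguous now that the **Manage** qualifier is gone: the Kibana navigation also carries Fleet's *Agent policies* (see agent-tamper-protection.asciidoc in this same commit), and the global search field will return more than one "Policies" hit. Qualify it the way linux-file-monitoring.asciidoc qualifies Hosts with a `Security/Explore/Hosts` search path, or say "**Policies** under {elastic-defend}". The same unqualified wording recurs in configure-integration-policy.asciidoc, linux-file-monitoring.asciidoc and self-healing-rollback.asciidoc below.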
6 changes: 3 additions & 3 deletions docs/getting-started/configure-integration-policy.asciidoc
@@ -7,7 +7,7 @@ on protected hosts (some features require a Platinum or Enterprise license). If
integration policy to configure protection settings, event collection, antivirus settings, trusted applications,
event filters, host isolation exceptions, and blocked applications to meet your organization's security needs.

You can also create multiple {elastic-defend} integration policies to maintain unique configuration profiles. To create an additional {elastic-defend} integration policy, go to **Management** -> **Integrations**, then follow the steps for <<add-security-integration, adding the {elastic-defend} integration>>.
You can also create multiple {elastic-defend} integration policies to maintain unique configuration profiles. To create an additional {elastic-defend} integration policy, find **Integrations** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then follow the steps for <<add-security-integration, adding the {elastic-defend} integration>>.

.Requirements
[sidebar]
@@ -19,7 +19,7 @@ TIP: In addition to configuring an {elastic-defend} policy through the {elastic-

To configure an integration policy:

1. In the {security-app}, go to **Manage** -> **Policies** to view the **Policies** page.
1. Find **Policies** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
2. Select the integration policy you want to configure. The integration policy configuration page appears.
3. On the **Policy settings** tab, review and configure the following settings as appropriate:
* <<malware-protection>>
@@ -47,7 +47,7 @@ then select an item from the flyout. This view lists any existing artifacts that
+
NOTE: You can't create a new endpoint policy artifact while configuring an integration policy.
To create a new artifact, go to its main page in the {security-app} (for example,
to create a new trusted application, go to **Manage** -> **Trusted applications**).
to create a new trusted application, find **Trusted applications** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]).

5. Click the *Protection updates* tab to configure how {elastic-defend} receives updates from Elastic with the latest threat detections, malware models, and other protection artifacts. Refer to <<artifact-control>> for more information.

4 changes: 2 additions & 2 deletions docs/getting-started/create-defend-policy-api.asciidoc
@@ -80,7 +80,7 @@ Replace these values:

. `<KIBANA-VERSION>` with your version of {kib}.
. `<POLICY-ID>` with the agent policy ID you received in step 1.
. `<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>` with the latest {elastic-defend} package version (for example, `8.9.1`). To find it, go to **Management** -> **Integrations** and select *{elastic-defend}*.
. `<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>` with the latest {elastic-defend} package version (for example, `8.9.1`). To find it, navigate to **Integrations** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], and select *{elastic-defend}*.

This adds the {elastic-defend} integration to your agent policy with the default settings.

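Review bot: "navigate to **Integrations** in the navigation menu or by using ..." has the same non-parallel reading as the Data Views sentence in machine-learning.asciidoc; "find **Integrations** in the navigation menu or by using ..." matches the rest of the commit. This sentence is also duplicated verbatim in the second hunk of this file, and the "in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]" fragment appears in nearly every file touched here. Since the reason for the change is that the navigation keeps moving, consider an attribute or include for that fragment so the next navigation change is a one-line edit.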
@@ -490,7 +490,7 @@ Include the resulting JSON object in the following call to save your customized

. `<PACKAGE-POLICY-ID>` with the {elastic-defend} policy ID you received in step 2.
. `<KIBANA-VERSION>` with your version of {kib}.
. `<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>` with the latest {elastic-defend} package version (for example, `8.9.1`). To find it, go to **Management** -> **Integrations** and select *{elastic-defend}*.
. `<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>` with the latest {elastic-defend} package version (for example, `8.9.1`). To find it, navigate to **Integrations** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], and select *{elastic-defend}*.

[source,console]
----
2 changes: 1 addition & 1 deletion docs/getting-started/defend-feature-privs.asciidoc
@@ -8,7 +8,7 @@

You can create user roles and define privileges to manage feature access in {elastic-sec}. This allows you to use the principle of least privilege while managing access to {elastic-defend}'s features.

Configure roles and privileges in *Stack Management* → *Roles* in {kib}. For more details on using this UI, refer to {kibana-ref}/kibana-role-management.html#adding_kibana_privileges[{kib} privileges].
To configure roles and privileges, find **Roles** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. For more details on using this UI, refer to {kibana-ref}/kibana-role-management.html#adding_kibana_privileges[{kib} privileges].

NOTE: {elastic-defend}'s feature privileges must be assigned to *All Spaces*. You can't assign them to an individual space.

2 changes: 1 addition & 1 deletion docs/getting-started/endpoint-diagnostic-data.asciidoc
@@ -5,7 +5,7 @@ By default, {elastic-defend} streams diagnostic data to your cluster, which Elas

NOTE: {kib} also collects usage telemetry, which includes {elastic-defend} diagnostic data. You can modify telemetry preferences in {kibana-ref}/telemetry-settings-kbn.html[Advanced Settings].

. In the {security-app}, go to *Manage* -> *Endpoints* to view the Endpoints list.
. To view the Endpoints list, find **Endpoints** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Locate the endpoint for which you want to disable diagnostic data, then click the integration policy in the *Policy* column.
. Scroll down to the bottom of the policy and click *Show advanced settings*.
. Enter `false` for these settings:
8 changes: 2 additions & 6 deletions docs/getting-started/install-endpoint.asciidoc
@@ -28,11 +28,7 @@ NOTE: {elastic-defend} does not support deployment within an {agent} DaemonSet i
[[add-security-integration]]
== Add the {elastic-defend} integration

. Go to the *Integrations* page, which you can access in several ways:

* In {kib}: *Management* -> *Integrations*
* In the {security-app}: *Get started* -> *Add security integrations*

. Find **Integrations** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+
[role="screenshot"]
image::images/install-endpoint/endpoint-cloud-sec-integrations-page.png[Search result for "{elastic-defend}" on the Integrations page.]
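Review bot: the hunk drops the alternative route *Get started* -> *Add security integrations* from the {security-app} without saying whether that entry point went away. If the Get started page still links to Integrations, keep it as a second bullet; an Elastic Security reader is more likely to start there than from the Kibana navigation menu. If it was removed, a one-line reason in the PR would help the next reviewer, since the commit message only says "navigation changes".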
@@ -100,7 +96,7 @@ If you have upgraded to an {stack} version that includes {fleet-server} 7.13.0 o
[[enroll-agent]]
=== Add the {agent}

. If you're in the process of installing an {agent} integration (such as {elastic-defend}), the **Add agent** UI opens automatically. Otherwise, go to *{fleet}* -> *Agents* -> **Add agent**.
. If you're in the process of installing an {agent} integration (such as {elastic-defend}), the **Add agent** UI opens automatically. Otherwise, find **{fleet}** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], and select **Agents** → **Add agent**.
+
[role="screenshot"]
image::images/install-endpoint/endpoint-cloud-sec-add-agent.png[Add agent flyout on the Fleet page.]
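Review bot: `**Agents** → **Add agent**` uses a Unicode arrow, while the rest of this file and the other hunks in this commit (for example `*Bulk actions* -> *Enable*` in upgrade-7.17-8.x.asciidoc) use `->`. Use `->` here; a stray `→` also escapes a grep for the ASCII form the next time these paths are updated.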
5 changes: 3 additions & 2 deletions docs/getting-started/linux-file-monitoring.asciidoc
@@ -5,7 +5,7 @@ By default, {elastic-defend} monitors specific Linux file system types that Elas

CAUTION: Ignoring file systems can create gaps in your security coverage. Use additional security layers for any file systems ignored by {elastic-defend}.

To monitor or ignore additional file systems, configure the following advanced settings related to *fanotify*, a Linux feature that monitors file system events. Go to *Manage* -> *Policies*, click a policy's name, then scroll down and select *Show advanced settings*.
To monitor or ignore additional file systems, configure the following advanced settings related to *fanotify*, a Linux feature that monitors file system events. Find **Policies** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], click a policy's name, then scroll down and select *Show advanced settings*.

NOTE: Even when configured to monitor all file systems (`ignore_unknown_filesystems` is `false`), {elastic-defend} will still ignore specific file systems that Elastic has internally identified as incompatible. The following settings apply to any _other_ file systems.

@@ -43,7 +43,8 @@ In a typical setup, when you install {agent}, {filebeat} is installed alongside

To find the system file name:

. From the Hosts page (*Explore* -> *Hosts*), search for `message: "Current sync path"` to reveal the file path.
. Find **Hosts** in the navigation menu, or search for `Security/Explore/Hosts` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. From the Hosts page, search for `message: "Current sync path"` to reveal the file path.

. If you have access to the endpoint, run `findmnt -o FSTYPE -T <file path>` to return the file system. For example:
+
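Review bot: two consecutive steps now both say "search", but step 1 means the Kibana global search field and step 2 means the KQL query bar on the Hosts page, and the second is the one that finds `message: "Current sync path"`. Say so explicitly, e.g. `In the query bar on the Hosts page, enter `message: "Current sync path"` to reveal the file path.`, so nobody types the KQL into the global search box.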
5 changes: 2 additions & 3 deletions docs/getting-started/net-map-req.asciidoc
@@ -21,9 +21,8 @@ To view the map, you need a role with at least `Read` {kibana-ref}/kibana-role-m
=== Create {kib} data views

To display map data, you must define a {kib}
{kibana-ref}/data-views.html[data view] (*Stack Management* ->
*Data Views*) that includes one or more of the indices specified in the `securitysolution:defaultIndex` field
(*{kib}* -> *Stack Management* -> *Advanced Settings* -> *`securitysolution:defaultIndex`*).
{kibana-ref}/data-views.html[data view] that includes one or more of the indices specified in the `securitysolution:defaultIndex` field. To view those indices, find **Stack Management** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to
*Advanced Settings* -> *`securitysolution:defaultIndex`*.

For example, to display data that is stored in indices matching the index pattern `servers-europe-*` on the map, you must use a {kib} data view whose index pattern matches `servers-europe-*`, such as `servers-*`.

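Review bot: the replacement loses the information the removed lines carried about where to define the data view (*Stack Management* -> *Data Views*); the new sentence only tells the reader where to look up `securitysolution:defaultIndex`. Add "on the **Data Views** page" after "data view", matching machine-learning.asciidoc in this commit. Also, `*Advanced Settings* -> *`securitysolution:defaultIndex`*` presents the setting name as a menu entry; `*Advanced Settings*, then the `securitysolution:defaultIndex` setting` would be clearer.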
2 changes: 1 addition & 1 deletion docs/getting-started/self-healing-rollback.asciidoc
@@ -14,7 +14,7 @@ This feature can cause permanent data loss since it overwrites recent changes an
Also, rollback is triggered by _every_ {elastic-defend} prevention alert, so you should tune your system to eliminate false positives before enabling this feature.
====

. In the {security-app}, go to *Manage* -> *Policies*, then select the integration policy you want to configure.
. Find **Policies** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select the integration policy you want to configure.
. Scroll down to the bottom of the policy and click *Show advanced settings*.
. Enter `true` for the setting `windows.advanced.alerts.rollback.self_healing.enabled`.
. Click *Save*.
3 changes: 2 additions & 1 deletion docs/getting-started/uninstall-agent.asciidoc
@@ -3,7 +3,8 @@

To uninstall {agent} from a host, run the `uninstall` command from the directory where it's running. Refer to the {fleet-guide}/uninstall-elastic-agent.html[{fleet} and {agent} documentation] for more information.

If <<agent-tamper-protection,Agent tamper protection>> is enabled on the Agent policy for the host, you'll need to include the uninstall token in the command, using the `--uninstall-token` flag. You can <<fleet-uninstall-tokens,find the uninstall token>> on the Agent policy or at *{fleet}* -> *Uninstall tokens*.
If <<agent-tamper-protection,Agent tamper protection>> is enabled on the Agent policy for the host, you'll need to include the uninstall token in the command, using the `--uninstall-token` flag. You can <<fleet-uninstall-tokens,find the uninstall token>> on the Agent policy. Alternatively, find *{fleet}* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], and select *Uninstall tokens*.


For example, to uninstall {agent} on a macOS or Linux host:

@@ -53,7 +53,7 @@ A CORS rule is required for communication between Elastic and {sn}. To create a

Follow these steps:

. Go to *Cases -> Edit external connection*.
. Find **Cases** in the navigation menu, or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select **Settings**.
. From the Incident management system list, select the deprecated connector to open the *Edit connector* flyout.
. Click *Update <connector name>*.
. In the warning message, click *Update this connector*.
4 changes: 2 additions & 2 deletions docs/post-upgrade/post-upgrade-req-cti-alerts.asciidoc
@@ -18,7 +18,7 @@ To migrate detection alerts:

To deactivate all detection rules:

. Go to *Rules* -> *Detection rules (SIEM)*.
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Click the *Select all _x_ rules* option above the rules table.
. Click *Bulk actions* -> *Disable*.

@@ -28,6 +28,6 @@ To deactivate all detection rules:

To reactivate all detection rules:

. Go to *Rules* -> *Detection rules (SIEM)*.
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Click the *Select all _x_ rules* option above the rules table.
. Click *Bulk actions* -> *Enable*.
4 changes: 2 additions & 2 deletions docs/upgrade/upgrade-7.17-8.x.asciidoc
@@ -79,7 +79,7 @@ NOTE: If you're using Elastic Cloud Hosted or {ece}, this is already included in
. Validate that {es} and {kib} are operating as expected by completing the following checks:
.. For {es}:
... Check the status of your clusters and ensure that they're green by running a `GET _cat/health` API request. For more information, refer to the {ref}/cat-health.html[cat health API documentation].
... Ensure that the index and search rate are close to what they were before upgrading. Go to **Stack Monitoring** -> **{es}** -> **Overview**.
... Ensure that the index and search rate are close to what they were before upgrading. To view these, find **Stack Monitoring** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select **{es}** **Overview**.
+
TIP: You can also check the index document count using the {ref}/cat-indices.html[cat index API].
... Verify that {slm} SLM is taking snapshots by {ref}/snapshots-take-snapshot.html#check-slm-history[checking the SLM history].
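Review bot: "then select **{es}** **Overview**" is missing the separator between the two items and renders as two adjacent bold words. Use `**{es}** -> **Overview**`, or "select **{es}**, then **Overview**", consistent with the `->` paths elsewhere in this file.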
@@ -114,7 +114,7 @@ The following sections describe procedures to complete after upgrading {elastic-

Any active rules when you upgrade from 7.17 to 8.0.1 or newer are automatically disabled, and a tag named `auto_disabled_8.0` is added to those rules for tracking purposes. Once the upgrade is complete, you can filter rules by the new tag, then use bulk actions to re-enable them:

. Go to the Rules page (*Detect -> Rules*).
. Find **Detection rules (SIEM)** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. From the *Tags* dropdown, search for `auto_disabled_8.0`.
. Click *Select all _x_ rules*, or individually select the rules you want to re-enable.
. Click *Bulk actions -> Enable* to re-enable the rules.
