Adds new Advanced Behavioral Detections section (#4296)
* Adds new Advanced Behavioral Detections section
* Moves L4 pages to L3
* Moves ml-integrations under Behavioral detection use cases
* Adds Advanced Behavioral Detections intro section
* Adds links to AEA page
* Uncomments reference that previously broke the build for no reason
* Replaces verbal reference to ml-integrations
* Removes frontmatter
* Behavioral detection updates
* Apply suggestions from code review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Apply suggestion from TW review
* Applies review feedback
* Lowercase advanced behavioral detections
* Lowercase entity risk scoring

---------

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
1 parent 86523b2, commit e700a62
Showing 19 changed files with 91 additions and 68 deletions.
docs/advanced-entity-analytics/advanced-behavioral-detections.asciidoc: 9 additions & 0 deletions
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
[[advanced-behavioral-detections]] | ||
= Advanced behavioral detections | ||
|
||
Elastic's {ml} capabilities and advanced correlation, scoring, and visualization techniques can help you identify potential behavioral threats that may be associated with security incidents. | ||
|
||
Advanced behavioral detections includes two key capabilities: | ||
|
||
* <<machine-learning, Anomaly detection>> | ||
* <<behavioral-detection-use-cases, Behavioral detection use cases>> |
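Review bot: the line "Advanced behavioral detections includes two key capabilities:" pairs a plural subject with a singular verb; either rephrase so the feature name is the subject, e.g. "The advanced behavioral detections feature includes two key capabilities:", or change the verb to "include". Also, of the two cross references in the list, `<<behavioral-detection-use-cases, Behavioral detection use cases>>` is defined by this commit, but `<<machine-learning, Anomaly detection>>` is not added here, so confirm that anchor exists in the book; otherwise it renders as a broken link and the build only logs a warning.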
docs/advanced-entity-analytics/behavioral-detection-use-cases.asciidoc: 29 additions & 0 deletions
@@ -0,0 +1,29 @@ | ||
[[behavioral-detection-use-cases]] | ||
= Behavioral detection use cases | ||
|
||
Behavioral detection identifies potential internal and external threats based on user and host activity. It employs a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. | ||
|
||
{elastic-sec} builds the behavioral detection feature on its foundational SIEM detection capabilities, leveraging {ml} algorithms to enable proactive threat detection and hunting. | ||
|
||
[float] | ||
[[ml-integrations]] | ||
=== Elastic {integrations} for behavioral detection use cases | ||
|
||
Behavioral detection integrations provide a convenient way to enable behavioral detection capabilities. They streamline the deployment of components that implement behavioral detection, such as data ingestion, transforms, rules, {ml} jobs, and scripts. | ||
|
||
.Requirements | ||
[sidebar] | ||
-- | ||
* Elastic integrations require a https://www.elastic.co/pricing[Platinum subscription] or higher. | ||
* To learn more about the requirements for using {ml} jobs, refer to <<ml-requirements, Machine learning job and rule requirements>>. | ||
-- | ||
|
||
Here's a list of integrations for various behavioral detection use cases: | ||
|
||
* {integrations-docs}/ded[Data Exfiltration Detection] | ||
* {integrations-docs}/dga[Domain Generation Algorithm Detection] | ||
* {integrations-docs}/lmd[Lateral Movement Detection] | ||
* {integrations-docs}/problemchild[Living off the Land Attack Detection] | ||
* {integrations-docs}/beaconing[Network Beaconing Identification] | ||
|
||
To learn more about {ml} jobs enabled by these integrations, refer to the https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html[Prebuilt jobs page]. |
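Review bot: the last line links to the prebuilt jobs page through the absolute URL https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html, which always resolves to the `current` release even when the reader is on an older version of the guide. This commit adds the `[[prebuilt-ml-jobs]]` anchor to the same book, so an internal cross reference such as `<<prebuilt-ml-jobs, Prebuilt jobs page>>` keeps the link version-matched and lets the build detect a missing target. Minor: the page goes straight from the `=` title to a `===` heading with no `==` level between; `[float]` headings are exempt from level checking, but `==` would read consistently with the other new pages.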
docs/advanced-entity-analytics/entity-risk-scoring.asciidoc: 13 additions & 0 deletions
@@ -0,0 +1,13 @@ | ||
[[entity-risk-scoring]] | ||
= Entity risk scoring | ||
|
||
beta::[] | ||
|
||
Entity risk scoring is an advanced {elastic-sec} analytics feature that helps security analysts detect changes in an entity's risk posture, hunt for new threats, and prioritize incident response. | ||
|
||
Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days. | ||
|
||
It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {elastic-sec} use cases, and allows you to customize and control how and when risk is calculated. | ||
|
||
Learn how to <<turn-on-risk-engine, turn on the latest risk scoring engine>>. | ||
|
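Review bot: in the second paragraph, "leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days" is ambiguous: it can mean scores computed over the last 30 days of detection data or scores that were produced during the last 30 days. State explicitly what the 30-day window applies to, since an analyst reading a score needs to know the lookback period. In the third paragraph, "It also generates risk scores on a recurring interval" starts a new paragraph with a pronoun whose referent ("the risk scoring engine") sits in the previous one; repeating the subject, e.g. "The risk scoring engine also generates ...", removes the dangling reference.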
8 files renamed without changes.
@@ -0,0 +1,4 @@ | ||
[[prebuilt-ml-jobs]] | ||
= Prebuilt job reference | ||
|
||
include::{stack-docs-root}/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc[tag=siem-jobs] |
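Review bot: the `include::{stack-docs-root}/docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc[tag=siem-jobs]` directive depends on two things outside this repository: the `stack-docs-root` attribute being set by the build and the `siem-jobs` tagged region existing in the target file. If either is missing, the page renders as a bare title and the build only logs a warning, so please confirm both resolve in a local build (the commit message already mentions a reference that broke the build in this area) and consider adding a one-sentence introduction above the include so the page is not empty when the include fails to resolve.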