diff --git a/_security-analytics/index.md b/_security-analytics/index.md index fee5094868..da10abce7f 100644 --- a/_security-analytics/index.md +++ b/_security-analytics/index.md @@ -57,7 +57,7 @@ To learn more about findings, see [Working with findings]({{site.url}}{{site.bas ### Alerts -When defining a detector, you can specify certain conditions that will trigger an alert. When an event triggers an alert, the system sends a notification to a channel—such as Chime, Slack, email, etc.—that you specify during configuration of the alert. The alert can be triggered when the detector matches one or multiple rules. Further conditions can be set by rule severity and tags. You can also create a notification message with a customzied subject line and message body. +When defining a detector, you can specify certain conditions that will trigger an alert. When an event triggers an alert, the system sends a notification to a preferred channel, such as Amazon Chime, Slack, or email. The alert can be triggered when the detector matches one or multiple rules. Further conditions can be set by rule severity and tags. You can also create a notification message with a customized subject line and message body. For information on setting up alerts, see [Step 3. Set up alerts]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-3-set-up-alerts) in detector creation documentation. For information on managing alerts on the Alerts window, see [Working with alerts]({{site.url}}{{site.baseurl}}/security-analytics/usage/alerts/). diff --git a/_security-analytics/sec-analytics-config/detectors-config.md b/_security-analytics/sec-analytics-config/detectors-config.md index 0230324f17..57e2eca0de 100644 --- a/_security-analytics/sec-analytics-config/detectors-config.md +++ b/_security-analytics/sec-analytics-config/detectors-config.md @@ -9,9 +9,9 @@ nav_order: 15 Security Analytics provides the options and functionality to monitor and respond to a wide range of security threats. Detectors are the essential components that determine what to look for and how to respond to those threats. This section covers their creation and configuration. -## Step 1. Define the detector +## Step 1. Defining a detector -Defining a new detector involves naming the detector, selecting a data source and detector type, and specifying a detector schedule. You can also create alerts for the detector at this stage, although there are options to create alerts in other areas of the interface. Follow the steps in this section to define a new detector. +Defining a new detector involves naming the detector, selecting a data source and detector type, and specifying a detector schedule. After defining a detector, you can also configure field mappings and set up alerts. Follow the steps in this section to accomplish all three of these setup tasks. 1. On the Detectors page, select the **Create detector** button. The Define detector page opens. 1. Give the detector a name and, as an option, add a description for the detector. @@ -34,7 +34,7 @@ Defining a new detector involves naming the detector, selecting a data source an 1. In the **Detector schedule** section, set how often the detector will run. Specify a unit of time and a corresponding number to set the interval. 1. Select the **Next** button in the lower-right corner of the screen to continue. The Configure field mapping page appears. -## Step 2. Make field mappings +## Step 2. Making field mappings Field mapping matches field names for the rule with field names from the log being used to provide data. The mappings are automatically applied once the detector is defined in previous steps. This page offers the user the option to map log-specific field names to the internal rule field names. @@ -44,24 +44,26 @@ For example, if you prefer to have the log field name UserID rather than EventID To make any changes to the automatically populated mappings, use the dropdown arrows across from the rule field names to specify a preferred log field name for the mapping. After completing the mappings, select the **Next** button in the lower-right corner of the screen. The Set up alerts page appears and displays settings for an alert trigger. -## Step 3. Set up alerts +## Step 3. Setting up alerts -At this stage, setting up alerts is optional for creating a new detector. Alerts can be configured at any time, including from the Findings window. This section describes the process for defining the alert conditions during creation of a detector. To see how to initiate creation of alerts from the Findings window, see [The findings list]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/#the-findings-list). +The third step in creating a detector involves setting up alerts. Alerts are configured to create triggers that, when matched with a set of detection rule criteria, send a notification of a possible security event. You can select the criteria (rules, rule severity, and tags) in any combination to define a trigger. Once a trigger is defined, the alert setup lets you choose the channel on which to be notified and provides options for customizing a message for the notification. -To skip directly to generating findings from the detector, select the **Remove alert trigger** button and then the **Next** button in the lower-right corner of the screen. Review the detector's definition and then select the **Create** button in the lower-right corner of the screen. The detector is created. -{: .tip } +At least one alert condition is required before a detector can begin generating findings. +{: .note } -To set up an alert for the detector at this stage of detector creation, continue with the following steps: +You can also configure alerts from the Findings window. To see how to set up alerts from the Findings window, see [The findings list]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/#the-findings-list). A final option for adding additional alerts is to edit a detector and navigate to the **Alert triggers** tab, where you can edit existing alerts as well as add new ones. For details, see [Editing a detector]({{site.url}}{{site.baseurl}}security-analytics/usage/detectors/#editing-a-detector). + +To set up an alert for a detector, continue with the following steps: 1. In the **Trigger name** box, enter a name for the trigger. 1. To define rule matches for the alert, select security rules, severity levels, and tags. -Rules used to define an alert +
Rules used to define an alert * Select one rule or multiple rules that will trigger the alert. Put the cursor in the **Rule names** box and type a name to search for it. To remove a rule name, select the **X** beside the name. To remove all rule names, select the **X** beside the dropdown menu's down arrow.
Deletes all selected rules * Select one or more rule severities as conditions for the alert. * Select from a list of tags to include as conditions for the alert. 1. To define a notification for the alert, assign an alert severity, select a channel for the notification, and customize a message generated for the alert. -Notification settings for the alert +
Notification settings for the alert * Assign a level of severity for the alert to give the recipient an indication of its urgency. * Select a channel for the notification. Examples include Slack, Chime, or email. Select the **Manage channels** link to the right of the field to link the notification to a preferred channel. * Select the **Show notify message** label to expand message preferences. You can add a subject for the message and a note to inform recipients of the nature of the message. diff --git a/_security-analytics/usage/detectors.md b/_security-analytics/usage/detectors.md index 5615a4f20b..1570bd1994 100644 --- a/_security-analytics/usage/detectors.md +++ b/_security-analytics/usage/detectors.md @@ -25,12 +25,15 @@ To edit a detector, begin by selecting the link to the detector in the Detector * In the upper-right corner of the window, you can select **View alerts** to go to the Alerts window or **View findings** to go to the Findings window. You can also select **Actions** to perform actions for the detector. See [Detector actions]({{site.url}}{{site.baseurl}}/security-analytics/usage/detectors/#detector-actions). * In the lower portion of the window, select the **Edit** button for either Detector details or Detection rules to make changes accordingly. * Finally, you can select the **Field mappings** tab to edit field mappings for the detector, or select the **Alert triggers** tab to make edits to alerts associated with the detector. -Field mappings and Alert triggers tabs +
Field mappings and Alert triggers tabs + + After you select the **Alert triggers** tab, you also have the option to add additional alerts for the detector by selecting **Add another alert condition** at the bottom of the page. + {: .tip } ## Detector actions Threat detector actions allow you to stop and start detectors or delete a detector. To enable actions, first select the checkbox beside one or more detectors in the list. -Threat detector actions +
Threat detector actions ### Changing detector status diff --git a/_security-analytics/usage/overview.md b/_security-analytics/usage/overview.md index 4beccecfe0..d32fef9588 100644 --- a/_security-analytics/usage/overview.md +++ b/_security-analytics/usage/overview.md @@ -18,27 +18,31 @@ Each section provides a summary description for each element of Security Analyti ## Overview and getting started -The upper-right corner of the Overview page contains two control buttons for refreshing information and getting started with Security Analytics. You can select the **Refresh** button to refresh all of the information on the page. You can also select the **Getting started** link to expand the Get started with Security Analytics window, which inludes a summary of the steps for set up as well as control buttons that allow you to jump to any of the steps. -The getting started quick launch window +The upper portion of the Overview page contains two control buttons for refreshing information and getting started with Security Analytics. You can select the **Refresh** button to refresh all of the information on the page. + +You can also select the **Getting started** link to expand the Get started with Security Analytics window, which includes a summary of the setup steps as well as control buttons that allow you to jump to any of the steps. +
The overview page with getting started quick launch window * In step 1 of setup, select **Create detector** to define a detector. -* In step 2, select **View findings** to go to the Findings page. For more on findings, see [Working with findings]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/) -* In step 3, select **Manage rules** to go to the Rules page. For more on rules, see [Working with rules]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/) +* In step 2, select **View findings** to go to the Findings page. For details about this page, see [Working with findings]({{site.url}}{{site.baseurl}}/security-analytics/usage/findings/). +* In step 3, select **View alerts** to go to the Security alerts page. For details about this page, see [Working with alerts]({{site.url}}{{site.baseurl}}/security-analytics/usage/alerts/). +* In step 4, select **Manage rules** to go to the Rules page. For more on rules, see [Working with rules]({{site.url}}{{site.baseurl}}/security-analytics/usage/rules/). ## Findings and alert count -The Findings and alert count section provides a graph showing data on the latest findings. Use the **Group by** dropdown menu to select between all findings and findings by log type. +The Findings and alert count section provides a graph showing data on the latest findings. Use the **Group by** menu to select either **All findings** or **Log type**. -## Top recent alerts +## Recent alerts -Top recent alerts displays recent alerts by time, trigger name, and alert severity. Select **View alerts** to go to the Alerts page. +The Recent alerts table displays recent alerts by time, trigger name, and alert severity. Select **View alerts** to go to the Alerts page. -## Top recent findings +## Recent findings -Top recent findings displays recent findings by time, rule name, rule severity, and detector. Select **View all findings** to go to the Findings page. +The Recent findings table displays recent findings by time, rule name, rule severity, and detector. Select **View all findings** to go to the Findings page. ## Most frequent detection rules -This section provides a graphical representation of detection rules that trigger findings most often and how they compare to others as a percentage of the whole. Rules are also listed to the right side of the graph. +This section provides a graphical representation of detection rules that trigger findings most often and how they compare to others as a percentage of the whole. The rule names represented by the graph are listed to the right. +
The detection rule graph on the Overview page ## Detectors diff --git a/images/Security/get-started.png b/images/Security/get-started.png deleted file mode 100644 index 8651fafd83..0000000000 Binary files a/images/Security/get-started.png and /dev/null differ diff --git a/images/Security/overview.png b/images/Security/overview.png new file mode 100644 index 0000000000..c0513faa42 Binary files /dev/null and b/images/Security/overview.png differ diff --git a/images/Security/rule_graph.png b/images/Security/rule_graph.png new file mode 100644 index 0000000000..3dcf01df00 Binary files /dev/null and b/images/Security/rule_graph.png differ