diff --git a/solutions/images/security-gs-cloudsec-cspm.png b/solutions/images/security-gs-cloudsec-cspm.png new file mode 100644 index 0000000000..23d596bc81 Binary files /dev/null and b/solutions/images/security-gs-cloudsec-cspm.png differ diff --git a/solutions/images/security-gs-cloudsec-findings-flyout.gif b/solutions/images/security-gs-cloudsec-findings-flyout.gif new file mode 100644 index 0000000000..c3f4464362 Binary files /dev/null and b/solutions/images/security-gs-cloudsec-findings-flyout.gif differ diff --git a/solutions/images/security-gs-cspm-dashboard.png b/solutions/images/security-gs-cspm-dashboard.png new file mode 100644 index 0000000000..45c71c5b11 Binary files /dev/null and b/solutions/images/security-gs-cspm-dashboard.png differ diff --git a/solutions/images/security-gs-endpoint-endpoints-pg.png b/solutions/images/security-gs-endpoint-endpoints-pg.png new file mode 100644 index 0000000000..d2cecd29da Binary files /dev/null and b/solutions/images/security-gs-endpoint-endpoints-pg.png differ diff --git a/solutions/images/security-gs-siem-alert-flyout.png b/solutions/images/security-gs-siem-alert-flyout.png new file mode 100644 index 0000000000..1bb4d1e47f Binary files /dev/null and b/solutions/images/security-gs-siem-alert-flyout.png differ diff --git a/solutions/images/security-gs-siem-alerts-pg.png b/solutions/images/security-gs-siem-alerts-pg.png new file mode 100644 index 0000000000..40665181ac Binary files /dev/null and b/solutions/images/security-gs-siem-alerts-pg.png differ diff --git a/solutions/images/security-gs-siem-defend-flyout.png b/solutions/images/security-gs-siem-defend-flyout.png new file mode 100644 index 0000000000..79001ef720 Binary files /dev/null and b/solutions/images/security-gs-siem-defend-flyout.png differ 
diff --git a/solutions/images/security-gs-siem-install-agent.png b/solutions/images/security-gs-siem-install-agent.png new file mode 100644 index 0000000000..8166ae33f5 Binary files /dev/null and b/solutions/images/security-gs-siem-install-agent.png differ diff --git a/solutions/images/security-gs-siem-install-rules.png b/solutions/images/security-gs-siem-install-rules.png new file mode 100644 index 0000000000..3b911c5f34 Binary files /dev/null and b/solutions/images/security-gs-siem-install-rules.png differ diff --git a/solutions/images/security-gs-siem-rule-details.png b/solutions/images/security-gs-siem-rule-details.png new file mode 100644 index 0000000000..456858764a Binary files /dev/null and b/solutions/images/security-gs-siem-rule-details.png differ diff --git a/solutions/images/security-gs-siem-view-type.png b/solutions/images/security-gs-siem-view-type.png new file mode 100644 index 0000000000..396b83e38a Binary files /dev/null and b/solutions/images/security-gs-siem-view-type.png differ diff --git a/solutions/security/get-started.md b/solutions/security/get-started.md index d324624a5f..622f04e482 100644 --- a/solutions/security/get-started.md +++ b/solutions/security/get-started.md 
@@ -11,14 +11,25 @@ products: # Get started [getting-started] -This section describes how to set up {{elastic-sec}}, install {{agent}} and the {{elastic-defend}} integration on your hosts, and use the {{elastic-sec}} UI in {{kib}}. To get started, click on one of the following tutorials, depending on your use case: +New to {{elastic-sec}}? Discover more about our security features and how to get started. This section describes how to set up {{elastic-sec}}, install {{agent}} and the {{elastic-defend}} integration on your hosts, and use the {{elastic-sec}} UI in {{kib}}. -* [Detect threats in my data with SIEM](https://www.elastic.co/getting-started/security/detect-threats-in-my-data-with-siem) +:::::{{stepper}} +::::{{step}} Choose your deployment type -::::{note} -If you're migrating to Elastic's SIEM from Splunk, you can use [Automatic Migration](../security/get-started/automatic-migration.md). +Elastic provides several self-managed or Elastic-managed options for you to install {{elastic-sec}}. For simplicity and speed, we recommend one of our {{ecloud}} options. Check out our [deployment types](/deploy-manage/deploy.md#choosing-your-deployment-type) to learn more. :::: -* [Secure my hosts with endpoint security](https://www.elastic.co/getting-started/security/secure-my-hosts-with-endpoint-security) -* [Secure my cloud assets with cloud posture management (CSPM)](https://www.elastic.co/getting-started/security/secure-my-cloud-assets-with-cloud-security-posture-management) +::::{{step}} Ingest your data +After you've deployed {{elastic-sec}}, the next step is to get data into the product before you can search, analyze, or use any visualization tools. The easiest way to get data into Security is through one of our integrations—a pre-packaged collection of assets that allows you to easily collect, store, and visualize any data from any source. You can add an integration directly from the **Get Started** page within the **Ingest your data** section. 
Choose from one of our recommended integrations, or select one of the other tabs to browse by category. Elastic also provides different [ingestion methods](integration-docs://reference/index.md#ingestion-methods) to meet your infrastructure needs. +:::{{tip}} +If you have data from a source that doesn't yet have an integration, you can use our [Automatic Import tool](/solutions/security/get-started/automatic-import.md). +::: +:::: + +::::{{step}} Get started with your use case +Not sure where to start exploring {{elastic-sec}} +or which features may be relevant for you? Continue to the next topic to view our quickstart guides, which are tailored to specific use cases and help you complete a core task so you can get up and running. +:::: + +::::: diff --git a/solutions/security/get-started/get-started-cloud-security.md b/solutions/security/get-started/get-started-cloud-security.md new file mode 100644 index 0000000000..a86758fbef --- /dev/null +++ b/solutions/security/get-started/get-started-cloud-security.md 
@@ -0,0 +1,92 @@ +--- +navigation_title: Secure your cloud assets with cloud security posture management +description: A quick start guide to securing your cloud assets using {{elastic-sec}}. +applies_to: + serverless: +products: + - id: security +--- + +# Quickstart: Secure your cloud assets with cloud security posture management + +In this quickstart guide, you'll learn how to get started with Elastic Security for Cloud Security so you can monitor, detect, and investigate anomalous activity within cloud environments. + +## Prerequisites + +* Access to an {{sec-serverless}} project. If you don't have one yet, refer to [Create a Security project](/solutions/security/get-started/create-security-project.md) to learn how to create one. +* An admin account for the cloud service provider (CSP) you want to use. + + +## Add the Cloud Security Posture Management integration + +The Cloud Security Posture Management (CSPM) integration helps you identify and remediate configurations risks that could potentially undermine the confidentiality, integrity, and availability of your data in the cloud. + +To add the CSPM integration: + +1. On the **Get Started** home page, in the **Ingest your data** section, select the **Cloud** tab. +2. Select **Cloud Security Posture Management (CSPM)**, then click Add **Cloud Security Posture Management (CSPM)**. The integration configuration page displays. +3. For this guide, we'll be using AWS single account for configuration. Select these options in the configuration integration section. +4. Give the integration a name and enter an optional description. +5. Next, choose your deployment option. An agent-based deployment requires you to deploy and manage {{agent}} in the cloud account you want to monitor, whereas an agentless deployment allows you to collect cloud posture data without having to manage the {{agent}} deployment in your cloud. For simplicity, select **Agentless**. +6. 
Next, in the **Setup Access** section, choose your preferred authentication method—direct access keys (recommended) or temporary keys. For this guide, we'll use direct access keys. +7. Expand the Steps to Generate AWS Account Credentials, and follow the instructions. +8. Once you've generated an access key ID and secret access key and pasted the credentials, click **Save and continue** to complete deployment. Your data should start to appear within a few minutes. + +:::{image} /solutions/images/security-gs-cloudsec-cspm.png +:alt: Cloud Security Posture management integration +:screenshot: +::: + +% insert image + +:::{{{note}}} +Consider also adding the Cloud Native Vulnerability Management (CNVM) integration, which identifies vulnerabilities in your cloud workloads. +::: + +## View the Cloud Security Posture dashboard + +The Cloud Posture dashboard summarizes your cloud infrastructure's overall performance against security guidelines defined by the Center for Internet Security (CIS). It shows configuration risk metrics for all of your monitored cloud accounts and Kubernetes clusters and groups them by specific parameters. All configuration risks the integration identifies are called benchmark rules, and are listed on the **Findings** page. + +The dashboard also shows your overall compliance score, and your compliance score for each CIS section. Use these scores to determine how securely configured your overall cloud environment is. To learn more, refer to our [documentation](/solutions/security/cloud/cspm-dashboard.md). + +:::{image} /solutions/images/security-gs-cspm-dashboard.png +:alt: Cloud Security Posture dashboard +:screenshot: +::: + +To access the Cloud Security Posture dashboard, go to **Dashboards** → **Cloud Security Posture**. + + +## Analyze Findings + +After you install the CSPM integration, it evaluates the configuration of resources in your environment every 24 hours. 
It lists the results and whether a given resource passed or failed evaluation against a specific security guideline on the **Findings** page, which you can access from the navigation menu. By default, the Findings page lists all findings without any grouping or filtering. However, we recommend [filtering the data](/solutions/security/cloud/findings-page.md#cspm-findings-page-filter-findings) for failed findings. You can also [customize](/solutions/security/cloud/findings-page.md#cspm-customize-the-findings-table) the table to control which columns appear. + +To remediate a failed finding, click the arrow to the left of a failed finding to open the findings flyout, then follow the steps under **Remediation**. + +:::{image} /solutions/images/security-gs-cloudsec-findings-flyout.gif +:alt: Findings flyout +:screenshot: +::: + +:::{{tip}} +On the Cloud Security Posture dashboard, click one of the "View all failed findings" links to display a filtered view. +::: + +### Set up alerts + +To monitor your configuration more closely, we recommend creating detection rules to detect specific failed findings, which if found, generates an alert. + +You can create detection rule directly from the **Findings** page: + +1. Click the arrow to the left of a finding to open the findings flyout. +2. Click **Take action**, then **Create a detection rule**. This creates a detection rule that creates alerts when the associated benchmark rule generates a failed finding. +3. To review or customize the new rule, click **View rule**. For example, you may want to set up a rule action—like an email or Slack notification—when alerts are generated. To learn more about rule actions, refer to [](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications). 
+ +## More resources + +Now that you've configured CSPM, check out these other Cloud Security resources: + +* [CSPM for Google Cloud Posture (GCP)](/solutions/security/cloud/get-started-with-cspm-for-gcp.md) and [Azure](/solutions/security/cloud/get-started-with-cspm-for-azure.md) +* [Kubernetes security posture management](/solutions/security/cloud/kubernetes-security-posture-management.md) +* [Cloud native vulnerability management](/solutions/security/cloud/cloud-native-vulnerability-management.md) +* [Cloud workload protection for VMs](/solutions/security/cloud/cloud-workload-protection-for-vms.md) \ No newline at end of file diff --git a/solutions/security/get-started/get-started-detect-with-siem.md b/solutions/security/get-started/get-started-detect-with-siem.md new file mode 100644 index 0000000000..53dcd3e5b6 --- /dev/null +++ b/solutions/security/get-started/get-started-detect-with-siem.md 
@@ -0,0 +1,179 @@ +--- +navigation_title: Detect and respond to threats with SIEM +description: An introduction to detecting threats with SIEM in {{elastic-sec}}. +applies_to: + serverless: +products: + - id: security +--- + +# Quickstart: Detect and respond to threats with SIEM + +In this quickstart guide, we'll learn how to use some of {{elastic-sec}}'s SIEM features to detect, investigate, and respond to threats. + +## Prerequisites + +* Access to an {{sec-serverless}} project. If you don't have one yet, refer to [Create a Security project](/solutions/security/get-started/create-security-project.md). +* Ensure you have the appropriate [{{elastic-defend}} feature privileges](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). + + +## Add data using {{elastic-defend}} + +Before you can start using {{elastic-sec}}, you need to choose an integration to start collecting and analyzing your data. For this guide, we're going to use the {{elastic-defend}} integration. {{elastic-defend}} detects and protects endpoints from malicious activity, and provides automated response options before damage and loss occur. You have full control over which protections are enabled + +:::::{stepper} +::::{step} Install the Elastic Defend integration + +:::{dropdown} Steps to install {{elastic-defend}} +1. On the **Get started** page, in the **Ingest your data** section, select **{{elastic-defend}}**, then click **Add {{elastic-defend}}**. Elastic has several integrations for you to choose from—so you can select one of our recommended integrations or another of your choice. + + :::{note} + If you've added data through another integration besides {{elastic-defend}}, you can skip to [Add Elastic prebuilt detection rules](#add-elastic-prebuilt-detection-rules). + ::: +2. On the next page that says, "Ready to add your first integration?", click **Add integration only (skip agent installation)**. The integration configuration page appears. +3. 
Give the {{elastic-defend}} integration a name and optional description. +4. Select the type of environment you want to protect—**Traditional Endpoints** or **Cloud Workloads**. For this guide, we'll select **Traditional Endpoints**. +5. Select a configuration preset. Each preset comes with different default settings for {{agent}}, which you can further customize later by [configuring the {{elastic-defend}} integration policy](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md). For optimal endpoint protection, we recommend selecting **Complete EDR (Endpoint, Detection & Response)**. +6. Enter a name for the agent policy in the **New agent policy name** field. +7. Click **Save and continue**. Next, click **Add {{agent}} to your hosts**. +:::{image} /solutions/images/security-gs-siem-defend-flyout.png +:alt: Elastic Defend configuration +:screenshot: +::: +:::: + +::::{step} Add the Elastic Agent + +[{{agent}}](/reference/fleet/index.md#elastic-agent) is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. You'll need to install this component so it can monitor any malicious activity on your hosts. + +:::{dropdown} Steps to add {{agent}} +1. In the **Add agent** flyout that appears after you install the {{elastic-defend}} integration, you'll see the policy selected that you previously added. Leave the default enrollment token selected. +2. Ensure that the **Enroll in {{fleet}}** option is selected. {{elastic-defend}} cannot be integrated with {{agent}} in standalone mode. +3. Select the appropriate platform or operating system for the host on which you're installing the agent, then copy the provided commands. +4. On the host, open a command-line interface and navigate to the directory where you want to install {{agent}}. Paste and run the commands from {{fleet}} to download, extract, enroll, and start {{agent}}. +5. 
(Optional) Return to the **Add agent** flyout, and observe the **Confirm agent enrollment** and **Confirm incoming data** steps automatically checking the host connection. It may take a few minutes for data to arrive in {{es}}. +6. (Optional) After you have enrolled the {{agent}} on your host, you can click **View enrolled agents** to access the list of agents enrolled in {{fleet}}. Otherwise, select **Close**. + + The host will now appear on the **Endpoints** page in the {{security-app}} (**Assets** → **Endpoints**). It may take another minute or two for endpoint data to appear in {{elastic-sec}}. + +:::{important} +If you’re using macOS, some versions may require you to grant {{elastic-endpoint}} Full Disk Access to different kernels, system extensions, or files. Refer to [Elastic Defend requirements](/solutions/security/configure-elastic-defend/elastic-defend-requirements.md) for more information. +::: +::: +:::: + +::::{step} Modify policy configuration settings + +After you install the {{agent}} with {{elastic-defend}}, the Endpoint Security ({{elastic-defend}}) detection rule is automatically enabled and can generate either detection or protection alerts. +You can can also set up endpoint protections—such as preventions against malware, ransomware, memory threats, and other malicious behavior—on protected hosts. +This means that {{elastic-defend}} not only monitors for these behaviors and generates an alert when they are detected but also blocks them. Due to this maximum level of protection, we recommend modifying the policy to _detect_ instead of _prevent_ so that only an alert will be generated, and you can decide how to respond to the threat. Then, closely monitor which alerts and how many are generating over a specific time period before enabling higher protection, if needed. + +:::{dropdown} Steps to modify an endpoint policy +1. From the left navigation menu, go to **Assets** → **Endpoints** → **Policies**. +2. 
From the list, select the policy you want to configure. The policy configuration page appears. +3. On the **Policy settings** tab, for each protection, switch the protection level from `Prevent` to `Detect`. +4. Review and configure the event collection and antivirus settings as appropriate. +5. Once you're finished making changes, click **Save** in the lower-right corner to update the policy. + +:::{note} +For a comprehensive explanation of all endpoint protections and policy settings, refer to [Configure an integration policy](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md). +::: +::: +::::: + +## Add Elastic prebuilt detection rules + +Detection rules allow you to monitor your environment by searching for source events, matches, sequences, or {{ml}} job anomaly results that meet their criteria. When a rule’s criteria are met, {{elastic-sec}} generates an alert. While you can create your own rules tailored for your environment, Elastic ships out-of-the-box prebuilt rules that you can install. Remember that if you installed {{elastic-defend}}, the Endpoint Security rule is already enabled. + +:::{dropdown} Steps to install and enable prebuilt rules +1. On the **Get Started** page, scroll down to the **Configure rules and alerts** section. +2. Click **Install Elastic rules**, then **Add Elastic rules**. The **Rules** page displays. +3. At the top of the page, click **Add Elastic rules**. The badge next to it shows the number of prebuilt rules available for installation. +4. Use the search bar and **Tags** filter to find the rules you want to install. For example, to filter by operating system, search for the appropriate OS (such as `macOS`) from the **Tags** menu. +5. Once you've filtered the rules, confirm that the rules displayed are the ones you'd like to install. If you'd like to learn more about any rule before installing it, click on the rule name to expand the rule details flyout. 
Here's an example of one: + + :::{image} /solutions/images/security-gs-siem-rule-details.png + :alt: Rule details flyout + :screenshot: + ::: + +6. Select the check box next to the rules you want to install. To select all rules on the page, select the check box to the left of the **Rule** column heading. We recommend installing all the rules for your operating system, but you can install whichever rules you're comfortable with to start. You can always install more later. +7. Click ![Vertical boxes button](/solutions/images/serverless-boxesVertical.svg "") → **Install and enable** to install and start running the rules. Alternatively, after a rule is installed, you can enable it from the installed rules table. Once you enable a rule, it starts running on its configured schedule. + +:::{image} /solutions/images/security-gs-siem-install-rules.png +:alt: Alerts page with visualizations section collapsed +:screenshot: +::: + + To learn how to view and manage all detection rules, refer to [Manage detection rules](/solutions/security/detect-and-alert/manage-detection-rules.md). + +::: + +## Visualize and examine alert details + +Now that you've installed and enabled rules, it's time to monitor your {{sec-serverless}} project to see if you receive any alerts. Remember, an alert is generated if any of the rule's criteria are met. {{elastic-sec}} provides several tools for investigating security events: + +* **Alerts table:** View all generated alerts in a comprehensive list, apply filters for a customized view, and drill down into details. +* **Timeline:** Explore alerts in a central, interactive workspace. Create customized queries and collaborate on incident analysis by combining data from various sources. +* **Visual event analyzer:** View a graphical timeline of processes leading up to the alert and the events that occurred immediately after. +* **Session View:** Examine Linux process data and real-time data insights. 
+ +To view a quick video tutorial on how to use these features, on the **Get Started** page, scroll down to **View alerts**, select a feature from the list, and click **Play Video** on the right. + +For this guide, let's take a closer look at how to visualize and examine alert details by viewing the **Alerts** page. + +:::{note} +If you don't have any alerts yet in your environment, that's great news! You can use the [Elastic demo server](https://demo.elastic.co/) to explore alerts. +::: + +To access the **Alerts** page, do one of the following: +* On the **Get Started** page, scroll down to the **View alerts** section, then click **View Alerts** at the bottom. +* From the left navigation menu, select **Alerts**. + +:::{image} /solutions/images/security-gs-siem-alerts-pg.png +:alt: Alerts page overview +:screenshot: +::: + +At the top of the **Alerts** page are four filter controls—**Status**, **Severity**, **User**, and **Host**—that you can use to filter your alerts view. Except for **Status**, you can [edit and customize](/solutions/security/detect-and-alert/manage-detection-alerts.md#drop-down-filter-controls) these to your preference. + + +In the visualization section, you can group alerts by a specific view type: +* **Summary:** Shows how alerts are distributed across specific indicators. +* **Trend:** Shows the occurrence of alerts over time. +* **Counts:** Shows the count of alerts in each group. Although there are default values, you can change the `Group by` parameters. +* **Treemap:** Shows the distribution of alerts as nested, proportionally sized and color-coded tiles based on the number of alerts, and the alert's risk score. This view is useful to quickly pinpoint the most critical alerts. 
+ +:::{image} /solutions/images/security-gs-siem-view-type.png +:alt: Alerts page, view by type +:screenshot: +::: + +**View alert details** + +At the bottom of the **Alerts** page is the alerts table, which includes a comprehensive list of all generated alerts, and inline actions so you can take action directly on the alert. You can customize and filter the table by specific criteria to help drill down and narrow alerts. + +:::{tip} +Consider [grouping alerts](/solutions/security/detect-and-alert/manage-detection-alerts.md#group-alerts) by other parameters such as rule name, user name, host name, source IP address, or any other field. You can select up to three fields. +::: + +To view specific details about an alert, in the alerts table, click the **View details** button, which opens the alert details flyout. Here, you can view a quick description of the alert, or conduct a deep dive to investigate. Each section of the alert details flyout provides a different insight, and the **Take Action** menu at the bottom provides several options to respond to or interact with the alert. + +:::{image} /solutions/images/security-gs-siem-alert-flyout.png +:alt: Alert details flyout +:screenshot: +::: + + +For a comprehensive overview of the alert details flyout, refer to [View detection alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md#alert-details-flyout-ui). + +## Next steps + +Once you've had a chance to install detection rules and check out alerts, we recommend exploring the following investigation tools and resources to assist you with threat hunting: + +* View and analyze data with out-of-the-box [dashboards](/solutions/security/dashboards.md). 
+* Learn how to reduce your mean time to respond with [Attack Discovery](/solutions/security/ai/attack-discovery.md), an AI threat hunting feature that leverages large language models (LLMs) to analyze alerts in your environment, identify threats, and show how they correspond to the MITRE ATT&CK matrix. +* Learn how to use [Cases](/solutions/security/investigate/cases.md) to track investigation details. +* Download the "Guide to high-volume data sources for SIEM" [white paper](https://www.elastic.co/campaigns/guide-to-high-volume-data-sources-for-siem?elektra=organic&storm=CLP&rogue=siem-gic). +* Check out [Elastic Security Labs](https://www.elastic.co/security-labs) for the latest on threat research. +% add endpoint getting started guide when it's done \ No newline at end of file diff --git a/solutions/security/get-started/get-started-endpoint-security.md b/solutions/security/get-started/get-started-endpoint-security.md new file mode 100644 index 0000000000..816bf859f6 --- /dev/null +++ b/solutions/security/get-started/get-started-endpoint-security.md 
@@ -0,0 +1,122 @@ +--- +navigation_title: Protect your hosts with endpoint security +description: A quick start guide to securing your hosts with endpoint security. +applies_to: + serverless: +products: + - id: security +--- + +# Quickstart: Protect your hosts with endpoint security + +In this guide, you’ll learn how to use {{elastic-sec}} to protect your hosts from malware, ransomware, and other threats. + +## Prerequisites + +* Access to an {{sec-serverless}} project. If you don't have one yet, refer to [Create a Security project](/solutions/security/get-started/create-security-project.md) to learn how to create one. +* Ensure you have the appropriate [{{elastic-defend}} feature privileges](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). +* Ensure you have the appropriate user role to configure an integration policy and access the **Endpoints** page. + +## Enable {{elastic-defend}} + +:::::{stepper} +::::{step} Install the Elastic Defend integration + +{{elastic-defend}} detects and protects endpoints from malicious activity and provides automated response options before damage and loss occur. + +:::{note} +If you're installing {{elastic-defend}} on macOS, the following instructions apply to hosts without a Mobile Device Management (MDM) profile. If your host has an MDM profile, refer to [Deploy Elastic Defend on macOS with mobile device management](/solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md). +::: + +:::{dropdown} Steps to install {{elastic-defend}} +1. On the **Get started** home page, in the **Ingest your data** section, select **{{elastic-defend}}**, then click **Add {{elastic-defend}}**. +2. On the next page that says, "Ready to add your first integration?", click **Add integration only (skip agent installation)**. The integration configuration page appears. +3. Give the {{elastic-defend}} integration a name and enter an optional description. +4. 
Select the type of environment you want to protect — **Traditional Endpoints** or **Cloud Workloads**. For this guide, we'll select **Traditional Endpoints**. +5. Select a configuration preset, which will differ based on your prior selection. Each preset comes with different default settings for {{agent}}, which you can further customize later by [configuring the {{elastic-defend}} integration policy](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md). For optimal endpoint protection, we recommend selecting **Complete EDR (Endpoint, Detection & Response)**. +6. Enter a name for the agent policy in the **New agent policy name** field. +7. Click **Save and continue**. Next, click **Add {{agent}} to your hosts**. +::: +:::: + +::::{step} Add the Elastic Agent + +{{agent}} is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. + +:::{dropdown} Steps to add {{agent}} +1. In the **Add agent** flyout that appears after you install the {{elastic-defend}} integration, you'll see the policy selected that you previously added. Leave the default enrollment token selected. +2. Ensure that the **Enroll in {{fleet}}** option is selected. {{elastic-defend}} cannot be integrated with {{agent}} in standalone mode. +3. Select the appropriate platform or operating system for the host on which you're installing the agent, then copy the provided commands. +4. On the host, open a command-line interface and navigate to the directory where you want to install {{agent}}. Paste and run the commands from {{fleet}} to download, extract, enroll, and start {{agent}}. +5. (Optional) Return to the **Add agent** flyout, and observe the **Confirm agent enrollment** and **Confirm incoming data** steps automatically checking the host connection. It may take a few minutes for data to arrive in {{es}}. +6. 
(Optional) After you have enrolled the {{agent}} on your host, you can click **View enrolled agents** to access the list of agents enrolled in {{fleet}}. Otherwise, select **Close**. + + The host will now appear on the **Endpoints** page in the {{security-app}} (**Assets** → **Endpoints**). It may take another minute or two for endpoint data to appear in {{elastic-sec}}. + +:::{important} +If you’re using macOS, some versions may require you to grant {{elastic-endpoint}} Full Disk Access to different kernels, system extensions, or files. Refer to [Elastic Defend requirements](/solutions/security/configure-elastic-defend/elastic-defend-requirements.md) for more information. +::: +::: +:::: + +::::{step} Modify policy configuration settings + +After you install the {{agent}} with {{elastic-defend}}, several endpoint protections—such as preventions against malware, ransomware, memory threats, and other malicious behavior—are automatically enabled on protected hosts. If any of these behaviors are detected, {{elastic-defend}} generates an alert, and by default, prevents the malicious activity from completing. However, you can tailor the policy configuration to meet your organization’s security needs. + +:::{tip} +You may want to consider analyzing which and how many alerts are generated over a specific time period to identify common patterns or anomalies before you make any policy changes. Check out the [SIEM quick start guide](/solutions/security/get-started/get-started-detect-with-siem.md) to learn more about how to monitor alerts. +::: + +:::{dropdown} Steps to modify an integration policy +1. From the left navigation menu, go to **Assets** → **Endpoints** → **Policies**. +2. From the list, select the policy you want to configure. The integration policy configuration page appears. +3. On the **Policy settings** tab, review and configure the protection, event collection, and antivirus settings as appropriate. +4. 
Once you're finished making changes, click **Save** in the lower-right corner to update the policy. +5. (Optional) You can click the **Trusted applications**, **Event filters**, **Host isolation exceptions**, and **Blocklist** tabs to review and manage those artifacts assigned to the policy, but we'll cover how to manage these in the next section. + +:::{note} +For a comprehensive explanation of all endpoint protections and policy settings, refer to [Configure an integration policy](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md). +::: + +% insert image +::: +:::: +::::: + +## Manage endpoints +Now that you've got endpoint protection enabled, it's important not only to monitor your environment for alerts, but to manage your hosts to ensure they're healthy and have all appropriate security settings. + +:::{{note}} +You must have `admin` privileges to manage endpoints. +::: + +To view all endpoints running {{elastic-defend}}, go to **Assets** → **Endpoints**. From here, you can view details such as agent and policy status, associated policy and IP address, or perform specific actions on the endpoint. For more information, refer to our documentation on [managing endpoints](/solutions/security/manage-elastic-defend/endpoints.md). + +:::{image} /solutions/images/security-gs-endpoint-endpoints-pg.png +:alt: Endpoints page in Elastic Security +:screenshot: +::: + +Here are some other features {{elastic-sec}} provides to help manage host configuration: + +* [Endpoint response actions](/solutions/security/endpoint-response-actions.md): Perform response actions on an endpoint using a terminal-like interface. For example, isolating or releasing a host, getting a list of processes, or suspending a running process. + + :::{tip} + You can also automate some responses when an event meets the rule's criteria. 
Refer to [Automated response actions](/solutions/security/endpoint-response-actions/automated-response-actions.md) for more information. + ::: + +* [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md): Add Windows, macOS, and Linux applications that should be trusted so that {{elastic-defend}} doesn't monitor them. +* [Blocklist](/solutions/security/manage-elastic-defend/blocklist.md): Prevent specified applications from running on hosts to extend the list of processes that {{elastic-defend}} considers malicious. This adds an extra layer of protection by ensuring that known malicious processes aren’t accidentally executed by end users. +* [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md): Add specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network. + +:::{tip} +You can apply trusted applications, blocklist entries, and host isolation exceptions to a single policy, or to all policies. +::: + +## Next steps + +After your hosts are secure and your environment has all the appropriate security configuration enabled, we recommend taking these next steps: + +* Check out the [Hosts page](/solutions/security/explore/hosts-page.md) for a comprehensive overview of all hosts and host-related security events. This page is also useful to identify uncommon processes and anomalies discovered by {{ml}} jobs. +* Enable prebuilt detection rules. You're already set to receive endpoint threat alerts from {{elastic-defend}}, but did you know {{elastic-sec}} ships with several out-of-the-box rules that you can enable? Check out our [SIEM quick start guide](/solutions/security/get-started/get-started-detect-with-siem.md#add-elastic-prebuilt-detection-rules) or our [documentation](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules). 
+* Discover all the other tools available to [manage {{elastic-defend}}](/solutions/security/manage-elastic-defend.md). \ No newline at end of file diff --git a/solutions/security/get-started/quickstarts.md b/solutions/security/get-started/quickstarts.md new file mode 100644 index 0000000000..6186a93ba8 --- /dev/null +++ b/solutions/security/get-started/quickstarts.md @@ -0,0 +1,21 @@ +--- +applies_to: + serverless: ga +products: + - id: security +--- + +# {{elastic-sec}} quickstarts + +Our quickstarts reduce your time-to-value by offering a fast path to learn about security strategies, tailored to your use case. +Each quickstart provides: + +- A highly opinionated, fast path to a specific use case +- Essential steps to complete a core task +- Contextual information to understand {{elastic-sec}}'s value + +Follow the steps in these guides to get started quickly: + +- [Detect and respond to threats with SIEM](/solutions/security/get-started/get-started-detect-with-siem.md) +- [Protect my hosts with endpoint security](/solutions/security/get-started/get-started-endpoint-security.md) +- [Secure your cloud assets with cloud security posture management](/solutions/security/get-started/get-started-cloud-security.md) \ No newline at end of file diff --git a/solutions/toc.yml b/solutions/toc.yml index 918381a427..099a157d1a 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -466,6 +466,11 @@ toc: - file: security/elastic-security-serverless.md - file: security/get-started.md children: + - file: security/get-started/quickstarts.md + children: + - file: security/get-started/get-started-detect-with-siem.md + - file: security/get-started/get-started-endpoint-security.md + - file: security/get-started/get-started-cloud-security.md - file: security/get-started/elastic-security-requirements.md - file: security/get-started/create-security-project.md - file: security/get-started/elastic-security-ui.md
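Review bot: the enrollment steps in the `Add the Elastic Agent` dropdown (get-started.md, steps 1 and 4) have the reader copy commands that embed the selected enrollment token, but nothing tells them that the token is a credential; consider adding one sentence after step 4 noting that the copied install command contains the {{fleet}} enrollment token and should not be pasted into tickets, shared scripts or version control. In the same region, the macOS `:::{important}` callout could also state at which point the Full Disk Access prompt appears (during enrollment versus first start), since a reader following the numbered steps will otherwise not know when to expect it.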
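Review bot: `:::{{note}}` under `## Manage endpoints` in get-started.md uses doubled braces, which is the substitution syntax and will not render as a note admonition; every other callout in this file uses the single-brace form, so this should be `:::{note}`. The same region still carries the placeholder comment `% insert image` at the end of the `Steps to modify an integration policy` dropdown; either add the screenshot (the `:::{image}` block used a few lines later for `security-gs-endpoint-endpoints-pg.png` is the pattern to follow) or drop the placeholder before merging.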
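Review bot: both `get-started.md` and the new `quickstarts.md` end with `\ No newline at end of file`; add the trailing newline so later diffs stay clean. The `quickstarts.md` front matter marks the page `serverless: ga` only, while the index links and the `toc.yml` hunk add three quickstart pages (`get-started-detect-with-siem.md`, `get-started-endpoint-security.md`, `get-started-cloud-security.md`) that are not visible in this diff; confirm those files are part of the same change and that their own `applies_to` matches the serverless-only scope of the index, otherwise the TOC entries will point at missing or inconsistently scoped pages.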