Description
What
New Entity Analytics workflow
We are introducing a new workflow in the Elastic Security Solution, called "Entity Analytics." It adds a new Entity Analytics navigation item with two sub-pages: an "Overview" page and a "Privileged user monitoring" page.
Overview page
The Overview page, at launch, will be an exact, one-to-one replica of the existing Entity Analytics dashboard. In 9.1, we do not plan to deprecate the existing dashboard; in the long term, however, it will be deprecated. With regard to documentation, the primary challenge will be deciding exactly how we want to "duplicate" the content.
Privileged user monitoring page
Privileged user monitoring is the primary Entity Analytics feature being released in 9.1, and it ships as a technical preview. At the highest level, privileged users are those who hold some kind of elevated rights in a given system (such as an "admin" user). We are introducing a new page and new processes that let customers track the behavior of users who are denoted as privileged in their systems.
What makes a user privileged?
There are two primary ways that privileged users can be denoted in the privileged user monitoring system:
Integrations
Some integrations give insight into which users exist in a given environment. In those cases, the privileged user monitoring experience can automatically determine which users from that integration are privileged, based on either their role or their group information (depending on the specific integration in question).
At launch, the two integrations that we will support by default are the Active Directory Entity Analytics integration, where Domain Admins and Enterprise Admins are automatically marked as privileged, and the Okta Entity Analytics integration, where the Okta standard administrator roles (found here) are automatically marked as privileged.
Supplying privileged users directly
Privileged users can also be denoted by supplying them directly to the system. This can be done via:
- API requests to mark individual users as privileged
- A CSV upload process to bulk-upload privileged users
- A default index pattern that customers can fill in with privileged users, called entity-analytics.privileged-users
- A custom index pattern that customers can fill in with privileged users, and can select within the Privileged user monitoring page
What visualizations are available
The following mockup shows the visualizations that will be supported. Some details may be slightly different at launch.

What user permissions are required for initializing this experience or viewing results?
TODO
When
These features will be released within the 9.1 release cycle, and will be released in Serverless roughly the same time as 9.1 is generally available (late July).
Why
To give users, particularly the "Threat Hunter" persona, a dedicated workflow for accessing Elastic Security's Entity Analytics capabilities.
Resources
Entity Analytics Workflow Epic
Privileged User Monitoring Epic
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
N/A
What release is this request related to?
9.1
Serverless release
TBD - Likely the week of July 29th
Collaboration model
The documentation team
Point of contact
Main contact: @jaredburgettelastic @hop-dev @natasha-moore-elastic