New entity store features (#6634) (#6657)

* New entity store features

* Moves flyout docs to new page

* fix formatting

(cherry picked from commit 2dcbce3)

Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>

Author: mergify[bot]

docs/AI-for-security/attack-discovery.asciidoc

@@ -88,7 +88,7 @@ image::images/attck-disc-example-disc.png[Attack Discovery detail view]
 
 There are several ways you can incorporate discoveries into your {elastic-sec} workflows:
 
-* Click an entity's name to open the user or host details flyout and view more details that may be relevant to your investigation.
+* Click an entity's name to open the entity details flyout and view more details that may be relevant to your investigation.
 * Hover over an entity's name to either add the entity to Timeline (image:images/icon-add-to-timeline.png[Add to timeline icon,17,18]) or copy its field name and value to the clipboard (image:images/icon-copy.png[Copy to clipboard icon,17,18]). 
 * Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a <<cases-overview, case>>. This makes it easy to share the information with your team and other stakeholders.
 * Click **Investigate in timeline** to explore the discovery in <<timelines-ui, Timeline>>.

docs/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc

@@ -1,7 +1,7 @@
 [[advanced-entity-analytics-overview]]
 = Advanced Entity Analytics
 
-Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity's environment. This feature combines the power of the SIEM detection engine and Elastic's {ml} capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts and users.
+Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity's environment. This feature combines the power of the SIEM detection engine and Elastic's {ml} capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts, users, and services.
 
 Advanced Entity Analytics provides two key capabilities:
 
@@ -11,6 +11,7 @@ Advanced Entity Analytics provides two key capabilities:
 include::entity-risk-scoring.asciidoc[leveloffset=+1]
 include::ers-req.asciidoc[leveloffset=+2]
 include::turn-on-risk-engine.asciidoc[leveloffset=+2]
+include::view-entity-details.asciidoc[leveloffset=+2]
 include::asset-criticality.asciidoc[leveloffset=+2]
 include::entity-store.asciidoc[leveloffset=+2]
 include::analyze-risk-score-data.asciidoc[leveloffset=+2]

docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc

@@ -8,7 +8,7 @@ The {security-app} provides several options to monitor the change in the risk po
 * <<alert-details-flyout, Alert details flyout>>
 * <<hosts-users-pages, Hosts and Users pages>>
 * <<host-user-details-pages, Host and user details pages>>
-* <<host-and-user-details-flyouts, Host and user details flyouts>>
+* <<entity-details-flyouts, Entity details flyouts>>
 
 TIP: We recommend that you prioritize <<alert-triaging, alert triaging>> to identify anomalies or abnormal behavior patterns.
 
@@ -18,10 +18,7 @@ TIP: We recommend that you prioritize <<alert-triaging, alert triaging>> to iden
 
 From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page.
 
-If you have enabled the <<entity-store, entity store>>, the dashboard also displays the <<entity-entities, **Entities** section>>, where you can view all hosts and users along with their risk and asset criticality data.
-
-[role="screenshot"]
-image::dashboards/images/entity-dashboard.png[Entity Analytics dashboard] 
+If you have enabled the <<entity-store, entity store>>, the dashboard also displays the <<entity-entities, **Entities** section>>, where you can view all hosts, users, and services along with their risk and asset criticality data.
 
 [discrete]
 [[alert-triaging]]
@@ -34,15 +31,15 @@ You can prioritize alert triaging to analyze alerts associated with risky or bus
 
 Use the Alerts table to investigate and analyze:
 
-* Host and user risk levels
-* Host and user risk scores
+* Host, user, and service risk levels
+* Host, user, and service risk scores
 * Asset criticality
 
 To display entity risk score and asset criticality data in the Alerts table, select **Fields**, and add the following:
 
-* `user.risk.calculated_level` or `host.risk.calculated_level`
-* `user.risk.calculated_score_norm` or `host.risk.calculated_score_norm`
-* `user.asset.criticality` or `host.asset.criticality`
+* `user.risk.calculated_level`, `host.risk.calculated_level`, or `service.risk.calculated_level`
+* `user.risk.calculated_score_norm`, `host.risk.calculated_score_norm`, or `service.risk.calculated_score_norm`
+* `user.asset.criticality`, `host.asset.criticality`, or `service.asset.criticality`
 
 Learn more about <<customize-the-alerts-table, customizing the Alerts table>>.
 
@@ -59,24 +56,24 @@ NOTE: If you change the entity's criticality level after an alert is generated,
 
 * Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by:
 
-** `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level:
+** `user.risk.calculated_level`, `host.risk.calculated_level`, or `service.risk.calculated_level` for entity risk level:
 +
 [role="screenshot"]
 image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level]
 
-** `user.asset.criticality` or `host.asset.criticality` for asset criticality level:
+** `user.asset.criticality`, `host.asset.criticality`, or `service.asset.criticality`  for asset criticality level:
 +
 [role="screenshot"]
 image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level]
 
 * To group alerts by entity risk level or asset criticality level, select **Group alerts by**, then select **Custom field** and search for:
 
-** `host.risk.calculated_level` or `user.risk.calculated_level` for entity risk level:
+** `host.risk.calculated_level`, `user.risk.calculated_level`, or `service.risk.calculated_level` for entity risk level:
 +
 [role="screenshot"]
 image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels]
 
-** `host.asset.criticality` or `user.asset.criticality` for asset criticality level:
+** `host.asset.criticality`, `user.asset.criticality`, or `service.asset.criticality` for asset criticality level:
 +
 [role="screenshot"]
 image::images/group-by-asset-criticality.png[Alerts grouped by entity asset criticality levels]
@@ -87,7 +84,7 @@ image::images/group-by-asset-criticality.png[Alerts grouped by entity asset crit
 ... Expand a risk level group (for example, **High**) or an asset criticality group (for example, **high_impact**).
 ... Select **Sort fields** → **Pick fields to sort by**.
 ... Select fields in the following order:
-.... `host.risk.calculated_score_norm` or `user.risk.calculated_score_norm`: **High-Low**
+.... `host.risk.calculated_score_norm`, `user.risk.calculated_score_norm` or `service.risk.calculated_score_norm`: **High-Low**
 .... `Risk score`: **High-Low**
 .... `@timestamp`: **New-Old**
 --
@@ -137,10 +134,10 @@ image::images/host-details-overview.png[Host risk data in the Overview section o
 image::images/host-details-hr-tab.png[Host risk data on the Host risk tab of the host details page]
 
 [discrete]
-[[host-and-user-details-flyouts]]
-=== Host and user details flyouts
+[[entity-details-flyouts]]
+=== Entity details flyouts
 
-In the host details and user details flyouts, you can access the risk score data in the risk summary section:
+In the entity details flyouts, you can access the risk score data in the risk summary section:
 
 [role="screenshot"]
 image::images/risk-summary.png[Host risk data in the Host risk summary section]

docs/advanced-entity-analytics/asset-criticality.asciidoc

@@ -34,12 +34,12 @@ You can view, assign, change, or unassign asset criticality from the following p
 [role="screenshot"]
 image::images/assign-asset-criticality-host-details.png[Assign asset criticality from the host details page]
 
-* The <<host-details-flyout, host details flyout>> and <<user-details-flyout, user details flyout>>:
+* The <<entity-details-flyout, entity details flyout>>:
 +
 [role="screenshot"]
 image::images/assign-asset-criticality-host-flyout.png[Assign asset criticality from the host details flyout]
 
-* The host details flyout and user details flyout in <<timelines-ui, Timeline>>:
+* The entity details flyout in <<timelines-ui, Timeline>>:
 +
 [role="screenshot"]
 image::images/assign-asset-criticality-timeline.png[Assign asset criticality from the host details flyout in Timeline]
@@ -57,8 +57,8 @@ You can bulk assign asset criticality to multiple entities by importing a CSV, T
 
 The file must contain three columns, with each entity record listed on a separate row:
 
-. The first column should indicate whether the entity is a `host` or a `user`.
-. The second column should specify the entity's `host.name` or `user.name`.
+. The first column should indicate whether the entity is a `host`, `user`, or `service`.
+. The second column should specify the entity's `host.name`, `user.name`, or `service.name`.
 . The third column should specify one of the following asset criticality levels:
 ** `extreme_impact`
 ** `high_impact`
@@ -74,6 +74,7 @@ File structure example:
 user,user-001,low_impact
 user,user-002,medium_impact
 host,host-001,extreme_impact
+service,service-001,extreme_impact
 --------------------------------------------------
 
 To import a file:
@@ -112,7 +113,7 @@ The risk scoring engine dynamically factors in an entity's asset criticality, al
 
 To view the impact of asset criticality on an entity's risk score, follow these steps:
 
-. Open the <<host-details-flyout, host details flyout>> or <<user-details-flyout, user details flyout>>. The risk summary section shows asset criticality's contribution to the overall risk score.
+. Open the <<entity-details-flyout, entity details flyout>>. The risk summary section shows asset criticality's contribution to the overall risk score.
 . Click **View risk contributions** to open the flyout's left panel.
 . In the **Risk contributions** section, verify the entity's criticality level from the time the alert was generated.
 

docs/advanced-entity-analytics/entity-risk-scoring.asciidoc

@@ -8,7 +8,7 @@ If you’ve installed the original user and host risk score modules, refer to {s
 
 Entity risk scoring is an advanced {elastic-sec} analytics feature that helps security analysts detect changes in an entity's risk posture, hunt for new threats, and prioritize incident response.
 
-Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days.
+Entity risk scoring allows you to monitor risk score changes of hosts, users, and services in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host, user, and service risk scores from the last 30 days.
 
 It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all {elastic-sec} use cases, and allows you to customize and control how and when risk is calculated.
 
@@ -38,7 +38,7 @@ NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigne
 +
 NOTE: When <<turn-on-risk-engine, turning on the risk engine>>, you can choose to also include `Closed` alerts in risk scoring calculations.
 
-. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.
+. The engine groups alerts by `host.name`, `user.name`, or `service.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<entity-risk-summary, risk summary>>.
 
 . The engine then verifies the entity's <<asset-criticality, asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.
 +

docs/advanced-entity-analytics/entity-store.asciidoc

@@ -18,11 +18,11 @@ The entity store allows you to query, reconcile, maintain, and persist entity me
 
 The entity store can hold any entity type observed by {elastic-sec}. It allows you to view and query select entities represented in your indices  without needing to perform real-time searches of observable data. The entity store extracts entities from all indices in the {elastic-sec} <<default-data-view-security, default data view>>.
 
-When the entity store is enabled, the following resources are generated for each entity type (hosts and users):
+When the entity store is enabled, the following resources are generated for each entity type (hosts, users, and services):
 
 * {es} resources, such as transforms, ingest pipelines, and enrich policies.
 * Data and fields for each entity.
-* The `.entities.v1.latest.security_user_<space-id>` and `.entities.v1.latest.security_host_<space-id>` indices, which contain field mappings for hosts and users respectively. You can query these indices to see a list of fields that are mapped in the entity store.
+* The `.entities.v1.latest.security_user_<space-id>`, `.entities.v1.latest.security_host_<space-id>`, and `.entities.v1.latest.security_services_<space-id>` indices, which contain field mappings for hosts, users, and services respectively. You can query these indices to see a list of fields that are mapped in the entity store.
 
 [discrete]
 [[enable-entity-store]]
@@ -39,13 +39,19 @@ Once you enable the entity store, the Entity Analytics dashboard displays the <<
 [[clear-entity-store]]
 == Clear entity store data
 
-Once the entity store is enabled, you may want to clear the stored data and start fresh. For example, if you normalized the `user.name` or `host.name` fields, clearing the entity store data would allow you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis.
+Once the entity store is enabled, you may want to clear the stored data and start fresh. For example, if you normalized the `user.name`, `host.name`, or `service.name` fields, clearing the entity store data would allow you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis.
 
 Clearing entity store data does not delete your source data, assigned entity risk scores, or asset criticality assignments.
 
-CAUTION: Clearing entity store data permanently deletes persisted user and host records, and data is no longer available for analysis. Proceed with caution, as this cannot be undone.
+CAUTION: Clearing entity store data permanently deletes persisted user, host, and service records, and data is no longer available for analysis. Proceed with caution, as this cannot be undone.
 
 To clear entity data:
 
 . Find **Entity Store** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
-. On the **Entity Store** page, select **Clear**.
+. On the **Entity Store** page, select **Clear**.
+
+[discrete]
+[[verify-engine-status]]
+== Verify engine status
+
+Once the entity store is enabled, the **Entity Store** page displays the **Engine Status** tab, where you can verify which engines are installed and their statuses. This tab shows a list of installed resources for each installed entity. Click the resource link to navigate to the resource page and view more information.

docs/advanced-entity-analytics/ers-req.asciidoc

@@ -40,7 +40,7 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v
 [discrete]
 === Known limitations
 
-The risk scoring engine uses an internal user role to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores.
+The risk scoring engine uses an internal user role to score all hosts, users, and services, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host, user, and service risk scores.
 
 [discrete]
 == Asset criticality

docs/advanced-entity-analytics/images/preview-risky-entities.png

@@ -6,15 +6,12 @@ IMPORTANT: To use entity risk scoring, your role must have the appropriate privi
 [discrete]
 == Preview risky entities
 
-You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker.
+You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts, users, and services found in the 1000 sampled entities during the time frame selected in the date picker.
 
 NOTE: The preview is limited to two risk scores per {kib} instance.
 
 To preview risky entities, find **Entity Risk Score** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 
-[role="screenshot"]
-image::images/preview-risky-entities.png[Preview of risky entities]
-
 [discrete]
 == Turn on the latest risk engine