From d7977409fc5bd5223f72ff0eacec58fd7b700111 Mon Sep 17 00:00:00 2001 From: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:11:33 -0400 Subject: [PATCH 1/5] Update .backportrc.json (#5835) Add `8.x` branch to backport. --- .backportrc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.backportrc.json b/.backportrc.json index 93386e593f..07d7e72d40 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -1,5 +1,5 @@ { "upstream": "elastic/security-docs", - "branches": ["8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"], + "branches": ["8.x", "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"], "labels": ["backport"] } From 7ece47616f1a906a149e94a2be81ef8b441e6f40 Mon Sep 17 00:00:00 2001 From: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:13:10 -0400 Subject: [PATCH 2/5] Update .mergify.yml (#5834) Adds mergify option for 8.16, which is to branch 8x. --- .mergify.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.mergify.yml b/.mergify.yml index 52352bba3c..6155a6d011 100644 --- a/.mergify.yml +++ b/.mergify.yml @@ -13,6 +13,20 @@ pull_request_rules: git merge upstream/{{base}} git push upstream {{head}} ``` + - name: backport patches to 8.16 branch + conditions: + - merged + - base=main + - label=v8.16.0 + actions: + backport: + assignees: + - "{{ author }}" + branches: + - "8.x" + title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})" + labels: + - backport - name: backport patches to 8.15 branch conditions: - merged From 13530eaf92708ab10b3de51e6f94270b4fc199c6 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 17 Sep 2024 13:26:02 -0400 Subject: [PATCH 3/5] [DE Team][8.16] Case system action being added for rules (#5703) * First draft * Fixed header level --- docs/detections/rules-ui-create.asciidoc | 29 ++++++++++------------- docs/serverless/rules/rules-ui-create.mdx | 6 ----- 2 files changed, 13 insertions(+), 22 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index dcb8574274..8b44ed230e 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -13,7 +13,7 @@ To create a new detection rule, follow these steps: . Configure basic rule settings. . Configure advanced rule settings (optional). . Set the rule's schedule. -. Set up alert notifications (optional). +. Set up rule actions (optional). . Set up response actions (optional). .Requirements @@ -616,9 +616,6 @@ run exactly at its scheduled time. `Additional look-back time` are _not_ created. ============== . Click *Continue*. The *Rule actions* pane is displayed. -+ -[role="screenshot"] -image::images/available-action-types.png[Available connector types] . Do either of the following: @@ -627,23 +624,26 @@ image::images/available-action-types.png[Available connector types] [float] [[rule-notifications]] -=== Set up alert notifications (optional) +=== Set up rule actions (optional) -Use {kib} Actions to set up notifications sent via other systems when alerts +Use {kib} actions to set up notifications sent via other systems when alerts are generated. -NOTE: To use {kib} Actions for alert notifications, you need the +NOTE: To use {kib} actions for alert notifications, you need the https://www.elastic.co/subscriptions[appropriate license] and your role needs *All* privileges for the *Action and Connectors* feature. For more information, see <>. . Select a connector type to determine how notifications are sent. For example, if you select the {jira} connector, notifications are sent to your {jira} system. + -NOTE: Each action type requires a connector. Connectors store the +[NOTE] +===== +Each action type requires a connector. Connectors store the information required to send the notification from the external system. You can configure connectors while creating the rule or in *{stack-manage-app}* -> *{connectors-ui}*. For more information, see {kibana-ref}/action-types.html[Action and connector types]. -+ -[role="screenshot"] -image::images/available-action-types.png[Available connector types] + +Some connectors that perform actions require less configuration. For example, you do not need to set the action frequency or variables for the {kibana-ref}/cases-action-type.html[Cases connector] + +===== . After you select a connector, set its action frequency to define when notifications are sent: @@ -775,8 +775,8 @@ Example using the mustache "current element" notation `{{.}}` to output all the [float] [[rule-response-action]] -=== Set up response actions (optional) -Use Response Actions to set up additional functionality that will run whenever a rule executes: +==== Set up response actions (optional) +Use response actions to set up additional functionality that will run whenever a rule executes: * **Osquery**: Include live Osquery queries with a custom query rule. When an alert is generated, Osquery automatically collects data on the system related to the alert. Refer to <> to learn more. @@ -784,9 +784,6 @@ Use Response Actions to set up additional functionality that will run whenever a IMPORTANT: Host isolation involves quarantining a host from the network to prevent further spread of threats and limit potential damage. Be aware that automatic host isolation can cause unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. -[role="screenshot"] -image::images/available-response-actions.png[Shows available response actions] - [discrete] [[preview-rules]] === Preview your rule (optional) diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index ee61b4ba02..4189eb8bdf 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx @@ -662,8 +662,6 @@ When configuring an ((esql)) rule's **setting up alert notifications and Response Actions (optional). @@ -690,8 +688,6 @@ To use actions for alert notifications, you need the appropriate user role. For Some connectors that perform actions require less configuration. For example, you do not need to set the action frequency or variables for the [Cases connector](((kibana-ref))/cases-action-type.html). - ![Available connector types](../images/rules-ui-create/-detections-available-action-types.png) - 1. After you select a connector, set its action frequency to define when notifications are sent: * **Summary of alerts**: Select this option to get a report that summarizes generated alerts, which you can review at your convenience. Alert summaries will be sent at the specified time intervals. @@ -845,8 +841,6 @@ Use response actions to set up additional functionality that will run whenever a Host isolation involves quarantining a host from the network to prevent further spread of threats and limit potential damage. Be aware that automatic host isolation can cause unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. -![Shows available response actions](../images/rules-ui-create/-detections-available-response-actions.png) -
## Preview your rule (optional) From 5e7608dd9dc64030d12371514626e0797f30cd35 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 17 Sep 2024 14:49:52 -0400 Subject: [PATCH 4/5] Update serverless billing docs with ingest & retention size calculations (#5796) * Add details: ingest & retention calculation * Minor change to trigger AsciiDoc build --- docs/serverless/billing.mdx | 2 ++ docs/whats-new.asciidoc | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/serverless/billing.mdx b/docs/serverless/billing.mdx index 3b12f7e337..613b14db70 100644 --- a/docs/serverless/billing.mdx +++ b/docs/serverless/billing.mdx @@ -17,6 +17,8 @@ Your monthly bill is based on the capabilities you use. When you use Security An * **Ingest** — Measured by the number of GB of log/event/info data that you send to your Security project over the course of a month. * **Retention** — Measured by the total amount of ingested data stored in your Security project. +Data volumes for both ingest and retention are based on the uncompressed data size at the point of ingest, before ((es)) compression is performed, and will be higher than the volumes traditionally reported by ((es)) index size. In addition, these volumes might be larger than the volumes reported by cloud provider proxy logs for data going into ((es)). + ## Endpoint Protection Endpoint Protection is an _optional_ add-on to Security Analytics that provides on-endpoint protection and prevention. Endpoint Protection is available in two tiers of selected features to enable common endpoint security operations: diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index f24db7abbd..d38bdd5da4 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc @@ -24,7 +24,7 @@ You can now interact with and manage {security-guide}/security-assistant.html[El preview:[] {security-guide}/automatic-import.html[Automatic Import] uses AI to create integrations for your custom data sources. [role="screenshot"] -image::whats-new/images/8.15/auto-import-success-message.png[The Automatic Import success message, 80%] +image::whats-new/images/8.15/auto-import-success-message.png[Automatic Import success message, 80%] [float] == Entity Analytics enhancements From 9c34da7f3d5a740527bedf6c46bc8e94e1d0a86f Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 18 Sep 2024 09:39:31 -0400 Subject: [PATCH 5/5] SentinelOne bidirectional `processes`, `kill-process`, and detection rule updates [ESS] (#5735) * Fix no-op typo in MDX * Draft all the changes from serverless * Remove weird extra spaces * Fix table header row --- .../admin/response-actions-config.asciidoc | 23 +++++++++++-------- .../admin/response-actions.asciidoc | 11 +++++++++ .../admin/third-party-actions.asciidoc | 11 +++++++++ .../response-actions-config.mdx | 2 +- 4 files changed, 37 insertions(+), 10 deletions(-) diff --git a/docs/management/admin/response-actions-config.asciidoc b/docs/management/admin/response-actions-config.asciidoc index d64e2826b9..e38ab3022a 100644 --- a/docs/management/admin/response-actions-config.asciidoc +++ b/docs/management/admin/response-actions-config.asciidoc @@ -113,16 +113,21 @@ IMPORTANT: Do not create more than one SentinelOne connector. - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts. .. Click **Save**. -. **Create and enable a rule to generate {elastic-sec} alerts.** Create a <> to generate {elastic-sec} alerts whenever SentinelOne generates alerts. +. **Create and enable detection rules to generate {elastic-sec} alerts.** Create <> to generate {elastic-sec} alerts based on SentinelOne events and data. + -Use these settings when creating the custom query rule to target the data collected from SentinelOne: +This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. + --- -- **Index patterns**: `logs-sentinel_one.alert*` -- **Custom query**: `observer.serial_number:*` --- +When creating a rule, you can target any event containing a SentinelOne agent ID field. Use one or more of these index patterns: + -NOTE: Do not include any other index patterns or query parameters. +[cols="1,1"] +|=== +|Index pattern |SentinelOne agent ID field + +|`logs-sentinel_one.alert*` |`sentinel_one.alert.agent.id` +|`logs-sentinel_one.threat*` |`sentinel_one.threat.agent.id` +|`logs-sentinel_one.activity*` |`sentinel_one.activity.agent.id` +|`logs-sentinel_one.agent*` |`sentinel_one.agent.agent.id` +|=== + -This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu in the alert details flyout. -==== \ No newline at end of file +NOTE: Do not include any other index patterns. +==== diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index 15d57085d2..277cb9e680 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc @@ -69,6 +69,7 @@ Example: `release --comment "Release host, everything looks OK"` Show information about the host's status, including: {agent} status and version, the {elastic-defend} integration's policy status, and when the host was last active. [discrete] +[[processes]] === `processes` Show a list of all processes running on the host. This action may take a minute or so to complete. @@ -81,7 +82,10 @@ Use this command to get current PID or entity ID values, which are required for Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system. ==== +NOTE: Running this command on third-party-protected hosts might return the process list in a different format. Refer to <> for more information. + [discrete] +[[kill-process]] === `kill-process` Terminate a process. You must include one of the following parameters to identify the process to terminate: @@ -93,6 +97,13 @@ Required privilege: *Process Operations* Example: `kill-process --pid 123 --comment "Terminate suspicious process"` +[NOTE] +==== +For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported. + +Example: `kill-process --processName cat --comment "Terminate suspicious process"` +==== + [discrete] === `suspend-process` diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc index 4daea36693..27dece4a79 100644 --- a/docs/management/admin/third-party-actions.asciidoc +++ b/docs/management/admin/third-party-actions.asciidoc @@ -52,4 +52,15 @@ Refer to the instructions on <> and <>. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file. + +* **Terminate a process running on a host** with the <>. ++ +[NOTE] +==== +For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported. + +Example: `kill-process --processName cat --comment "Terminate suspicious process"` +==== + * **View past response action activity** in the <> log. diff --git a/docs/serverless/endpoint-response-actions/response-actions-config.mdx b/docs/serverless/endpoint-response-actions/response-actions-config.mdx index 7cc57e528a..983060651e 100644 --- a/docs/serverless/endpoint-response-actions/response-actions-config.mdx +++ b/docs/serverless/endpoint-response-actions/response-actions-config.mdx @@ -117,7 +117,7 @@ Select a tab below for your endpoint security system: | Index pattern | SentinelOne agent ID field | | ----------------------------- | -------------------------------- | | `logs-sentinel_one.alert*` | `sentinel_one.alert.agent.id` | - | `logs-sentinel_one.threat*` | `sentinel_one.threat.agent.id` | + | `logs-sentinel_one.threat*` | `sentinel_one.threat.agent.id` | | `logs-sentinel_one.activity*` | `sentinel_one.activity.agent.id` | | `logs-sentinel_one.agent*` | `sentinel_one.agent.agent.id` |