diff --git a/images/security-alert-indices-ui.png b/images/security-detections-alert-indices-ui.png similarity index 100% rename from images/security-alert-indices-ui.png rename to images/security-detections-alert-indices-ui.png diff --git a/images/serverless--detections-alert-indices-ui.png b/images/serverless--detections-alert-indices-ui.png deleted file mode 100644 index 8344624d7..000000000 Binary files a/images/serverless--detections-alert-indices-ui.png and /dev/null differ diff --git a/raw-migrated-files/docs-content/serverless/security-building-block-rules.md b/raw-migrated-files/docs-content/serverless/security-building-block-rules.md deleted file mode 100644 index bef6002fe..000000000 --- a/raw-migrated-files/docs-content/serverless/security-building-block-rules.md +++ /dev/null 
@@ -1,29 +0,0 @@ -# Use building block rules [security-building-block-rules] - -Create building block rules when you do not want to see their generated alerts in the UI. This is useful when you want: - -* A record of low-risk alerts without producing noise in the Alerts table. -* Rules that execute on the alert indices (`.alerts-security.alerts-`). You can then use building block rules to create hidden alerts that act as a basis for an *ordinary* rule to generate visible alerts. - - -## Set up rules that run on alert indices [security-building-block-rules-set-up-rules-that-run-on-alert-indices] - -To create a rule that searches alert indices, select **Index Patterns** as the rule’s **Source** and enter the index pattern for alert indices (`.alerts-security.alerts-*`): - -:::{image} ../../../images/serverless--detections-alert-indices-ui.png -:alt: detections alert indices ui -:class: screenshot -::: - - -## View building block alerts in the UI [security-building-block-rules-view-building-block-alerts-in-the-ui] - -By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. - -1. Go to **Alerts**. -2. In the Alerts table, select **Additional filters** → **Include building block alerts**, located on the far-right. - -::::{note} -On a building block rule details page, the rule’s alerts are displayed (by default, **Include building block alerts** is selected). - -:::: diff --git a/raw-migrated-files/docs-content/serverless/security-rules-coverage.md b/raw-migrated-files/docs-content/serverless/security-rules-coverage.md deleted file mode 100644 index 1eb7a0df2..000000000 --- a/raw-migrated-files/docs-content/serverless/security-rules-coverage.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# MITRE ATT&CK® coverage [security-rules-coverage] - -The **MITRE ATT&CK® coverage** page (**Rules** → **MITRE ATT&CK® Coverage**) shows which [MITRE ATT&CK®](https://attack.mitre.org) adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules. - -Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cells within each column represent a tactic’s related techniques. Cells are darker when a technique has more rules matching the current filters, as indicated in the **Legend** at the top. - -::::{note} -This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to the following [MITRE ATT&CK® version](https://attack.mitre.org/resources/updates/updates-april-2024) used by {{elastic-sec}}: `v15.1`. Elastic prebuilt rules that aren’t installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map. - -You can map custom rules to tactics in **Advanced settings** when creating or editing a rule. - -:::: - - -:::{image} ../../../images/serverless--detections-rules-coverage.png -:alt: MITRE ATT&CK® coverage page -:class: screenshot -::: - - -## Filter rules [security-rules-coverage-filter-rules] - -Use the drop-down filters at the top of the page to control which of your installed detection rules are included in calculating coverage. - -* **Installed rule status**: Select to include **Enabled rules**, **Disabled rules**, or both. -* **Installed rule type**: Select to include **Elastic rules** (prebuilt rules), **Custom rules** (user-created rules), or both. - -You can also search for a tactic or technique name, technique number, or rule name in the search bar. The search bar acts as a filter for the coverage grid: only rules matching the search term will be included. 
- -::::{note} -Searches for tactics and techniques must match exactly, are case sensitive, and do *not* support wildcards. - -:::: - - - -## Expand and collapse cells [security-rules-coverage-expand-and-collapse-cells] - -Click **Collapse cells** or **Expand cells** to change how much information the cells display. Cells always include the technique’s name and the number of sub-techniques covered by enabled rules. Expand the cells to also display counts of disabled and enabled rules for each technique. - -::::{note} -The counts inside cells are affected by how you filter the page. For example, if you filter the **Installed rule status** to only include **Enabled rules**, then all disabled rule counts will be 0 because disabled rules are filtered out. - -:::: - - - -## Enable rules [security-rules-coverage-enable-rules] - -You can quickly enable all the rules for a specific technique that you’ve installed, but not enabled. Click the technique’s cell, then click **Enable all disabled** in the popup that appears. - - -## Learn more about techniques and sub-techniques [security-rules-coverage-learn-more-about-techniques-and-sub-techniques] - -For more information on a specific technique and its sub-techniques, click the technique’s cell, then click the title in the popup that appears. This opens a new browser tab with the technique’s MITRE ATT&CK® documentation. diff --git a/raw-migrated-files/docs-content/serverless/security-ui.md b/raw-migrated-files/docs-content/serverless/security-ui.md index 82f50c231..0663c8a6b 100644 --- a/raw-migrated-files/docs-content/serverless/security-ui.md +++ b/raw-migrated-files/docs-content/serverless/security-ui.md 
@@ -113,6 +113,8 @@ Expand this section to access the following pages: :class: screenshot ::: +% When we delete this page, we can also delete the serverless--detections-rules-coverage.png file because it's no longer referenced in the Security docs or elsewhere. + * [**MITRE ATT&CK® coverage**](../../../solutions/security/detect-and-alert/mitre-attandckr-coverage.md): Review your coverage of MITRE ATT&CK® tactics and techniques, based on installed rules. :::{image} ../../../images/serverless--detections-rules-coverage.png diff --git a/raw-migrated-files/security-docs/security/building-block-rule.md b/raw-migrated-files/security-docs/security/building-block-rule.md deleted file mode 100644 index 504288d83..000000000 --- a/raw-migrated-files/security-docs/security/building-block-rule.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# About building block rules [building-block-rule] - -Create building block rules when you do not want to see their generated alerts in the UI. This is useful when you want: - -* A record of low-risk alerts without producing noise in the Alerts table. -* Rules that execute on the alert indices (`.alerts-security.alerts-`). You can then use building block rules to create hidden alerts that act as a basis for an *ordinary* rule to generate visible alerts. - - -## Set up rules that run on alert indices [_set_up_rules_that_run_on_alert_indices] - -To create a rule that searches alert indices, select **Index Patterns** as the rule’s **Source** and enter the index pattern for alert indices (`.alerts-security.alerts-*`): - -:::{image} ../../../images/security-alert-indices-ui.png -:alt: alert indices ui -:class: screenshot -::: - - -## View building block alerts in the UI [_view_building_block_alerts_in_the_ui] - -By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. - -1. Find **Alerts** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. In the Alerts table, select **Additional filters** → **Include building block alerts**, located on the far-right. - -::::{note} -On a building block rule details page, the rule’s alerts are displayed (by default, **Include building block alerts** is selected). -:::: diff --git a/raw-migrated-files/security-docs/security/rules-coverage.md b/raw-migrated-files/security-docs/security/rules-coverage.md deleted file mode 100644 index 0e1cf57e1..000000000 --- a/raw-migrated-files/security-docs/security/rules-coverage.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# MITRE ATT&CK® coverage [rules-coverage] - -The **MITRE ATT&CK® coverage** page shows which [MITRE ATT&CK®](https://attack.mitre.org) adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules. - -Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cells within each column represent a tactic’s related techniques. Cells are darker when a technique has more rules matching the current filters, as indicated in the **Legend** at the top. - -To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to **MITRE ATT&CK® coverage**. - -::::{note} -This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to the following [MITRE ATT&CK® version](https://attack.mitre.org/resources/updates/updates-april-2024) used by {{elastic-sec}}: `v15.1`. Elastic prebuilt rules that aren’t installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map. - -You can map custom rules to tactics in **Advanced settings** when creating or editing a rule. - -:::: - - -:::{image} ../../../images/security-rules-coverage.png -:alt: MITRE ATT&CK® coverage page -:class: screenshot -::: - - -## Filter rules [_filter_rules] - -Use the drop-down filters at the top of the page to control which of your installed detection rules are included in calculating coverage. - -* **Installed rule status**: Select to include **Enabled rules**, **Disabled rules**, or both. -* **Installed rule type**: Select to include **Elastic rules** (prebuilt rules), **Custom rules** (user-created rules), or both. 
- -You can also search for a tactic or technique name, technique number, or rule name in the search bar. The search bar acts as a filter for the coverage grid: only rules matching the search term will be included. - -::::{note} -Searches for tactics and techniques must match exactly, are case sensitive, and do *not* support wildcards. -:::: - - - -## Expand and collapse cells [_expand_and_collapse_cells] - -Click **Collapse cells** or **Expand cells** to change how much information the cells display. Cells always include the technique’s name and the number of sub-techniques covered by enabled rules. Expand the cells to also display counts of disabled and enabled rules for each technique. - -::::{note} -The counts inside cells are affected by how you filter the page. For example, if you filter the **Installed rule status** to only include **Enabled rules**, then all disabled rule counts will be 0 because disabled rules are filtered out. -:::: - - - -## Enable rules [_enable_rules] - -You can quickly enable all the rules for a specific technique that you’ve installed, but not enabled. Click the technique’s cell, then click **Enable all disabled** in the popup that appears. - - -## Learn more about techniques and sub-techniques [_learn_more_about_techniques_and_sub_techniques] - -For more information on a specific technique and its sub-techniques, click the technique’s cell, then click the title in the popup that appears. This opens a new browser tab with the technique’s MITRE ATT&CK® documentation. diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 9f3d4bff7..7c81df6be 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml 
@@ -416,7 +416,6 @@ toc: - file: docs-content/serverless/security-benchmark-rules-kspm.md - file: docs-content/serverless/security-benchmark-rules.md - file: docs-content/serverless/security-blocklist.md - - file: docs-content/serverless/security-building-block-rules.md - file: docs-content/serverless/security-cases-open-manage.md - file: docs-content/serverless/security-cases-overview.md - file: docs-content/serverless/security-cases-requirements.md @@ -497,7 +496,6 @@ toc: - file: docs-content/serverless/security-response-actions-history.md - file: docs-content/serverless/security-response-actions.md - file: docs-content/serverless/security-rule-monitoring-dashboard.md - - file: docs-content/serverless/security-rules-coverage.md - file: docs-content/serverless/security-rules-create.md - file: docs-content/serverless/security-rules-ui-management.md - file: docs-content/serverless/security-runtime-fields.md @@ -794,7 +792,6 @@ toc: - file: security-docs/security/behavioral-detection-use-cases.md - file: security-docs/security/benchmark-rules.md - file: security-docs/security/blocklist.md - - file: security-docs/security/building-block-rule.md - file: security-docs/security/case-permissions.md - file: security-docs/security/cases-manage-settings.md - file: security-docs/security/cases-open-manage.md @@ -875,7 +872,6 @@ toc: - file: security-docs/security/response-actions-history.md - file: security-docs/security/response-actions.md - file: security-docs/security/rule-monitoring-dashboard.md - - file: security-docs/security/rules-coverage.md - file: security-docs/security/rules-ui-create.md - file: security-docs/security/rules-ui-management.md - file: security-docs/security/runtime-fields.md diff --git a/solutions/security/detect-and-alert/about-building-block-rules.md b/solutions/security/detect-and-alert/about-building-block-rules.md index 9c52d0807..fa9fed7f1 100644 --- a/solutions/security/detect-and-alert/about-building-block-rules.md 
+++ b/solutions/security/detect-and-alert/about-building-block-rules.md 
@@ -4,11 +4,34 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-building-block-rules.html --- -# About building block rules +# Use building block rules [security-building-block-rules] -% What needs to be done: Lift-and-shift +Create building block rules when you do not want to see their generated alerts in the UI. This is useful when you want: + +* A record of low-risk alerts without producing noise in the Alerts table. +* Rules that execute on the alert indices (`.alerts-security.alerts-`). You can then use building block rules to create hidden alerts that act as a basis for an *ordinary* rule to generate visible alerts. + + +## Set up rules that run on alert indices [security-building-block-rules-set-up-rules-that-run-on-alert-indices] + +To create a rule that searches alert indices, select **Index Patterns** as the rule’s **Source** and enter the index pattern for alert indices (`.alerts-security.alerts-*`): + +:::{image} ../../../images/security-detections-alert-indices-ui.png +:alt: Detections alert indices UI +:class: screenshot +::: + + +## View building block alerts in the UI [security-building-block-rules-view-building-block-alerts-in-the-ui] + +By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. + +1. Find **Alerts** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. In the Alerts table, select **Additional filters** → **Include building block alerts**, located on the far-right. + +::::{note} +On a building block rule details page, the rule’s alerts are displayed (by default, **Include building block alerts** is selected). 
+ +:::: -% Use migrated content from existing pages that map to this page: -% - [ ] ./raw-migrated-files/security-docs/security/building-block-rule.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-building-block-rules.md \ No newline at end of file diff --git a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md index cd818e173..91a0fcc43 100644 --- a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md +++ b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md 
@@ -4,11 +4,60 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-rules-coverage.html --- -# MITRE ATT&CK® coverage +# MITRE ATT&CK® coverage [rules-coverage] -% What needs to be done: Lift-and-shift +The **MITRE ATT&CK® coverage** page shows which [MITRE ATT&CK®](https://attack.mitre.org) adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules. -% Use migrated content from existing pages that map to this page: +Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cells within each column represent a tactic’s related techniques. Cells are darker when a technique has more rules matching the current filters, as indicated in the **Legend** at the top. -% - [ ] ./raw-migrated-files/security-docs/security/rules-coverage.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-rules-coverage.md \ No newline at end of file +To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to **MITRE ATT&CK® coverage**. + +%The following note was included in Serverless docs too, despite it having details that are only relevant for ESS users. Will need to revisit this note at a later time to apply the proper versioning notes or to update. + +::::{note} +This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to the following [MITRE ATT&CK® version](https://attack.mitre.org/resources/updates/updates-april-2024) used by {{elastic-sec}}: `v15.1`. Elastic prebuilt rules that aren’t installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map. 
+ +You can map custom rules to tactics in **Advanced settings** when creating or editing a rule. + +:::: + + +:::{image} ../../../images/security-rules-coverage.png +:alt: MITRE ATT&CK® coverage page +:class: screenshot +::: + + +## Filter rules [_filter_rules] + +Use the drop-down filters at the top of the page to control which of your installed detection rules are included in calculating coverage. + +* **Installed rule status**: Select to include **Enabled rules**, **Disabled rules**, or both. +* **Installed rule type**: Select to include **Elastic rules** (prebuilt rules), **Custom rules** (user-created rules), or both. + +You can also search for a tactic or technique name, technique number, or rule name in the search bar. The search bar acts as a filter for the coverage grid: only rules matching the search term will be included. + +::::{note} +Searches for tactics and techniques must match exactly, are case sensitive, and do *not* support wildcards. +:::: + + + +## Expand and collapse cells [_expand_and_collapse_cells] + +Click **Collapse cells** or **Expand cells** to change how much information the cells display. Cells always include the technique’s name and the number of sub-techniques covered by enabled rules. Expand the cells to also display counts of disabled and enabled rules for each technique. + +::::{note} +The counts inside cells are affected by how you filter the page. For example, if you filter the **Installed rule status** to only include **Enabled rules**, then all disabled rule counts will be 0 because disabled rules are filtered out. +:::: + + + +## Enable rules [_enable_rules] + +You can quickly enable all the rules for a specific technique that you’ve installed, but not enabled. Click the technique’s cell, then click **Enable all disabled** in the popup that appears. 
+ + +## Learn more about techniques and sub-techniques [_learn_more_about_techniques_and_sub_techniques] + +For more information on a specific technique and its sub-techniques, click the technique’s cell, then click the title in the popup that appears. This opens a new browser tab with the technique’s MITRE ATT&CK® documentation.
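Review bot: In the `security-ui.md` hunk, the added `%` comment ("When we delete this page, we can also delete the serverless--detections-rules-coverage.png file") is an untracked TODO in page source; it would be better recorded in a tracking issue or the PR description so it is not lost when the page is later removed. The reasoning is sound for now, since the `:::{image} ../../../images/serverless--detections-rules-coverage.png` line directly below still references that file, which is why this PR deletes `serverless--detections-alert-indices-ui.png` but keeps this one.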
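Review bot: In the `about-building-block-rules.md` hunk, the index pattern is written inconsistently: the bullet says `Rules that execute on the alert indices (\`.alerts-security.alerts-\`)` without a wildcard, while the later sentence uses `.alerts-security.alerts-*`; the bullet should use the same `.alerts-security.alerts-*` form, since the bare prefix is not a usable pattern. Also, the title changes from `# About building block rules` to `# Use building block rules [security-building-block-rules]` while the file is still named `about-building-block-rules.md`; confirm the title change is intended and that any nav entry matches. Finally, this page takes its heading anchor from the serverless source (`security-building-block-rules`), whereas the MITRE page in the same PR takes its anchor from the ESS source (`rules-coverage`); pick one convention across both migrated pages so deep links from the `mapped_urls` behave predictably.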
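Review bot: In the `mitre-attandckr-coverage.md` hunk, the access instructions are ESS-only: the new page says to find **Detection rules (SIEM)** in the navigation menu, but the deleted serverless source (`security-rules-coverage.md`) reaches the page via **Rules** → **MITRE ATT&CK® Coverage**, and this page keeps the serverless URL in `mapped_urls`; the sentence should cover both paths or carry a versioning note. The `%The following note was included in Serverless docs too...` comment needs a space after `%` to match the other comments in this PR, and it already flags the `v15.1` note as needing proper versioning, so an `applies_to` or equivalent marker would be the cleaner fix now rather than a comment. The section anchors (`[_filter_rules]`, `[_expand_and_collapse_cells]`, `[_enable_rules]`, `[_learn_more_about_techniques_and_sub_techniques]`) are the auto-generated ESS ids; the deleted serverless page used explicit ids such as `security-rules-coverage-filter-rules`, so existing serverless fragment links will not resolve unless those ids are kept as well.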