From 30678645acd205d77796ab8851a484f2e2189f2e Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 11 Sep 2024 14:48:41 -0400 Subject: [PATCH 1/8] Add previously omitted spaces page, align with ESS --- docs/getting-started/security-spaces.asciidoc | 2 +- docs/serverless/security-spaces.mdx | 18 ++++++++++++++++++ .../serverless/serverless-security.docnav.json | 7 ++++++- 3 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 docs/serverless/security-spaces.mdx diff --git a/docs/getting-started/security-spaces.asciidoc b/docs/getting-started/security-spaces.asciidoc index 0e06ee2d83..81c20356de 100644 --- a/docs/getting-started/security-spaces.asciidoc +++ b/docs/getting-started/security-spaces.asciidoc @@ -2,7 +2,7 @@ = Spaces and {elastic-sec} {elastic-sec} supports the organization of your security operations into -logical instances with the {kibana-ref}/xpack-spaces.html[{kib} spaces] +logical instances with the {kibana-ref}/xpack-spaces.html[spaces] feature. Each space in {kib} represents a separate logical instance of {elastic-sec} in which detection rules, rule exceptions, value lists, alerts, Timelines, cases, and {kib} advanced settings are private to the diff --git a/docs/serverless/security-spaces.mdx b/docs/serverless/security-spaces.mdx new file mode 100644 index 0000000000..2d547bb41e --- /dev/null +++ b/docs/serverless/security-spaces.mdx 
@@ -0,0 +1,18 @@ +--- +slug: /serverless/security/security-spaces +title: Spaces and ((elastic-sec)) +description: Learn how spaces work in ((elastic-sec)) +tags: [ 'serverless', 'security', 'reference' ] +--- + +{/* TO DO: Replace link below (which points to ESS docs) with page in serverless general docs (once it's added). */} + +((elastic-sec)) supports the organization of your security operations into logical instances with the [spaces](((kibana-ref))/xpack-spaces.html) feature. Each space in ((kib)) represents a separate logical instance of ((elastic-sec)) in which detection rules, rule exceptions, value lists, alerts, Timelines, cases, and ((kib)) advanced settings are private to the space and accessible only by users that have role privileges to access the space. For details about configuring privileges for ((es)) and ((kib)), refer to . + +For example, if you create a `SOC_prod` space in which you load and activate all the ((elastic-sec)) prebuilt detection rules, these rules and any detection alerts they generate will be accessible only when visiting the ((security-app)) in the `SOC_prod` space. If you then create a new `SOC_dev` space, you'll notice that no detection rules or alerts are present. Any rules subsequently loaded or created here will be private to the `SOC_dev` space, and they will run independently of those in the `SOC_prod` space. + + + By default, alerts created by detection rules are stored in ((es)) indices under the `.alerts-security.alerts-` index pattern, and they may be accessed by any user with role privileges to access those ((es)) indices. In our example above, any user with ((es)) privileges to access `.alerts-security.alerts-SOC_prod` will be able to view `SOC_prod` alerts from within ((es)) and other ((kib)) apps such as Discover. 
+ + To ensure that detection alert data remains private to the space in which it was created, ensure that the roles assigned to your ((elastic-sec)) users include ((es)) privileges that limit their access to alerts within their space's alerts index. + diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json index 737bd4969e..99dd48fd76 100644 --- a/docs/serverless/serverless-security.docnav.json +++ b/docs/serverless/serverless-security.docnav.json @@ -17,7 +17,12 @@ }, { "slug": "/serverless/security/security-ui", - "classic-sources": [ "enSecurityEsUiOverview" ] + "classic-sources": [ "enSecurityEsUiOverview" ], + "items": [ + { + "slug": "/serverless/security/security-spaces" + } + ] }, { "label": "AI for security", From 985c99f2849c1f6109430a13f0490e727162112b Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 11 Sep 2024 15:04:52 -0400 Subject: [PATCH 2/8] Fix typo in description frontmatter --- docs/serverless/security-spaces.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/serverless/security-spaces.mdx b/docs/serverless/security-spaces.mdx index 2d547bb41e..a9209b0cb4 100644 --- a/docs/serverless/security-spaces.mdx +++ b/docs/serverless/security-spaces.mdx @@ -1,7 +1,7 @@ --- slug: /serverless/security/security-spaces title: Spaces and ((elastic-sec)) -description: Learn how spaces work in ((elastic-sec)) +description: Learn how spaces work in ((elastic-sec)). tags: [ 'serverless', 'security', 'reference' ] --- From 73fd7849c2d6bf83d7f13b13344a77e1d95225fe Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 11 Sep 2024 15:09:24 -0400 Subject: [PATCH 3/8] Minor edit --- docs/getting-started/security-spaces.asciidoc | 2 +- docs/serverless/security-spaces.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/getting-started/security-spaces.asciidoc b/docs/getting-started/security-spaces.asciidoc index 81c20356de..faa1430d4c 100644 
--- a/docs/getting-started/security-spaces.asciidoc +++ b/docs/getting-started/security-spaces.asciidoc @@ -22,7 +22,7 @@ the `SOC_dev` space, and they will run independently of those in the [NOTE] ===== By default, alerts created by detection rules are stored in {es} indices -under the `.alerts-security.alerts-` index pattern, and they may be +under the `.alerts-security.alerts-` index pattern, and they may be accessed by any user with role privileges to access those {es} indices. In our example above, any user with {es} privileges to access `.alerts-security.alerts-SOC_prod` will be able to view `SOC_prod` alerts from diff --git a/docs/serverless/security-spaces.mdx b/docs/serverless/security-spaces.mdx index a9209b0cb4..ca9d1d8620 100644 --- a/docs/serverless/security-spaces.mdx +++ b/docs/serverless/security-spaces.mdx 
@@ -12,7 +12,7 @@ tags: [ 'serverless', 'security', 'reference' ] For example, if you create a `SOC_prod` space in which you load and activate all the ((elastic-sec)) prebuilt detection rules, these rules and any detection alerts they generate will be accessible only when visiting the ((security-app)) in the `SOC_prod` space. If you then create a new `SOC_dev` space, you'll notice that no detection rules or alerts are present. Any rules subsequently loaded or created here will be private to the `SOC_dev` space, and they will run independently of those in the `SOC_prod` space. - By default, alerts created by detection rules are stored in ((es)) indices under the `.alerts-security.alerts-` index pattern, and they may be accessed by any user with role privileges to access those ((es)) indices. In our example above, any user with ((es)) privileges to access `.alerts-security.alerts-SOC_prod` will be able to view `SOC_prod` alerts from within ((es)) and other ((kib)) apps such as Discover. + By default, alerts created by detection rules are stored in ((es)) indices under the `.alerts-security.alerts-` index pattern, and they may be accessed by any user with role privileges to access those ((es)) indices. In our example above, any user with ((es)) privileges to access `.alerts-security.alerts-SOC_prod` will be able to view `SOC_prod` alerts from within ((es)) and other ((kib)) apps such as Discover. To ensure that detection alert data remains private to the space in which it was created, ensure that the roles assigned to your ((elastic-sec)) users include ((es)) privileges that limit their access to alerts within their space's alerts index. From bf97ef99b35c7102cff9877b147913a23d4d9c7f Mon Sep 17 00:00:00 2001 
From: Joe Peeples Date: Wed, 25 Sep 2024 16:43:12 -0400 Subject: [PATCH 4/8] Update "Data views in Elastic Security" Align across platforms, and omit "feature visibility" since it's unavailable in security --- docs/getting-started/data-views-in-sec.asciidoc | 2 +- docs/serverless/explore/data-views-in-sec.mdx | 16 +++++++++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/docs/getting-started/data-views-in-sec.asciidoc b/docs/getting-started/data-views-in-sec.asciidoc index 1e5d4d8000..62cfddaa9f 100644 --- a/docs/getting-started/data-views-in-sec.asciidoc +++ b/docs/getting-started/data-views-in-sec.asciidoc @@ -33,7 +33,7 @@ NOTE: You cannot update the data view for the Alerts page. This includes referen [[default-data-view-security]] == The default {data-source} -The default {data-source} is defined by the `securitySolution:defaultIndex` setting, which you can modify in {kib}'s advanced settings (**Stack Management** > **Advanced Settings** > **Security Solution**). To learn more about this setting, including its default value, refer to {security-guide}/advanced-settings.html#update-sec-indices[Advanced settings]. +The default {data-source} is defined by the `securitySolution:defaultIndex` setting, which you can modify in {security-guide}/advanced-settings.html#update-sec-indices[advanced settings]. The first time a user visits {elastic-sec} within a given {kib} {kibana-ref}/xpack-spaces.html[space], the default {data-source} generates in that space and becomes active. diff --git a/docs/serverless/explore/data-views-in-sec.mdx b/docs/serverless/explore/data-views-in-sec.mdx index ec94ad099a..58f7a539e7 100644 --- a/docs/serverless/explore/data-views-in-sec.mdx +++ b/docs/serverless/explore/data-views-in-sec.mdx 
@@ -44,14 +44,16 @@ This only allows you to add index patterns that match indices that currently con ## The default ((data-source)) -The default ((data-source)) is defined by the `securitySolution:defaultIndex` setting, which you can modify in your project's advanced settings{/* path to be updated: (**Stack Management** → **Advanced Settings** → **Security Solution**) */}. To learn more about this setting, including its default value, refer to ). +The default ((data-source)) is defined by the `securitySolution:defaultIndex` setting, which you can modify in advanced settings. -The first time a user visits ((elastic-sec)){/* within a given ((kib)) [space](((kibana-ref))/xpack-spaces.html)*/}, the default ((data-source)) generates{/* in that space*/} and becomes active. +The first time a user visits ((elastic-sec)) within a given ((kib)) [space](((kibana-ref))/xpack-spaces.html), the default ((data-source)) generates in that space and becomes active. -{/* TO-DO: in the first sentence of the following note, link to the Serverless page that explains spaces. */} +{/* Feature visibility is not available in serverless. Omitting this note for now, but keeping it commented out just in case someone decides to add feature visibility to serverless later. - - Your space must have **Data View Management**{/*{kibana-ref}/xpack-spaces.html#spaces-control-feature-visibility[feature visibility*/} feature visibility setting enabled for the default ((data-source)) to generate and become active in your space. - +TO-DO: in the first sentence of the following note, link to the Serverless page that explains feature visibility. */} + +{/* + Your space must have **Data View Management** {kibana-ref}/xpack-spaces.html#spaces-control-feature-visibility[feature visibility] feature visibility setting enabled for the default ((data-source)) to generate and become active in your space. 
+ */} -If you delete the active ((data-source)) when there are no other defined ((data-sources)), the default ((data-source)) will regenerate and become active upon refreshing any ((elastic-sec)) page{/* in the space*/}. +If you delete the active ((data-source)) when there are no other defined ((data-sources)), the default ((data-source)) will regenerate and become active upon refreshing any ((elastic-sec)) page in the space. From 82d42cac9fe7c8e86ab2f9f3a0f3c0ac9acc8f4a Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 25 Sep 2024 16:47:07 -0400 Subject: [PATCH 5/8] Update "Timeline" --- docs/events/timeline-ui-overview.asciidoc | 2 +- docs/serverless/investigate/timelines-ui.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index fe3d534f8e..9d2dc54ef6 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc @@ -171,7 +171,7 @@ then select an action from the *Bulk actions* menu. == Export and import Timelines You can export and import Timelines, which enables you to share Timelines from one -{kib} space or instance to another. Exported Timelines are saved as `.ndjson` files. +space or {elastic-sec} instance to another. Exported Timelines are saved as `.ndjson` files. To export Timelines: diff --git a/docs/serverless/investigate/timelines-ui.mdx b/docs/serverless/investigate/timelines-ui.mdx index b3c74e1600..bb77be3496 100644 --- a/docs/serverless/investigate/timelines-ui.mdx +++ b/docs/serverless/investigate/timelines-ui.mdx 
@@ -176,7 +176,7 @@ then select an action from the **Bulk actions** menu. ## Export and import Timelines -You can export and import Timelines, which enables you to share Timelines from one {/* space or */} ((elastic-sec)) instance to another. Exported Timelines are saved as `.ndjson` files. +You can export and import Timelines, which enables you to share Timelines from one space or ((elastic-sec)) instance to another. Exported Timelines are saved as `.ndjson` files. To export Timelines: From cd1eb62248bc7fe0a6f0fb84e8989327bd2de377 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 25 Sep 2024 16:49:25 -0400 Subject: [PATCH 6/8] Update "Timeline templates" --- docs/events/timeline-templates.asciidoc | 2 +- docs/serverless/investigate/timeline-templates-ui.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/events/timeline-templates.asciidoc b/docs/events/timeline-templates.asciidoc index b4e90f9535..54fafc59ed 100644 --- a/docs/events/timeline-templates.asciidoc +++ b/docs/events/timeline-templates.asciidoc @@ -136,7 +136,7 @@ NOTE: You cannot delete prebuilt templates. == Export and import Timeline templates You can import and export Timeline templates, which enables importing templates -from one {kib} space or instance to another. Exported templates are saved in an `ndjson` file. +from one space or {elastic-sec} instance to another. Exported templates are saved in an `ndjson` file. . Go to *Timelines* -> *Templates*. . To export templates, do one of the following: diff --git a/docs/serverless/investigate/timeline-templates-ui.mdx b/docs/serverless/investigate/timeline-templates-ui.mdx index 1ebcc84146..68eab9ce24 100644 --- a/docs/serverless/investigate/timeline-templates-ui.mdx +++ b/docs/serverless/investigate/timeline-templates-ui.mdx 
@@ -135,7 +135,7 @@ You cannot delete prebuilt templates. ## Export and import Timeline templates -You can import and export Timeline templates, which enables importing templates from one {/*space or (*/}((elastic-sec)) instance to another. Exported templates are saved in an `ndjson` file. +You can import and export Timeline templates, which enables importing templates from one space or ((elastic-sec)) instance to another. Exported templates are saved in an `ndjson` file. 1. Go to **Investigations** → **Timelines** → **Templates**. 1. To export templates, do one of the following: From 5f02cf731fa85a52f064ccee85ffe2ae4cd13a91 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 25 Sep 2024 17:16:24 -0400 Subject: [PATCH 7/8] Update link to general docs on spaces This link will be broken until https://github.com/elastic/docs-content/pull/55 is merged --- docs/serverless/security-spaces.mdx | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/serverless/security-spaces.mdx b/docs/serverless/security-spaces.mdx index ca9d1d8620..6ebb426c24 100644 --- a/docs/serverless/security-spaces.mdx +++ b/docs/serverless/security-spaces.mdx 
@@ -5,9 +5,7 @@ description: Learn how spaces work in ((elastic-sec)). tags: [ 'serverless', 'security', 'reference' ] --- -{/* TO DO: Replace link below (which points to ESS docs) with page in serverless general docs (once it's added). */} - -((elastic-sec)) supports the organization of your security operations into logical instances with the [spaces](((kibana-ref))/xpack-spaces.html) feature. Each space in ((kib)) represents a separate logical instance of ((elastic-sec)) in which detection rules, rule exceptions, value lists, alerts, Timelines, cases, and ((kib)) advanced settings are private to the space and accessible only by users that have role privileges to access the space. For details about configuring privileges for ((es)) and ((kib)), refer to . +((elastic-sec)) supports the organization of your security operations into logical instances with the spaces feature. Each space in ((kib)) represents a separate logical instance of ((elastic-sec)) in which detection rules, rule exceptions, value lists, alerts, Timelines, cases, and ((kib)) advanced settings are private to the space and accessible only by users that have role privileges to access the space. For details about configuring privileges for ((es)) and ((kib)), refer to . For example, if you create a `SOC_prod` space in which you load and activate all the ((elastic-sec)) prebuilt detection rules, these rules and any detection alerts they generate will be accessible only when visiting the ((security-app)) in the `SOC_prod` space. If you then create a new `SOC_dev` space, you'll notice that no detection rules or alerts are present. Any rules subsequently loaded or created here will be private to the `SOC_dev` space, and they will run independently of those in the `SOC_prod` space. From a484862c432c88419bf936971ba09b10d710ba29 Mon Sep 17 00:00:00 2001 
From: Joe Peeples Date: Wed, 23 Oct 2024 10:17:16 -0400 Subject: [PATCH 8/8] Fix links: targets from stateful to serverless --- docs/serverless/explore/data-views-in-sec.mdx | 10 +--------- docs/serverless/sec-requirements.mdx | 2 +- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/docs/serverless/explore/data-views-in-sec.mdx b/docs/serverless/explore/data-views-in-sec.mdx index 58f7a539e7..91f48a2fef 100644 --- a/docs/serverless/explore/data-views-in-sec.mdx +++ b/docs/serverless/explore/data-views-in-sec.mdx @@ -46,14 +46,6 @@ This only allows you to add index patterns that match indices that currently con The default ((data-source)) is defined by the `securitySolution:defaultIndex` setting, which you can modify in advanced settings. -The first time a user visits ((elastic-sec)) within a given ((kib)) [space](((kibana-ref))/xpack-spaces.html), the default ((data-source)) generates in that space and becomes active. - -{/* Feature visibility is not available in serverless. Omitting this note for now, but keeping it commented out just in case someone decides to add feature visibility to serverless later. - -TO-DO: in the first sentence of the following note, link to the Serverless page that explains feature visibility. */} - -{/* - Your space must have **Data View Management** {kibana-ref}/xpack-spaces.html#spaces-control-feature-visibility[feature visibility] feature visibility setting enabled for the default ((data-source)) to generate and become active in your space. - */} +The first time a user visits ((elastic-sec)) within a given ((kib)) space, the default ((data-source)) generates in that space and becomes active. If you delete the active ((data-source)) when there are no other defined ((data-sources)), the default ((data-source)) will regenerate and become active upon refreshing any ((elastic-sec)) page in the space. diff --git a/docs/serverless/sec-requirements.mdx b/docs/serverless/sec-requirements.mdx index 36d55bfe46..bcb666ac59 100644 
--- a/docs/serverless/sec-requirements.mdx +++ b/docs/serverless/sec-requirements.mdx @@ -18,7 +18,7 @@ supported operating systems, platforms, and browsers on which components such as To use ((elastic-sec)), your role must have at least: - * `Read` privilege for the `Security` feature in the [space](((kibana-ref))/xpack-spaces.html). This grants you `Read` access to all features in ((elastic-sec)) except cases. You need additional minimum privileges to use cases. + * `Read` privilege for the `Security` feature in the space. This grants you `Read` access to all features in ((elastic-sec)) except cases. You need additional minimum privileges to use cases. * `Read` and `view_index_metadata` privileges for all ((elastic-sec)) indices, such as `filebeat-*`, `packetbeat-*`, `logs-*`, and `endgame-*` indices.
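Review bot: in docs/serverless/security-spaces.mdx (PATCH 1/8), the sentence `For details about configuring privileges for ((es)) and ((kib)), refer to .` ends in an empty cross-reference, so the rendered page tells readers to refer to nothing; the privileges page target should be filled in before merge, and the same dangling sentence is carried unchanged into the rewritten paragraph in PATCH 7/8. The note paragraph about the `.alerts-security.alerts-` indices is also the one place on the page that says space isolation does not extend to Elasticsearch index access, since any user with index privileges on `.alerts-security.alerts-SOC_prod` can read those alerts from Discover; consider leading the note with that sentence and then the role-privilege requirement, because it is the security-relevant caveat of the whole page.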
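Review bot: the commit message `Minor edit` (PATCH 3/8) does not say what changed, and in both hunks the removed and added lines read identically as shown (`under the `.alerts-security.alerts-` index pattern, and they may be` in the AsciiDoc file, and the full note paragraph in the MDX file), so the change cannot be reviewed from the diff alone; name the edited token or whitespace in the message so the next reader does not have to compare the lines byte by byte.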
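Review bot: in docs/serverless/explore/data-views-in-sec.mdx (PATCH 4/8), the new comment block opens by saying feature visibility is not available in serverless and is being omitted, yet the retained `TO-DO` in the same comment still asks for a link to "the Serverless page that explains feature visibility", which contradicts the first sentence; drop or reword the TO-DO. The commented-out callout also embeds AsciiDoc link syntax (`{kibana-ref}/xpack-spaces.html#spaces-control-feature-visibility[feature visibility]`) in an MDX file and repeats "feature visibility" twice in one sentence, so it would not render correctly if it were ever uncommented. Separately, the rewritten default data view sentence now says `which you can modify in advanced settings` with no link and drops the pointer to the setting's default value, while the AsciiDoc counterpart in the same patch keeps a link to `advanced-settings.html#update-sec-indices`; the serverless page should keep an equivalent target.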
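Review bot: PATCH 5/8 and PATCH 6/8 align the "from one space or ((elastic-sec)) instance to another" wording across both platforms, but leave the export file type inconsistent: timeline-ui-overview.asciidoc and timelines-ui.mdx say Timelines are saved as `.ndjson` files, while timeline-templates.asciidoc and timeline-templates-ui.mdx say templates are saved in an `ndjson` file; pick one form since both describe the same export format.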
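Review bot: the subject of PATCH 7/8 is "Update link to general docs on spaces" and the body says the link will be broken until https://github.com/elastic/docs-content/pull/55 is merged, but the hunk removes the link rather than updating it: `[spaces](((kibana-ref))/xpack-spaces.html)` becomes the bare word `spaces` with no href, and the `TO DO` comment that tracked the replacement is deleted in the same hunk. Either add the intended serverless link in this commit (accepting that it resolves once the other PR merges) or keep a tracking comment and retitle the commit to say the link was removed, so the message and the change agree.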
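Review bot: PATCH 8/8 is titled "Fix links: targets from stateful to serverless", but both hunks replace the `[space](((kibana-ref))/xpack-spaces.html)` link with the bare word `space` instead of retargeting it. PATCH 1/8 of this series adds a serverless spaces page at slug `/serverless/security/security-spaces`, which is the natural target for these sentences in data-views-in-sec.mdx and sec-requirements.mdx; linking there would match the commit title and would connect the minimum-privilege list on sec-requirements.mdx (`Read` for the `Security` feature in the space, plus `read` and `view_index_metadata` on the security indices) to the new page's note that alert data is only private to a space when index privileges are scoped to that space's alerts index.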