Using Elastic Security

edit

Elastic Security is a highly interactive workspace designed for security analysts. It provides a clear overview of events and alerts from your environment, and you can use the interactive UI to drill down into areas of interest.

Hosts

edit

The Hosts page provides key metrics regarding host-related security events, and data tables and histograms that let you interact with the Timeline Event Viewer. You can drill down for deeper insights, and drag and drop items of interest from the Hosts page to Timeline for further investigation.

hosts ui

Network

edit

The Network page displays key network activity metrics in an interactive map, and provides network event tables that enable interaction with Timeline.

network ui

Detections (beta)

edit

The Detections feature automatically searches for threats and creates alerts when they are detected. Detection rules define the conditions for when alerts are created. Elastic Security comes with prebuilt rules that search for suspicious activity on your network and hosts. Additionally, you can create your own rules.

See Detections for information on managing detection rules and alerts.

detections ui

Cases (beta)

edit

Cases are used to open and track security issues directly in Elastic Security. Cases list the original reporter and all users who contribute to a case (participants). Case comments support Markdown syntax, and allow linking to saved Timelines. Additionally, you can send cases to external systems from within Elastic Security.

For information about opening, updating, and closing cases, see Cases in the Elastic Security Guide.

cases ui

Timeline

edit

Timeline is your workspace for threat hunting and alert investigations.

Elastic Security Timeline

You can drag objects of interest into the Timeline Event Viewer to create exactly the query filter you need. You can drag items from table widgets within Hosts and Network pages, or even from within Timeline itself.

A timeline is responsive and persists as you move through Elastic Security collecting data.

For detailed information about Timeline, see Investigating events in Timeline.

Sample workflow

edit

An analyst notices a suspicious user ID that warrants further investigation, and clicks a URL that links to Elastic Security.

The analyst uses the tables, histograms, and filtering and search capabilities in Elastic Security to get to the bottom of the alert. The analyst can drag items of interest to Timeline for further analysis.

Within Timeline, the analyst can investigate further - drilling down, searching, and filtering - and add notes and pin items of interest.

The analyst can name the timeline, write summary notes, and share it with others if appropriate.