Entity Analytics: Requirements and limitations #4162
Merged
14 commits
010996c Entity Analytics: Requirements and limitations (natasha-moore-elastic)
a3a12ea Fixes capitalization (natasha-moore-elastic)
89a424c Uses attribute (natasha-moore-elastic)
d12e9e0 Update docs/getting-started/ea-req.asciidoc (natasha-moore-elastic)
a3ec7b1 Update docs/getting-started/ea-req.asciidoc (natasha-moore-elastic)
69ccf0f Update docs/getting-started/ea-req.asciidoc (natasha-moore-elastic)
6ae21aa Update docs/getting-started/ea-req.asciidoc (natasha-moore-elastic)
981b0c6 Applies review comments (natasha-moore-elastic)
00c76d9 Adds reference to Entity Risk Scoring (natasha-moore-elastic)
de68953 Updates licensing info (natasha-moore-elastic)
6662e52 Applies review feedback (natasha-moore-elastic)
0b9f8fa Merge branch 'main' into issue-4124-EA-reqs (natasha-moore-elastic)
f2e8763 Merge branch 'main' into issue-4124-EA-reqs (natasha-moore-elastic)
62a20f4 Update docs/getting-started/ers-req.asciidoc (natasha-moore-elastic)
@@ -0,0 +1,37 @@ | ||
[[ea-requirements]] | ||
= Entity Analytics prerequisites | ||
|
||
[discrete] | ||
== Privileges | ||
|
||
To enable the risk scoring engine, you need the following privileges: | ||
|
||
|
||
Cluster privileges: | ||
|
||
|
||
* `manage_index_templates` | ||
* `manage_transform` | ||
|
||
Index privileges: | ||
|
||
`all` privilege for `risk-score.risk-score-*` | ||
|
||
{kib} privileges: | ||
|
||
* **All** for the **Saved Objects Management** feature under **Management** | ||
* **Read** for the **Security** feature | ||
|
||
[discrete] | ||
== {es} resource guidelines | ||
|
||
Follow these guidelines to ensure clusters have adequate memory to handle data volume: | ||
|
||
* With 2GB of Java Virtual Machine (JVM) heap memory, the risk scoring task can safely process around 44 million documents (30 days of risk data with an ingest rate of 1000 documents per minute). | ||
|
||
|
||
* With 1GB of JVM heap, the risk scoring task can safely process around 20 million documents (30 days of risk data with an ingest rate of around 450 documents per minute). | ||
|
||
|
||
[discrete] | ||
== Known limitations | ||
|
||
* You can only enable the risk scoring engine in a single {kib} space within a cluster. | ||
|
||
* The risk scoring engine uses the internal {kib} user to score all hosts and users. This means the scoring task does not respect custom user or role permissions. All alerts from the configured {kib} space will contribute to the entity's risk. | ||
|
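Review bot: The second bullet under "Known limitations" states the consequence for the scoring task but not for readers of the scores: because scoring runs as the internal {kib} user and every alert in the configured space contributes, users who can view an entity's risk score may see a score influenced by alerts their own role cannot read. Consider adding one sentence making that explicit, e.g. "Users who can view risk scores may see scores influenced by alerts they do not have permission to view." Also, under "Privileges", the `all` index privilege for `risk-score.risk-score-*` grants every index operation on those indices, including deletion; if a narrower set is sufficient to enable the engine, listing it would let administrators apply least privilege.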
@natasha-moore-elastic following the page title with a section header is a bit jarring. To give users some quick context, it might be useful to write a sentence or two that briefly summarizes this page.
@SourinPaul are we now calling the risk scoring feature "Entity Analytics" in the docs? Also, should this page be included under the Useful links section within the Entity Risk Score page? Linking to multiple doc pages in the UI is a little excessive imo, but I definitely think feature requirements are necessary to highlight.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nastasha-solomon the current UI reference to the feature is incorrect. Here is the bug logged to correct the UI reference: #7920. In its correct form, the UI reference will take the user to the (new) Entity Risk Scoring feature documentation page. I agree that linking to multiple doc pages (Feature overview, Prerequisites for the feature) in the UI may be excessive, given we expect to improve or evolve the feature quickly.
How about ensuring the Entity Risk Scoring Prerequisites section is highlighted on the page the user first lands (section above)?
Thanks for sharing that issue, @SourinPaul. Good to know that the links are being updated for 8.11! :)
As for linking this page, I do think it should be placed at the top of the list under the Useful links section. I'd use the page title as well, so the linked text is consistent with our docs.
Lastly, it might be a good idea to reference this page wherever these privileges are needed to view risk score data within the Security app. For example, if these privileges are required to turn on and/or view risk score in the Entity Analytics dashboard, I would mention it there. I'm not sure what that'd look like, or if there's even time to add it into 8.11, so just something to consider for a future release.