-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
investigation notes field (documentation / metadata) #63386
Conversation
added text to the "investigation notes" field in md which the field supports.
Pinging @elastic/siem (Team:SIEM) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the screenshots!
@@ -20,5 +20,6 @@ | |||
"Windows" | |||
], | |||
"type": "machine_learning", | |||
"note": "### Investigating an Unusual Windows User ###\nThis signal indicates activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: May want rule
instead of signal
here, or something like Signals from this rule indicate...
since this is only viewable on the Rule Details Page. Up to you, no chance necessary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK we decided to make this change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Checked out locally, loaded prebuilt rules and verified no issues with loading the rules or with how the Investigation Guide
markdown is rendered, edited, or exported/imported.
Rules Details looks good 👍
Edit Rules looks good 👍
LGTM -- thanks @randomuserid!
change to "Signals from this rule indicate"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested import/export, duplication, etc. LGTM!
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
* notes field added text to the "investigation notes" field in md which the field supports. * Revert "notes field" This reverts commit dae6ffc. * Revert "Revert "notes field"" This reverts commit f9de4bf. * Update linux_anomalous_network_activity.json * text change change to "Signals from this rule indicate"
* notes field added text to the "investigation notes" field in md which the field supports. * Revert "notes field" This reverts commit dae6ffc. * Revert "Revert "notes field"" This reverts commit f9de4bf. * Update linux_anomalous_network_activity.json * text change change to "Signals from this rule indicate"
* notes field added text to the "investigation notes" field in md which the field supports. * Revert "notes field" This reverts commit dae6ffc. * Revert "Revert "notes field"" This reverts commit f9de4bf. * Update linux_anomalous_network_activity.json * text change change to "Signals from this rule indicate" Co-authored-by: The SpaceCake Project <[email protected]>
* notes field added text to the "investigation notes" field in md which the field supports. * Revert "notes field" This reverts commit dae6ffc. * Revert "Revert "notes field"" This reverts commit f9de4bf. * Update linux_anomalous_network_activity.json * text change change to "Signals from this rule indicate" Co-authored-by: The SpaceCake Project <[email protected]>
* master: (132 commits) document code splitting for client code (elastic#62593) Escape single quotes surrounded by double quotes (elastic#63229) [Endpoint] Update cli mapping to match endpoint package (elastic#63372) update in-app links to metricbeat configuration docs (elastic#63295) investigation notes field (documentation / metadata) (elastic#63386) [Maps] fix bug where toggling Scaling type does not re-fetch data (elastic#63326) [Alerting] set correct parameter for unauthented email action (elastic#63086) [Telemetry] force staging urls in tests (elastic#63356) Migrate legacy maps service to NP & update refs (elastic#60942) Fix task manager query to return tasks to retry (elastic#63360) [Endpoint] Policy list support for URL pagination state (elastic#63291) [Canvas] Migrate saved object mappings and migrations to Kibana Platform (elastic#58891) [DOCS] Add ILM tutorial (elastic#59502) [Maps] Add SOURCE_TYPES enumeration (elastic#62975) [Maps] update geospatial filters to use geo_shape query for geo_point fields (elastic#62966) Move away from npStart for embeddables in canvas (elastic#62680) Use MapInput type from Maps plugin (elastic#61539) Update to pagination for workpad and templates (elastic#62050) [SIEM] Fix AlertsTable id (elastic#63368) Consistent terminology around cypress test data (elastic#63279) ...
* master: document code splitting for client code (elastic#62593) Escape single quotes surrounded by double quotes (elastic#63229) [Endpoint] Update cli mapping to match endpoint package (elastic#63372) update in-app links to metricbeat configuration docs (elastic#63295) investigation notes field (documentation / metadata) (elastic#63386) [Maps] fix bug where toggling Scaling type does not re-fetch data (elastic#63326) [Alerting] set correct parameter for unauthented email action (elastic#63086) [Telemetry] force staging urls in tests (elastic#63356) Migrate legacy maps service to NP & update refs (elastic#60942) Fix task manager query to return tasks to retry (elastic#63360) [Endpoint] Policy list support for URL pagination state (elastic#63291) [Canvas] Migrate saved object mappings and migrations to Kibana Platform (elastic#58891) [DOCS] Add ILM tutorial (elastic#59502) [Maps] Add SOURCE_TYPES enumeration (elastic#62975) [Maps] update geospatial filters to use geo_shape query for geo_point fields (elastic#62966) Move away from npStart for embeddables in canvas (elastic#62680)
* alerting/alert-services-mock: (107 commits) removed unused import added alert services mock and use it in siem [Metrics UI] Refactor With* containers to hooks (elastic#59503) [NP] Migrate logstash server side code to NP (elastic#63135) Clicking cancel in saved query save modal doesn't close it (elastic#62774) [Lens] Migration from 7.7 (elastic#62879) [Lens] Fix bug where suggestions didn't use filters (elastic#63293) Task/linux events (elastic#63400) [Remote clusters] guard against usageCollection plugin if unav… (elastic#63284) [Uptime] Remove pings graphql (elastic#59392) Index Pattern Field class - factor out copy_field code for future typescripting (elastic#63083) [EPM] add/remove package in package settings page (elastic#63389) Adjust API authorization logging (elastic#63350) Revert FTR: add chromium-based Edge browser support (elastic#61684) (elastic#63448) [Event Log] Adds namespace into save objects (elastic#62974) document code splitting for client code (elastic#62593) Escape single quotes surrounded by double quotes (elastic#63229) [Endpoint] Update cli mapping to match endpoint package (elastic#63372) update in-app links to metricbeat configuration docs (elastic#63295) investigation notes field (documentation / metadata) (elastic#63386) ...
* notes field added text to the "investigation notes" field in md which the field supports. * Revert "notes field" This reverts commit dae6ffc. * Revert "Revert "notes field"" This reverts commit f9de4bf. * Update linux_anomalous_network_activity.json * text change change to "Signals from this rule indicate"
Pinging @elastic/security-solution (Team: SecuritySolution) |
added text to the "investigation notes" field in md which the field supports.
Summary
Summarize your PR. If it involves visual changes include a screenshot or gif.
Checklist
Delete any items that are not applicable to this PR.
For maintainers