
investigation notes field (documentation / metadata) #63386

Merged: 5 commits, Apr 13, 2020

Conversation

randomuserid
Contributor

@randomuserid randomuserid commented Apr 13, 2020

Added text to the "investigation notes" field in Markdown, which the field supports.

@randomuserid randomuserid requested a review from a team as a code owner April 13, 2020 18:32
@randomuserid randomuserid requested a review from spong April 13, 2020 18:32
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@randomuserid randomuserid added release_note:skip Skip the PR/issue when compiling release notes v7.7.0 v7.8.0 v8.0.0 labels Apr 13, 2020
@randomuserid
Contributor Author

Screenshots of the Glorious Investigation Notes Field
[Eight screenshots of the Investigation Notes field, taken 2020-04-13 between 4:23 and 4:24 PM]

Contributor

@rw-access rw-access left a comment
thanks for the screenshots!

@@ -20,5 +20,6 @@
"Windows"
],
"type": "machine_learning",
"note": "### Investigating an Unusual Windows User ###\nThis signal indicates activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?",
Member
nit: May want rule instead of signal here, or something like Signals from this rule indicate... since this is only viewable on the Rule Details Page. Up to you, no change necessary.

Contributor Author
OK we decided to make this change.

Member

@spong spong left a comment
Checked out locally, loaded prebuilt rules and verified no issues with loading the rules or with how the Investigation Guide markdown is rendered, edited, or exported/imported.

Rules Details looks good 👍

Edit Rules looks good 👍

LGTM -- thanks @randomuserid!
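The reviewers above checked by hand that the prebuilt rules load and that the Investigation Guide markdown survives export and import. As an added example that is not part of this PR or of Kibana's code, the Node.js script below automates the part of that review that can be automated: it lints each rule's `note` field (string type, a size cap, no raw HTML or `javascript:`/`data:` links since the note is rendered as markdown, the closed `###` heading style and the trailing whitespace visible in the diff, and the "Signals from this rule indicate" wording agreed in this thread) and confirms the note comes back unchanged from a JSON export/import round trip. The size cap and the markdown-only policy are assumptions for the example; whether Kibana's renderer sanitizes HTML is not stated on this page. The first sample rule uses the note text from the diff before the wording change; the other sample rules are constructed.

```javascript
// Added example (not Kibana code): lint the "note" (Investigation Guide)
// field of detection-rule JSON before import. Policy values are assumptions.

const MAX_NOTE_BYTES = 64 * 1024; // assumed cap on a single note

// Patterns the assumed markdown-only policy rejects or flags.
const RAW_HTML = /<\/?[a-z][^>]*>/i;                            // any HTML tag
const DANGEROUS_LINK = /\]\(\s*(?:javascript|data|vbscript):/i; // [text](javascript:...)
const CLOSED_ATX_HEADING = /^#{1,6}\s.*\s#+\s*$/m;              // "### Title ###"
const TRAILING_SPACE = /[ \t]+\n/;                              // whitespace before a newline
const SIGNAL_WORDING = /\bThis signal indicates\b/;             // wording changed in this PR

// Returns a list of human-readable issues for one rule object; [] means clean.
function lintRuleNote(rule) {
  const issues = [];
  const note = rule.note;
  if (note === undefined) return issues; // note is optional on a rule
  if (typeof note !== 'string') {
    issues.push('note must be a string');
    return issues;
  }
  if (Buffer.byteLength(note, 'utf8') > MAX_NOTE_BYTES) issues.push('note exceeds size cap');
  if (RAW_HTML.test(note)) issues.push('note contains raw HTML; markdown only');
  if (DANGEROUS_LINK.test(note)) issues.push('note links to a javascript:/data:/vbscript: URL');
  if (CLOSED_ATX_HEADING.test(note)) issues.push('heading uses closing hashes; drop the trailing ###');
  if (TRAILING_SPACE.test(note)) issues.push('trailing whitespace before a line break');
  if (SIGNAL_WORDING.test(note)) issues.push('use "Signals from this rule indicate" rather than "This signal indicates"');
  return issues;
}

// Mirrors the export/import check the reviewers did by hand: the note must
// come back identical after a JSON round trip.
function noteSurvivesRoundTrip(rule) {
  const copy = JSON.parse(JSON.stringify(rule));
  return copy.note === rule.note;
}

// Lint a set of rules; returns { [rule_id]: issues } for rules with problems only.
function lintRules(rules) {
  const report = {};
  for (const rule of rules) {
    const issues = lintRuleNote(rule);
    if (!noteSurvivesRoundTrip(rule)) issues.push('note does not survive export/import round trip');
    if (issues.length) report[rule.rule_id] = issues;
  }
  return report;
}

// Constructed sample rules. The first note is the text from this PR's diff
// before the wording change; the rest are made up for the example.
const SAMPLE_RULES = [
  {
    rule_id: 'constructed-ml-rdp-user',
    type: 'machine_learning',
    note: '### Investigating an Unusual Windows User ###\nThis signal indicates activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login.',
  },
  {
    rule_id: 'constructed-clean',
    type: 'query',
    note: '### Investigating an Unusual Windows User\nSignals from this rule indicate activity for a rare and unusual Windows RDP user.\n- Consider the user.',
  },
  {
    rule_id: 'constructed-hostile-note',
    type: 'query',
    note: '### Triage\nSee <img src=x onerror=alert(1)> and [details](javascript:alert(1))',
  },
  { rule_id: 'constructed-bad-type', type: 'query', note: 42 },
  { rule_id: 'constructed-no-note', type: 'query' },
];

const report = lintRules(SAMPLE_RULES);
for (const [id, issues] of Object.entries(report)) {
  console.log(`${id}:`);
  for (const issue of issues) console.log(`  - ${issue}`);
}
```

Run it with `node` over a directory of rule JSON files by replacing `SAMPLE_RULES` with the parsed files; rules that are absent from the report are clean. The round-trip check is deliberately strict (`===` on the raw string) because an import path that normalizes line endings or trims whitespace would otherwise silently change how the guide renders.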

change to "Signals from this rule indicate"
Contributor

@rylnd rylnd left a comment
Tested import/export, duplication, etc. LGTM!

@kibanamachine
Contributor

💚 Build Succeeded


@randomuserid randomuserid merged commit b543887 into master Apr 13, 2020
spong pushed a commit to spong/kibana that referenced this pull request Apr 13, 2020
* notes field

added text to the "investigation notes" field in md which the field supports.

* Revert "notes field"

This reverts commit dae6ffc.

* Revert "Revert "notes field""

This reverts commit f9de4bf.

* Update linux_anomalous_network_activity.json

* text change

change to "Signals from this rule indicate"
spong pushed a commit to spong/kibana that referenced this pull request Apr 13, 2020
spong added a commit that referenced this pull request Apr 14, 2020
Co-authored-by: The SpaceCake Project <[email protected]>
spong added a commit that referenced this pull request Apr 14, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Apr 14, 2020
* master: (132 commits)
  document code splitting for client code (elastic#62593)
  Escape single quotes surrounded by double quotes (elastic#63229)
  [Endpoint] Update cli mapping to match endpoint package (elastic#63372)
  update in-app links to metricbeat configuration docs (elastic#63295)
  investigation notes field (documentation / metadata) (elastic#63386)
  [Maps] fix bug where toggling Scaling type does not re-fetch data (elastic#63326)
  [Alerting] set correct parameter for unauthented email action (elastic#63086)
  [Telemetry] force staging urls in tests (elastic#63356)
  Migrate legacy maps service to NP & update refs (elastic#60942)
  Fix task manager query to return tasks to retry (elastic#63360)
  [Endpoint] Policy list support for URL pagination state (elastic#63291)
  [Canvas] Migrate saved object mappings and migrations to Kibana Platform (elastic#58891)
  [DOCS] Add ILM tutorial (elastic#59502)
  [Maps] Add SOURCE_TYPES enumeration (elastic#62975)
  [Maps] update geospatial filters to use geo_shape query for geo_point fields (elastic#62966)
  Move away from npStart for embeddables in canvas (elastic#62680)
  Use MapInput type from Maps plugin (elastic#61539)
  Update to pagination for workpad and templates (elastic#62050)
  [SIEM] Fix AlertsTable id (elastic#63368)
  Consistent terminology around cypress test data (elastic#63279)
  ...
gmmorris added a commit to gmmorris/kibana that referenced this pull request Apr 14, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Apr 15, 2020
* alerting/alert-services-mock: (107 commits)
  removed unused import
  added alert services mock and use it in siem
  [Metrics UI] Refactor With* containers to hooks (elastic#59503)
  [NP] Migrate logstash server side code to NP (elastic#63135)
  Clicking cancel in saved query save modal doesn't close it (elastic#62774)
  [Lens] Migration from 7.7 (elastic#62879)
  [Lens] Fix bug where suggestions didn't use filters (elastic#63293)
  Task/linux events (elastic#63400)
  [Remote clusters] guard against usageCollection plugin if unav… (elastic#63284)
  [Uptime] Remove pings graphql (elastic#59392)
  Index Pattern Field class - factor out copy_field code for future typescripting (elastic#63083)
  [EPM] add/remove package in package settings page (elastic#63389)
  Adjust API authorization logging (elastic#63350)
  Revert FTR: add chromium-based Edge browser support (elastic#61684) (elastic#63448)
  [Event Log] Adds namespace into save objects (elastic#62974)
  document code splitting for client code (elastic#62593)
  Escape single quotes surrounded by double quotes (elastic#63229)
  [Endpoint] Update cli mapping to match endpoint package (elastic#63372)
  update in-app links to metricbeat configuration docs (elastic#63295)
  investigation notes field (documentation / metadata) (elastic#63386)
  ...
wayneseymour pushed a commit that referenced this pull request Apr 15, 2020
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@spalger spalger deleted the 77-siem-notes-field branch May 8, 2022 22:07
Labels
release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.7.0 v7.8.0 v8.0.0
7 participants