diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index cd69a16b55..6d4ac4233f 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc @@ -5,7 +5,7 @@ The Alerts page displays all detection alerts. From the Alerts page, you can filter alerts, view alerting trends, change the status of alerts, add alerts to cases, and start investigating and analyzing alerts. [role="screenshot"] -image::detections/images/alert-page.png[] +image::detections/images/alert-page.png[Alerts page overview] [float] [[detection-view-and-filter-alerts]] @@ -21,7 +21,7 @@ image::images/view-alert-details.png[View details button, 200] * Use the date and time filter to define a specific time range. By default, this filter is set to search the last 24 hours. -* Visualize and group alerts by specific parameters in the visualization section. Use the menu on the left to select a view type (*Trend*, *Table*, or *Treemap*), and use the menus on the right to select the ECS fields used for grouping alerts. Refer to <> for more on each view type. +* Visualize and group alerts by specific fields in the visualization section. Use the buttons on the left to select a view type (*Summary*, *Trend*, *Counts*, or *Treemap*), and use the menus on the right to select the ECS fields used for grouping alerts. Refer to <> for more on each view type. * Hover over a value in the data grid to display available inline actions, such as *Filter In*, *Filter Out*, and *Add to timeline investigation*. Click the expand button to open a full context menu of options, including *Show top values*, *Copy to Clipboard*, and *View rule details*. The available options vary based on the type of data. + 
@@ -37,6 +37,26 @@ image::images/additional-filters.png[Alerts table with Additional filters menu h * View detection alerts generated by a specific rule. Go to *Manage* -> *Rules*, then select a rule name in the table. The rule details page displays a comprehensive view of the rule's settings, and the Alerts table under the Trend histogram displays the alerts associated with the rule, including alerts from any previous or deleted revision of that rule. +[float] +[[group-alerts]] +=== Group alerts + +beta:[] You can group alerts by rule name, host name, user name, source IP address, or any other field. Select *Group alerts by*, then select an option or *Custom field* to specify a different field. + +[role="screenshot"] +image::images/group-alerts.png[Alerts table with Group alerts by drop-down] + +Each group displays information such as the alerts' severity and how many users, hosts, and alerts are in the group. The type of information displayed varies depending on the selected field. + +To interact with grouped alerts: + +* Select the *Take actions* menu to perform a bulk action on all alerts in a group, such as <>. + +* Click a group's name or the expand icon (image:images/expand-icon-vertical-right.png[Grouped alerts expand icon,16,16]) to display alerts within that group. You can filter and customize this view like any other alerts table. ++ +[role="screenshot"] +image::images/group-alerts-expand.png[Expanded alert group with alerts table] + [float] [[customize-the-alerts-table]] === Customize the Alerts table 
@@ -86,14 +106,16 @@ You can set an alert's status to indicate whether it needs to be investigated To change an alert's status, do one of the following: -* In the alert's row, click the *More actions* menu (*...*) in the Alerts table, then select the appropriate status (*Mark as open*, *Mark as acknowledged*, or *Mark as closed*). -* In the Alerts table, select all the alerts you want to change, click on the drop-down at the upper-left above the table, and then select *Mark as open*, *Mark as acknowledged*, or *Mark as closed*. +* In the Alerts table, click *More actions* (*...*) in the alert's row, then select a status. + +* In the Alerts table, select the alerts you want to change, click *Selected _x_ alerts* at the upper-left above the table, and then select a status. + [role="screenshot"] image::images/alert-change-status.png[Bulk action menu with multiple alerts selected, 225] -* In the alert details flyout, click *Take action* and select *Mark as open*, *Mark as acknowledged*, or *Mark as closed*. +* beta:[] To bulk-change the status of <>, select the *Take actions* menu for the group, then select a status. +* In an alert's details flyout, click *Take action* and select a status. [float] [[add-exception-from-alerts]] diff --git a/docs/detections/alerts-visualizations.asciidoc b/docs/detections/alerts-visualizations.asciidoc index ed31e4a031..469c2855a2 100644 --- a/docs/detections/alerts-visualizations.asciidoc +++ b/docs/detections/alerts-visualizations.asciidoc 
@@ -4,33 +4,55 @@ Visualize and group detection alerts by specific parameters in the visualization section of the Alerts page. [role="screenshot"] -image::images/alert-page-visualizations.png[] +image::images/alert-page-visualizations.png[Alerts page with visualizations section highlighted] -Use the left menu to select a view type (*Trend*, *Table*, or *Treemap*), and use the right menus to select the ECS fields to use for grouping: +Use the left buttons to select a view type (*Summary*, *Trend*, *Counts*, or *Treemap*), and use the right menus to select the ECS fields to use for grouping: -* *Group by*: Primary field for grouping alerts. +* *Top alerts by* or *Group by*: Primary field for grouping alerts. * *Group by top* (if available): Secondary field for further subdividing grouped alerts. For example, you can group first by rule name (`Group by: kibana.alert.rule.name`), then by host name (`Group by top: host.name`) to visualize which detection rules generated alerts, and which hosts triggered each of those rules. For groupings with a lot of unique values, the top 1,000 results are displayed. -NOTE: The *Group by top* option isn't available in all view types. You can also leave *Group by top* blank to group by only the primary field in *Group by*. +NOTE: Some view types don't have the *Group by top* option. You can also leave *Group by top* blank to group by only the primary field in *Group by*. -To reset a view to default settings, click the settings menu (image:images/three-dot-icon.png[Settings menu icon,18,18]) in the upper-right and select *Reset group by fields* (the settings menu appears when hovering over the area). +To reset a view to default settings, click the settings menu (image:images/three-dot-icon.png[Settings menu icon,18,18]) in the upper-right and select *Reset group by fields* (the settings menu appears when you hover over the area). 
+Click the collapse icon (image:images/collapse-icon-horiz-down.png[Collapse icon,16,15]) to minimize the visualization section and display a summary of key information instead. + +[role="screenshot"] +image::images/alert-page-viz-collapsed.png[Alerts page with visualizations section collapsed] + +[discrete] +=== Summary + +On the Alerts page, the summary visualization displays by default and shows how alerts are distributed across these indicators: + +* *Severity levels*: How many alerts are in each severity level. +* *Alerts by name*: How many alerts each detection rule created. +* *Top alerts by*: Percentage of alerts with a specified field value: `host.name` (default), `user.name`, `source.ip`, or `destination.ip`. + +You can hover and click on elements within the summary — such as severity levels, rule names, and host names — to add filters with those values to the Alerts page. + +[role="screenshot"] +image::images/alerts-viz-summary.png[Summary visualization for alerts] + +[discrete] === Trend -The trend view is the default visualization on the Alerts page and shows the occurrence of alerts over time. By default, it groups alerts by detection rule name (`kibana.alert.rule.name`). +The trend view shows the occurrence of alerts over time. By default, it groups alerts by detection rule name (`kibana.alert.rule.name`). NOTE: The *Group by top* menu is unavailable for the trend view. [role="screenshot"] image::images/alerts-viz-trend.png[Trend visualization for alerts] -=== Table -The table view shows the count of alerts in each group. By default, it groups alerts first by detection rule name (`kibana.alert.rule.name`), then by host name (`host.name`). +[discrete] +=== Counts +The counts view shows the count of alerts in each group. By default, it groups alerts first by detection rule name (`kibana.alert.rule.name`), then by host name (`host.name`). 
[role="screenshot"] -image::images/alerts-viz-table.png[Table visualization for alerts] +image::images/alerts-viz-counts.png[Counts visualization for alerts] +[discrete] === Treemap The treemap view shows the distribution of alerts as nested, proportionally-sized tiles. This view can help you quickly pinpoint the most prevalent and critical alerts. diff --git a/docs/detections/images/additional-filters.png b/docs/detections/images/additional-filters.png index d21a162c12..af39ef8d42 100644 Binary files a/docs/detections/images/additional-filters.png and b/docs/detections/images/additional-filters.png differ diff --git a/docs/detections/images/alert-page-visualizations.png b/docs/detections/images/alert-page-visualizations.png index d03da894e8..a291259d6d 100644 Binary files a/docs/detections/images/alert-page-visualizations.png and b/docs/detections/images/alert-page-visualizations.png differ diff --git a/docs/detections/images/alert-page-viz-collapsed.png b/docs/detections/images/alert-page-viz-collapsed.png new file mode 100644 index 0000000000..b8d7a793ea Binary files /dev/null and b/docs/detections/images/alert-page-viz-collapsed.png differ diff --git a/docs/detections/images/alert-page.png b/docs/detections/images/alert-page.png index 54244edc8a..d5ea721cce 100644 Binary files a/docs/detections/images/alert-page.png and b/docs/detections/images/alert-page.png differ diff --git a/docs/detections/images/alert-table-toolbar-buttons.png b/docs/detections/images/alert-table-toolbar-buttons.png index fdb6deaee5..91211efadd 100644 Binary files a/docs/detections/images/alert-table-toolbar-buttons.png and b/docs/detections/images/alert-table-toolbar-buttons.png differ diff --git a/docs/detections/images/alerts-viz-counts.png b/docs/detections/images/alerts-viz-counts.png new file mode 100644 index 0000000000..45af7cccfa Binary files /dev/null and b/docs/detections/images/alerts-viz-counts.png differ 
diff --git a/docs/detections/images/alerts-viz-summary.png b/docs/detections/images/alerts-viz-summary.png new file mode 100644 index 0000000000..d15a12b714 Binary files /dev/null and b/docs/detections/images/alerts-viz-summary.png differ diff --git a/docs/detections/images/alerts-viz-table.png b/docs/detections/images/alerts-viz-table.png deleted file mode 100644 index 4ae16a4f3f..0000000000 Binary files a/docs/detections/images/alerts-viz-table.png and /dev/null differ diff --git a/docs/detections/images/alerts-viz-treemap.png b/docs/detections/images/alerts-viz-treemap.png index 52c7126c84..5383244b84 100644 Binary files a/docs/detections/images/alerts-viz-treemap.png and b/docs/detections/images/alerts-viz-treemap.png differ diff --git a/docs/detections/images/alerts-viz-trend.png b/docs/detections/images/alerts-viz-trend.png index 3651223b7f..82671e084f 100644 Binary files a/docs/detections/images/alerts-viz-trend.png and b/docs/detections/images/alerts-viz-trend.png differ diff --git a/docs/detections/images/collapse-icon-horiz-down.png b/docs/detections/images/collapse-icon-horiz-down.png new file mode 100644 index 0000000000..406dfcd928 Binary files /dev/null and b/docs/detections/images/collapse-icon-horiz-down.png differ diff --git a/docs/detections/images/event-rendered-view.png b/docs/detections/images/event-rendered-view.png index 079f75c701..54471ada23 100644 Binary files a/docs/detections/images/event-rendered-view.png and b/docs/detections/images/event-rendered-view.png differ diff --git a/docs/detections/images/expand-icon-vertical-right.png b/docs/detections/images/expand-icon-vertical-right.png new file mode 100644 index 0000000000..5ce4ddd974 Binary files /dev/null and b/docs/detections/images/expand-icon-vertical-right.png differ 
diff --git a/docs/detections/images/group-alerts-expand.png b/docs/detections/images/group-alerts-expand.png new file mode 100644 index 0000000000..0304592bd8 Binary files /dev/null and b/docs/detections/images/group-alerts-expand.png differ diff --git a/docs/detections/images/group-alerts.png b/docs/detections/images/group-alerts.png new file mode 100644 index 0000000000..359103801b Binary files /dev/null and b/docs/detections/images/group-alerts.png differ
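Review bot: the rewritten bullet in the `@@ -21,7 +21,7 @@` hunk of alerts-ui-manage.asciidoc ends with "Refer to <> for more on each view type", and the cross-reference target is not visible in this hunk; confirm it points at the anchor of the visualizations page so the renamed view types (*Summary*, *Trend*, *Counts*, *Treemap*) resolve to the section that documents them. The same empty-looking reference appears in the new Group alerts section ("such as <>") and in the status hunk ("the status of <>"), so check all three render.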
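Review bot: in the new Group alerts section (`@@ -37,6 +37,26 @@` hunk), the *Take actions* bullet says the menu performs "a bulk action on all alerts in a group" but does not say whether that means every alert matching the group value or only the alerts currently loaded in the table, nor whether the active time range and filters bound it; an analyst can close or acknowledge alerts they never opened, so state the scope explicitly in that bullet.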
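Review bot: the `@@ -86,14 +106,16 @@` hunk replaces the explicit status list (*Mark as open*, *Mark as acknowledged*, or *Mark as closed*) with "select a status" in all four bullets, so after this change the procedure never names the statuses an analyst can choose; keep the enumeration once, for example in the unchanged lead sentence "To change an alert's status, do one of the following:" or in the first bullet.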
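Review bot: in the `@@ -4,33 +4,55 @@` hunk of alerts-visualizations.asciidoc, the unchanged lead sentence still reads "group detection alerts by specific parameters", while the matching bullet in alerts-ui-manage.asciidoc is changed in this same patch from "parameters" to "fields"; make the same change here. In the same hunk, "*Top alerts by* or *Group by*: Primary field for grouping alerts" does not say which view type shows which label, even though the Summary section below documents *Top alerts by* as its own control; name the view each label belongs to so the reader can map the labels to the view-type buttons.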
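Review bot: docs/detections/images/alerts-viz-table.png is deleted and replaced by alerts-viz-counts.png, and the only include updated in this patch is the one in alerts-visualizations.asciidoc; search the rest of docs/ for alerts-viz-table.png before merging so no other page is left with a broken image include.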