Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DOCS] Updating "Manage detection alerts" topic #666

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
7b6e59d
Updating topic title.
nastasha-solomon May 3, 2021
8def142
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 6, 2021
6a1ff99
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 10, 2021
530e739
Expanded the section about vieiwing and filtering detection alerts.
nastasha-solomon May 11, 2021
a329e56
Fixed minor typos.
nastasha-solomon May 11, 2021
ad0df32
Updated section for customizing the Alerts table and added a section …
nastasha-solomon May 11, 2021
a67798e
Added float tag before the Customize the Alerts table section and fix…
nastasha-solomon May 11, 2021
f758ba0
Added images and started the view alert details section.
nastasha-solomon May 11, 2021
88a8b2c
Minor updates to drafted section.
nastasha-solomon May 11, 2021
89b32c6
Fixed minor issues.
nastasha-solomon May 12, 2021
c86ec95
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 13, 2021
902064f
Commiting drafted changes. Additional changes incoming.
nastasha-solomon May 13, 2021
4d82784
Incorporated additional comments from Ece.
nastasha-solomon May 13, 2021
dffc4bf
Removed duplicate text in description of Threat Intel tab.
nastasha-solomon May 14, 2021
9c07fb6
Re-adding feedback from Ece.
nastasha-solomon May 14, 2021
5e526a9
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 14, 2021
2a428d4
Incorporated Ece's latest suggestion.
nastasha-solomon May 17, 2021
508b8fd
Adding missing commas.
nastasha-solomon May 17, 2021
0a695f8
Incorporating feedback from Janeen,
nastasha-solomon May 19, 2021
359914e
Minor typos.
nastasha-solomon May 20, 2021
5cb41c3
Updated screenshot showing Detections page.
nastasha-solomon May 20, 2021
4094b03
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 24, 2021
e57a028
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 24, 2021
1033b26
Merge branch 'master' into issue-664-update-managing-detection-alerts…
jmikell821 May 25, 2021
49027c8
Updates to new prebuilt rules integration
jmikell821 May 25, 2021
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
100 changes: 83 additions & 17 deletions docs/detections/alerts-ui-manage.asciidoc
Original file line number Diff line number Diff line change
@@ -1,49 +1,117 @@
[[alerts-ui-manage]]
[role="xpack"]
== Managing detection alerts
== Manage detection alerts

The Detections page displays all <<detection-alert-def, detection alerts>>.
From the Alerts table, you can change an alert's status, and start
From the Alerts table, you can filter alerts, change an alert's status, and start
investigating and analyzing alerts in Timeline.

TIP: From Timeline, you can <<cases-ui-open, create cases>> to track issues and
share information with colleagues.

To view detection alerts created by a specific rule, you can:
[float]
[[download-prebuilt-rules]]
=== Download latest prebuilt Elastic rules

[beta]

As of {stack} >=7.13.0., you can download the latest version of Elastic prebuilt rules outside of a regular release cycle. This feature ensures you have the latest detection capabilties before upgrading to the latest {stack}.

To download the latest version of prebuilt rules:

. In {kib}, go to *Fleet > Integrations*.
. Search for "Prebuilt Security Detection Rules."
. Select the integration, then click *Add Prebuilt Security Detection Rules*. The integration configuration page is displayed.
. (Optional) If you have an {agent} enrolled and have created an agent policy you want to assign to this integration, select it from the drop-down.
. Configure the integration settings by entering a name and optional description.
. Click *Save integration* in the lower right corner.

[role="screenshot"]
image::images/prebuilt-integration.png[]

[float]
[[detection-view-and-filter-alerts]]
=== View and filter detection alerts
The Detections page offers various ways for you to organize and triage detection alerts as you investigate suspicious events. You can:

* Filter for a specific rule in the KQL bar (for example,
`signal.rule.name :"SSH (Secure Shell) from the Internet"`).
* View detection alerts in the *Rule details* page (click
*Manage detection rules* -> rule name in the *All rules* table).

NOTE: KQL autocomplete for `.siem-signals-*` indices is available on the
*Detections* and *Rule details* pages, and in Timeline when either `All` or
`Detection alerts` is selected.

TIP: Use the icons in the upper left corner of the Alerts table to customize
displayed columns and row renderers, and view the table in full screen mode.
* Use the date and time filter to select a time range that you’re interested in exploring. By default, this filter is set to search the last 24 hours.
* View detection alerts generated by a specific rule. To do this, click *Manage detection rules*, then click on a rule name in the All rules table. The *Rules detail page* displays a comprehensive view of the rule's details, and alert details are displayed in the Alerts table beneath the Trend histogram.
* Use the *Stack by* dropdown in the Trend histogram to select specific parameters by which to visualize the individual counts. For example, if you select `signal.rule.name`, the histogram displays the total counts by alert name.
* Filter alert results to include building block alerts or to only show alerts from indicator match rules by selecting the *Additional filters* drop-down. By default, building block alerts are excluded from the Alerts table; therefore, including them expands the number of alerts.

NOTE: When updating alert results to also include building block alerts, the Security app searches the `.siem-signals-<Kibana space>` index for the `signal.rule.building_block_type` field. When looking for alerts created from indicator match rules, the app searches the same index for the `signal.rule.threat_mapping` field.

[role="screenshot"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, IMO, we don't need this many arrows. I think we should just draw a box around the additional filter options and maybe the stack by drop-down. WDYT?

Copy link
Contributor Author

@nastasha-solomon nastasha-solomon May 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree that we don't need as many arrows. Initially, I figured it'd be useful to include a screenshot that highlighted all the components listed. However, because of where the image is placed (after the last bullet), it might make more sense to only highlight the Additional Filters dropdown. That said, if we want to emphasize that the Trend histogram can be filtered too, it'd make sense to draw a box around the Stack by dropdown as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing the arrows and only highlighting the Additional Filters dropdown to resolve this comment.

image::images/additional-filters.png[Shows multiple ways to filter information]

[float]
[[customize-the-alerts-table]]
=== Customize the Alerts table
Use the buttons in the upper left corner of the Alerts table to customize the columns you want displayed and to view the table in full-screen mode.

[role="screenshot"]
image::images/alert-table-columns-and-size.gif[width=100%][height=100%][Demo that shows how to select the customize display button and full screen button]

Click the *Customize Event Renderers* button to enable event renderers within the Alerts table. When enabled, event renderers show relevant details that provide more context to the event. For example, if you enable the *Flow* Event Renderer, the Alerts table shows relevant details describing the data flow between a source and destination. These details include information such as hosts, ports, protocol, direction, duration, amount transferred, process, and geographic location.

[role="screenshot"]
image::images/customize-event-renderer.png[Shows the Event Renderer button, 200]

All event renderers are disabled by default. To switch between event views in the Alerts table, you can enable individual event renderers or click *Enable all*. Closing the *Customize Event Renderers* page saves your configurations.

[role="screenshot"]
image::images/customize-event-renderer-page.png[Shows the Event Renderer page]

[float]
[[view-alert-details]]
=== View alert details
To further inspect an alert, click the *View details* button from the Alerts table.

[role="screenshot"]
image::images/view-alert-details.png[Shows the Event Renderer button, 200]

The Alert details flyout appears and offers several options for viewing alert details:

* *Summary*: Shows an aggregated view of alert details. Alerts that have been enriched with `threat.indicator` data also display the *threat summary* section, which is an additional section located beneath the alert summary. In the *threat summary* section, you can view mapped data for the following `threat.indicator` subfields:
** `matched.field`
** `matched.type`
** `source (threat.indicator.provider)`
** `first_seen`
** `last_seen`

NOTE: If an alert is linked to more than one threat, `threat.indicator` data is still aggregated under the *threat summary* section, but will be parsed out in the *Threat Intel* tab.

* *Threat Intel*: Shows the number of matched threats and displays them individually. Threats appear in reverse chronological order, with the most recent alerts at the top. The available `threat.indicator` and `source.event` data is displayed for each threat. If the alert has not been enriched with threat data, the *Threat Intel* tab displays the message "No Threat Intel Enrichment Found" and provides a link to Threat Intel module documentation.
* *Table*: Shows the alert details in table format. Alert details are organized into field value pairs.
* *JSON View*: Shows the alert details in JSON format.

[float]
[[detection-alert-status]]
=== Change alert statuses

You can set an alert's status to indicate whether it needs to be investigated
(`Open`), is under active investigation (`In progress`), or resolved
(`Closed`). By default, the Alerts table displays open alerts. To view alerts
(*Open*), is under active investigation (*In progress*), or resolved
(*Closed*). By default, the Alerts table displays open alerts. To view alerts
with other statuses, click *In progress* or *Closed*.

To change alert statuses, either:

* In the alert's row, click the *more options* icon, and then select the
required status (*Mark in progress*, *Close alert*, or *Open alert*).
* In the alert's row, click the *More actions* button, then select the appropriate status (*Mark in progress*, *Close alert*, or *Open alert*).
* In the Alerts table, select all the alerts you want to change, and then select
*Take action* -> *Close selected*, *Open selected*, or *Mark in progress*.

[float]
[[signals-to-timelines]]
=== Send alerts to Timeline

To view an alert in Timeline, click the *Investigate in timeline* icon.
To view an alert in Timeline, click the *Investigate in timeline* button.

TIP: When you send an alert generated by a
<<rules-ui-create, threshold rule>> to Timeline, all matching events are
Expand All @@ -52,9 +120,7 @@ example, if you have an alert generated by a threshold rule that detects 10
failed login attempts, when you send that alert to Timeline all failed login
attempts detected by the rule are listed.

If the rule that generated the alert uses a Timeline template, when you
investigate the alert in Timeline, the dropzone query values defined in the
template are replaced with their corresponding alert values.
Suppose the rule that generated the alert uses a Timeline template. In this case, when you investigate the alert in Timeline, the dropzone query values defined in the template are replaced with their corresponding alert values.

// * `host.name`
// * `host.hostname`
Expand Down Expand Up @@ -89,7 +155,7 @@ You can add exceptions to the rule that generated the alert directly from the
Alerts table. Exceptions prevent a rule from generating alerts even when its
criteria are met.

To add an exception, click the actions icon (three dots) and then select
To add an exception, click the actions button (three dots) and then select
_Add exception_.

For information about exceptions and how to use them, see
Expand All @@ -100,4 +166,4 @@ For information about exceptions and how to use them, see
=== Visually analyze process relationships

For process events received from the Elastic Endpoint agent, you can open a
visual mapping of the relationships and hierarchy connecting related processes. For more information see, <<visual-event-analyzer>>.
visual mapping of the relationships and hierarchy connecting related processes. For more information see, <<visual-event-analyzer>>.
Binary file added docs/detections/images/additional-filters.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/detections/images/prebuilt-integration.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/detections/images/view-alert-details.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/events/images/test2.gif
Binary file not shown.
2 changes: 1 addition & 1 deletion docs/getting-started/security-ui.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,7 @@ Use your keyboard to navigate through rows, columns, and menu options in the Ela
* Use the directional arrows to move keyboard focus right, left, up, and down in a table.

[role="screenshot"]
image::images/timeline-ui-accessiblity-directional-arrows.gif[width=100%][height=100%][Demo that shows how to to move keyboard focus right, left, up, and down in a table]
image::images/timeline-ui-accessiblity-directional-arrows.gif[width=100%][height=100%][Demo that shows how to move keyboard focus right, left, up, and down in a table]

* Press the `Tab` key to navigate through a table cell with multiple elements, such as buttons, field names, and menus. Pressing the `Tab` key will apply keyboard focus in a sequential manner to each element in the table cell.

Expand Down