-
Notifications
You must be signed in to change notification settings - Fork 191
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DOCS] Updating "Manage detection alerts" topic #666
[DOCS] Updating "Manage detection alerts" topic #666
Conversation
…for viewing alert details.
…ed typo in alt text within security-ui file.
@ecezalp and @rylnd elastic/kibana#96096 docs are available for review at #666. I've drafted an outline for elastic/kibana#97185 and will be adding to it once I have more information. Thanks in advance for your help! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nastasha-solomon this is looking great so far! I had one comment about terminology, but please let us know if you're looking for specific feedback and/or need more info.
** `source (threat.indicator.provider)`` | ||
** `first_seen` | ||
** `last_seen` | ||
* *Threat Intel*: Shows the number of threat intelligence sources. If you you haven't enabled any, this tab displays the messaage `No Threat Intel Enrichment Found`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo:
* *Threat Intel*: Shows the number of threat intelligence sources. If you you haven't enabled any, this tab displays the messaage `No Threat Intel Enrichment Found`. | |
* *Threat Intel*: Shows the number of threat intelligence sources. If you haven't enabled any, this tab displays the messaage `No Threat Intel Enrichment Found`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it may be more accurate to describe these as "indicator enrichments" or "matched indicators," or something to that effect; "intelligence sources" conveys (to me) a broader idea than what we're displaying on this tab. I don't know if we have standardized this language.
@MikePaquette @shimonmodi any thoughts here? The Enrichment RFC is currently describing these fields generally as "threat enrichments", of which "indicator rule match" may be a subtype.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rylnd can you clarify what is actually displayed in that location?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what we are displaying is each item within the threat.indicator array on that specific alert. So we are displaying information copied over from the indicator document for each threat match on an alert. Chatted with Nastasha this morning and we agree with Ryland's comment, we will be updating this piece
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @ecezalp SGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good! I believe that we can expand on the Threat Summary and Threat Intel sections slightly to include some of the information we have discussed during our call today, such as
- Threat Summary shows the fields in an aggregated fashion
- Threat Intel tab shows all fields from all matched threats with the specific mentioning of
threat.indicator
field being the parent of all information displayed - Number of matched threats show up in the title of the Threat Intel tab
- Threats are organized by timestamp with the most recent at the top within the Threat Intel tab
- source event details visible as a part of each threat match
* View detection alerts in the *Rule details* page (click | ||
*Manage detection rules* -> rule name in the *All rules* table). | ||
* Use the *Stack by* dropdown in the Detection alert trend histogram to select specific parameters for which to visualize the individual counts. For example, if you choose to stack by `signal.rule.name`, the histogram will display the total counts by alert name. | ||
* Augment the results shown in the Alerts table to include alerts from building blocks or only show alerts from indicator match rules. By default, building block alerts are excluded from the Alerts table. Opting to include them expands the results and displays building block alerts alongside regular detection alerts. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rylnd @shimonmodi this is an interesting one. So we are filtering the alerts on signal.rule.threat_mapping - which I believe exists in all indicator match rules. Are we anticipating a future scenario in which threat match rules is a sub-category of indicator match rules, where threat_mapping
exists only on indicator matches of threat type? Unless I am mistaken, we are using the two concepts of indicator match and threat match interchangeably at the moment, which could create confusion for the end users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @nastasha-solomon - a few suggestions to make some of the sentences a little more concise. Can we edit the following as well, please?
Change alert statuses
In the alert’s row, click the more options icon, and then select the required status (Mark in progress, Close alert, or Open alert).
Change to:
In the alert’s row, click the More actions button (...), then select the appropriate status (Mark in progress, Close alert, or Open alert).
Send alerts to Timeline
If the rule that generated the alert uses a Timeline template, when you investigate the alert in Timeline, the dropzone query values defined in the template are replaced with their corresponding alert values.
Change to
Suppose the rule that generated the alert uses a Timeline template. In this case, when you investigate the alert in Timeline, the dropzone query values defined in the template are replaced with their corresponding alert values.
I tend to miss things the first go round, so will review again once feedback is merged. Thanks!
* Updating topic title. * Expanded the section about vieiwing and filtering detection alerts. * Fixed minor typos. * Updated section for customizing the Alerts table and added a section for viewing alert details. * Added float tag before the Customize the Alerts table section and fixed typo in alt text within security-ui file. * Added images and started the view alert details section. * Minor updates to drafted section. * Fixed minor issues. * Commiting drafted changes. Additional changes incoming. * Incorporated additional comments from Ece. * Removed duplicate text in description of Threat Intel tab. * Re-adding feedback from Ece. * Incorporated Ece's latest suggestion. * Adding missing commas. * Incorporating feedback from Janeen, * Minor typos. * Updated screenshot showing Detections page. * Updates to new prebuilt rules integration Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> Co-authored-by: jmikell821 <janeen.mikellstraughn@elastic.co>
* Updating topic title. * Expanded the section about vieiwing and filtering detection alerts. * Fixed minor typos. * Updated section for customizing the Alerts table and added a section for viewing alert details. * Added float tag before the Customize the Alerts table section and fixed typo in alt text within security-ui file. * Added images and started the view alert details section. * Minor updates to drafted section. * Fixed minor issues. * Commiting drafted changes. Additional changes incoming. * Incorporated additional comments from Ece. * Removed duplicate text in description of Threat Intel tab. * Re-adding feedback from Ece. * Incorporated Ece's latest suggestion. * Adding missing commas. * Incorporating feedback from Janeen, * Minor typos. * Updated screenshot showing Detections page. * Updates to new prebuilt rules integration Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> Co-authored-by: jmikell821 <janeen.mikellstraughn@elastic.co>
* Updating topic title. * Expanded the section about vieiwing and filtering detection alerts. * Fixed minor typos. * Updated section for customizing the Alerts table and added a section for viewing alert details. * Added float tag before the Customize the Alerts table section and fixed typo in alt text within security-ui file. * Added images and started the view alert details section. * Minor updates to drafted section. * Fixed minor issues. * Commiting drafted changes. Additional changes incoming. * Incorporated additional comments from Ece. * Removed duplicate text in description of Threat Intel tab. * Re-adding feedback from Ece. * Incorporated Ece's latest suggestion. * Adding missing commas. * Incorporating feedback from Janeen, * Minor typos. * Updated screenshot showing Detections page. * Updates to new prebuilt rules integration Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> Co-authored-by: jmikell821 <janeen.mikellstraughn@elastic.co> Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> Co-authored-by: jmikell821 <janeen.mikellstraughn@elastic.co>
* Updating topic title. * Expanded the section about vieiwing and filtering detection alerts. * Fixed minor typos. * Updated section for customizing the Alerts table and added a section for viewing alert details. * Added float tag before the Customize the Alerts table section and fixed typo in alt text within security-ui file. * Added images and started the view alert details section. * Minor updates to drafted section. * Fixed minor issues. * Commiting drafted changes. Additional changes incoming. * Incorporated additional comments from Ece. * Removed duplicate text in description of Threat Intel tab. * Re-adding feedback from Ece. * Incorporated Ece's latest suggestion. * Adding missing commas. * Incorporating feedback from Janeen, * Minor typos. * Updated screenshot showing Detections page. * Updates to new prebuilt rules integration Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> Co-authored-by: jmikell821 <janeen.mikellstraughn@elastic.co> Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> Co-authored-by: jmikell821 <janeen.mikellstraughn@elastic.co>
Addresses #664, elastic/kibana#96096 (see the fifth bullet under the section "View and filter detection alerts"), and elastic/kibana#97185 (see the section titled "View alert details").
Preview here.