[DOCS] Updating "Manage detection alerts" topic #666

7b6e59d
Updating topic title.
nastasha-solomon May 3, 2021
8def142
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 6, 2021
6a1ff99
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 10, 2021
530e739
Expanded the section about viewing and filtering detection alerts.
nastasha-solomon May 11, 2021
a329e56
Fixed minor typos.
nastasha-solomon May 11, 2021
ad0df32
Updated section for customizing the Alerts table and added a section …
nastasha-solomon May 11, 2021
a67798e
Added float tag before the Customize the Alerts table section and fix…
nastasha-solomon May 11, 2021
f758ba0
Added images and started the view alert details section.
nastasha-solomon May 11, 2021
88a8b2c
Minor updates to drafted section.
nastasha-solomon May 11, 2021
89b32c6
Fixed minor issues.
nastasha-solomon May 12, 2021
c86ec95
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 13, 2021
902064f
Committing drafted changes. Additional changes incoming.
nastasha-solomon May 13, 2021
4d82784
Incorporated additional comments from Ece.
nastasha-solomon May 13, 2021
dffc4bf
Removed duplicate text in description of Threat Intel tab.
nastasha-solomon May 14, 2021
9c07fb6
Re-adding feedback from Ece.
nastasha-solomon May 14, 2021
5e526a9
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 14, 2021
2a428d4
Incorporated Ece's latest suggestion.
nastasha-solomon May 17, 2021
508b8fd
Adding missing commas.
nastasha-solomon May 17, 2021
0a695f8
Incorporating feedback from Janeen,
nastasha-solomon May 19, 2021
359914e
Minor typos.
nastasha-solomon May 20, 2021
5cb41c3
Updated screenshot showing Detections page.
nastasha-solomon May 20, 2021
4094b03
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 24, 2021
e57a028
Merge branch 'master' into issue-664-update-managing-detection-alerts…
nastasha-solomon May 24, 2021
1033b26
Merge branch 'master' into issue-664-update-managing-detection-alerts…
jmikell821 May 25, 2021
49027c8
Updates to new prebuilt rules integration
jmikell821 May 25, 2021
63 changes: 55 additions & 8 deletions docs/detections/alerts-ui-manage.asciidoc
@@ -1,27 +1,74 @@
[[alerts-ui-manage]]
[role="xpack"]
== Managing detection alerts
== Manage detection alerts

The Detections page displays all <<detection-alert-def, detection alerts>>.
From the Alerts table, you can change an alert's status, and start
From the Alerts table, you can filter alerts, change an alert's status, and start
investigating and analyzing alerts in Timeline.

TIP: From Timeline, you can <<cases-ui-open, create cases>> to track issues and
share information with colleagues.

To view detection alerts created by a specific rule, you can:
[float]
[[detection-view-and-filter-alerts]]
=== View and filter detection alerts
The Detections page offers a variety of ways for you to organize and triage detection alerts as you investigate suspicious events. You can:

* Filter for a specific rule in the KQL bar (for example,
`signal.rule.name :"SSH (Secure Shell) from the Internet"`).
* View detection alerts in the *Rule details* page (click
*Manage detection rules* -> rule name in the *All rules* table).

NOTE: KQL autocomplete for `.siem-signals-*` indices is available on the
*Detections* and *Rule details* pages, and in Timeline when either `All` or
`Detection alerts` is selected.

TIP: Use the icons in the upper left corner of the Alerts table to customize
displayed columns and row renderers, and view the table in full screen mode.
* Use the date and time filter to select a time range that you’re interested in exploring. By default, this filter is set to search through the last 24 hours.
* View detection alerts in the *Rule details* page (click
*Manage detection rules* -> rule name in the *All rules* table).
* Use the *Stack by* dropdown in the Detection alert trend histogram to select specific parameters for which to visualize the individual counts. For example, if you choose to stack by `signal.rule.name`, the histogram will display the total counts by alert name.
* Augment the results shown in the Alerts table to include alerts from building blocks or only show alerts from indicator match rules. By default, building block alerts are excluded from the Alerts table. Opting to include them expands the results and displays building block alerts alongside regular detection alerts.
@rylnd @shimonmodi this is an interesting one. So we are filtering the alerts on signal.rule.threat_mapping - which I believe exists in all indicator match rules. Are we anticipating a future scenario in which threat match rules is a sub-category of indicator match rules, where threat_mapping exists only on indicator matches of threat type? Unless I am mistaken, we are using the two concepts of indicator match and threat match interchangeably at the moment, which could create confusion for the end users.


NOTE: When updating alert results to also include building block alerts, the Security app searches the `.siem-signals-<Kibana space>` index for the `signal.rule.building_block_type` field. When looking for alerts created from indicator match rules, the app searches the same index for the `signal.rule.threat_mapping` field.

[role="screenshot"]
So, IMO, we don't need this many arrows. I think we should just draw a box around the additional filter options and maybe the stack by drop-down. WDYT?

@nastasha-solomon nastasha-solomon May 19, 2021

Agree that we don't need as many arrows. Initially, I figured it'd be useful to include a screenshot that highlighted all the components listed. However, because of where the image is placed (after the last bullet), it might make more sense to only highlight the Additional Filters dropdown. That said, if we want to emphasize that the Trend histogram can be filtered too, it'd make sense to draw a box around the Stack by dropdown as well.

Removing the arrows and only highlighting the Additional Filters dropdown to resolve this comment.

image::images/additional-filters.png[Shows multiple ways to filter information]

[float]
[[customize-the-alerts-table]]
=== Customize the Alerts table
Use the icons in the upper left corner of the Alerts table to customize displayed columns and to view the table in full screen mode.

[role="screenshot"]
image::images/alert-table-columns-and-size.gif[width=100%][height=100%][Demo that shows how to select the customize display icon and full screen icon]

Click the *Customize Event Renderers* icon to enable event renderers within the Alerts table. When enabled, event renderers show relevant details that provide more context to the event. For example, if you enable the *Flow* Event Renderer, the Alerts table shows relevant details describing the flow of the data between a source and destination. These details could include hosts, ports, protocol, direction, duration, amount transferred, process, and geographic location.

[role="screenshot"]
image::images/customize-event-renderer.png[Shows the Event Renderer icon, 200]

All event renderers are disabled by default. To pivot between event views in the Alerts table, you can enable individual event renderers or click *Enable all*. Closing *Customize Event Renderers* page saves your configurations.

[role="screenshot"]
image::images/customize-event-renderer-page.png[Shows the Event Renderer page]

[float]
[[view-alert-details]]
=== View alert details
To inspect an alert further, click the *View details* icon from the Alerts table.

[role="screenshot"]
image::images/view-alert-details.png[Shows the Event Renderer icon, 200]

The Alert details flyout appears and offers several options for viewing alert details:

* *Summary*: Shows details about the alert. If the alert has been enriched with indicator match fields, the *threat summary* section also displays on the *Summary* tab and provides the details for the following fields:
** `matched.field`
** `matched.type`
** `source (threat.indicator.provider)``
** `first_seen`
** `last_seen`
* *Threat Intel*: Shows the number of threat intelligence sources. If you you haven't enabled any, this tab displays the messaage `No Threat Intel Enrichment Found`.
Typo:

Suggested change
* *Threat Intel*: Shows the number of threat intelligence sources. If you you haven't enabled any, this tab displays the messaage `No Threat Intel Enrichment Found`.
* *Threat Intel*: Shows the number of threat intelligence sources. If you haven't enabled any, this tab displays the messaage `No Threat Intel Enrichment Found`.

I think it may be more accurate to describe these as "indicator enrichments" or "matched indicators," or something to that effect; "intelligence sources" conveys (to me) a broader idea than what we're displaying on this tab. I don't know if we have standardized this language.

@MikePaquette @shimonmodi any thoughts here? The Enrichment RFC is currently describing these fields generally as "threat enrichments", of which "indicator rule match" may be a subtype.

@rylnd can you clarify what is actually displayed in that location?

What we are displaying is each item within the threat.indicator array on that specific alert. So we are displaying information copied over from the indicator document for each threat match on an alert. Chatted with Nastasha this morning and we agree with Ryland's comment, we will be updating this piece.

Thanks @ecezalp SGTM

* *Table*: Shows the alert details in table format. Alert details are organized into field value pairs.
* *JSON View*: Shows the alert details in JSON format.

[float]
[[detection-alert-status]]
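Review bot: the `source (threat.indicator.provider)` item in the Summary tab field list ends with a doubled backtick, which breaks the monospace formatting in the rendered Asciidoc; drop the trailing backtick so the line reads `** \`source (threat.indicator.provider)\``. The Threat Intel bullet has two smaller issues in the same spot: "If you you haven't" doubles the word, and "messaage" is misspelled; the suggested change in the review thread removes the duplicated "you" but still carries "messaage", so both need fixing before merge. The View details screenshot also reuses the alt text "Shows the Event Renderer icon, 200" from the Customize Event Renderers image; it should describe the View details icon instead.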
@@ -100,4 +147,4 @@ For information about exceptions and how to use them, see
=== Visually analyze process relationships

For process events received from the Elastic Endpoint agent, you can open a
visual mapping of the relationships and hierarchy connecting related processes. For more information see, <<visual-event-analyzer>>.
visual mapping of the relationships and hierarchy connecting related processes. For more information see, <<visual-event-analyzer>>.
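Review bot: the misplaced comma in "For more information see, <<visual-event-analyzer>>" should be fixed while this line is being touched: "For more information, see <<visual-event-analyzer>>". The before and after versions of the line read identically here, so the diff is presumably a line-ending or trailing-newline change; worth confirming the editor is not rewriting line endings elsewhere in the file.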
Binary file added docs/detections/images/additional-filters.png
Binary file added docs/detections/images/view-alert-details.png
Binary file removed docs/events/images/test2.gif
2 changes: 1 addition & 1 deletion docs/getting-started/security-ui.asciidoc
@@ -151,7 +151,7 @@ Use your keyboard to navigate through rows, columns, and menu options in the Ela
* Use the directional arrows to move keyboard focus right, left, up, and down in a table.

[role="screenshot"]
image::images/timeline-ui-accessiblity-directional-arrows.gif[width=100%][height=100%][Demo that shows how to to move keyboard focus right, left, up, and down in a table]
image::images/timeline-ui-accessiblity-directional-arrows.gif[width=100%][height=100%][Demo that shows how to move keyboard focus right, left, up, and down in a table]

* Press the `Tab` key to navigate through a table cell with multiple elements, such as buttons, field names, and menus. Pressing the `Tab` key will apply keyboard focus in a sequential manner to each element in the table cell.

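Review bot: the "how to to" duplication is fixed in the alt text, but the image path on the same line still spells `timeline-ui-accessiblity-directional-arrows.gif` with "accessiblity"; if the asset is ever renamed to the correct spelling, this reference and the file need to change together, so consider a follow-up that renames both rather than leaving the typo in the docs source.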