[DOCS] Updating "Manage detection alerts" topic #666
Changes from 10 commits
@rylnd @shimonmodi this is an interesting one. So we are filtering the alerts on signal.rule.threat_mapping - which I believe exists in all indicator match rules. Are we anticipating a future scenario in which threat match rules are a sub-category of indicator match rules, where threat_mapping exists only on indicator matches of threat type? Unless I am mistaken, we are using the two concepts of indicator match and threat match interchangeably at the moment, which could create confusion for the end users.
So, IMO, we don't need this many arrows. I think we should just draw a box around the additional filter options and maybe the stack by drop-down. WDYT?
Agree that we don't need as many arrows. Initially, I figured it'd be useful to include a screenshot that highlighted all the components listed. However, because of where the image is placed (after the last bullet), it might make more sense to only highlight the Additional Filters dropdown. That said, if we want to emphasize that the Trend histogram can be filtered too, it'd make sense to draw a box around the Stack by dropdown as well.
Removing the arrows and only highlighting the Additional Filters dropdown to resolve this comment.
Typo:
I think it may be more accurate to describe these as "indicator enrichments" or "matched indicators," or something to that effect; "intelligence sources" conveys (to me) a broader idea than what we're displaying on this tab. I don't know if we have standardized this language.
@MikePaquette @shimonmodi any thoughts here? The Enrichment RFC is currently describing these fields generally as "threat enrichments", of which "indicator rule match" may be a subtype.
@rylnd can you clarify what is actually displayed in that location?
What we are displaying is each item within the threat.indicator array on that specific alert. So we are displaying information copied over from the indicator document for each threat match on an alert. Chatted with Nastasha this morning and we agree with Ryland's comment; we will be updating this piece.
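As an added example (not code from this PR or from Elastic Security), the script below does the two things the thread describes over a handful of constructed alert documents: it keeps only alerts whose rule carries `signal.rule.threat_mapping` (the same condition as an Elasticsearch `exists` filter on that field) and then flattens each alert's `threat.indicator` array into the per-match rows the tab shows. The only field names taken from the thread are `signal.rule.threat_mapping` and `threat.indicator`; the rest of the alert shape (`signal.rule.type`, `signal.rule.name`, `threat.indicator[].matched.field/atomic/type`, `provider`) and every value are assumptions made for the example. The last sample alert is the hypothetical the reviewer raises, an alert that carries indicator enrichment but no `threat_mapping`, to show that the two conditions are not the same thing.

```python
"""Added example, not project code: indicator-match alert filtering and
matched-indicator display over constructed alert documents."""
from typing import Any, List, Optional, Tuple

# Constructed sample alerts. Only signal.rule.threat_mapping and
# threat.indicator come from the thread; other fields and all values are
# assumptions made for this example.
SAMPLE_ALERTS: List[dict] = [
    {  # alert from an indicator match rule with one matched indicator
        "signal": {"rule": {
            "name": "Indicator match: known bad IPs", "type": "threat_match",
            "threat_mapping": [{"entries": [{"field": "source.ip", "type": "mapping",
                                             "value": "threatintel.indicator.ip"}]}]}},
        "threat": {"indicator": [
            {"matched": {"field": "source.ip", "atomic": "203.0.113.9", "type": "ip"},
             "provider": "constructed-feed-a"}]},
    },
    {  # indicator match rule whose alert matched two indicators
        "signal": {"rule": {
            "name": "Indicator match: file hashes", "type": "threat_match",
            "threat_mapping": [{"entries": [{"field": "file.hash.sha256", "type": "mapping",
                                             "value": "threatintel.indicator.file.hash.sha256"}]}]}},
        "threat": {"indicator": [
            {"matched": {"field": "file.hash.sha256", "atomic": "a" * 64, "type": "file"},
             "provider": "constructed-feed-b"},
            {"matched": {"field": "file.hash.sha256", "atomic": "a" * 64, "type": "file"},
             "provider": "constructed-feed-c"}]},
    },
    {  # ordinary query rule: no threat_mapping, no enrichment
        "signal": {"rule": {"name": "Unusual process", "type": "query"}},
    },
    {  # hypothetical (the reviewer's scenario): enrichment without a threat_mapping
        "signal": {"rule": {"name": "Enriched query rule", "type": "query"}},
        "threat": {"indicator": [
            {"matched": {"field": "destination.ip", "atomic": "198.51.100.7", "type": "ip"},
             "provider": "constructed-feed-a"}]},
    },
]


def get_path(doc: dict, dotted: str) -> Optional[Any]:
    """Walk a dotted field name through nested dicts; None when any part is absent."""
    cur: Any = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def threat_mapping_exists_query() -> dict:
    """Elasticsearch query DSL for the filter the thread describes."""
    return {"query": {"bool": {"filter": [
        {"exists": {"field": "signal.rule.threat_mapping"}}]}}}


def has_threat_mapping(alert: dict) -> bool:
    """Local equivalent of the `exists` filter: field present and non-empty
    (Elasticsearch treats null and an empty array as missing)."""
    value = get_path(alert, "signal.rule.threat_mapping")
    return value is not None and value != []


def indicator_match_alerts(alerts: List[dict]) -> List[dict]:
    return [a for a in alerts if has_threat_mapping(a)]


def matched_indicators(alert: dict) -> List[Tuple]:
    """Flatten threat.indicator[] into (matched field, matched value, type, provider)
    rows, one per indicator match on the alert."""
    rows = []
    for ind in get_path(alert, "threat.indicator") or []:
        matched = ind.get("matched", {})
        rows.append((matched.get("field"), matched.get("atomic"),
                     matched.get("type"), ind.get("provider")))
    return rows


def matched_indicator_table(alerts: List[dict]) -> List[Tuple]:
    """Rule name plus indicator rows for every alert that passes the filter."""
    return [(get_path(a, "signal.rule.name"), *row)
            for a in indicator_match_alerts(alerts) for row in matched_indicators(a)]


if __name__ == "__main__":
    for row in matched_indicator_table(SAMPLE_ALERTS):
        print(row)
    # The hypothetical alert is dropped by the filter even though it carries
    # indicator enrichment, which is the gap the reviewer asks about.
    print("enriched-but-unmapped rows:", matched_indicators(SAMPLE_ALERTS[3]))
```

Running it lists three rows (one for the IP rule, two for the hash rule) and then the one enrichment row from the unmapped alert that the `threat_mapping` filter discards; if that fourth shape is ever real, the Additional Filters option and the indicator tab would disagree about which alerts are "indicator matches".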
Thanks @ecezalp SGTM