From 594fcf4054af5a94a38f5c07954e1fe0a592af6d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 12 Nov 2024 11:17:16 -0500 Subject: [PATCH 1/2] [Serverless][8.16] Push and overlay display options added to flyout (#6095) * First draft * Minor tweaks (cherry picked from commit b43a8bcbe215ed3528634edd6c4827de98c99b52) # Conflicts: # docs/serverless/alerts/view-alert-details.asciidoc --- docs/detections/alerts-view-details.asciidoc | 2 + docs/detections/images/flyout-settings.png | Bin 0 -> 5416 bytes .../alerts/view-alert-details.asciidoc | 331 ++++++++++++++++++ .../-detections-flyout-settings.png | Bin 0 -> 5416 bytes 4 files changed, 333 insertions(+) create mode 100644 docs/detections/images/flyout-settings.png create mode 100644 docs/serverless/alerts/view-alert-details.asciidoc create mode 100644 docs/serverless/images/view-alert-details/-detections-flyout-settings.png diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index 83ba78e3dc..b4e7f1699c 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc @@ -38,6 +38,8 @@ NOTE: If you've configured the {kibana-ref}/settings.html#server-publicBaseUrl[` + IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyout won't open until you expand a collapsed group and select an individual alert. +* Click the **Flyout settings** icon (image:images/flyout-settings.png[Flyout settings icon,15,15]) to access options for displaying the alert details flyout. The **Overlay** option (which displays the flyout over the Alerts table) is selected by default. Select **Push** to display the flyout to the side of the table instead. In either display, you can resize the flyout panels to your liking. Clicking **Reset size** reverts the flyout to its default dimensions. + * Find basic details about the alert, such as the: ** Associated rule diff --git a/docs/detections/images/flyout-settings.png b/docs/detections/images/flyout-settings.png new file mode 100644 index 0000000000000000000000000000000000000000..a7f23f0df125242db01cef0e273a5bb3a4ed322a GIT binary patch literal 5416 zcmX|DWmFW5+FZK3LqZyshGprlmlo-k?pP2J5a|+W0Rd@tL6)Vv1!<7(?(VMZd%y48 z=bU+F&YYS56RoYOjE7B)4FCY}R8<{#!ckscTUB13LEFpS z&e6pd08oieO~ZJryGQ)_#eaf^n=mFtTRu$_z`d0MFYZGXux4hfjh0f%UOaMypWxopl#_JX?q?3X<)g+ z>yRlxAMwsV1tCv+SkbE9ivR{BT5XJZz~I)FieX~n8X!^i!I!ELg(1Av5!!ckGWzlp zc7Y};0mxMe)4dgK0fxmhighKcK#*i!DLfX(da+=)1y>Z4auBZBV{2xvYGG?q*$eqe zu(HO)@x1~_WDKSjBgxb$K3+y0JDKbmO~3XJ+FqSf{pb5{S5 zLx*D0Z5V?jK4neVGFB!J4O+2jcztF6F4!O7CX+4@@1TFn48;yj;qNll9Ad`tLM~u4 z`u?hDQABURPD8*zOfM8DsK2L0;gNEOGj6@kCaOg#qGn`b=RNxt*JLkkAU~xQv%B+I z_W_+_l#y$Pw-rZpptf<3pK$=PsyW3=SY7P3&CKq+frE?;efKW)EXg!z%bZxJP{5o4 zTmK$%o}cOrNlb${xfY(|3O3{=CgaXB&_ofYB8y=vKcfK>xD2y?I)r6&_orb`j6?Q- zn{`;bwEUyX-;Os|H<3TDA8WQypEz##66c#`oWog>SGnnEXq zD4(&tFnCZ(VWR%EEmZTvJvnnzPX1E~FrGOkMTg?)#|Gl^aDuMkQ=?nX0Ge;V5UW_F4b=`Z4bQ%kTUW2eEnlqi}rL z-h98^@Lk(opIy#NByYiciF?*23dykNuX&c2{2)p#T#V$;s=t6;q}H5#4}87+6nypk zPw7NJa?P}OLcu7m=+thdb+mP+b${Y$8@Y3aVOA_vE|t{6UxjLg=HvEN=yTtPSVvg~ z`wsda`tAE}`cF7WW6*lylN9=k%Ak`vBRW5{rAoB*4)wsC0jXP@Q=G$`lAP{uu}Zf~ zfm3&-Xr*MO%6f>OZTd_wBUt5BgVW$->69jHNsmS!S}I{?9FgZP9n zK?#&Df?)g8`2@RN`*bTqw+{mzf1;c=t(k>5MZ{b$lgbtC#}qIBx%azIsBH6$svP=I z@0oT6!}`TMZIh~++;6R$&oLo1RkK+0%e!x=&!yNX&nR>b1rj1UA+Z$j(+_&5j1!^Q z(nB3f9*Y!#ANq^kQizYv=nXKCo5Fb7c)6;}m>(_xuQOSyh=7~HC*VKfh=mT28%Qqm z2((m3X+mI9=?XtG6R&zT$TM2rSw8c_j^3?(psnY5*t>d9bwWhrBA-S$&+n zX}m=sTJI5_?SqpxN&++dyndDvkCNZ~Yy1PQy)TBYB-ZbsY1szF2CXw4xW92bzqAV8 zw`jC9E;qMsNqOhkHOE|)eFAE<)!R5d|W+gMxvk9LLgY0|17V|qeGf(E0nC^{`2^s6B0K3$X0 zWdNlpP^^se(6Pa%L8!%*RYK5vdpjfEE@PB<)F~Q3lod5h6wgGJh{F_=9hdz|wE5%p z1$!^73pV25bQ!XHzne(;l8(nuV9jl9Tlvbf)DyC?zb^F~qdTo+Xm-nn7g2y zzlbqobFtOUETE)!(E)ioUEDa4g;wK%qS_-Z zS<|K(HY!c5)hSO52g4WrKSv&F*xkm)diG;`Vi8*=JBZ;R9m2P#7sQvu%Sm75Ho8*7 zTh)xze0f8^6#)+n-I`h){9a;K$uRVZ4eZJvT~mLRR_W2}_afZ51lWyrCU4|V3GjM2 zd&bwBom-|4ABmm{PJ7F1N1W^7Pv%{`jc@j~jdkvQUb!!&=FkR}K03Mt?%$W=xzW6L z>2@P^Z>jG0od_1VstT!U8x|B1Nt+l{8<2J}s@U=hSL+#pcf+gT=L4q$)2?<4Ah!qO zRCAx^`Szv~rFJ{l;ohUiBT4bc_d>@)vqnu9gFI{H{>`DjA~VL5`iGsz{RB?FYawy)-Dssmr)h|&E}1N$C49$uJHbn%!rQF@=5vi-cc zWI0hgN|WTxY3OPh_nJC#x)7dm?hS%G9eqeMF}U!#Ie?2uxYhWK?n+H>G_#Bc2pTIYzn6DO+JQ9@Gx>xYR9YUL%9g21y15h}akHmxArM ztxW5n`zJqFb}QHm{PJkF+2_P(<>Y1cJkJ{Jb=$8p-M8DDq}7yzA7JuT!t7kVK z(SS%@DQl|@BzSms06M#K$Nrs%>4wVxE&#$VuWMpqdMoo~O z8A&c4E%u+GXfb6xt2x&es^+*jwW1Eze;2Hat)Z%&h6aH1uf_zRB2fd-{wk!ukV2yQ zpH@O*2cZ1dM+N{Q9RaBSpV9ow|K8sb{NK+1F>)^Q{}MvEDF4&of1~HNd;hkvJXDMz z00245zd%xb!+iSJgQ_aXzI8x5GR890n<6*Ib-D*+pka8({Lu33TXRfDi9w4&`4)_e z%^3sUlyOq(htS=Je9ZeSz!7R0W6b&O8)b~;wl3|*Vh$%M5>hn5RE)L@_vN{)!PcEc zoMoxId*hYfrGrD^!`hL#U&hYXr|N)vl;Ab`K8o#u9DLzxUZ*m56pAq3qGYyqD4W&~ z_ENX$GAcaEKk=Y4le|6yi+ppa=~};TN?ICXii#2|5(2r{oh+HSsx?ZqKv=L#24c{c zS@&LV?*92YG&Iy#R>VO?O*#JbKmcoL$towafc`XyrE+)rNPe|9>$h46j2LLe`J&ZQJzS3?5sZ32Z8`qGBUEqJ3qo! za7yKqASlpM1z|1;gY0M;yCQ4FA1_f_*xItlMoP(e;w`lWMozm%y%yBf1!(}exiN!4 z)6-q=L~I+Pqp^+#mIqz2PH)y4K;0IrlFgeazpv*;BvI$i&m-UJ>njn^rRb_UmV91; z`rix~nw*_7w$fKd0f&SU8teiIv0I-Wj`%h3@r#^ioZd6J{tjL)j*~oEOjL@9KyRwh z^|=zH795E@UgQ{yrdNNuzbe*}zDvNx6^dsR-_kEPw&1nrn{8>d5)()H1g2}V#MjP7 zihTdZs}$J&n>P%t4d^9I(Pa-35Xu*4VL5dDmXh+uanI~t@k6ykc6N5(%nsf;^;W0t ze(2#`bG(3{@7NZXbYg8SS#4FV6&(I&e%3G<9*3u=XD}9%deAsOt1&kDu=V57NMVw; ztLf|tr&u|jj{ir0@}q;kVN~CX+(LR>rm6&8Ss9Q+l3UhQvP7eC_7?T{i!SslshITu zj*pxe*u~Rpzpv?dxm6hp%cRIA;wLzaM4WAh&>ov0M-6;MgVXUXJW06z=Hlt{03j@> zTBFm$2&~)RcTzgw$s+o`4P(E}pOYVF1bigFg8LU#8ipx&E(^;uvR zaKZ+jERV%=^!WwO-r^mO_x7P^alXOm@g#g`Ju79G_bCF=2z=x5y;F%&EC;f{1_xkY=4PTCtb7ZMVc zSr>Qv-nlypIfAbEE1G;!oqf@h6j?soC*-$ymzR{Xp%?_r>cSoEBcx+v1-);P=dQov zr=(`QF3@YG;TUMSQv+M|ucHYq`wIo>dt$bp06*o}CUp!Co4ipner+{6gZ{yJk4hMe z?$+RuDdhfoDyxBv^iwasTekzC+XJ!_=0p=xp=XWGpo7|g_e$YldKyTgV>p}_6BDVf z@&$4Fe&e0=x47)wU6(OG>

MZsL{g+n_h2bUf>n)Fxqk)!RTDp>EqV&m8svnVTgNn12=k-Lj`}C_6>-R(0`Q_+i;G!ny!^s$`$(CgldSGp46;>K?>+5Xdi^-4Sz{Rc zXpgq~>8xDdU+=tDwZ@_0vsE-~b;|fIm|G$mrnxCJAs-SfFiYATPDtF}Ih^C}InGzl zNIMgO3!xb@a$A1P*zid-sehKQkPXYooA|)Pavcp#*`XUumWL$3~jRfFjWcGp{wzihE85Hs2?Eu{|t`H3u!XWFB+3 zDKm*e%iQ#0{KDnT(v^Fnm9tjo_n`sO!n3|O7wv1-Ljx757QHI(;j3WS<4+~(P?_JG&l>k|D2OK`+Z%hDx!iLy($6Q=i$2ZF*8RU#NAr5 z)`n z4@=n*1oQ)ShG9w+yw91ZXb}AAZBv!maa|GxBDm|)AN###oN%i3o~;IXgK|?_q7ap{ zOmOga>nm2N{mIv|rd8flvS~a3d%~s~=LIE-_ajVr)d^HC8ea?WU(r%!Yc(#^2dyDn zmLdcRl>(_N>9?CfnE2=R7R7BNGQ2LKaR7y-sB=X=^2A^i4DAIF91ALyey&A2&V};K zlXNf@F`T7@Xa#*akEg)yHzOh=Gh^6b{XJRhOtHT<9>+)S#zu|Z8;0DTE|s4C7>-tw z&vQ&D#;Sf=4BMqtQX_f?jSxdc>qDGUsI;l)NCgom*LnIJ|5^g$hiQpQSRMrI6@Ax= zMk!N?%BP`WkV&1_tG_H;CzLzWVRDWQXFt@_f36?94SOi`IVfn5v{v#@3Y9l`##QKH z^j6Oli$1wBbgA@gaxY1Ekz@q%B%b7^s|prt>CkA};swXJK!!_Iurpgf^Si4pX&xFeTPm+rG z?XH>6P0g9?b5}UpFh(b^sppuc|9CpnczHao0uOkDzS!>;bEh)j<7pJ>F-0U+4cgiw z#>QOUUS7%&Tagjk6hkurMVo*I%>7C=M90iG<)bz{;31hVi?PN=#!2Btjq~9%hVB+? z`K2K}27bNgj;9O;I&tqZ{e`qx+!m9w8U5G7L$J%aDY(D$9^j%U`(P@RL1FQeC^CNv z`Ih~0S)h}f?2daGV&W-0rhBoczi%tcls;!qkBsOamizv!8=Nu;W#AjT(J-Hs4!j3G z-ENS4_%&7*6}{6MC5o9)(Tptq)CxxJkxh0& z84tCfvrB9Fj;=uOl_4J)&nIx6B@^@%t{meW6$jfOczyKz^gx^>lC@jC6OkONjnvin zIy@<<+531A?b#hrUjB4-ZNW^b?2a#M^f`wBf(f3E;&JBaIN`21z`F!(SrWDV$u%&$ zView alert details +++++ + +preview:[] + +To learn more about an alert, click the **View details** button from the Alerts table. This opens the alert details flyout, which helps you understand and manage the alert. + +[role="screenshot"] +image::images/view-alert-details/-detections-open-alert-details-flyout.gif[Expandable flyout, 90%] + +Use the alert details flyout to begin an investigation, open a case, or plan a response. Click **Take action** at the bottom of the flyout to find more options for interacting with the alert. + +[discrete] +[[alert-details-flyout-ui]] +== Alert details flyout UI + +The alert details flyout has a right panel, a preview panel, and a left panel. Each panel provides a different perspective of the alert. + +[discrete] +[[right-panel]] +=== Right panel + +The right panel provides an overview of the alert. Expand any of the collapsed sections to learn more about the alert. You can also hover over fields on the **Overview** and **Table** tabs to display available <>. + +[role="screenshot"] +image::images/view-alert-details/-detections-alert-details-flyout-right-panel.png[Right panel of the alert details flyout, 65%] + +From the right panel, you can also: + +* Click **Expand details** to open the <>, which shows more information about sections in the right panel. +* Click the **Chat** icon (image:images/view-alert-details/-detections-ai-assistant-chat.png[AI assistant chat icon,15,15]) to access the <>. +* Click the **Share alert** icon (image:images/icons/share.svg[Share alert]) to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page. ++ +[NOTE] +==== +If you've configured the {kibana-ref}/settings.html#server-publicBaseUrl[`server.publicBaseUrl`] setting in the `kibana.yml` file, the shareable URL is also in the `kibana.alert.url` field. You can find the field by searching for `kibana.alert.url` on the **Table** tab. +==== ++ +[IMPORTANT] +==== +If you've enabled grouping on the Alerts page, the alert details flyout won't open until you expand a collapsed group and select an individual alert. +==== + +* Click the **Flyout settings** icon (image:images/view-alert-details/-detections-flyout-settings.png[Flyout settings icon,15,15]) to access options for displaying the alert details flyout. The **Overlay** option (which displays the flyout over the Alerts table) is selected by default. Select **Push** to display the flyout to the side of the table instead. In either display, you can resize the flyout panels to your liking. Clicking **Reset size** reverts the flyout to its default dimensions. + +* Find basic details about the alert, such as the: ++ +** Associated rule +** Alert status and when the alert was created +** Date and time the alert was created +** Alert severity and risk score (these are inherited from rule that generated the alert) +** Users assigned to the alert (click the image:images/icons/plusInCircle.svg[Assign alert] icon to assign more users) +** Notes attached to the alert (click the image:images/icons/plusInCircle.svg[Add note] icon to create a new note) +* Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. + +[discrete] +[[preview-panel]] +=== Preview panel + +Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **Back** or **x**. + +[role="screenshot"] +image::images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif[Preview panel of the alert details flyout, 65%] + +[discrete] +[[left-panel]] +=== Left panel + +The left panel provides an expanded view of what's shown in the right panel. To open the left panel, do one of the following: + +* Click **Expand details** at the top of the right panel. ++ +[role="screenshot"] +image:images/view-alert-details/-detections-expand-details-button.png[Expand details button at the top of the alert details flyout, 65%] +* Click one of the section titles on the **Overview** tab within the right panel. ++ +[role="screenshot"] +image:images/view-alert-details/-detections-alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 65%] + +[discrete] +[[about-section]] +== About + +The About section is located on the **Overview** tab in the right panel. It provides a brief description of the rule that's related to the alert and an explanation of what generated the alert. + +[role="screenshot"] +image::images/view-alert-details/-detections-about-section-rp.png[About section of the Overview tab, 65%] + +The About section has the following information: + +* **Rule description**: Describes the rule's purpose or detection goals. Click **Show rule summary** to display a preview of the rule's details. From the preview, click **Show rule details** to view the rule's details page. +* **Alert reason**: Describes the source event that generated the alert. Event details are displayed in plain text and ordered logically to provide context for the alert. Click **Show full reason** to display the alert reason in the event rendered format within the <>. ++ +[NOTE] +==== +The event renderer only displays if an event renderer exists for the alert type. Fields are interactive; hover over them to access the available actions. +==== +* **Last Alert Status Change**: Shows the last time the alert's status was changed, along with the user who changed it. +* **MITRE ATT&CK**: Provides relevant https://attack.mitre.org/[MITRE ATT&CK] framework tactics, techniques, and sub-techniques. + +[discrete] +[[investigation-section]] +== Investigation + +The Investigation section is located on the **Overview** tab in the right panel. It offers a couple of ways to begin investigating the alert. + +[role="screenshot"] +image::images/view-alert-details/-detections-investigation-section-rp.png[Investigation section of the Overview tab, 65%] + +The Investigation section provides the following information: + +* **Investigation guide**: The **Show investigation guide** button displays if the rule associated with the alert has an investigation guide. Click the button to open the expanded Investigation view in the left panel. ++ +[TIP] +==== +Add an <> to a rule when creating a new custom rule or modifying an existing custom rule's settings. +==== +* **Highlighted fields**: Shows relevant fields for the alert and any <> you added to the rule. Custom highlighted fields with values are added to this section. Those without values aren't added. + +[discrete] +[[visualizations-section]] +== Visualizations + +The Visualizations section is located on the **Overview** tab in the right panel. It offers a glimpse of the processes that led up to the alert and occurred after it. + +[role="screenshot"] +image::images/view-alert-details/-detections-visualizations-section-rp.png[Visualizations section of the Overview tab, 65%] + +Click **Visualizations** to display the following previews: + +* **Session view preview**: Shows a preview of <> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. +* **Analyzer preview**: Shows a preview of the <>. The preview displays up to three levels of the analyzed event's ancestors and up to three levels of the event's descendants and children. The ellipses symbol (**`...`**) indicates the event has more ancestors and descendants to examine. Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline. + +[discrete] +[[expanded-visualizations-view]] +=== Expanded visualizations view + +preview::[] + +.Requirements +[NOTE] +==== +To use the **Visualize** tab, you must turn on the `securitySolution:enableVisualizationsInFlyout` <>. +==== + +The **Visualize** tab allows you to maintain the context of the Alerts table, while providing a more detailed view of alerts that you're investigating in the event analyzer or Session View. To open the tab, click **Session view preview** or **Analyzer preview** from the right panel. + +[role="screenshot"] +image::images/view-alert-details/-detections-visualize-tab-lp.png[Expanded view of visualization details, 80%] + +As you examine the alert's related processes, you can also preview the alerts and events which are associated with those processes. Then, if you want to learn more about a particular alert or event, you can click **Show full alert details** to open the full details flyout. + +[role="screenshot"] +image::images/view-alert-details/-detections-visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer] + +[discrete] +[[insights-section]] +== Insights + +The Insights section is located on the **Overview** tab in the right panel. It offers different perspectives from which you can assess the alert. Click **Insights** to display overviews for <>, <>, <>, and <>. + +[role="screenshot"] +image::images/view-alert-details/-detections-insights-section-rp.png[Insights section of the Overview tab, 65%] + +[discrete] +[[entities-overview]] +=== Entities + +The Entities overview provides high-level details about the user and host that are related to the alert. Host and user risk classifications are also available if you have the Security Analytics Complete <>. + +[role="screenshot"] +image::images/view-alert-details/-detections-entities-overview.png[Overview of the entity details section in the right panel, 60%] + +[discrete] +[[expanded-entities-view]] +==== Expanded entities view + +From the right panel, click **Entities** to open a detailed view of the host and user associated with the alert. The expanded view also includes risk scores and classifications (if you have the Security Analytics Complete <>) and activity on related hosts and users. + +[role="screenshot"] +image::images/view-alert-details/-detections-expanded-entities-view.png[Expanded view of entity details, 70%] + +[discrete] +[[threat-intelligence-overview]] +=== Threat intelligence + +The Threat intelligence overview shows matched indicators, which provide threat intelligence relevant to the alert. + +[role="screenshot"] +image::images/view-alert-details/-detections-threat-intelligence-overview.png[Overview of threat intelligence on the alert, 70%] + +The Threat intelligence overview provides the following information: + +* **Threat match detected**: Only available when examining an alert generated from an <> rule. Shows the number of matched indicators that are present in the alert document. Shows zero if there are no matched indicators or you're examining an alert generated by another type of rule. +* **Fields enriched with threat intelligence**: Shows the number of matched indicators that are present on an alert that _wasn't_ generated from an indicator match rule. If none exist, the total number of matched indicators is zero. + +[discrete] +[[expanded-threat-intel-view]] +==== Expanded threat intelligence view + +From the right panel, click **Threat intelligence** to open the expanded Threat intelligence view within the left panel. + +[NOTE] +==== +The expanded threat intelligence view queries indices specified in the `securitySolution:defaultThreatIndex` advanced setting. Refer to <> to learn more about threat intelligence indices. +==== + +[role="screenshot"] +image::images/view-alert-details/-detections-expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 80%] + +The expanded Threat intelligence view shows individual indicators within the alert document. You can expand and collapse indicator details by clicking the arrow button at the end of the indicator label. Each indicator is labeled with values from the `matched.field` and `matched.atomic` fields and displays the threat intelligence provider. + +Matched threats are organized into two sections, described below. Within each section, matched threats are shown in reverse chronological order, with the most recent at the top. All mapped fields are displayed for each matched threat. + +**Threat match detected** + +The Threat match detected section is only populated with indicator match details if you're examining an alert that was generated from an indicator match rule. Indicator matches occur when alert field values match with threat intelligence data you've ingested. + +**Fields enriched with threat intelligence** + +Threat intelligence can also be found on alerts that weren't generated from indicator match rules. To find this information, {elastic-sec} queries alert documents from the past 30 days and searches for fields that contain known threat intelligence. If any are found, they're logged in this section. + +[TIP] +==== +Use the date time picker to modify the query time frame, which looks at the past 30 days by default. You can also click the **Inspect** button to examine the query that the Fields enriched with threat intelligence section uses. +==== + +When searching for threat intelligence, {elastic-sec} queries the alert document for the following fields: + +* `file.hash.md5`: The MD5 hash +* `file.hash.sha1`: The SHA1 hash +* `file.hash.sha256`: The SHA256 hash +* `file.pe.imphash`: Imports in a PE file +* `file.elf.telfhash`: Imports in an ELF file +* `file.hash.ssdeep`: The SSDEEP hash +* `source.ip`: The IP address of the source (IPv4 or IPv6) +* `destination.ip`: The event's destination IP address +* `url.full`: The full URL of the event source +* `registry.path`: The full registry path, including the hive, key, and value + +[discrete] +[[correlations-overview]] +=== Correlations + +The Correlations overview shows how an alert is related to other alerts and offers ways to investigate related alerts. Use this information to quickly find patterns between alerts and then take action. + +[role="screenshot"] +image::images/view-alert-details/-detections-correlations-overview.png[Overview of available correlation data, 60%] + +The Correlations overview provides the following information: + +* **Suppressed alerts**: Indicates that the alert was created with alert suppression, and shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule. +* **Alerts related by source event**: Shows the number of alerts that were created by the same source event. +* **Cases related to the alert**: Shows the number of cases to which the alert has been added. +* **Alerts related by session ID**: Shows the number of alerts generated by the same session. +* **Alerts related by process ancestry**: Shows the number of alerts that are related by process events on the same linear branch. + +[discrete] +[[expanded-correlations-view]] +==== Expanded correlations view + +From the right panel, click **Correlations** to open the expanded Correlations view within the left panel. + +[role="screenshot"] +image::images/view-alert-details/-detections-expanded-correlations-view.png[Expanded view of correlation data, 75%] + +In the expanded view, corelation data is organized into several tables: + +* **Suppressed alerts**: preview:[] Shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule. +* **Related cases**: Shows cases to which the alert has been added. Click a case's name to open its details. +* **Alerts related by source event**: Shows alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the **Investigate in timeline** button to examine related alerts in Timeline. +* **Alerts related by session**: Shows alerts generated during the same <>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the **Collect session data** setting in your {elastic-defend} integration policy. Refer to <> for more information. +* **Alerts related by ancestry**: Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click **Investigate in timeline**. + +[discrete] +[[prevalence-overview]] +=== Prevalence + +The Prevalence overview shows whether data from the alert was frequently observed on other host events from the last 30 days. Prevalence calculations use values from the alert’s highlighted fields. Highlighted field values that are observed on less than 10% of hosts in your environment are considered uncommon (not prevalent) and are listed individually in the Prevalence overview. Highlighted field values that are observed on more than 10% of hosts in your environment are considered common (prevalent) and are described as frequently observed in the Prevalence overview. + +[discrete] +[[expanded-prevalence-view]] +==== Expanded prevalence view + +From the right panel, click **Prevalence** to open the expanded Prevalence view within the left panel. Examine the table to understand the alert's relationship with other alerts, events, users, and hosts. + +[TIP] +==== +Update the date time picker for the table to show data from a different time range. +==== + +[role="screenshot"] +image::images/view-alert-details/-detections-expanded-prevalence-view.png[Expanded view of prevalence data] + +The expanded Prevalence view provides the following details: + +* **Field**: Shows <> for the alert and any custom highlighted fields that were added to the alert's rule. +* **Value**: Shows values for highlighted fields and any custom highlighted fields that were added to the alert's rule. +* **Alert count**: Shows the total number of alert documents that have identical highlighted field values, including the alert you're currently examining. For example, if the `host.name` field has an alert count of 5, that means there are five total alerts with the same `host.name` value. The Alert count column only retrieves documents that contain the {ecs-ref}/ecs-allowed-values-event-kind.html#ecs-event-kind-signal[`event.kind:signal`] field-value pair. +* **Document count**: Shows the total number of event documents that have identical field values. A dash (`——`) displays if there are no event documents that match the field value. The Document count column only retrieves documents that don't contain the {ecs-ref}/ecs-allowed-values-event-kind.html#ecs-event-kind-signal[`event.kind:signal`] field-value pair. +* **Host prevalence**: Shows the percentage of unique hosts that have identical field values. Host prevalence for highlighted fields is calculated by taking the number of unique hosts with identical highlighted field values and dividing that number by the total number of unique hosts in your environment. +* **User prevalence**: Shows the percentage of unique users that have identical highlighted field values. User prevalence for highlighted fields is calculated by taking the number of unique users with identical field values and dividing that number by the total number of unique users in your environment. + +[discrete] +[[response-overview]] +== Response + +The **Response** section is located on the **Overview** tab in the right panel. It shows <> that were added to the rule associated with the alert. Click **Response** to display the response action's results in the left panel. + +[role="screenshot"] +image::images/view-alert-details/-detections-response-action-rp.png[Response section of the Overview tab, 50%] + +[discrete] +[[expanded-notes-view]] +== Notes + +The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert. + +[TIP] +==== +Go to the **Notes** <> to find notes that were added to other alerts. +==== + +image::images/view-alert-details/-detections-notes-tab-lp.png[Notes tab in the left panel, 70%] diff --git a/docs/serverless/images/view-alert-details/-detections-flyout-settings.png b/docs/serverless/images/view-alert-details/-detections-flyout-settings.png new file mode 100644 index 0000000000000000000000000000000000000000..a7f23f0df125242db01cef0e273a5bb3a4ed322a GIT binary patch literal 5416 zcmX|DWmFW5+FZK3LqZyshGprlmlo-k?pP2J5a|+W0Rd@tL6)Vv1!<7(?(VMZd%y48 z=bU+F&YYS56RoYOjE7B)4FCY}R8<{#!ckscTUB13LEFpS z&e6pd08oieO~ZJryGQ)_#eaf^n=mFtTRu$_z`d0MFYZGXux4hfjh0f%UOaMypWxopl#_JX?q?3X<)g+ z>yRlxAMwsV1tCv+SkbE9ivR{BT5XJZz~I)FieX~n8X!^i!I!ELg(1Av5!!ckGWzlp zc7Y};0mxMe)4dgK0fxmhighKcK#*i!DLfX(da+=)1y>Z4auBZBV{2xvYGG?q*$eqe zu(HO)@x1~_WDKSjBgxb$K3+y0JDKbmO~3XJ+FqSf{pb5{S5 zLx*D0Z5V?jK4neVGFB!J4O+2jcztF6F4!O7CX+4@@1TFn48;yj;qNll9Ad`tLM~u4 z`u?hDQABURPD8*zOfM8DsK2L0;gNEOGj6@kCaOg#qGn`b=RNxt*JLkkAU~xQv%B+I z_W_+_l#y$Pw-rZpptf<3pK$=PsyW3=SY7P3&CKq+frE?;efKW)EXg!z%bZxJP{5o4 zTmK$%o}cOrNlb${xfY(|3O3{=CgaXB&_ofYB8y=vKcfK>xD2y?I)r6&_orb`j6?Q- zn{`;bwEUyX-;Os|H<3TDA8WQypEz##66c#`oWog>SGnnEXq zD4(&tFnCZ(VWR%EEmZTvJvnnzPX1E~FrGOkMTg?)#|Gl^aDuMkQ=?nX0Ge;V5UW_F4b=`Z4bQ%kTUW2eEnlqi}rL z-h98^@Lk(opIy#NByYiciF?*23dykNuX&c2{2)p#T#V$;s=t6;q}H5#4}87+6nypk zPw7NJa?P}OLcu7m=+thdb+mP+b${Y$8@Y3aVOA_vE|t{6UxjLg=HvEN=yTtPSVvg~ z`wsda`tAE}`cF7WW6*lylN9=k%Ak`vBRW5{rAoB*4)wsC0jXP@Q=G$`lAP{uu}Zf~ zfm3&-Xr*MO%6f>OZTd_wBUt5BgVW$->69jHNsmS!S}I{?9FgZP9n zK?#&Df?)g8`2@RN`*bTqw+{mzf1;c=t(k>5MZ{b$lgbtC#}qIBx%azIsBH6$svP=I z@0oT6!}`TMZIh~++;6R$&oLo1RkK+0%e!x=&!yNX&nR>b1rj1UA+Z$j(+_&5j1!^Q z(nB3f9*Y!#ANq^kQizYv=nXKCo5Fb7c)6;}m>(_xuQOSyh=7~HC*VKfh=mT28%Qqm z2((m3X+mI9=?XtG6R&zT$TM2rSw8c_j^3?(psnY5*t>d9bwWhrBA-S$&+n zX}m=sTJI5_?SqpxN&++dyndDvkCNZ~Yy1PQy)TBYB-ZbsY1szF2CXw4xW92bzqAV8 zw`jC9E;qMsNqOhkHOE|)eFAE<)!R5d|W+gMxvk9LLgY0|17V|qeGf(E0nC^{`2^s6B0K3$X0 zWdNlpP^^se(6Pa%L8!%*RYK5vdpjfEE@PB<)F~Q3lod5h6wgGJh{F_=9hdz|wE5%p z1$!^73pV25bQ!XHzne(;l8(nuV9jl9Tlvbf)DyC?zb^F~qdTo+Xm-nn7g2y zzlbqobFtOUETE)!(E)ioUEDa4g;wK%qS_-Z zS<|K(HY!c5)hSO52g4WrKSv&F*xkm)diG;`Vi8*=JBZ;R9m2P#7sQvu%Sm75Ho8*7 zTh)xze0f8^6#)+n-I`h){9a;K$uRVZ4eZJvT~mLRR_W2}_afZ51lWyrCU4|V3GjM2 zd&bwBom-|4ABmm{PJ7F1N1W^7Pv%{`jc@j~jdkvQUb!!&=FkR}K03Mt?%$W=xzW6L z>2@P^Z>jG0od_1VstT!U8x|B1Nt+l{8<2J}s@U=hSL+#pcf+gT=L4q$)2?<4Ah!qO zRCAx^`Szv~rFJ{l;ohUiBT4bc_d>@)vqnu9gFI{H{>`DjA~VL5`iGsz{RB?FYawy)-Dssmr)h|&E}1N$C49$uJHbn%!rQF@=5vi-cc zWI0hgN|WTxY3OPh_nJC#x)7dm?hS%G9eqeMF}U!#Ie?2uxYhWK?n+H>G_#Bc2pTIYzn6DO+JQ9@Gx>xYR9YUL%9g21y15h}akHmxArM ztxW5n`zJqFb}QHm{PJkF+2_P(<>Y1cJkJ{Jb=$8p-M8DDq}7yzA7JuT!t7kVK z(SS%@DQl|@BzSms06M#K$Nrs%>4wVxE&#$VuWMpqdMoo~O z8A&c4E%u+GXfb6xt2x&es^+*jwW1Eze;2Hat)Z%&h6aH1uf_zRB2fd-{wk!ukV2yQ zpH@O*2cZ1dM+N{Q9RaBSpV9ow|K8sb{NK+1F>)^Q{}MvEDF4&of1~HNd;hkvJXDMz z00245zd%xb!+iSJgQ_aXzI8x5GR890n<6*Ib-D*+pka8({Lu33TXRfDi9w4&`4)_e z%^3sUlyOq(htS=Je9ZeSz!7R0W6b&O8)b~;wl3|*Vh$%M5>hn5RE)L@_vN{)!PcEc zoMoxId*hYfrGrD^!`hL#U&hYXr|N)vl;Ab`K8o#u9DLzxUZ*m56pAq3qGYyqD4W&~ z_ENX$GAcaEKk=Y4le|6yi+ppa=~};TN?ICXii#2|5(2r{oh+HSsx?ZqKv=L#24c{c zS@&LV?*92YG&Iy#R>VO?O*#JbKmcoL$towafc`XyrE+)rNPe|9>$h46j2LLe`J&ZQJzS3?5sZ32Z8`qGBUEqJ3qo! za7yKqASlpM1z|1;gY0M;yCQ4FA1_f_*xItlMoP(e;w`lWMozm%y%yBf1!(}exiN!4 z)6-q=L~I+Pqp^+#mIqz2PH)y4K;0IrlFgeazpv*;BvI$i&m-UJ>njn^rRb_UmV91; z`rix~nw*_7w$fKd0f&SU8teiIv0I-Wj`%h3@r#^ioZd6J{tjL)j*~oEOjL@9KyRwh z^|=zH795E@UgQ{yrdNNuzbe*}zDvNx6^dsR-_kEPw&1nrn{8>d5)()H1g2}V#MjP7 zihTdZs}$J&n>P%t4d^9I(Pa-35Xu*4VL5dDmXh+uanI~t@k6ykc6N5(%nsf;^;W0t ze(2#`bG(3{@7NZXbYg8SS#4FV6&(I&e%3G<9*3u=XD}9%deAsOt1&kDu=V57NMVw; ztLf|tr&u|jj{ir0@}q;kVN~CX+(LR>rm6&8Ss9Q+l3UhQvP7eC_7?T{i!SslshITu zj*pxe*u~Rpzpv?dxm6hp%cRIA;wLzaM4WAh&>ov0M-6;MgVXUXJW06z=Hlt{03j@> zTBFm$2&~)RcTzgw$s+o`4P(E}pOYVF1bigFg8LU#8ipx&E(^;uvR zaKZ+jERV%=^!WwO-r^mO_x7P^alXOm@g#g`Ju79G_bCF=2z=x5y;F%&EC;f{1_xkY=4PTCtb7ZMVc zSr>Qv-nlypIfAbEE1G;!oqf@h6j?soC*-$ymzR{Xp%?_r>cSoEBcx+v1-);P=dQov zr=(`QF3@YG;TUMSQv+M|ucHYq`wIo>dt$bp06*o}CUp!Co4ipner+{6gZ{yJk4hMe z?$+RuDdhfoDyxBv^iwasTekzC+XJ!_=0p=xp=XWGpo7|g_e$YldKyTgV>p}_6BDVf z@&$4Fe&e0=x47)wU6(OG>

MZsL{g+n_h2bUf>n)Fxqk)!RTDp>EqV&m8svnVTgNn12=k-Lj`}C_6>-R(0`Q_+i;G!ny!^s$`$(CgldSGp46;>K?>+5Xdi^-4Sz{Rc zXpgq~>8xDdU+=tDwZ@_0vsE-~b;|fIm|G$mrnxCJAs-SfFiYATPDtF}Ih^C}InGzl zNIMgO3!xb@a$A1P*zid-sehKQkPXYooA|)Pavcp#*`XUumWL$3~jRfFjWcGp{wzihE85Hs2?Eu{|t`H3u!XWFB+3 zDKm*e%iQ#0{KDnT(v^Fnm9tjo_n`sO!n3|O7wv1-Ljx757QHI(;j3WS<4+~(P?_JG&l>k|D2OK`+Z%hDx!iLy($6Q=i$2ZF*8RU#NAr5 z)`n z4@=n*1oQ)ShG9w+yw91ZXb}AAZBv!maa|GxBDm|)AN###oN%i3o~;IXgK|?_q7ap{ zOmOga>nm2N{mIv|rd8flvS~a3d%~s~=LIE-_ajVr)d^HC8ea?WU(r%!Yc(#^2dyDn zmLdcRl>(_N>9?CfnE2=R7R7BNGQ2LKaR7y-sB=X=^2A^i4DAIF91ALyey&A2&V};K zlXNf@F`T7@Xa#*akEg)yHzOh=Gh^6b{XJRhOtHT<9>+)S#zu|Z8;0DTE|s4C7>-tw z&vQ&D#;Sf=4BMqtQX_f?jSxdc>qDGUsI;l)NCgom*LnIJ|5^g$hiQpQSRMrI6@Ax= zMk!N?%BP`WkV&1_tG_H;CzLzWVRDWQXFt@_f36?94SOi`IVfn5v{v#@3Y9l`##QKH z^j6Oli$1wBbgA@gaxY1Ekz@q%B%b7^s|prt>CkA};swXJK!!_Iurpgf^Si4pX&xFeTPm+rG z?XH>6P0g9?b5}UpFh(b^sppuc|9CpnczHao0uOkDzS!>;bEh)j<7pJ>F-0U+4cgiw z#>QOUUS7%&Tagjk6hkurMVo*I%>7C=M90iG<)bz{;31hVi?PN=#!2Btjq~9%hVB+? z`K2K}27bNgj;9O;I&tqZ{e`qx+!m9w8U5G7L$J%aDY(D$9^j%U`(P@RL1FQeC^CNv z`Ih~0S)h}f?2daGV&W-0rhBoczi%tcls;!qkBsOamizv!8=Nu;W#AjT(J-Hs4!j3G z-ENS4_%&7*6}{6MC5o9)(Tptq)CxxJkxh0& z84tCfvrB9Fj;=uOl_4J)&nIx6B@^@%t{meW6$jfOczyKz^gx^>lC@jC6OkONjnvin zIy@<<+531A?b#hrUjB4-ZNW^b?2a#M^f`wBf(f3E;&JBaIN`21z`F!(SrWDV$u%&$ z Date: Tue, 12 Nov 2024 16:19:22 +0000 Subject: [PATCH 2/2] Delete docs/serverless directory and its contents --- .../alerts/view-alert-details.asciidoc | 331 ------------------ .../-detections-flyout-settings.png | Bin 5416 -> 0 bytes 2 files changed, 331 deletions(-) delete mode 100644 docs/serverless/alerts/view-alert-details.asciidoc delete mode 100644 docs/serverless/images/view-alert-details/-detections-flyout-settings.png diff --git a/docs/serverless/alerts/view-alert-details.asciidoc b/docs/serverless/alerts/view-alert-details.asciidoc deleted file mode 100644 index 62e141319e..0000000000 --- a/docs/serverless/alerts/view-alert-details.asciidoc +++ /dev/null @@ -1,331 +0,0 @@ -[[security-view-alert-details]] -= View detection alert details - -// :description: Expand an alert to view detailed alert data. -// :keywords: serverless, security, defend, reference, manage - -++++ -View alert details -++++ - -preview:[] - -To learn more about an alert, click the **View details** button from the Alerts table. This opens the alert details flyout, which helps you understand and manage the alert. - -[role="screenshot"] -image::images/view-alert-details/-detections-open-alert-details-flyout.gif[Expandable flyout, 90%] - -Use the alert details flyout to begin an investigation, open a case, or plan a response. Click **Take action** at the bottom of the flyout to find more options for interacting with the alert. - -[discrete] -[[alert-details-flyout-ui]] -== Alert details flyout UI - -The alert details flyout has a right panel, a preview panel, and a left panel. Each panel provides a different perspective of the alert. - -[discrete] -[[right-panel]] -=== Right panel - -The right panel provides an overview of the alert. Expand any of the collapsed sections to learn more about the alert. You can also hover over fields on the **Overview** and **Table** tabs to display available <>. - -[role="screenshot"] -image::images/view-alert-details/-detections-alert-details-flyout-right-panel.png[Right panel of the alert details flyout, 65%] - -From the right panel, you can also: - -* Click **Expand details** to open the <>, which shows more information about sections in the right panel. -* Click the **Chat** icon (image:images/view-alert-details/-detections-ai-assistant-chat.png[AI assistant chat icon,15,15]) to access the <>. -* Click the **Share alert** icon (image:images/icons/share.svg[Share alert]) to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page. -+ -[NOTE] -==== -If you've configured the {kibana-ref}/settings.html#server-publicBaseUrl[`server.publicBaseUrl`] setting in the `kibana.yml` file, the shareable URL is also in the `kibana.alert.url` field. You can find the field by searching for `kibana.alert.url` on the **Table** tab. -==== -+ -[IMPORTANT] -==== -If you've enabled grouping on the Alerts page, the alert details flyout won't open until you expand a collapsed group and select an individual alert. -==== - -* Click the **Flyout settings** icon (image:images/view-alert-details/-detections-flyout-settings.png[Flyout settings icon,15,15]) to access options for displaying the alert details flyout. The **Overlay** option (which displays the flyout over the Alerts table) is selected by default. Select **Push** to display the flyout to the side of the table instead. In either display, you can resize the flyout panels to your liking. Clicking **Reset size** reverts the flyout to its default dimensions. - -* Find basic details about the alert, such as the: -+ -** Associated rule -** Alert status and when the alert was created -** Date and time the alert was created -** Alert severity and risk score (these are inherited from rule that generated the alert) -** Users assigned to the alert (click the image:images/icons/plusInCircle.svg[Assign alert] icon to assign more users) -** Notes attached to the alert (click the image:images/icons/plusInCircle.svg[Add note] icon to create a new note) -* Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. - -[discrete] -[[preview-panel]] -=== Preview panel - -Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **Back** or **x**. - -[role="screenshot"] -image::images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif[Preview panel of the alert details flyout, 65%] - -[discrete] -[[left-panel]] -=== Left panel - -The left panel provides an expanded view of what's shown in the right panel. To open the left panel, do one of the following: - -* Click **Expand details** at the top of the right panel. -+ -[role="screenshot"] -image:images/view-alert-details/-detections-expand-details-button.png[Expand details button at the top of the alert details flyout, 65%] -* Click one of the section titles on the **Overview** tab within the right panel. -+ -[role="screenshot"] -image:images/view-alert-details/-detections-alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 65%] - -[discrete] -[[about-section]] -== About - -The About section is located on the **Overview** tab in the right panel. It provides a brief description of the rule that's related to the alert and an explanation of what generated the alert. - -[role="screenshot"] -image::images/view-alert-details/-detections-about-section-rp.png[About section of the Overview tab, 65%] - -The About section has the following information: - -* **Rule description**: Describes the rule's purpose or detection goals. Click **Show rule summary** to display a preview of the rule's details. From the preview, click **Show rule details** to view the rule's details page. -* **Alert reason**: Describes the source event that generated the alert. Event details are displayed in plain text and ordered logically to provide context for the alert. Click **Show full reason** to display the alert reason in the event rendered format within the <>. -+ -[NOTE] -==== -The event renderer only displays if an event renderer exists for the alert type. Fields are interactive; hover over them to access the available actions. -==== -* **Last Alert Status Change**: Shows the last time the alert's status was changed, along with the user who changed it. -* **MITRE ATT&CK**: Provides relevant https://attack.mitre.org/[MITRE ATT&CK] framework tactics, techniques, and sub-techniques. - -[discrete] -[[investigation-section]] -== Investigation - -The Investigation section is located on the **Overview** tab in the right panel. It offers a couple of ways to begin investigating the alert. - -[role="screenshot"] -image::images/view-alert-details/-detections-investigation-section-rp.png[Investigation section of the Overview tab, 65%] - -The Investigation section provides the following information: - -* **Investigation guide**: The **Show investigation guide** button displays if the rule associated with the alert has an investigation guide. Click the button to open the expanded Investigation view in the left panel. -+ -[TIP] -==== -Add an <> to a rule when creating a new custom rule or modifying an existing custom rule's settings. -==== -* **Highlighted fields**: Shows relevant fields for the alert and any <> you added to the rule. Custom highlighted fields with values are added to this section. Those without values aren't added. - -[discrete] -[[visualizations-section]] -== Visualizations - -The Visualizations section is located on the **Overview** tab in the right panel. It offers a glimpse of the processes that led up to the alert and occurred after it. - -[role="screenshot"] -image::images/view-alert-details/-detections-visualizations-section-rp.png[Visualizations section of the Overview tab, 65%] - -Click **Visualizations** to display the following previews: - -* **Session view preview**: Shows a preview of <> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. -* **Analyzer preview**: Shows a preview of the <>. The preview displays up to three levels of the analyzed event's ancestors and up to three levels of the event's descendants and children. The ellipses symbol (**`...`**) indicates the event has more ancestors and descendants to examine. Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline. - -[discrete] -[[expanded-visualizations-view]] -=== Expanded visualizations view - -preview::[] - -.Requirements -[NOTE] -==== -To use the **Visualize** tab, you must turn on the `securitySolution:enableVisualizationsInFlyout` <>. -==== - -The **Visualize** tab allows you to maintain the context of the Alerts table, while providing a more detailed view of alerts that you're investigating in the event analyzer or Session View. To open the tab, click **Session view preview** or **Analyzer preview** from the right panel. - -[role="screenshot"] -image::images/view-alert-details/-detections-visualize-tab-lp.png[Expanded view of visualization details, 80%] - -As you examine the alert's related processes, you can also preview the alerts and events which are associated with those processes. Then, if you want to learn more about a particular alert or event, you can click **Show full alert details** to open the full details flyout. - -[role="screenshot"] -image::images/view-alert-details/-detections-visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer] - -[discrete] -[[insights-section]] -== Insights - -The Insights section is located on the **Overview** tab in the right panel. It offers different perspectives from which you can assess the alert. Click **Insights** to display overviews for <>, <>, <>, and <>. - -[role="screenshot"] -image::images/view-alert-details/-detections-insights-section-rp.png[Insights section of the Overview tab, 65%] - -[discrete] -[[entities-overview]] -=== Entities - -The Entities overview provides high-level details about the user and host that are related to the alert. Host and user risk classifications are also available if you have the Security Analytics Complete <>. - -[role="screenshot"] -image::images/view-alert-details/-detections-entities-overview.png[Overview of the entity details section in the right panel, 60%] - -[discrete] -[[expanded-entities-view]] -==== Expanded entities view - -From the right panel, click **Entities** to open a detailed view of the host and user associated with the alert. The expanded view also includes risk scores and classifications (if you have the Security Analytics Complete <>) and activity on related hosts and users. - -[role="screenshot"] -image::images/view-alert-details/-detections-expanded-entities-view.png[Expanded view of entity details, 70%] - -[discrete] -[[threat-intelligence-overview]] -=== Threat intelligence - -The Threat intelligence overview shows matched indicators, which provide threat intelligence relevant to the alert. - -[role="screenshot"] -image::images/view-alert-details/-detections-threat-intelligence-overview.png[Overview of threat intelligence on the alert, 70%] - -The Threat intelligence overview provides the following information: - -* **Threat match detected**: Only available when examining an alert generated from an <> rule. Shows the number of matched indicators that are present in the alert document. Shows zero if there are no matched indicators or you're examining an alert generated by another type of rule. -* **Fields enriched with threat intelligence**: Shows the number of matched indicators that are present on an alert that _wasn't_ generated from an indicator match rule. If none exist, the total number of matched indicators is zero. - -[discrete] -[[expanded-threat-intel-view]] -==== Expanded threat intelligence view - -From the right panel, click **Threat intelligence** to open the expanded Threat intelligence view within the left panel. - -[NOTE] -==== -The expanded threat intelligence view queries indices specified in the `securitySolution:defaultThreatIndex` advanced setting. Refer to <> to learn more about threat intelligence indices. -==== - -[role="screenshot"] -image::images/view-alert-details/-detections-expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 80%] - -The expanded Threat intelligence view shows individual indicators within the alert document. You can expand and collapse indicator details by clicking the arrow button at the end of the indicator label. Each indicator is labeled with values from the `matched.field` and `matched.atomic` fields and displays the threat intelligence provider. - -Matched threats are organized into two sections, described below. Within each section, matched threats are shown in reverse chronological order, with the most recent at the top. All mapped fields are displayed for each matched threat. - -**Threat match detected** - -The Threat match detected section is only populated with indicator match details if you're examining an alert that was generated from an indicator match rule. Indicator matches occur when alert field values match with threat intelligence data you've ingested. - -**Fields enriched with threat intelligence** - -Threat intelligence can also be found on alerts that weren't generated from indicator match rules. To find this information, {elastic-sec} queries alert documents from the past 30 days and searches for fields that contain known threat intelligence. If any are found, they're logged in this section. - -[TIP] -==== -Use the date time picker to modify the query time frame, which looks at the past 30 days by default. You can also click the **Inspect** button to examine the query that the Fields enriched with threat intelligence section uses. -==== - -When searching for threat intelligence, {elastic-sec} queries the alert document for the following fields: - -* `file.hash.md5`: The MD5 hash -* `file.hash.sha1`: The SHA1 hash -* `file.hash.sha256`: The SHA256 hash -* `file.pe.imphash`: Imports in a PE file -* `file.elf.telfhash`: Imports in an ELF file -* `file.hash.ssdeep`: The SSDEEP hash -* `source.ip`: The IP address of the source (IPv4 or IPv6) -* `destination.ip`: The event's destination IP address -* `url.full`: The full URL of the event source -* `registry.path`: The full registry path, including the hive, key, and value - -[discrete] -[[correlations-overview]] -=== Correlations - -The Correlations overview shows how an alert is related to other alerts and offers ways to investigate related alerts. Use this information to quickly find patterns between alerts and then take action. - -[role="screenshot"] -image::images/view-alert-details/-detections-correlations-overview.png[Overview of available correlation data, 60%] - -The Correlations overview provides the following information: - -* **Suppressed alerts**: Indicates that the alert was created with alert suppression, and shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule. -* **Alerts related by source event**: Shows the number of alerts that were created by the same source event. -* **Cases related to the alert**: Shows the number of cases to which the alert has been added. -* **Alerts related by session ID**: Shows the number of alerts generated by the same session. -* **Alerts related by process ancestry**: Shows the number of alerts that are related by process events on the same linear branch. - -[discrete] -[[expanded-correlations-view]] -==== Expanded correlations view - -From the right panel, click **Correlations** to open the expanded Correlations view within the left panel. - -[role="screenshot"] -image::images/view-alert-details/-detections-expanded-correlations-view.png[Expanded view of correlation data, 75%] - -In the expanded view, corelation data is organized into several tables: - -* **Suppressed alerts**: preview:[] Shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule. -* **Related cases**: Shows cases to which the alert has been added. Click a case's name to open its details. -* **Alerts related by source event**: Shows alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the **Investigate in timeline** button to examine related alerts in Timeline. -* **Alerts related by session**: Shows alerts generated during the same <>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the **Collect session data** setting in your {elastic-defend} integration policy. Refer to <> for more information. -* **Alerts related by ancestry**: Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click **Investigate in timeline**. - -[discrete] -[[prevalence-overview]] -=== Prevalence - -The Prevalence overview shows whether data from the alert was frequently observed on other host events from the last 30 days. Prevalence calculations use values from the alert’s highlighted fields. Highlighted field values that are observed on less than 10% of hosts in your environment are considered uncommon (not prevalent) and are listed individually in the Prevalence overview. Highlighted field values that are observed on more than 10% of hosts in your environment are considered common (prevalent) and are described as frequently observed in the Prevalence overview. - -[discrete] -[[expanded-prevalence-view]] -==== Expanded prevalence view - -From the right panel, click **Prevalence** to open the expanded Prevalence view within the left panel. Examine the table to understand the alert's relationship with other alerts, events, users, and hosts. - -[TIP] -==== -Update the date time picker for the table to show data from a different time range. -==== - -[role="screenshot"] -image::images/view-alert-details/-detections-expanded-prevalence-view.png[Expanded view of prevalence data] - -The expanded Prevalence view provides the following details: - -* **Field**: Shows <> for the alert and any custom highlighted fields that were added to the alert's rule. -* **Value**: Shows values for highlighted fields and any custom highlighted fields that were added to the alert's rule. -* **Alert count**: Shows the total number of alert documents that have identical highlighted field values, including the alert you're currently examining. For example, if the `host.name` field has an alert count of 5, that means there are five total alerts with the same `host.name` value. The Alert count column only retrieves documents that contain the {ecs-ref}/ecs-allowed-values-event-kind.html#ecs-event-kind-signal[`event.kind:signal`] field-value pair. -* **Document count**: Shows the total number of event documents that have identical field values. A dash (`——`) displays if there are no event documents that match the field value. The Document count column only retrieves documents that don't contain the {ecs-ref}/ecs-allowed-values-event-kind.html#ecs-event-kind-signal[`event.kind:signal`] field-value pair. -* **Host prevalence**: Shows the percentage of unique hosts that have identical field values. Host prevalence for highlighted fields is calculated by taking the number of unique hosts with identical highlighted field values and dividing that number by the total number of unique hosts in your environment. -* **User prevalence**: Shows the percentage of unique users that have identical highlighted field values. User prevalence for highlighted fields is calculated by taking the number of unique users with identical field values and dividing that number by the total number of unique users in your environment. - -[discrete] -[[response-overview]] -== Response - -The **Response** section is located on the **Overview** tab in the right panel. It shows <> that were added to the rule associated with the alert. Click **Response** to display the response action's results in the left panel. - -[role="screenshot"] -image::images/view-alert-details/-detections-response-action-rp.png[Response section of the Overview tab, 50%] - -[discrete] -[[expanded-notes-view]] -== Notes - -The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert. - -[TIP] -==== -Go to the **Notes** <> to find notes that were added to other alerts. -==== - -image::images/view-alert-details/-detections-notes-tab-lp.png[Notes tab in the left panel, 70%] diff --git a/docs/serverless/images/view-alert-details/-detections-flyout-settings.png b/docs/serverless/images/view-alert-details/-detections-flyout-settings.png deleted file mode 100644 index a7f23f0df125242db01cef0e273a5bb3a4ed322a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5416 zcmX|DWmFW5+FZK3LqZyshGprlmlo-k?pP2J5a|+W0Rd@tL6)Vv1!<7(?(VMZd%y48 z=bU+F&YYS56RoYOjE7B)4FCY}R8<{#!ckscTUB13LEFpS z&e6pd08oieO~ZJryGQ)_#eaf^n=mFtTRu$_z`d0MFYZGXux4hfjh0f%UOaMypWxopl#_JX?q?3X<)g+ z>yRlxAMwsV1tCv+SkbE9ivR{BT5XJZz~I)FieX~n8X!^i!I!ELg(1Av5!!ckGWzlp zc7Y};0mxMe)4dgK0fxmhighKcK#*i!DLfX(da+=)1y>Z4auBZBV{2xvYGG?q*$eqe zu(HO)@x1~_WDKSjBgxb$K3+y0JDKbmO~3XJ+FqSf{pb5{S5 zLx*D0Z5V?jK4neVGFB!J4O+2jcztF6F4!O7CX+4@@1TFn48;yj;qNll9Ad`tLM~u4 z`u?hDQABURPD8*zOfM8DsK2L0;gNEOGj6@kCaOg#qGn`b=RNxt*JLkkAU~xQv%B+I z_W_+_l#y$Pw-rZpptf<3pK$=PsyW3=SY7P3&CKq+frE?;efKW)EXg!z%bZxJP{5o4 zTmK$%o}cOrNlb${xfY(|3O3{=CgaXB&_ofYB8y=vKcfK>xD2y?I)r6&_orb`j6?Q- zn{`;bwEUyX-;Os|H<3TDA8WQypEz##66c#`oWog>SGnnEXq zD4(&tFnCZ(VWR%EEmZTvJvnnzPX1E~FrGOkMTg?)#|Gl^aDuMkQ=?nX0Ge;V5UW_F4b=`Z4bQ%kTUW2eEnlqi}rL z-h98^@Lk(opIy#NByYiciF?*23dykNuX&c2{2)p#T#V$;s=t6;q}H5#4}87+6nypk zPw7NJa?P}OLcu7m=+thdb+mP+b${Y$8@Y3aVOA_vE|t{6UxjLg=HvEN=yTtPSVvg~ z`wsda`tAE}`cF7WW6*lylN9=k%Ak`vBRW5{rAoB*4)wsC0jXP@Q=G$`lAP{uu}Zf~ zfm3&-Xr*MO%6f>OZTd_wBUt5BgVW$->69jHNsmS!S}I{?9FgZP9n zK?#&Df?)g8`2@RN`*bTqw+{mzf1;c=t(k>5MZ{b$lgbtC#}qIBx%azIsBH6$svP=I z@0oT6!}`TMZIh~++;6R$&oLo1RkK+0%e!x=&!yNX&nR>b1rj1UA+Z$j(+_&5j1!^Q z(nB3f9*Y!#ANq^kQizYv=nXKCo5Fb7c)6;}m>(_xuQOSyh=7~HC*VKfh=mT28%Qqm z2((m3X+mI9=?XtG6R&zT$TM2rSw8c_j^3?(psnY5*t>d9bwWhrBA-S$&+n zX}m=sTJI5_?SqpxN&++dyndDvkCNZ~Yy1PQy)TBYB-ZbsY1szF2CXw4xW92bzqAV8 zw`jC9E;qMsNqOhkHOE|)eFAE<)!R5d|W+gMxvk9LLgY0|17V|qeGf(E0nC^{`2^s6B0K3$X0 zWdNlpP^^se(6Pa%L8!%*RYK5vdpjfEE@PB<)F~Q3lod5h6wgGJh{F_=9hdz|wE5%p z1$!^73pV25bQ!XHzne(;l8(nuV9jl9Tlvbf)DyC?zb^F~qdTo+Xm-nn7g2y zzlbqobFtOUETE)!(E)ioUEDa4g;wK%qS_-Z zS<|K(HY!c5)hSO52g4WrKSv&F*xkm)diG;`Vi8*=JBZ;R9m2P#7sQvu%Sm75Ho8*7 zTh)xze0f8^6#)+n-I`h){9a;K$uRVZ4eZJvT~mLRR_W2}_afZ51lWyrCU4|V3GjM2 zd&bwBom-|4ABmm{PJ7F1N1W^7Pv%{`jc@j~jdkvQUb!!&=FkR}K03Mt?%$W=xzW6L z>2@P^Z>jG0od_1VstT!U8x|B1Nt+l{8<2J}s@U=hSL+#pcf+gT=L4q$)2?<4Ah!qO zRCAx^`Szv~rFJ{l;ohUiBT4bc_d>@)vqnu9gFI{H{>`DjA~VL5`iGsz{RB?FYawy)-Dssmr)h|&E}1N$C49$uJHbn%!rQF@=5vi-cc zWI0hgN|WTxY3OPh_nJC#x)7dm?hS%G9eqeMF}U!#Ie?2uxYhWK?n+H>G_#Bc2pTIYzn6DO+JQ9@Gx>xYR9YUL%9g21y15h}akHmxArM ztxW5n`zJqFb}QHm{PJkF+2_P(<>Y1cJkJ{Jb=$8p-M8DDq}7yzA7JuT!t7kVK z(SS%@DQl|@BzSms06M#K$Nrs%>4wVxE&#$VuWMpqdMoo~O z8A&c4E%u+GXfb6xt2x&es^+*jwW1Eze;2Hat)Z%&h6aH1uf_zRB2fd-{wk!ukV2yQ zpH@O*2cZ1dM+N{Q9RaBSpV9ow|K8sb{NK+1F>)^Q{}MvEDF4&of1~HNd;hkvJXDMz z00245zd%xb!+iSJgQ_aXzI8x5GR890n<6*Ib-D*+pka8({Lu33TXRfDi9w4&`4)_e z%^3sUlyOq(htS=Je9ZeSz!7R0W6b&O8)b~;wl3|*Vh$%M5>hn5RE)L@_vN{)!PcEc zoMoxId*hYfrGrD^!`hL#U&hYXr|N)vl;Ab`K8o#u9DLzxUZ*m56pAq3qGYyqD4W&~ z_ENX$GAcaEKk=Y4le|6yi+ppa=~};TN?ICXii#2|5(2r{oh+HSsx?ZqKv=L#24c{c zS@&LV?*92YG&Iy#R>VO?O*#JbKmcoL$towafc`XyrE+)rNPe|9>$h46j2LLe`J&ZQJzS3?5sZ32Z8`qGBUEqJ3qo! za7yKqASlpM1z|1;gY0M;yCQ4FA1_f_*xItlMoP(e;w`lWMozm%y%yBf1!(}exiN!4 z)6-q=L~I+Pqp^+#mIqz2PH)y4K;0IrlFgeazpv*;BvI$i&m-UJ>njn^rRb_UmV91; z`rix~nw*_7w$fKd0f&SU8teiIv0I-Wj`%h3@r#^ioZd6J{tjL)j*~oEOjL@9KyRwh z^|=zH795E@UgQ{yrdNNuzbe*}zDvNx6^dsR-_kEPw&1nrn{8>d5)()H1g2}V#MjP7 zihTdZs}$J&n>P%t4d^9I(Pa-35Xu*4VL5dDmXh+uanI~t@k6ykc6N5(%nsf;^;W0t ze(2#`bG(3{@7NZXbYg8SS#4FV6&(I&e%3G<9*3u=XD}9%deAsOt1&kDu=V57NMVw; ztLf|tr&u|jj{ir0@}q;kVN~CX+(LR>rm6&8Ss9Q+l3UhQvP7eC_7?T{i!SslshITu zj*pxe*u~Rpzpv?dxm6hp%cRIA;wLzaM4WAh&>ov0M-6;MgVXUXJW06z=Hlt{03j@> zTBFm$2&~)RcTzgw$s+o`4P(E}pOYVF1bigFg8LU#8ipx&E(^;uvR zaKZ+jERV%=^!WwO-r^mO_x7P^alXOm@g#g`Ju79G_bCF=2z=x5y;F%&EC;f{1_xkY=4PTCtb7ZMVc zSr>Qv-nlypIfAbEE1G;!oqf@h6j?soC*-$ymzR{Xp%?_r>cSoEBcx+v1-);P=dQov zr=(`QF3@YG;TUMSQv+M|ucHYq`wIo>dt$bp06*o}CUp!Co4ipner+{6gZ{yJk4hMe z?$+RuDdhfoDyxBv^iwasTekzC+XJ!_=0p=xp=XWGpo7|g_e$YldKyTgV>p}_6BDVf z@&$4Fe&e0=x47)wU6(OG>

MZsL{g+n_h2bUf>n)Fxqk)!RTDp>EqV&m8svnVTgNn12=k-Lj`}C_6>-R(0`Q_+i;G!ny!^s$`$(CgldSGp46;>K?>+5Xdi^-4Sz{Rc zXpgq~>8xDdU+=tDwZ@_0vsE-~b;|fIm|G$mrnxCJAs-SfFiYATPDtF}Ih^C}InGzl zNIMgO3!xb@a$A1P*zid-sehKQkPXYooA|)Pavcp#*`XUumWL$3~jRfFjWcGp{wzihE85Hs2?Eu{|t`H3u!XWFB+3 zDKm*e%iQ#0{KDnT(v^Fnm9tjo_n`sO!n3|O7wv1-Ljx757QHI(;j3WS<4+~(P?_JG&l>k|D2OK`+Z%hDx!iLy($6Q=i$2ZF*8RU#NAr5 z)`n z4@=n*1oQ)ShG9w+yw91ZXb}AAZBv!maa|GxBDm|)AN###oN%i3o~;IXgK|?_q7ap{ zOmOga>nm2N{mIv|rd8flvS~a3d%~s~=LIE-_ajVr)d^HC8ea?WU(r%!Yc(#^2dyDn zmLdcRl>(_N>9?CfnE2=R7R7BNGQ2LKaR7y-sB=X=^2A^i4DAIF91ALyey&A2&V};K zlXNf@F`T7@Xa#*akEg)yHzOh=Gh^6b{XJRhOtHT<9>+)S#zu|Z8;0DTE|s4C7>-tw z&vQ&D#;Sf=4BMqtQX_f?jSxdc>qDGUsI;l)NCgom*LnIJ|5^g$hiQpQSRMrI6@Ax= zMk!N?%BP`WkV&1_tG_H;CzLzWVRDWQXFt@_f36?94SOi`IVfn5v{v#@3Y9l`##QKH z^j6Oli$1wBbgA@gaxY1Ekz@q%B%b7^s|prt>CkA};swXJK!!_Iurpgf^Si4pX&xFeTPm+rG z?XH>6P0g9?b5}UpFh(b^sppuc|9CpnczHao0uOkDzS!>;bEh)j<7pJ>F-0U+4cgiw z#>QOUUS7%&Tagjk6hkurMVo*I%>7C=M90iG<)bz{;31hVi?PN=#!2Btjq~9%hVB+? z`K2K}27bNgj;9O;I&tqZ{e`qx+!m9w8U5G7L$J%aDY(D$9^j%U`(P@RL1FQeC^CNv z`Ih~0S)h}f?2daGV&W-0rhBoczi%tcls;!qkBsOamizv!8=Nu;W#AjT(J-Hs4!j3G z-ENS4_%&7*6}{6MC5o9)(Tptq)CxxJkxh0& z84tCfvrB9Fj;=uOl_4J)&nIx6B@^@%t{meW6$jfOczyKz^gx^>lC@jC6OkONjnvin zIy@<<+531A?b#hrUjB4-ZNW^b?2a#M^f`wBf(f3E;&JBaIN`21z`F!(SrWDV$u%&$ z