investigation notes field (documentation / metadata) #63386
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added text to the "investigation notes" field in md which the field supports.
|
Pinging @elastic/siem (Team:SIEM) |
randomuserid
added
release_note:skip
added 3 commits
April 13, 2020 14:48
|
Screenshots of the Glorious Investigation Notes Field |
rw-access
approved these changes
Apr 13, 2020
spong
reviewed
Apr 13, 2020
| @@ -20,5 +20,6 @@ | |||
| "Windows" | |||
| ], | |||
| "type": "machine_learning", | |||
| "note": "### Investigating an Unusual Windows User ###\nThis signal indicates activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user? \n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", | |||
There was a problem hiding this comment.
nit: May want rule instead of signal here, or something like Signals from this rule indicate... since this is only viewable on the Rule Details Page. Up to you, no chance necessary.
There was a problem hiding this comment.
OK we decided to make this change.
spong
approved these changes
Apr 13, 2020
There was a problem hiding this comment.
Checked out locally, loaded prebuilt rules and verified no issues with loading the rules or with how the Investigation Guide markdown is rendered, edited, or exported/imported.
Rules Details looks good 👍
Edit Rules looks good 👍
LGTM -- thanks @randomuserid!
change to "Signals from this rule indicate"
rylnd
approved these changes
Apr 13, 2020
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
spong
pushed a commit
to spong/kibana
that referenced
this pull request
Apr 13, 2020
* notes field added text to the "investigation notes" field in md which the field supports. * Revert "notes field" This reverts commit dae6ffc. * Revert "Revert "notes field"" This reverts commit f9de4bf. * Update linux_anomalous_network_activity.json * text change change to "Signals from this rule indicate"
spong
pushed a commit
to spong/kibana
that referenced
this pull request
Apr 13, 2020
* notes field added text to the "investigation notes" field in md which the field supports. * Revert "notes field" This reverts commit dae6ffc. * Revert "Revert "notes field"" This reverts commit f9de4bf. * Update linux_anomalous_network_activity.json * text change change to "Signals from this rule indicate"
spong
added a commit
that referenced
this pull request
Apr 14, 2020
* notes field added text to the "investigation notes" field in md which the field supports. * Revert "notes field" This reverts commit dae6ffc. * Revert "Revert "notes field"" This reverts commit f9de4bf. * Update linux_anomalous_network_activity.json * text change change to "Signals from this rule indicate" Co-authored-by: The SpaceCake Project <randomuserid@users.noreply.github.com>
spong
added a commit
that referenced
this pull request
Apr 14, 2020
* notes field added text to the "investigation notes" field in md which the field supports. * Revert "notes field" This reverts commit dae6ffc. * Revert "Revert "notes field"" This reverts commit f9de4bf. * Update linux_anomalous_network_activity.json * text change change to "Signals from this rule indicate" Co-authored-by: The SpaceCake Project <randomuserid@users.noreply.github.com>
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Apr 14, 2020
* master: (132 commits) document code splitting for client code (elastic#62593) Escape single quotes surrounded by double quotes (elastic#63229) [Endpoint] Update cli mapping to match endpoint package (elastic#63372) update in-app links to metricbeat configuration docs (elastic#63295) investigation notes field (documentation / metadata) (elastic#63386) [Maps] fix bug where toggling Scaling type does not re-fetch data (elastic#63326) [Alerting] set correct parameter for unauthented email action (elastic#63086) [Telemetry] force staging urls in tests (elastic#63356) Migrate legacy maps service to NP & update refs (elastic#60942) Fix task manager query to return tasks to retry (elastic#63360) [Endpoint] Policy list support for URL pagination state (elastic#63291) [Canvas] Migrate saved object mappings and migrations to Kibana Platform (elastic#58891) [DOCS] Add ILM tutorial (elastic#59502) [Maps] Add SOURCE_TYPES enumeration (elastic#62975) [Maps] update geospatial filters to use geo_shape query for geo_point fields (elastic#62966) Move away from npStart for embeddables in canvas (elastic#62680) Use MapInput type from Maps plugin (elastic#61539) Update to pagination for workpad and templates (elastic#62050) [SIEM] Fix AlertsTable id (elastic#63368) Consistent terminology around cypress test data (elastic#63279) ...
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Apr 14, 2020
* master: document code splitting for client code (elastic#62593) Escape single quotes surrounded by double quotes (elastic#63229) [Endpoint] Update cli mapping to match endpoint package (elastic#63372) update in-app links to metricbeat configuration docs (elastic#63295) investigation notes field (documentation / metadata) (elastic#63386) [Maps] fix bug where toggling Scaling type does not re-fetch data (elastic#63326) [Alerting] set correct parameter for unauthented email action (elastic#63086) [Telemetry] force staging urls in tests (elastic#63356) Migrate legacy maps service to NP & update refs (elastic#60942) Fix task manager query to return tasks to retry (elastic#63360) [Endpoint] Policy list support for URL pagination state (elastic#63291) [Canvas] Migrate saved object mappings and migrations to Kibana Platform (elastic#58891) [DOCS] Add ILM tutorial (elastic#59502) [Maps] Add SOURCE_TYPES enumeration (elastic#62975) [Maps] update geospatial filters to use geo_shape query for geo_point fields (elastic#62966) Move away from npStart for embeddables in canvas (elastic#62680)
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Apr 15, 2020
* alerting/alert-services-mock: (107 commits) removed unused import added alert services mock and use it in siem [Metrics UI] Refactor With* containers to hooks (elastic#59503) [NP] Migrate logstash server side code to NP (elastic#63135) Clicking cancel in saved query save modal doesn't close it (elastic#62774) [Lens] Migration from 7.7 (elastic#62879) [Lens] Fix bug where suggestions didn't use filters (elastic#63293) Task/linux events (elastic#63400) [Remote clusters] guard against usageCollection plugin if unav… (elastic#63284) [Uptime] Remove pings graphql (elastic#59392) Index Pattern Field class - factor out copy_field code for future typescripting (elastic#63083) [EPM] add/remove package in package settings page (elastic#63389) Adjust API authorization logging (elastic#63350) Revert FTR: add chromium-based Edge browser support (elastic#61684) (elastic#63448) [Event Log] Adds namespace into save objects (elastic#62974) document code splitting for client code (elastic#62593) Escape single quotes surrounded by double quotes (elastic#63229) [Endpoint] Update cli mapping to match endpoint package (elastic#63372) update in-app links to metricbeat configuration docs (elastic#63295) investigation notes field (documentation / metadata) (elastic#63386) ...
wayneseymour
pushed a commit
that referenced
this pull request
Apr 15, 2020
* notes field added text to the "investigation notes" field in md which the field supports. * Revert "notes field" This reverts commit dae6ffc. * Revert "Revert "notes field"" This reverts commit f9de4bf. * Update linux_anomalous_network_activity.json * text change change to "Signals from this rule indicate"
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
added text to the "investigation notes" field in md which the field supports.
Summary
Summarize your PR. If it involves visual changes include a screenshot or gif.
Checklist
Delete any items that are not applicable to this PR.
For maintainers