[Docs] Detections and Alerts UI (#73)

* detections-ui-overview
* initial overview draft
* typo
* restructuring for dedicated alerts section
* rewording
* exceptions from alerts
* adds new rule options
* adds new action text placeholder
* restructure
* structure, exceptions and building-blocks
* minor edits
* adds exceptions
* exceptions cont
* exceptions correction
* more stuff
* proofing and whatnot
* terminology
* nested exception conditions
* typo
* typo - thanks Nate
* corrections - round 1
* add nested conditions example
* typo
* editing
* more proofing
* updates ex example
* adds promoted endpoint events
* typo
* corrections after review
* corrections
1 parent 2051071, commit 1afe89b
Showing 23 changed files with 787 additions and 306 deletions.
@@ -0,0 +1,106 @@ | ||
[[alerts-ui-manage]] | ||
[role="xpack"] | ||
== Managing detection alerts | ||
|
||
The Detections page displays all <<detection-alert-def, detection alerts>>. | ||
From the Alerts table, you can change an alert's status, and start | ||
investigating and analyzing alerts in Timeline. | ||
|
||
TIP: From Timeline, you can <<cases-ui-open, create cases>> to track issues and | ||
share information with colleagues. | ||
|
||
To view detection alerts created by a specific rule, you can: | ||
|
||
* Filter for a specific rule in the KQL bar (for example, | ||
`signal.rule.name :"SSH (Secure Shell) from the Internet"`). | ||
* View detection alerts in the *Rule details* page (click | ||
*Manage detection rules* -> rule name in the *All rules* table). | ||
|
||
NOTE: KQL autocomplete for `.siem-signals-*` indices is available on the | ||
*Detections* and *Rule details* pages, and in Timeline when either `All` or | ||
`Detection alerts` is selected. | ||
|
||
TIP: Use the icons in the upper left corner of the Alerts table to customize | ||
displayed columns and row renderers, and view the table in full screen mode. | ||
|
||
[float] | ||
[[detection-alert-status]] | ||
=== Change alert statuses | ||
|
||
You can set an alert's status to indicate whether it needs to be investigated | ||
(`Open`), is under active investigation (`In progress`), or resolved | ||
(`Closed`). By default, the Alerts table displays open alerts. To view alerts | ||
with other statuses, click *In progress* or *Closed*. | ||
|
||
To change alert statuses, either: | ||
|
||
* In the alert's row, click the *more options* icon, and then select the | ||
required status (*Mark in progress*, *Close alert*, or *Open alert*). | ||
* In the Alerts table, select all the alerts you want to change, and then select | ||
*Take action* -> *Close selected*, *Open selected*, or *Mark in progress*. | ||
|
||
[float] | ||
[[signals-to-timelines]] | ||
=== Send alerts to Timeline | ||
|
||
To view an alert in Timeline, click the *Investigate in timeline* icon. | ||
|
||
TIP: When you send an alert generated by a | ||
<<rules-ui-create, threshold rule>> to Timeline, all matching events are | ||
listed in the Timeline, even ones that did not reach the threshold value. For | ||
example, if you have an alert generated by a threshold rule that detects 10 | ||
failed login attempts, when you send that alert to Timeline all failed login | ||
attempts detected by the rule are listed. | ||
|
||
If the rule that generated the alert uses a Timeline template, when you | ||
investigate the alert in Timeline, the dropzone query values defined in the | ||
template are replaced with their corresponding alert values. | ||
|
||
// * `host.name` | ||
// * `host.hostname` | ||
// * `host.domain` | ||
// * `host.id` | ||
// * `host.ip` | ||
// * `client.ip` | ||
// * `destination.ip` | ||
// * `server.ip` | ||
// * `source.ip` | ||
// * `network.community_id` | ||
// * `user.name` | ||
// * `process.name` | ||
|
||
*Example* | ||
|
||
This Timeline template uses the `host.name: "{host.name}"` dropzone filter in | ||
the rule. When alerts generated by the rule are investigated in Timeline, the | ||
`{host.name}` value is replaced with the alert's `host.name` value. If the | ||
alerts's `host.name` value is `Windows-ArsenalFC`, the Timeline dropzone query | ||
is `host.name: "Windows-ArsenalFC"`. | ||
|
||
NOTE: See <<timelines-ui>> for information on creating Timelines and Timeline | ||
templates. For information on how to add Timeline templates to rules, see | ||
<<rules-ui-create>>. | ||
|
||
[float] | ||
[[add-exception-from-alerts]] | ||
=== Add rule exceptions | ||
|
||
You can add exceptions to the rule that generated the alert directly from the | ||
Alerts table. Exceptions prevent a rule from generating alerts even when its | ||
criteria are met. | ||
|
||
To add an exception, click the actions icon (three dots) and then select | ||
_Add exception_. | ||
|
||
For information about exceptions and how to use them, see | ||
<<detections-ui-exceptions>>. | ||
|
||
[float] | ||
[[alerts-to-resolver]] | ||
=== Visually analyze process relationships. | ||
|
||
For process events received from the Elastic Endpoint agent, you can open a | ||
visual mapping of the relationships and hierarchy connecting related processes. | ||
|
||
To visualize process relationships, click the *Analyze event* icon. For more | ||
information, see Ben xref. |
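Review bot: the last sentence of this hunk, `information, see Ben xref.`, is an unresolved placeholder and should be replaced with a real cross-reference (an `<<anchor>>` to the process-analysis topic) before this merges, or the sentence dropped until that topic exists. Smaller points in the same hunk: the heading `=== Visually analyze process relationships.` has a trailing period that no other heading in the file uses; `alerts's` in the Timeline template example should be `alert's`; and the commented-out field list (`// * `host.name`` through `// * `process.name``) is dead content with no note saying why it is kept, so either turn it into documented text (the fields a template can substitute) or remove it. The anchor `[[signals-to-timelines]]` also keeps the old "signals" naming while the surrounding text has moved to "alerts"; renaming it would match the terminology change, as long as existing xrefs to it are updated in the same commit.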
@@ -0,0 +1,31 @@ | ||
[[building-block-rule]] | ||
[role="xpack"] | ||
== About building-block rules | ||
|
||
Create building-block rules when you do not want to see their generated alerts | ||
in the UI. This is useful when you want: | ||
|
||
* A record of low-risk alerts without producing noise in the Alerts table. | ||
* Rules that execute on the alert indices (`.siem-signals-<kibana space>-*`). | ||
You can then use building-block rules to create hidden alerts that act as a | ||
basis for an 'ordinary' rule to generate visible alerts. | ||
|
||
[float] | ||
=== Set up rules that run on alert indices | ||
|
||
To create a rule that searches alert indices, in the *Index patterns* field, | ||
add the index pattern for alert indices: | ||
|
||
[role="screenshot"] | ||
image::images/alert-indices-ui.png[] | ||
|
||
[float] | ||
|
||
=== View building-block alerts in the UI | ||
|
||
. Go to *Security* -> *Detections* | ||
. In the Alert table, select _Additional filters_ -> | ||
_Include building-block alerts_. | ||
|
||
NOTE: On a building-block Rule details page, the rule's alerts are displayed (by | ||
default, _Include building-block alerts_ is selected). |
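Review bot: the `[float]` attribute above `=== View building-block alerts in the UI` is separated from the heading by a blank line, so in AsciiDoc it will not attach to that heading and the section will not render as a floating title like the others; remove the blank line so `[float]` sits directly above the `===` line, as it does for `=== Set up rules that run on alert indices`. Two smaller points: the index pattern `.siem-signals-<kibana space>-*` would be clearer if the text said what replaces `<kibana space>` (the name of the Kibana space the rule runs in), since this is the value readers type into the *Index patterns* field; and the list item `. Go to *Security* -> *Detections*` is missing the terminal period that the next item has, while `Alert table` here differs from `Alerts table` used in the managing-alerts file.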