diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index 9ccb359d73..83ba78e3dc 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc @@ -52,7 +52,7 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo [[preview-panel]] === Preview panel -Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **x**. +Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **Back** or **x**. [role="screenshot"] image::images/alert-details-flyout-preview-panel.gif[Preview panel of the alert details flyout, 65%] @@ -67,13 +67,13 @@ The left panel provides an expanded view of what's shown in the right panel. To + [role="screenshot"] -image::images/expand-details-button.png[Expand details button at the top of the alert details flyout, 45%] +image::images/expand-details-button.png[Expand details button at the top of the alert details flyout, 65%] * Click one of the section titles on the **Overview** tab within the right panel. + [role="screenshot"] -image::images/alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 45%] +image::images/alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 65%] [discrete] [[about-section]] 
@@ -201,7 +201,7 @@ From the right panel, click **Threat intelligence** to open the expanded Threat NOTE: The expanded threat intelligence view queries indices specified in the `securitySolution:defaultThreatIndex` advanced setting. Refer to <> to learn more about threat intelligence indices. [role="screenshot"] -image::images/expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 70%] +image::images/expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 80%] The expanded Threat intelligence view shows individual indicators within the alert document. You can expand and collapse indicator details by clicking the arrow button at the end of the indicator label. Each indicator is labeled with values from the `matched.field` and `matched.atomic` fields and displays the threat intelligence provider. @@ -256,7 +256,7 @@ NOTE: To access data about alerts related by process ancestry, you must have a h From the right panel, click **Correlations** to open the expanded Correlations view within the left panel. [role="screenshot"] -image::images/expanded-correlations-view.png[Expanded view of correlation data, 65%] +image::images/expanded-correlations-view.png[Expanded view of correlation data, 75%] In the expanded view, corelation data is organized into several tables: diff --git a/docs/detections/images/alert-details-flyout-preview-panel.gif b/docs/detections/images/alert-details-flyout-preview-panel.gif index 52f91aaf38..0e27cbf7dc 100644 Binary files a/docs/detections/images/alert-details-flyout-preview-panel.gif and b/docs/detections/images/alert-details-flyout-preview-panel.gif differ diff --git a/docs/detections/images/alert-details-flyout-right-panel.png b/docs/detections/images/alert-details-flyout-right-panel.png index 1f01cda76a..e1072a26f5 100644 Binary files a/docs/detections/images/alert-details-flyout-right-panel.png and b/docs/detections/images/alert-details-flyout-right-panel.png differ 
diff --git a/docs/detections/images/expand-details-button.png b/docs/detections/images/expand-details-button.png index 2a53fac260..3152e9cad2 100644 Binary files a/docs/detections/images/expand-details-button.png and b/docs/detections/images/expand-details-button.png differ diff --git a/docs/detections/images/expanded-correlations-view.png b/docs/detections/images/expanded-correlations-view.png index 2aa9b75275..7679fa88c5 100644 Binary files a/docs/detections/images/expanded-correlations-view.png and b/docs/detections/images/expanded-correlations-view.png differ diff --git a/docs/detections/images/expanded-entities-view.png b/docs/detections/images/expanded-entities-view.png index e7f05fe2ed..6a37b0cb0e 100644 Binary files a/docs/detections/images/expanded-entities-view.png and b/docs/detections/images/expanded-entities-view.png differ diff --git a/docs/detections/images/expanded-prevalence-view.png b/docs/detections/images/expanded-prevalence-view.png index 48c44f6a18..2bfe84fa1a 100644 Binary files a/docs/detections/images/expanded-prevalence-view.png and b/docs/detections/images/expanded-prevalence-view.png differ diff --git a/docs/detections/images/expanded-threat-intelligence-view.png b/docs/detections/images/expanded-threat-intelligence-view.png index da4632101c..0fff543aa7 100644 Binary files a/docs/detections/images/expanded-threat-intelligence-view.png and b/docs/detections/images/expanded-threat-intelligence-view.png differ diff --git a/docs/detections/images/ig-alert-flyout-invest-tab.png b/docs/detections/images/ig-alert-flyout-invest-tab.png index b686a3f4c0..b778699fb1 100644 Binary files a/docs/detections/images/ig-alert-flyout-invest-tab.png and b/docs/detections/images/ig-alert-flyout-invest-tab.png differ 
diff --git a/docs/detections/images/ig-alert-flyout.png b/docs/detections/images/ig-alert-flyout.png index eb6a4eee6a..a7a8bbe744 100644 Binary files a/docs/detections/images/ig-alert-flyout.png and b/docs/detections/images/ig-alert-flyout.png differ diff --git a/docs/detections/images/ig-timeline-query.png b/docs/detections/images/ig-timeline-query.png index 48f3029494..3999031407 100644 Binary files a/docs/detections/images/ig-timeline-query.png and b/docs/detections/images/ig-timeline-query.png differ diff --git a/docs/detections/images/ig-timeline.png b/docs/detections/images/ig-timeline.png index 706891bb91..d5ad773504 100644 Binary files a/docs/detections/images/ig-timeline.png and b/docs/detections/images/ig-timeline.png differ diff --git a/docs/detections/images/open-alert-details-flyout.gif b/docs/detections/images/open-alert-details-flyout.gif index 462ff9f429..29a156e35c 100644 Binary files a/docs/detections/images/open-alert-details-flyout.gif and b/docs/detections/images/open-alert-details-flyout.gif differ diff --git a/docs/events/images/correlation-tab-eql-query.png b/docs/events/images/correlation-tab-eql-query.png index 2c2a104489..56d45538a3 100644 Binary files a/docs/events/images/correlation-tab-eql-query.png and b/docs/events/images/correlation-tab-eql-query.png differ diff --git a/docs/events/images/create-a-timeline-template-field.png b/docs/events/images/create-a-timeline-template-field.png index 6b2fd0ea1c..5a13242d44 100644 Binary files a/docs/events/images/create-a-timeline-template-field.png and b/docs/events/images/create-a-timeline-template-field.png differ diff --git a/docs/events/images/timeline-sidebar.png b/docs/events/images/timeline-sidebar.png index 2c4152ffeb..76d45ff77a 100644 Binary files a/docs/events/images/timeline-sidebar.png and b/docs/events/images/timeline-sidebar.png differ 
diff --git a/docs/events/images/timeline-ui-renderer.png b/docs/events/images/timeline-ui-renderer.png index e799fe2236..207d5e5ccb 100644 Binary files a/docs/events/images/timeline-ui-renderer.png and b/docs/events/images/timeline-ui-renderer.png differ diff --git a/docs/events/images/timeline-ui-updated.png b/docs/events/images/timeline-ui-updated.png index 4149116feb..63450436cd 100644 Binary files a/docs/events/images/timeline-ui-updated.png and b/docs/events/images/timeline-ui-updated.png differ diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index ebaaa901f9..4459a9149a 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc @@ -58,7 +58,7 @@ Many types of events automatically appear in preconfigured views that provide re contextual information, called *Event renderers*. All event renderers are turned off by default. To turn them on, use the **Event renderers** toggle at the top of the results pane. To only turn on specific event renderers, click the gear (image:images/customize-event-renderers.png[The customize event renderer button,20,20]) icon next to the toggle, and select the ones you want enabled. Close the **Customize event renderers** pane when you're done. Your changes are automatically applied to Timeline. [role="screenshot"] -image::images/timeline-ui-renderer.png[example timeline with the event renderer highlighted] +image::images/timeline-ui-renderer.png[example timeline with the event renderer highlighted, 70%] The example above displays the Flow event renderer, which highlights the movement of data between its source and destination. If you see a particular part of the rendered event that 
@@ -101,7 +101,7 @@ TIP: Collapse the query builder to provide more space for Timeline results by cl Click a filter to access additional operations such as *Add filter*, *Clear all*, *Load saved query*, and more: [role="screenshot"] -image::images/timeline-ui-filter-options.png[width=30%] +image::images/timeline-ui-filter-options.png[width=60%] Here are examples of various types of filters: diff --git a/docs/serverless/alerts/view-alert-details.asciidoc b/docs/serverless/alerts/view-alert-details.asciidoc index 3e9050a415..a845ddc8f3 100644 --- a/docs/serverless/alerts/view-alert-details.asciidoc +++ b/docs/serverless/alerts/view-alert-details.asciidoc @@ -13,7 +13,7 @@ preview:[] To learn more about an alert, click the **View details** button from the Alerts table. This opens the alert details flyout, which helps you understand and manage the alert. [role="screenshot"] -image::images/view-alert-details/-detections-open-alert-details-flyout.gif[Expandable flyout] +image::images/view-alert-details/-detections-open-alert-details-flyout.gif[Expandable flyout, 90%] Use the alert details flyout to begin an investigation, open a case, or plan a response. Click **Take action** at the bottom of the flyout to find more options for interacting with the alert. 
@@ -30,12 +30,12 @@ The alert details flyout has a right panel, a preview panel, and a left panel. E The right panel provides an overview of the alert. Expand any of the collapsed sections to learn more about the alert. You can also hover over fields on the **Overview** and **Table** tabs to display available <>. [role="screenshot"] -image::images/view-alert-details/-detections-alert-details-flyout-right-panel.png[Right panel of the alert details flyout] +image::images/view-alert-details/-detections-alert-details-flyout-right-panel.png[Right panel of the alert details flyout, 65%] From the right panel, you can also: * Click **Expand details** to open the <>, which shows more information about sections in the right panel. -* Click the **Chat** icon (image:images/icons/discuss.svg[Chat]) to access the <>. +* Click the **Chat** icon (image:images/view-alert-details/-detections-ai-assistant-chat.png[AI assistant chat icon,15,15]) to access the <>. * Click the **Share alert** icon (image:images/icons/share.svg[Share alert]) to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page. + [NOTE] 
@@ -61,10 +61,10 @@ If you've enabled grouping on the Alerts page, the alert details flyout won't op [[preview-panel]] === Preview panel -Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **x**. +Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **Back** or **x**. [role="screenshot"] -image::images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif[Preview panel of the alert details flyout] +image::images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif[Preview panel of the alert details flyout, 65%] [discrete] [[left-panel]] @@ -75,11 +75,11 @@ The left panel provides an expanded view of what's shown in the right panel. To * Click **Expand details** at the top of the right panel. + [role="screenshot"] -image:images/view-alert-details/-detections-expand-details-button.png[Expand details button at the top of the alert details flyout] +image:images/view-alert-details/-detections-expand-details-button.png[Expand details button at the top of the alert details flyout, 65%] * Click one of the section titles on the **Overview** tab within the right panel. + [role="screenshot"] -image:images/view-alert-details/-detections-alert-details-flyout-left-panel.png[Left panel of the alert details flyout] +image:images/view-alert-details/-detections-alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 65%] [discrete] [[about-section]] 
@@ -88,7 +88,7 @@ image:images/view-alert-details/-detections-alert-details-flyout-left-panel.png[ The About section is located on the **Overview** tab in the right panel. It provides a brief description of the rule that's related to the alert and an explanation of what generated the alert. [role="screenshot"] -image::images/view-alert-details/-detections-about-section-rp.png[About section of the Overview tab] +image::images/view-alert-details/-detections-about-section-rp.png[About section of the Overview tab, 65%] The About section has the following information: @@ -109,7 +109,7 @@ The event renderer only displays if an event renderer exists for the alert type. The Investigation section is located on the **Overview** tab in the right panel. It offers a couple of ways to begin investigating the alert. [role="screenshot"] -image::images/view-alert-details/-detections-investigation-section-rp.png[Investigation section of the Overview tab] +image::images/view-alert-details/-detections-investigation-section-rp.png[Investigation section of the Overview tab, 65%] The Investigation section provides the following information: @@ -128,7 +128,7 @@ Add an <> to a rule when creating a new The Visualizations section is located on the **Overview** tab in the right panel. It offers a glimpse of the processes that led up to the alert and occurred after it. [role="screenshot"] -image::images/view-alert-details/-detections-visualizations-section-rp.png[Visualizations section of the Overview tab] +image::images/view-alert-details/-detections-visualizations-section-rp.png[Visualizations section of the Overview tab, 65%] Click **Visualizations** to display the following previews: 
@@ -150,7 +150,7 @@ To use the **Visualize** tab, you must turn on the `securitySolution:enableVisua The **Visualize** tab allows you to maintain the context of the Alerts table, while providing a more detailed view of alerts that you're investigating in the event analyzer or Session View. To open the tab, click **Session view preview** or **Analyzer preview** from the right panel. [role="screenshot"] -image::images/view-alert-details/-detections-visualize-tab-lp.png[Expanded view of visualization details] +image::images/view-alert-details/-detections-visualize-tab-lp.png[Expanded view of visualization details, 80%] As you examine the alert's related processes, you can also preview the alerts and events which are associated with those processes. Then, if you want to learn more about a particular alert or event, you can click **Show full alert details** to open the full details flyout. @@ -164,7 +164,7 @@ image::images/view-alert-details/-detections-visualize-tab-lp-alert-details.gif[ The Insights section is located on the **Overview** tab in the right panel. It offers different perspectives from which you can assess the alert. Click **Insights** to display overviews for <>, <>, <>, and <>. [role="screenshot"] -image::images/view-alert-details/-detections-insights-section-rp.png[Insights section of the Overview tab] +image::images/view-alert-details/-detections-insights-section-rp.png[Insights section of the Overview tab, 65%] [discrete] [[entities-overview]] 
@@ -173,7 +173,7 @@ image::images/view-alert-details/-detections-insights-section-rp.png[Insights se The Entities overview provides high-level details about the user and host that are related to the alert. Host and user risk classifications are also available if you have the Security Analytics Complete <>. [role="screenshot"] -image::images/view-alert-details/-detections-entities-overview.png[Overview of the entity details section in the right panel] +image::images/view-alert-details/-detections-entities-overview.png[Overview of the entity details section in the right panel, 60%] [discrete] [[expanded-entities-view]] @@ -182,7 +182,7 @@ image::images/view-alert-details/-detections-entities-overview.png[Overview of t From the right panel, click **Entities** to open a detailed view of the host and user associated with the alert. The expanded view also includes risk scores and classifications (if you have the Security Analytics Complete <>) and activity on related hosts and users. [role="screenshot"] -image::images/view-alert-details/-detections-expanded-entities-view.png[Expanded view of entity details] +image::images/view-alert-details/-detections-expanded-entities-view.png[Expanded view of entity details, 70%] [discrete] [[threat-intelligence-overview]] @@ -191,7 +191,7 @@ image::images/view-alert-details/-detections-expanded-entities-view.png[Expanded The Threat intelligence overview shows matched indicators, which provide threat intelligence relevant to the alert. [role="screenshot"] -image::images/view-alert-details/-detections-threat-intelligence-overview.png[Overview of threat intelligence on the alert] +image::images/view-alert-details/-detections-threat-intelligence-overview.png[Overview of threat intelligence on the alert, 70%] The Threat intelligence overview provides the following information: 
@@ -210,7 +210,7 @@ The expanded threat intelligence view queries indices specified in the `security ==== [role="screenshot"] -image::images/view-alert-details/-detections-expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert] +image::images/view-alert-details/-detections-expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 80%] The expanded Threat intelligence view shows individual indicators within the alert document. You can expand and collapse indicator details by clicking the arrow button at the end of the indicator label. Each indicator is labeled with values from the `matched.field` and `matched.atomic` fields and displays the threat intelligence provider. @@ -249,7 +249,7 @@ When searching for threat intelligence, {elastic-sec} queries the alert document The Correlations overview shows how an alert is related to other alerts and offers ways to investigate related alerts. Use this information to quickly find patterns between alerts and then take action. [role="screenshot"] -image::images/view-alert-details/-detections-correlations-overview.png[Overview of available correlation data] +image::images/view-alert-details/-detections-correlations-overview.png[Overview of available correlation data, 60%] The Correlations overview provides the following information: @@ -266,7 +266,7 @@ The Correlations overview provides the following information: From the right panel, click **Correlations** to open the expanded Correlations view within the left panel. [role="screenshot"] -image::images/view-alert-details/-detections-expanded-correlations-view.png[Expanded view of correlation data] +image::images/view-alert-details/-detections-expanded-correlations-view.png[Expanded view of correlation data, 75%] In the expanded view, corelation data is organized into several tables: 
@@ -312,7 +312,7 @@ The expanded Prevalence view provides the following details: The **Response** section is located on the **Overview** tab in the right panel. It shows <> that were added to the rule associated with the alert. Click **Response** to display the response action's results in the left panel. [role="screenshot"] -image::images/view-alert-details/-detections-response-action-rp.png[Response section of the Overview tab] +image::images/view-alert-details/-detections-response-action-rp.png[Response section of the Overview tab, 50%] [discrete] [[expanded-notes-view]] @@ -325,4 +325,4 @@ The **Notes** tab (located in the left panel) shows all notes attached to the al Go to the **Notes** <> to find notes that were added to other alerts. ==== -image::images/view-alert-details/-detections-notes-tab-lp.png[Notes tab in the left panel] +image::images/view-alert-details/-detections-notes-tab-lp.png[Notes tab in the left panel, 70%] diff --git a/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout-invest-tab.png b/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout-invest-tab.png index b686a3f4c0..b778699fb1 100644 Binary files a/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout-invest-tab.png and b/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout-invest-tab.png differ diff --git a/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout.png b/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout.png index eb6a4eee6a..a7a8bbe744 100644 Binary files a/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout.png and b/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout.png differ 
diff --git a/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline-query.png b/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline-query.png index 48f3029494..3999031407 100644 Binary files a/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline-query.png and b/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline-query.png differ diff --git a/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline.png b/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline.png index 706891bb91..d5ad773504 100644 Binary files a/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline.png and b/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline.png differ diff --git a/docs/serverless/images/timeline-templates-ui/-events-create-a-timeline-template-field.png b/docs/serverless/images/timeline-templates-ui/-events-create-a-timeline-template-field.png index 6b2fd0ea1c..5a13242d44 100644 Binary files a/docs/serverless/images/timeline-templates-ui/-events-create-a-timeline-template-field.png and b/docs/serverless/images/timeline-templates-ui/-events-create-a-timeline-template-field.png differ diff --git a/docs/serverless/images/timelines-ui/-events-correlation-tab-eql-query.png b/docs/serverless/images/timelines-ui/-events-correlation-tab-eql-query.png index 2c2a104489..56d45538a3 100644 Binary files a/docs/serverless/images/timelines-ui/-events-correlation-tab-eql-query.png and b/docs/serverless/images/timelines-ui/-events-correlation-tab-eql-query.png differ 
diff --git a/docs/serverless/images/timelines-ui/-events-timeline-sidebar.png b/docs/serverless/images/timelines-ui/-events-timeline-sidebar.png index 2c4152ffeb..76d45ff77a 100644 Binary files a/docs/serverless/images/timelines-ui/-events-timeline-sidebar.png and b/docs/serverless/images/timelines-ui/-events-timeline-sidebar.png differ diff --git a/docs/serverless/images/timelines-ui/-events-timeline-ui-renderer.png b/docs/serverless/images/timelines-ui/-events-timeline-ui-renderer.png index e799fe2236..207d5e5ccb 100644 Binary files a/docs/serverless/images/timelines-ui/-events-timeline-ui-renderer.png and b/docs/serverless/images/timelines-ui/-events-timeline-ui-renderer.png differ diff --git a/docs/serverless/images/timelines-ui/-events-timeline-ui-updated.png b/docs/serverless/images/timelines-ui/-events-timeline-ui-updated.png index 4149116feb..63450436cd 100644 Binary files a/docs/serverless/images/timelines-ui/-events-timeline-ui-updated.png and b/docs/serverless/images/timelines-ui/-events-timeline-ui-updated.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-ai-assistant-chat.png b/docs/serverless/images/view-alert-details/-detections-ai-assistant-chat.png new file mode 100644 index 0000000000..2e5b9450ad Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-ai-assistant-chat.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif b/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif index 52f91aaf38..0e27cbf7dc 100644 Binary files a/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif and b/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif differ 
diff --git a/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-right-panel.png b/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-right-panel.png index 1f01cda76a..e1072a26f5 100644 Binary files a/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-right-panel.png and b/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-right-panel.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-expand-details-button.png b/docs/serverless/images/view-alert-details/-detections-expand-details-button.png index 2a53fac260..3152e9cad2 100644 Binary files a/docs/serverless/images/view-alert-details/-detections-expand-details-button.png and b/docs/serverless/images/view-alert-details/-detections-expand-details-button.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-expanded-correlations-view.png b/docs/serverless/images/view-alert-details/-detections-expanded-correlations-view.png index 2aa9b75275..7679fa88c5 100644 Binary files a/docs/serverless/images/view-alert-details/-detections-expanded-correlations-view.png and b/docs/serverless/images/view-alert-details/-detections-expanded-correlations-view.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-expanded-entities-view.png b/docs/serverless/images/view-alert-details/-detections-expanded-entities-view.png index e7f05fe2ed..6a37b0cb0e 100644 Binary files a/docs/serverless/images/view-alert-details/-detections-expanded-entities-view.png and b/docs/serverless/images/view-alert-details/-detections-expanded-entities-view.png differ 
diff --git a/docs/serverless/images/view-alert-details/-detections-expanded-prevalence-view.png b/docs/serverless/images/view-alert-details/-detections-expanded-prevalence-view.png index 48c44f6a18..2bfe84fa1a 100644 Binary files a/docs/serverless/images/view-alert-details/-detections-expanded-prevalence-view.png and b/docs/serverless/images/view-alert-details/-detections-expanded-prevalence-view.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-expanded-threat-intelligence-view.png b/docs/serverless/images/view-alert-details/-detections-expanded-threat-intelligence-view.png index da4632101c..0fff543aa7 100644 Binary files a/docs/serverless/images/view-alert-details/-detections-expanded-threat-intelligence-view.png and b/docs/serverless/images/view-alert-details/-detections-expanded-threat-intelligence-view.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-open-alert-details-flyout.gif b/docs/serverless/images/view-alert-details/-detections-open-alert-details-flyout.gif index 462ff9f429..29a156e35c 100644 Binary files a/docs/serverless/images/view-alert-details/-detections-open-alert-details-flyout.gif and b/docs/serverless/images/view-alert-details/-detections-open-alert-details-flyout.gif differ diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc index 353d48a090..d0c7c1d8f9 100644 --- a/docs/serverless/index.asciidoc +++ b/docs/serverless/index.asciidoc 
@@ -178,12 +178,12 @@ include::./osquery/invest-guide-run-osquery.asciidoc[leveloffset=+4] include::./osquery/alerts-run-osquery.asciidoc[leveloffset=+4] include::./osquery/view-osquery-results.asciidoc[leveloffset=+4] include::./osquery/osquery-placeholder-fields.asciidoc[leveloffset=+4] +include::./investigate/add-manage-notes.asciidoc[leveloffset=+3] include::./investigate/indicators-of-compromise.asciidoc[leveloffset=+3] include::./investigate/cases-overview.asciidoc[leveloffset=+3] include::./investigate/case-permissions.asciidoc[leveloffset=+4] include::./investigate/cases-open-manage.asciidoc[leveloffset=+4] include::./investigate/cases-settings.asciidoc[leveloffset=+4] -include::./investigate/add-manage-notes.asciidoc[leveloffset=+4] include::./assets/asset-management.asciidoc[leveloffset=+2] diff --git a/docs/serverless/investigate/investigate-events.asciidoc b/docs/serverless/investigate/investigate-events.asciidoc index 59ee11f928..c3f627d562 100644 --- a/docs/serverless/investigate/investigate-events.asciidoc +++ b/docs/serverless/investigate/investigate-events.asciidoc @@ -14,3 +14,4 @@ These features are available in the {security-app}'s side navigation menu: * **Investigations** → <>: Workspace for investigations and threat hunting. * **Investigations** → <>: Run live and scheduled queries on operating systems. * <>: Indicators of compromise used for threat intelligence. +* <>: Use notes to coordinate responses, conduct threat hunting, and share investigative findings. diff --git a/docs/serverless/investigate/timeline-templates-ui.asciidoc b/docs/serverless/investigate/timeline-templates-ui.asciidoc index e47ee77405..4356ad7c86 100644 --- a/docs/serverless/investigate/timeline-templates-ui.asciidoc +++ b/docs/serverless/investigate/timeline-templates-ui.asciidoc 
@@ -55,17 +55,17 @@ Regular Timeline filter:: Clicking **Convert to template field** changes the filter to a template filter: + [role="screenshot"] -image::images/timeline-templates-ui/-events-template-filter-value.png[] +image::images/timeline-templates-ui/-events-template-filter-value.png[width=30%] Template filter:: + [role="screenshot"] -image:images/timeline-templates-ui/-events-timeline-template-filter.png[] +image:images/timeline-templates-ui/-events-timeline-template-filter.png[width=30%] + When you <>, template filters with placeholders are disabled: + [role="screenshot"] -image::images/timeline-templates-ui/-events-invalid-filter.png[] +image::images/timeline-templates-ui/-events-invalid-filter.png[width=30%] + To enable the filter, either specify a value or change it to a field's existing filter (refer to <>). diff --git a/docs/serverless/investigate/timelines-ui.asciidoc b/docs/serverless/investigate/timelines-ui.asciidoc index bd8ec2aaa7..6eef1cbd27 100644 --- a/docs/serverless/investigate/timelines-ui.asciidoc +++ b/docs/serverless/investigate/timelines-ui.asciidoc 
@@ -66,7 +66,7 @@ Many types of events automatically appear in preconfigured views that provide re contextual information, called **Event Renderers**. All event renderers are turned off by default. To turn them on, use the **Event renderers** toggle at the top of the results pane. To only turn on specific event renderers, click the gear (image:images/icons/gear.svg[The customize event renderer button]) icon next to the toggle, and select the ones you want enabled. Close the **Customize event renderers** pane when you're done. Your changes are automatically applied to Timeline. [role="screenshot"] -image::images/timelines-ui/-events-timeline-ui-renderer.png[example timeline with the event renderer highlighted] +image::images/timelines-ui/-events-timeline-ui-renderer.png[example timeline with the event renderer highlighted, 70%] The example above displays the Flow event renderer, which highlights the movement of data between its source and destination. If you see a particular part of the rendered event that @@ -112,7 +112,7 @@ Collapse the query builder and provide more space for Timeline results by clicki Click a filter to access additional operations such as **Add filter**, **Clear all**, **Load saved query**, and more: [role="screenshot"] -image::images/timelines-ui/-events-timeline-ui-filter-options.png[] +image::images/timelines-ui/-events-timeline-ui-filter-options.png[width=60%] Here are examples of various types of filters: 
@@ -120,26 +120,26 @@ Field with value:: Filters for events with the specified field value: + [role="screenshot"] -image::images/timelines-ui/-events-timeline-filter-value.png[] +image::images/timelines-ui/-events-timeline-filter-value.png[width=30%] Field exists:: Filters for events containing the specified field: + [role="screenshot"] -image::images/timelines-ui/-events-timeline-field-exists.png[] +image::images/timelines-ui/-events-timeline-field-exists.png[width=30%] Exclude results:: Filters for events that do not contain the specified field value (`field with value` filter) or the specified field (`field exists` filter): + [role="screenshot"] -image::images/timelines-ui/-events-timeline-filter-exclude.png[] +image::images/timelines-ui/-events-timeline-filter-exclude.png[width=30%] Temporarily disable:: The filter is not used in the query until it is enabled again: + [role="screenshot"] -image::images/timelines-ui/-events-timeline-disable-filter.png[] +image::images/timelines-ui/-events-timeline-disable-filter.png[width=30%] Filter for field present:: Converts a `field with value` filter to a `field exists` filter. diff --git a/docs/serverless/osquery/invest-guide-run-osquery.asciidoc b/docs/serverless/osquery/invest-guide-run-osquery.asciidoc index d969b43452..bc536194fc 100644 --- a/docs/serverless/osquery/invest-guide-run-osquery.asciidoc +++ b/docs/serverless/osquery/invest-guide-run-osquery.asciidoc @@ -47,7 +47,7 @@ Overwriting the query's default timeout period allows you to support queries tha ==== + [role="screenshot"] -image:images/invest-guide-run-osquery/-osquery-setup-osquery-investigation-guide.png[Shows results from running a query from an investigation guide] +image:images/invest-guide-run-osquery/-osquery-setup-osquery-investigation-guide.png[width=70%][height=70%][Shows results from running a query from an investigation guide] . Click **Save changes** to add the query to the rule's investigation guide. [discrete] 
@@ -74,4 +74,4 @@ Refer to <> for more i . Click **Save for later** to save the query for future use (optional). + [role="screenshot"] -image:images/invest-guide-run-osquery/-osquery-run-query-investigation-guide.png[Shows results from running a query from an investigation guide] +image:images/invest-guide-run-osquery/-osquery-run-query-investigation-guide.png[width=80%][height=80%][Shows results from running a query from an investigation guide] diff --git a/docs/serverless/rules/interactive-investigation-guides.asciidoc b/docs/serverless/rules/interactive-investigation-guides.asciidoc index 2ddbef6d4e..7ec6a3cfae 100644 --- a/docs/serverless/rules/interactive-investigation-guides.asciidoc +++ b/docs/serverless/rules/interactive-investigation-guides.asciidoc @@ -9,7 +9,7 @@ preview:[] Detection rule investigation guides suggest steps for triaging, analyzing, and responding to potential security issues. For custom rules, you can create an interactive investigation guide that includes buttons for launching runtime queries in <>, using alert data and hard-coded literal values. This allows you to start detailed Timeline investigations directly from an alert using relevant data. [role="screenshot"] -image::images/interactive-investigation-guides/-detections-ig-alert-flyout.png[Alert details flyout with interactive investigation guide] +image::images/interactive-investigation-guides/-detections-ig-alert-flyout.png[Alert details flyout with interactive investigation guide,400] Under the Investigation section, click **Show investigation guide** to open the **Investigation** tab in the left panel of the alert details flyout.
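Review bot: in the `@@ -55,17 +55,17 @@` hunk with the `timeline-templates-ui` screenshots, the middle image still uses the inline macro `image:images/timeline-templates-ui/-events-timeline-template-filter.png[width=30%]` (single colon) directly under a `[role="screenshot"]` block attribute, so the role is not applied and it renders inline rather than as a block like the two `image::` macros around it; since the line is being touched, change it to `image::`. All three images in this hunk also end up with an empty alt text, because `[width=30%]` supplies only the width; consider `[Template filter with a placeholder value,width=30%]` and similar for the other two so the screenshots stay accessible.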
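Review bot: in `docs/serverless/investigate/timelines-ui.asciidoc`, the `@@ -66,7 +66,7 @@` hunk sizes the renderer screenshot with a positional `, 70%` while the `@@ -112,7 +112,7 @@` hunk (and the `@@ -120,26 +120,26 @@` hunk after it) use the named `width=60%` / `width=30%` form; both work in Asciidoctor, but mixing them in one file makes the next editor guess. Pick one form per file, and give `-events-timeline-ui-filter-options.png` an alt text while the line is being changed, since `[width=60%]` leaves it empty.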
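Review bot: the two hunks in `docs/serverless/osquery/invest-guide-run-osquery.asciidoc` (`@@ -47,7 +47,7 @@` and `@@ -74,4 +74,4 @@`) produce malformed image macros: an AsciiDoc attribute list is a single bracket group, so `[width=70%][height=70%][Shows results from running a query from an investigation guide]` is parsed as the attribute list `[width=70%]` followed by the literal text `[height=70%][Shows results ...]` in the rendered page, and the alt text is lost. Use one attribute list, e.g. `image:images/invest-guide-run-osquery/-osquery-setup-osquery-investigation-guide.png[Shows results from running a query from an investigation guide,width=70%]`, and the `width=80%` equivalent in the second hunk; `height=70%` can be dropped, since setting only the width keeps the aspect ratio.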
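Review bot: in `docs/serverless/rules/interactive-investigation-guides.asciidoc` (`@@ -9,7 +9,7 @@` hunk), the positional `,400` sets a fixed 400-pixel width, while every other screenshot in this change is sized as a percentage (`65%`, `70%`, `width=30%`); a fixed pixel width does not scale with the page and is inconsistent with the rest of the patch. Suggest `[Alert details flyout with interactive investigation guide, 70%]` or the `width=70%` form, whichever the file standardizes on.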
