Visual event analyzer updates for 7.10 (#347) (#364)

* Visual event analyzer updates for 7.10

* Grammar edits

* Add note about analyzing events from timelines

* Rename header. Fix link. Merge Michael's feedback

* Fix small error

* Fix small formatting issues

* Update docs/detections/visual-event-analyzer.asciidoc

Co-authored-by: Robert Austin <robert.austin@elastic.co>

* Address additional feedback

* Remove additional information about event.category

Co-authored-by: Robert Austin <robert.austin@elastic.co>

Co-authored-by: Robert Austin <robert.austin@elastic.co>

docs/detections/alerts-ui-manage.asciidoc

@@ -100,26 +100,4 @@ For information about exceptions and how to use them, see
 === Visually analyze process relationships
 
 For process events received from the Elastic Endpoint agent, you can open a
-visual mapping of the relationships and hierarchy connecting related processes.
-
-NOTE: You can only visualize events triggered from hosts configured with the Elastic Endpoint Security Integration.
-
-To visualize process relationships, select the **Analyze Event** icon next to the event. The Analyze Event view appears.
-
-[role="screenshot"]
-image::images/analyze-event.png[]
-
-Inside the view, each cube represents either a node, process, or alert. If a process contains events, you can select any event associated with the process based on the event type.
-
-[role="screenshot"]
-image::images/analyze-event-view.png[]
-
-Once selected, the left-panel gives details about the event and associated processes.
-
-[role="screenshot"]
-image::images/event-panel.png[]
-
-For further investigation of the relationship between processes and events, users can:
-
-- Zoom in and out of the timeline view using the slider to the right of the timeline.
-- See the time passed between each node.
+visual mapping of the relationships and hierarchy connecting related processes. For more information see, <<visual-event-analyzer>>.

docs/detections/detections-index.asciidoc

@@ -16,6 +16,8 @@ include::building-block-rule.asciidoc[]
 
 include::alerts-ui-manage.asciidoc[]
 
+include::visual-event-analyzer.asciidoc[]
+
 include::prebuilt-rules/tune-rule-signals.asciidoc[]
 
 include::prebuilt-rules/prebuilt-rules-changelog.asciidoc[]

docs/detections/visual-event-analyzer.asciidoc

@@ -0,0 +1,93 @@
+[[visual-event-analyzer]]
+[role="xpack"]
+== Visual event analyzer 
+
+Elastic Security allows any event detected by Elastic Endpoint to be analyzed using a process-based visual analyzer. This enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations. 
+
+[float]
+[[find-events-analyze]]
+=== Find events to analyze
+
+You can only visualize events triggered by hosts configured with the Elastic Endpoint Security Integration. In KQL, this translates to any event with the `agent.type` set to `endpoint`.
+
+To access events that can be visually analyzed:
+
+1. In Elastic Security, select **Hosts** > **Events**. A list of all your host's events appears in the bottom panel of the host's view.
+
+2. Create a KQL query that filters all `endpoint` detected events by entering `agent.type: endpoint and process.entity_id : *` into the KQL search bar, and then select **Update**.
++
+[role="screenshot"]
+image::images/kql-agent-type.png[]
++
+A list of all `endpoint` related events appears.
+
+3. Select the **Analyze Event** icon next to the event you want to analyze. 
++
+[role="screenshot"]
+image::images/analyze-event.png[]
+
+The visual **Analyzer** view appears.
+
+[role="screenshot"]
+image::images/analyze-event-view.png[]
+
+You can also analyze events from <<timelines-ui,Timelines>>
+
+
+[discrete]
+[[visual-analyzer-ui]]
+=== Visual event analyzer UI
+
+Inside the visual analyzer, each cube represents a process (i.e. an executable file or network event). Click and drag in timeline view to see all process relationships. 
+
+To make the analyzer full screen, select the **Full Screen** icon above the left-panel. 
+
+[role="screenshot"]
+image::images/full-screen-analyzer.png[]
+
+The left panel contains a list of all processes related to the event, starting with the event chain's first process. **Analyzed Events**, as in the event you selected to analyze from either the events list or your timeline, are highlighted by a light blue outline around the cube. 
+
+[role="screenshot"]
+image::images/process-list.png[]
+
+In the graphical view, you can:
+
+- Zoom in and out of the graphical view using the slider to the right of the timeline.
+- Click and drag around the graphical view to more process relationships.
+- See the time passed between each process.
+- See all events related to each process. 
+
+[role="screenshot"]
+image::images/graphical-view.png[]
+
+
+[discrete]
+[[process-and-event-details]]
+=== Process and event details
+
+To see more details about each related process, select the process either in the left panel or the graphical view. The information on the process appears in the left panel, which typically includes but isn't limited to:
+
+- The number of events associated with the process.
+- The timestamp when the process was executed.
+- The file path of the process within the host.
+- The `process-pid`.
+- The user name and domain that ran the process.
+- Any other relevant process information. 
+
+[role="screenshot"]
+image::images/process-details.png[]
+
+See event details by selecting the **# events** URL at the top of the process details view or choosing one of the event pills in the graphical view.
+
+
+Events are categorized based on their `event.category`. 
+
+[role="screenshot"]
+image::event-type.png[]
+
+When selecting an `event.type`, a list of all those types of events appears in the left panel. If you want further details on the event, choose the event from the list. Event details appear in the left panel. 
+
+[role="screenshot"]
+image::event-details.png[]
+
+In Elastic Security 7.10 and later, there is no limit to the number of events that can be associated with a process. However, in 7.9, each process is limited to only 100 events.