diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index 9c35e8b79f..deb6719f55 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc @@ -52,7 +52,7 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo [[preview-panel]] === Preview panel -Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **x**. +Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **Back** or **x**. [role="screenshot"] image::images/alert-details-flyout-preview-panel.gif[Preview panel of the alert details flyout, 65%] @@ -67,13 +67,13 @@ The left panel provides an expanded view of what's shown in the right panel. To + [role="screenshot"] -image::images/expand-details-button.png[Expand details button at the top of the alert details flyout, 45%] +image::images/expand-details-button.png[Expand details button at the top of the alert details flyout, 65%] * Click one of the section titles on the **Overview** tab within the right panel. + [role="screenshot"] -image::images/alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 45%] +image::images/alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 65%] [discrete] [[about-section]] 
@@ -201,7 +201,7 @@ From the right panel, click **Threat intelligence** to open the expanded Threat NOTE: The expanded threat intelligence view queries indices specified in the `securitySolution:defaultThreatIndex` advanced setting. Refer to <> to learn more about threat intelligence indices. [role="screenshot"] -image::images/expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 70%] +image::images/expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 80%] The expanded Threat intelligence view shows individual indicators within the alert document. You can expand and collapse indicator details by clicking the arrow button at the end of the indicator label. Each indicator is labeled with values from the `matched.field` and `matched.atomic` fields and displays the threat intelligence provider. @@ -256,7 +256,7 @@ NOTE: To access data about alerts related by process ancestry, you must have a h From the right panel, click **Correlations** to open the expanded Correlations view within the left panel. [role="screenshot"] -image::images/expanded-correlations-view.png[Expanded view of correlation data, 65%] +image::images/expanded-correlations-view.png[Expanded view of correlation data, 75%] In the expanded view, corelation data is organized into several tables: diff --git a/docs/detections/images/alert-details-flyout-preview-panel.gif b/docs/detections/images/alert-details-flyout-preview-panel.gif index 52f91aaf38..0e27cbf7dc 100644 Binary files a/docs/detections/images/alert-details-flyout-preview-panel.gif and b/docs/detections/images/alert-details-flyout-preview-panel.gif differ diff --git a/docs/detections/images/alert-details-flyout-right-panel.png b/docs/detections/images/alert-details-flyout-right-panel.png index 1f01cda76a..e1072a26f5 100644 Binary files a/docs/detections/images/alert-details-flyout-right-panel.png and b/docs/detections/images/alert-details-flyout-right-panel.png differ 
diff --git a/docs/detections/images/expand-details-button.png b/docs/detections/images/expand-details-button.png index 2a53fac260..3152e9cad2 100644 Binary files a/docs/detections/images/expand-details-button.png and b/docs/detections/images/expand-details-button.png differ diff --git a/docs/detections/images/expanded-correlations-view.png b/docs/detections/images/expanded-correlations-view.png index 2aa9b75275..7679fa88c5 100644 Binary files a/docs/detections/images/expanded-correlations-view.png and b/docs/detections/images/expanded-correlations-view.png differ diff --git a/docs/detections/images/expanded-entities-view.png b/docs/detections/images/expanded-entities-view.png index e7f05fe2ed..6a37b0cb0e 100644 Binary files a/docs/detections/images/expanded-entities-view.png and b/docs/detections/images/expanded-entities-view.png differ diff --git a/docs/detections/images/expanded-prevalence-view.png b/docs/detections/images/expanded-prevalence-view.png index 48c44f6a18..2bfe84fa1a 100644 Binary files a/docs/detections/images/expanded-prevalence-view.png and b/docs/detections/images/expanded-prevalence-view.png differ diff --git a/docs/detections/images/expanded-threat-intelligence-view.png b/docs/detections/images/expanded-threat-intelligence-view.png index da4632101c..0fff543aa7 100644 Binary files a/docs/detections/images/expanded-threat-intelligence-view.png and b/docs/detections/images/expanded-threat-intelligence-view.png differ diff --git a/docs/detections/images/ig-alert-flyout-invest-tab.png b/docs/detections/images/ig-alert-flyout-invest-tab.png index b686a3f4c0..b778699fb1 100644 Binary files a/docs/detections/images/ig-alert-flyout-invest-tab.png and b/docs/detections/images/ig-alert-flyout-invest-tab.png differ 
diff --git a/docs/detections/images/ig-alert-flyout.png b/docs/detections/images/ig-alert-flyout.png index eb6a4eee6a..a7a8bbe744 100644 Binary files a/docs/detections/images/ig-alert-flyout.png and b/docs/detections/images/ig-alert-flyout.png differ diff --git a/docs/detections/images/ig-timeline-query.png b/docs/detections/images/ig-timeline-query.png index 48f3029494..3999031407 100644 Binary files a/docs/detections/images/ig-timeline-query.png and b/docs/detections/images/ig-timeline-query.png differ diff --git a/docs/detections/images/ig-timeline.png b/docs/detections/images/ig-timeline.png index 706891bb91..d5ad773504 100644 Binary files a/docs/detections/images/ig-timeline.png and b/docs/detections/images/ig-timeline.png differ diff --git a/docs/detections/images/open-alert-details-flyout.gif b/docs/detections/images/open-alert-details-flyout.gif index 462ff9f429..29a156e35c 100644 Binary files a/docs/detections/images/open-alert-details-flyout.gif and b/docs/detections/images/open-alert-details-flyout.gif differ diff --git a/docs/events/images/correlation-tab-eql-query.png b/docs/events/images/correlation-tab-eql-query.png index 2c2a104489..56d45538a3 100644 Binary files a/docs/events/images/correlation-tab-eql-query.png and b/docs/events/images/correlation-tab-eql-query.png differ diff --git a/docs/events/images/create-a-timeline-template-field.png b/docs/events/images/create-a-timeline-template-field.png index 6b2fd0ea1c..5a13242d44 100644 Binary files a/docs/events/images/create-a-timeline-template-field.png and b/docs/events/images/create-a-timeline-template-field.png differ diff --git a/docs/events/images/timeline-sidebar.png b/docs/events/images/timeline-sidebar.png index 2c4152ffeb..76d45ff77a 100644 Binary files a/docs/events/images/timeline-sidebar.png and b/docs/events/images/timeline-sidebar.png differ 
diff --git a/docs/events/images/timeline-ui-renderer.png b/docs/events/images/timeline-ui-renderer.png index e799fe2236..207d5e5ccb 100644 Binary files a/docs/events/images/timeline-ui-renderer.png and b/docs/events/images/timeline-ui-renderer.png differ diff --git a/docs/events/images/timeline-ui-updated.png b/docs/events/images/timeline-ui-updated.png index 4149116feb..63450436cd 100644 Binary files a/docs/events/images/timeline-ui-updated.png and b/docs/events/images/timeline-ui-updated.png differ diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index 9d2dc54ef6..761812891c 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc @@ -58,7 +58,7 @@ Many types of events automatically appear in preconfigured views that provide re contextual information, called *Event renderers*. All event renderers are turned off by default. To turn them on, use the **Event renderers** toggle at the top of the results pane. To only turn on specific event renderers, click the gear (image:images/customize-event-renderers.png[The customize event renderer button,20,20]) icon next to the toggle, and select the ones you want enabled. Close the **Customize event renderers** pane when you're done. Your changes are automatically applied to Timeline. [role="screenshot"] -image::images/timeline-ui-renderer.png[example timeline with the event renderer highlighted] +image::images/timeline-ui-renderer.png[example timeline with the event renderer highlighted, 70%] The example above displays the Flow event renderer, which highlights the movement of data between its source and destination. If you see a particular part of the rendered event that 
@@ -102,7 +102,7 @@ TIP: Collapse the query builder to provide more space for Timeline results by cl Click a filter to access additional operations such as *Add filter*, *Clear all*, *Load saved query*, and more: [role="screenshot"] -image::images/timeline-ui-filter-options.png[width=30%] +image::images/timeline-ui-filter-options.png[width=60%] Here are examples of various types of filters: diff --git a/docs/serverless/alerts/view-alert-details.asciidoc b/docs/serverless/alerts/view-alert-details.asciidoc new file mode 100644 index 0000000000..a845ddc8f3 --- /dev/null +++ b/docs/serverless/alerts/view-alert-details.asciidoc 
@@ -0,0 +1,328 @@ +[[security-view-alert-details]] += View detection alert details + +// :description: Expand an alert to view detailed alert data. +// :keywords: serverless, security, defend, reference, manage + +++++ +View alert details +++++ + +preview:[] + +To learn more about an alert, click the **View details** button from the Alerts table. This opens the alert details flyout, which helps you understand and manage the alert. + +[role="screenshot"] +image::images/view-alert-details/-detections-open-alert-details-flyout.gif[Expandable flyout, 90%] + +Use the alert details flyout to begin an investigation, open a case, or plan a response. Click **Take action** at the bottom of the flyout to find more options for interacting with the alert. + +[discrete] +[[alert-details-flyout-ui]] +== Alert details flyout UI + +The alert details flyout has a right panel, a preview panel, and a left panel. Each panel provides a different perspective of the alert. + +[discrete] +[[right-panel]] +=== Right panel + +The right panel provides an overview of the alert. Expand any of the collapsed sections to learn more about the alert. You can also hover over fields on the **Overview** and **Table** tabs to display available <>. + +[role="screenshot"] +image::images/view-alert-details/-detections-alert-details-flyout-right-panel.png[Right panel of the alert details flyout, 65%] + +From the right panel, you can also: + +* Click **Expand details** to open the <>, which shows more information about sections in the right panel. +* Click the **Chat** icon (image:images/view-alert-details/-detections-ai-assistant-chat.png[AI assistant chat icon,15,15]) to access the <>. +* Click the **Share alert** icon (image:images/icons/share.svg[Share alert]) to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page. 
++ +[NOTE] +==== +If you've configured the {kibana-ref}/settings.html#server-publicBaseUrl[`server.publicBaseUrl`] setting in the `kibana.yml` file, the shareable URL is also in the `kibana.alert.url` field. You can find the field by searching for `kibana.alert.url` on the **Table** tab. +==== ++ +[IMPORTANT] +==== +If you've enabled grouping on the Alerts page, the alert details flyout won't open until you expand a collapsed group and select an individual alert. +==== +* Find basic details about the alert, such as the: ++ +** Associated rule +** Alert status and when the alert was created +** Date and time the alert was created +** Alert severity and risk score (these are inherited from rule that generated the alert) +** Users assigned to the alert (click the image:images/icons/plusInCircle.svg[Assign alert] icon to assign more users) +** Notes attached to the alert (click the image:images/icons/plusInCircle.svg[Add note] icon to create a new note) +* Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. + +[discrete] +[[preview-panel]] +=== Preview panel + +Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **Back** or **x**. + +[role="screenshot"] +image::images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif[Preview panel of the alert details flyout, 65%] + +[discrete] +[[left-panel]] +=== Left panel + +The left panel provides an expanded view of what's shown in the right panel. To open the left panel, do one of the following: + +* Click **Expand details** at the top of the right panel. 
++ +[role="screenshot"] +image:images/view-alert-details/-detections-expand-details-button.png[Expand details button at the top of the alert details flyout, 65%] +* Click one of the section titles on the **Overview** tab within the right panel. ++ +[role="screenshot"] +image:images/view-alert-details/-detections-alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 65%] + +[discrete] +[[about-section]] +== About + +The About section is located on the **Overview** tab in the right panel. It provides a brief description of the rule that's related to the alert and an explanation of what generated the alert. + +[role="screenshot"] +image::images/view-alert-details/-detections-about-section-rp.png[About section of the Overview tab, 65%] + +The About section has the following information: + +* **Rule description**: Describes the rule's purpose or detection goals. Click **Show rule summary** to display a preview of the rule's details. From the preview, click **Show rule details** to view the rule's details page. +* **Alert reason**: Describes the source event that generated the alert. Event details are displayed in plain text and ordered logically to provide context for the alert. Click **Show full reason** to display the alert reason in the event rendered format within the <>. ++ +[NOTE] +==== +The event renderer only displays if an event renderer exists for the alert type. Fields are interactive; hover over them to access the available actions. +==== +* **Last Alert Status Change**: Shows the last time the alert's status was changed, along with the user who changed it. +* **MITRE ATT&CK**: Provides relevant https://attack.mitre.org/[MITRE ATT&CK] framework tactics, techniques, and sub-techniques. + +[discrete] +[[investigation-section]] +== Investigation + +The Investigation section is located on the **Overview** tab in the right panel. It offers a couple of ways to begin investigating the alert. 
+ +[role="screenshot"] +image::images/view-alert-details/-detections-investigation-section-rp.png[Investigation section of the Overview tab, 65%] + +The Investigation section provides the following information: + +* **Investigation guide**: The **Show investigation guide** button displays if the rule associated with the alert has an investigation guide. Click the button to open the expanded Investigation view in the left panel. ++ +[TIP] +==== +Add an <> to a rule when creating a new custom rule or modifying an existing custom rule's settings. +==== +* **Highlighted fields**: Shows relevant fields for the alert and any <> you added to the rule. Custom highlighted fields with values are added to this section. Those without values aren't added. + +[discrete] +[[visualizations-section]] +== Visualizations + +The Visualizations section is located on the **Overview** tab in the right panel. It offers a glimpse of the processes that led up to the alert and occurred after it. + +[role="screenshot"] +image::images/view-alert-details/-detections-visualizations-section-rp.png[Visualizations section of the Overview tab, 65%] + +Click **Visualizations** to display the following previews: + +* **Session view preview**: Shows a preview of <> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. +* **Analyzer preview**: Shows a preview of the <>. The preview displays up to three levels of the analyzed event's ancestors and up to three levels of the event's descendants and children. The ellipses symbol (**`...`**) indicates the event has more ancestors and descendants to examine. Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline. + +[discrete] +[[expanded-visualizations-view]] +=== Expanded visualizations view + +preview::[] + +.Requirements +[NOTE] +==== +To use the **Visualize** tab, you must turn on the `securitySolution:enableVisualizationsInFlyout` <>. 
+==== + +The **Visualize** tab allows you to maintain the context of the Alerts table, while providing a more detailed view of alerts that you're investigating in the event analyzer or Session View. To open the tab, click **Session view preview** or **Analyzer preview** from the right panel. + +[role="screenshot"] +image::images/view-alert-details/-detections-visualize-tab-lp.png[Expanded view of visualization details, 80%] + +As you examine the alert's related processes, you can also preview the alerts and events which are associated with those processes. Then, if you want to learn more about a particular alert or event, you can click **Show full alert details** to open the full details flyout. + +[role="screenshot"] +image::images/view-alert-details/-detections-visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer] + +[discrete] +[[insights-section]] +== Insights + +The Insights section is located on the **Overview** tab in the right panel. It offers different perspectives from which you can assess the alert. Click **Insights** to display overviews for <>, <>, <>, and <>. + +[role="screenshot"] +image::images/view-alert-details/-detections-insights-section-rp.png[Insights section of the Overview tab, 65%] + +[discrete] +[[entities-overview]] +=== Entities + +The Entities overview provides high-level details about the user and host that are related to the alert. Host and user risk classifications are also available if you have the Security Analytics Complete <>. + +[role="screenshot"] +image::images/view-alert-details/-detections-entities-overview.png[Overview of the entity details section in the right panel, 60%] + +[discrete] +[[expanded-entities-view]] +==== Expanded entities view + +From the right panel, click **Entities** to open a detailed view of the host and user associated with the alert. 
The expanded view also includes risk scores and classifications (if you have the Security Analytics Complete <>) and activity on related hosts and users. + +[role="screenshot"] +image::images/view-alert-details/-detections-expanded-entities-view.png[Expanded view of entity details, 70%] + +[discrete] +[[threat-intelligence-overview]] +=== Threat intelligence + +The Threat intelligence overview shows matched indicators, which provide threat intelligence relevant to the alert. + +[role="screenshot"] +image::images/view-alert-details/-detections-threat-intelligence-overview.png[Overview of threat intelligence on the alert, 70%] + +The Threat intelligence overview provides the following information: + +* **Threat match detected**: Only available when examining an alert generated from an <> rule. Shows the number of matched indicators that are present in the alert document. Shows zero if there are no matched indicators or you're examining an alert generated by another type of rule. +* **Fields enriched with threat intelligence**: Shows the number of matched indicators that are present on an alert that _wasn't_ generated from an indicator match rule. If none exist, the total number of matched indicators is zero. + +[discrete] +[[expanded-threat-intel-view]] +==== Expanded threat intelligence view + +From the right panel, click **Threat intelligence** to open the expanded Threat intelligence view within the left panel. + +[NOTE] +==== +The expanded threat intelligence view queries indices specified in the `securitySolution:defaultThreatIndex` advanced setting. Refer to <> to learn more about threat intelligence indices. +==== + +[role="screenshot"] +image::images/view-alert-details/-detections-expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 80%] + +The expanded Threat intelligence view shows individual indicators within the alert document. 
You can expand and collapse indicator details by clicking the arrow button at the end of the indicator label. Each indicator is labeled with values from the `matched.field` and `matched.atomic` fields and displays the threat intelligence provider. + +Matched threats are organized into two sections, described below. Within each section, matched threats are shown in reverse chronological order, with the most recent at the top. All mapped fields are displayed for each matched threat. + +**Threat match detected** + +The Threat match detected section is only populated with indicator match details if you're examining an alert that was generated from an indicator match rule. Indicator matches occur when alert field values match with threat intelligence data you've ingested. + +**Fields enriched with threat intelligence** + +Threat intelligence can also be found on alerts that weren't generated from indicator match rules. To find this information, {elastic-sec} queries alert documents from the past 30 days and searches for fields that contain known threat intelligence. If any are found, they're logged in this section. + +[TIP] +==== +Use the date time picker to modify the query time frame, which looks at the past 30 days by default. You can also click the **Inspect** button to examine the query that the Fields enriched with threat intelligence section uses. 
+==== + +When searching for threat intelligence, {elastic-sec} queries the alert document for the following fields: + +* `file.hash.md5`: The MD5 hash +* `file.hash.sha1`: The SHA1 hash +* `file.hash.sha256`: The SHA256 hash +* `file.pe.imphash`: Imports in a PE file +* `file.elf.telfhash`: Imports in an ELF file +* `file.hash.ssdeep`: The SSDEEP hash +* `source.ip`: The IP address of the source (IPv4 or IPv6) +* `destination.ip`: The event's destination IP address +* `url.full`: The full URL of the event source +* `registry.path`: The full registry path, including the hive, key, and value + +[discrete] +[[correlations-overview]] +=== Correlations + +The Correlations overview shows how an alert is related to other alerts and offers ways to investigate related alerts. Use this information to quickly find patterns between alerts and then take action. + +[role="screenshot"] +image::images/view-alert-details/-detections-correlations-overview.png[Overview of available correlation data, 60%] + +The Correlations overview provides the following information: + +* **Suppressed alerts**: Indicates that the alert was created with alert suppression, and shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule. +* **Alerts related by source event**: Shows the number of alerts that were created by the same source event. +* **Cases related to the alert**: Shows the number of cases to which the alert has been added. +* **Alerts related by session ID**: Shows the number of alerts generated by the same session. +* **Alerts related by process ancestry**: Shows the number of alerts that are related by process events on the same linear branch. + +[discrete] +[[expanded-correlations-view]] +==== Expanded correlations view + +From the right panel, click **Correlations** to open the expanded Correlations view within the left panel. 
+ +[role="screenshot"] +image::images/view-alert-details/-detections-expanded-correlations-view.png[Expanded view of correlation data, 75%] + +In the expanded view, corelation data is organized into several tables: + +* **Suppressed alerts**: preview:[] Shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule. +* **Related cases**: Shows cases to which the alert has been added. Click a case's name to open its details. +* **Alerts related by source event**: Shows alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the **Investigate in timeline** button to examine related alerts in Timeline. +* **Alerts related by session**: Shows alerts generated during the same <>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the **Collect session data** setting in your {elastic-defend} integration policy. Refer to <> for more information. +* **Alerts related by ancestry**: Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click **Investigate in timeline**. + +[discrete] +[[prevalence-overview]] +=== Prevalence + +The Prevalence overview shows whether data from the alert was frequently observed on other host events from the last 30 days. Prevalence calculations use values from the alert’s highlighted fields. Highlighted field values that are observed on less than 10% of hosts in your environment are considered uncommon (not prevalent) and are listed individually in the Prevalence overview. Highlighted field values that are observed on more than 10% of hosts in your environment are considered common (prevalent) and are described as frequently observed in the Prevalence overview. 
+ +[discrete] +[[expanded-prevalence-view]] +==== Expanded prevalence view + +From the right panel, click **Prevalence** to open the expanded Prevalence view within the left panel. Examine the table to understand the alert's relationship with other alerts, events, users, and hosts. + +[TIP] +==== +Update the date time picker for the table to show data from a different time range. +==== + +[role="screenshot"] +image::images/view-alert-details/-detections-expanded-prevalence-view.png[Expanded view of prevalence data] + +The expanded Prevalence view provides the following details: + +* **Field**: Shows <> for the alert and any custom highlighted fields that were added to the alert's rule. +* **Value**: Shows values for highlighted fields and any custom highlighted fields that were added to the alert's rule. +* **Alert count**: Shows the total number of alert documents that have identical highlighted field values, including the alert you're currently examining. For example, if the `host.name` field has an alert count of 5, that means there are five total alerts with the same `host.name` value. The Alert count column only retrieves documents that contain the {ecs-ref}/ecs-allowed-values-event-kind.html#ecs-event-kind-signal[`event.kind:signal`] field-value pair. +* **Document count**: Shows the total number of event documents that have identical field values. A dash (`——`) displays if there are no event documents that match the field value. The Document count column only retrieves documents that don't contain the {ecs-ref}/ecs-allowed-values-event-kind.html#ecs-event-kind-signal[`event.kind:signal`] field-value pair. +* **Host prevalence**: Shows the percentage of unique hosts that have identical field values. Host prevalence for highlighted fields is calculated by taking the number of unique hosts with identical highlighted field values and dividing that number by the total number of unique hosts in your environment. 
+* **User prevalence**: Shows the percentage of unique users that have identical highlighted field values. User prevalence for highlighted fields is calculated by taking the number of unique users with identical field values and dividing that number by the total number of unique users in your environment. + +[discrete] +[[response-overview]] +== Response + +The **Response** section is located on the **Overview** tab in the right panel. It shows <> that were added to the rule associated with the alert. Click **Response** to display the response action's results in the left panel. + +[role="screenshot"] +image::images/view-alert-details/-detections-response-action-rp.png[Response section of the Overview tab, 50%] + +[discrete] +[[expanded-notes-view]] +== Notes + +The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert. + +[TIP] +==== +Go to the **Notes** <> to find notes that were added to other alerts. +==== + +image::images/view-alert-details/-detections-notes-tab-lp.png[Notes tab in the left panel, 70%] diff --git a/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout-invest-tab.png b/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout-invest-tab.png new file mode 100644 index 0000000000..b778699fb1 Binary files /dev/null and b/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout-invest-tab.png differ diff --git a/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout.png b/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout.png new file mode 100644 index 0000000000..a7a8bbe744 Binary files /dev/null and b/docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout.png differ 
diff --git a/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline-query.png b/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline-query.png new file mode 100644 index 0000000000..3999031407 Binary files /dev/null and b/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline-query.png differ diff --git a/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline.png b/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline.png new file mode 100644 index 0000000000..d5ad773504 Binary files /dev/null and b/docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline.png differ diff --git a/docs/serverless/images/timeline-templates-ui/-events-create-a-timeline-template-field.png b/docs/serverless/images/timeline-templates-ui/-events-create-a-timeline-template-field.png new file mode 100644 index 0000000000..5a13242d44 Binary files /dev/null and b/docs/serverless/images/timeline-templates-ui/-events-create-a-timeline-template-field.png differ diff --git a/docs/serverless/images/timelines-ui/-events-correlation-tab-eql-query.png b/docs/serverless/images/timelines-ui/-events-correlation-tab-eql-query.png new file mode 100644 index 0000000000..56d45538a3 Binary files /dev/null and b/docs/serverless/images/timelines-ui/-events-correlation-tab-eql-query.png differ diff --git a/docs/serverless/images/timelines-ui/-events-timeline-sidebar.png b/docs/serverless/images/timelines-ui/-events-timeline-sidebar.png new file mode 100644 index 0000000000..76d45ff77a Binary files /dev/null and b/docs/serverless/images/timelines-ui/-events-timeline-sidebar.png differ 
diff --git a/docs/serverless/images/timelines-ui/-events-timeline-ui-renderer.png b/docs/serverless/images/timelines-ui/-events-timeline-ui-renderer.png new file mode 100644 index 0000000000..207d5e5ccb Binary files /dev/null and b/docs/serverless/images/timelines-ui/-events-timeline-ui-renderer.png differ diff --git a/docs/serverless/images/timelines-ui/-events-timeline-ui-updated.png b/docs/serverless/images/timelines-ui/-events-timeline-ui-updated.png new file mode 100644 index 0000000000..63450436cd Binary files /dev/null and b/docs/serverless/images/timelines-ui/-events-timeline-ui-updated.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-ai-assistant-chat.png b/docs/serverless/images/view-alert-details/-detections-ai-assistant-chat.png new file mode 100644 index 0000000000..2e5b9450ad Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-ai-assistant-chat.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif b/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif new file mode 100644 index 0000000000..0e27cbf7dc Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif differ diff --git a/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-right-panel.png b/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-right-panel.png new file mode 100644 index 0000000000..e1072a26f5 Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-alert-details-flyout-right-panel.png differ 
diff --git a/docs/serverless/images/view-alert-details/-detections-expand-details-button.png b/docs/serverless/images/view-alert-details/-detections-expand-details-button.png new file mode 100644 index 0000000000..3152e9cad2 Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-expand-details-button.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-expanded-correlations-view.png b/docs/serverless/images/view-alert-details/-detections-expanded-correlations-view.png new file mode 100644 index 0000000000..7679fa88c5 Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-expanded-correlations-view.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-expanded-entities-view.png b/docs/serverless/images/view-alert-details/-detections-expanded-entities-view.png new file mode 100644 index 0000000000..6a37b0cb0e Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-expanded-entities-view.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-expanded-prevalence-view.png b/docs/serverless/images/view-alert-details/-detections-expanded-prevalence-view.png new file mode 100644 index 0000000000..2bfe84fa1a Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-expanded-prevalence-view.png differ diff --git a/docs/serverless/images/view-alert-details/-detections-expanded-threat-intelligence-view.png b/docs/serverless/images/view-alert-details/-detections-expanded-threat-intelligence-view.png new file mode 100644 index 0000000000..0fff543aa7 Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-expanded-threat-intelligence-view.png differ 
diff --git a/docs/serverless/images/view-alert-details/-detections-open-alert-details-flyout.gif b/docs/serverless/images/view-alert-details/-detections-open-alert-details-flyout.gif new file mode 100644 index 0000000000..29a156e35c Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-open-alert-details-flyout.gif differ diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc new file mode 100644 index 0000000000..d0c7c1d8f9 --- /dev/null +++ b/docs/serverless/index.asciidoc 
@@ -0,0 +1,198 @@ +:doctype: book + +include::{asciidoc-dir}/../../shared/versions/stack/master.asciidoc[] +include::{asciidoc-dir}/../../shared/attributes.asciidoc[] + +[[what-is-security-serverless]] +== Elastic Security serverless + +++++ +Elastic Security +++++ + +include::./what-is-security-serverless.asciidoc[leveloffset=+2] + +include::./security-overview.asciidoc[leveloffset=+2] + +include::./billing.asciidoc[leveloffset=+2] + +include::./projects-create/create-project.asciidoc[leveloffset=+2] + +include::./sec-requirements.asciidoc[leveloffset=+2] + +include::./security-ui.asciidoc[leveloffset=+2] +include::./security-spaces.asciidoc[leveloffset=+3] + +include::./AI-for-security/ai-for-security-landing-pg.asciidoc[leveloffset=+2] +include::./AI-for-security/ai-assistant.asciidoc[leveloffset=+3] +include::./AI-for-security/attack-discovery.asciidoc[leveloffset=+3] +include::./AI-for-security/llm-connector-guides.asciidoc[leveloffset=+3] +include::./AI-for-security/llm-performance-matrix.asciidoc[leveloffset=+4] +include::./AI-for-security/connect-to-azure-openai.asciidoc[leveloffset=+4] +include::./AI-for-security/connect-to-bedrock.asciidoc[leveloffset=+4] +include::./AI-for-security/connect-to-openai.asciidoc[leveloffset=+4] +include::./AI-for-security/connect-to-vertex.asciidoc[leveloffset=+4] +include::./AI-for-security/connect-to-byo-llm.asciidoc[leveloffset=+4] +include::./AI-for-security/ai-use-cases.asciidoc[leveloffset=+3] +include::./AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc[leveloffset=+4] +include::./AI-for-security/ai-assistant-alert-triage.asciidoc[leveloffset=+4] +include::./AI-for-security/ai-assistant-esql-queries.asciidoc[leveloffset=+4] + +include::./ingest/ingest-data.asciidoc[leveloffset=+2] +include::./ingest/threat-intelligence.asciidoc[leveloffset=+3] +include::./ingest/auto-import.asciidoc[leveloffset=+3] + +include::./edr-install-config/endpoint-protection-intro.asciidoc[leveloffset=+2] 
+include::./edr-install-config/deploy-endpoint-reqs.asciidoc[leveloffset=+3] +include::./edr-install-config/install-elastic-defend.asciidoc[leveloffset=+3] +include::./edr-install-config/deploy-endpoint-macos-cat-mont.asciidoc[leveloffset=+4] +include::./edr-install-config/deploy-endpoint-macos-ven.asciidoc[leveloffset=+4] +include::./edr-install-config/deploy-with-mdm.asciidoc[leveloffset=+4] +include::./edr-install-config/agent-tamper-protection.asciidoc[leveloffset=+4] +include::./edr-install-config/defend-feature-privs.asciidoc[leveloffset=+3] +include::./edr-install-config/configure-endpoint-integration-policy.asciidoc[leveloffset=+3] +include::./edr-install-config/artifact-control.asciidoc[leveloffset=+4] +include::./edr-install-config/endpoint-diagnostic-data.asciidoc[leveloffset=+4] +include::./edr-install-config/self-healing-rollback.asciidoc[leveloffset=+4] +include::./edr-install-config/linux-file-monitoring.asciidoc[leveloffset=+4] +include::./edr-install-config/endpoint-data-volume.asciidoc[leveloffset=+4] +include::./edr-install-config/uninstall-agent.asciidoc[leveloffset=+3] + +include::./edr-manage/manage-endpoint-protection.asciidoc[leveloffset=+2] +include::./edr-manage/endpoints-page.asciidoc[leveloffset=+3] +include::./edr-manage/policies-page-ov.asciidoc[leveloffset=+3] +include::./edr-manage/trusted-apps-ov.asciidoc[leveloffset=+3] +include::./edr-manage/event-filters.asciidoc[leveloffset=+3] +include::./edr-manage/host-isolation-exceptions.asciidoc[leveloffset=+3] +include::./edr-manage/blocklist.asciidoc[leveloffset=+3] +include::./edr-manage/optimize-edr.asciidoc[leveloffset=+3] +include::./edr-manage/endpoint-event-capture.asciidoc[leveloffset=+3] +include::./edr-manage/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+3] +include::./edr-manage/endpoint-self-protection.asciidoc[leveloffset=+3] +include::./edr-manage/endpoint-command-ref.asciidoc[leveloffset=+3] + 
+include::./endpoint-response-actions/response-actions.asciidoc[leveloffset=+2] +include::./endpoint-response-actions/automated-response-actions.asciidoc[leveloffset=+3] +include::./endpoint-response-actions/host-isolation-ov.asciidoc[leveloffset=+3] +include::./endpoint-response-actions/response-actions-history.asciidoc[leveloffset=+3] +include::./endpoint-response-actions/third-party-actions.asciidoc[leveloffset=+3] +include::./endpoint-response-actions/response-actions-config.asciidoc[leveloffset=+3] + +include::./cloud-native-security/cloud-native-security-overview.asciidoc[leveloffset=+2] +include::./cloud-native-security/security-posture-management.asciidoc[leveloffset=+3] +include::./cloud-native-security/enable-cloudsec.asciidoc[leveloffset=+3] +include::./cloud-native-security/cspm.asciidoc[leveloffset=+3] +include::./cloud-native-security/cspm-get-started.asciidoc[leveloffset=+4] +include::./cloud-native-security/cspm-get-started-gcp.asciidoc[leveloffset=+4] +include::./cloud-native-security/cspm-get-started-azure.asciidoc[leveloffset=+4] +include::./cloud-native-security/cspm-findings-page.asciidoc[leveloffset=+4] +include::./cloud-native-security/benchmark-rules.asciidoc[leveloffset=+4] +include::./cloud-native-security/cspm-cloud-posture-dashboard-dash.asciidoc[leveloffset=+4] +include::./cloud-native-security/cspm-security-posture-faq.asciidoc[leveloffset=+4] +include::./cloud-native-security/kspm.asciidoc[leveloffset=+3] +include::./cloud-native-security/get-started-with-kspm.asciidoc[leveloffset=+4] +include::./cloud-native-security/kspm-cspm-findings-page.asciidoc[leveloffset=+4] +include::./cloud-native-security/kspm-benchmark-rules.asciidoc[leveloffset=+4] +include::./cloud-native-security/kspm-cloud-posture-dashboard-dash.asciidoc[leveloffset=+4] +include::./cloud-native-security/security-posture-faq.asciidoc[leveloffset=+4] +include::./cloud-native-security/vuln-management-overview.asciidoc[leveloffset=+3] 
+include::./cloud-native-security/vuln-management-get-started.asciidoc[leveloffset=+4] +include::./cloud-native-security/vuln-management-findings.asciidoc[leveloffset=+4] +include::./cloud-native-security/vuln-management-dashboard-dash.asciidoc[leveloffset=+4] +include::./cloud-native-security/vuln-management-faq.asciidoc[leveloffset=+4] +include::./cloud-native-security/d4c-overview.asciidoc[leveloffset=+3] +include::./cloud-native-security/d4c-get-started.asciidoc[leveloffset=+4] +include::./cloud-native-security/d4c-policy-guide.asciidoc[leveloffset=+4] +include::./cloud-native-security/d4c-kubernetes-dashboard-dash.asciidoc[leveloffset=+4] +include::./cloud-native-security/cloud-workload-protection.asciidoc[leveloffset=+3] +include::./cloud-native-security/environment-variable-capture.asciidoc[leveloffset=+4] + +include::./explore/explore-your-data.asciidoc[leveloffset=+2] +include::./explore/hosts-overview.asciidoc[leveloffset=+3] +include::./explore/network-page-overview.asciidoc[leveloffset=+3] +include::./explore/conf-map-ui.asciidoc[leveloffset=+4] +include::./explore/users-page.asciidoc[leveloffset=+3] +include::./explore/data-views-in-sec.asciidoc[leveloffset=+3] +include::./explore/runtime-fields.asciidoc[leveloffset=+3] +include::./explore/siem-field-reference.asciidoc[leveloffset=+3] + +include::./dashboards/dashboards-overview.asciidoc[leveloffset=+2] +include::./dashboards/overview-dashboard.asciidoc[leveloffset=+3] +include::./dashboards/detection-response-dashboard.asciidoc[leveloffset=+3] +include::./dashboards/kubernetes-dashboard-dash.asciidoc[leveloffset=+3] +include::./dashboards/cloud-posture-dashboard-dash.asciidoc[leveloffset=+3] +include::./dashboards/detection-entity-dashboard.asciidoc[leveloffset=+3] +include::./dashboards/data-quality-dash.asciidoc[leveloffset=+3] +include::./dashboards/vuln-management-dashboard-dash.asciidoc[leveloffset=+3] +include::./dashboards/rule-monitoring-dashboard.asciidoc[leveloffset=+3] + 
+include::./rules/detection-engine-overview.asciidoc[leveloffset=+2] +include::./rules/detections-permissions-section.asciidoc[leveloffset=+3] + +include::./rules/about-rules.asciidoc[leveloffset=+2] +include::./rules/rules-ui-create.asciidoc[leveloffset=+3] +include::./rules/interactive-investigation-guides.asciidoc[leveloffset=+4] +include::./rules/building-block-rule.asciidoc[leveloffset=+4] +include::./rules/prebuilt-rules/prebuilt-rules-management.asciidoc[leveloffset=+3] +include::./rules/rules-ui-management.asciidoc[leveloffset=+3] +include::./rules/alerts-ui-monitor.asciidoc[leveloffset=+3] +include::./rules/detections-ui-exceptions.asciidoc[leveloffset=+3] +include::./rules/value-lists-exceptions.asciidoc[leveloffset=+4] +include::./rules/add-exceptions.asciidoc[leveloffset=+4] +include::./rules/shared-exception-lists.asciidoc[leveloffset=+4] +include::./rules/rules-coverage.asciidoc[leveloffset=+3] +include::./rules/tuning-detection-signals.asciidoc[leveloffset=+3] +include::./rules/prebuilt-rules/prebuilt-rules.asciidoc[leveloffset=+3] + +include::./alerts/alerts-ui-manage.asciidoc[leveloffset=+2] +include::./alerts/visualize-alerts.asciidoc[leveloffset=+3] +include::./alerts/view-alert-details.asciidoc[leveloffset=+3] +include::./alerts/signals-to-cases.asciidoc[leveloffset=+3] +include::./alerts/alert-suppression.asciidoc[leveloffset=+3] +include::./alerts/reduce-notifications-alerts.asciidoc[leveloffset=+3] +include::./alerts/query-alert-indices.asciidoc[leveloffset=+3] +include::./alerts/alert-schema.asciidoc[leveloffset=+3] + +include::./advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc[leveloffset=+2] +include::./advanced-entity-analytics/entity-risk-scoring.asciidoc[leveloffset=+3] +include::./advanced-entity-analytics/ers-req.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/asset-criticality.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/turn-on-risk-engine.asciidoc[leveloffset=+4] 
+include::./advanced-entity-analytics/analyze-risk-score-data.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/advanced-behavioral-detections.asciidoc[leveloffset=+3] +include::./advanced-entity-analytics/ml-requirements.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/machine-learning.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/tuning-anomaly-results.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/behavioral-detection-use-cases.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/prebuilt-ml-jobs.asciidoc[leveloffset=+4] + +include::./investigate/investigate-events.asciidoc[leveloffset=+2] +include::./investigate/timelines-ui.asciidoc[leveloffset=+3] +include::./investigate/timeline-templates-ui.asciidoc[leveloffset=+4] +include::./investigate/timeline-object-schema.asciidoc[leveloffset=+4] +include::./alerts/visual-event-analyzer.asciidoc[leveloffset=+3] +include::./cloud-native-security/session-view.asciidoc[leveloffset=+3] +include::./osquery/use-osquery.asciidoc[leveloffset=+3] +include::./osquery/osquery-response-action.asciidoc[leveloffset=+4] +include::./osquery/invest-guide-run-osquery.asciidoc[leveloffset=+4] +include::./osquery/alerts-run-osquery.asciidoc[leveloffset=+4] +include::./osquery/view-osquery-results.asciidoc[leveloffset=+4] +include::./osquery/osquery-placeholder-fields.asciidoc[leveloffset=+4] +include::./investigate/add-manage-notes.asciidoc[leveloffset=+3] +include::./investigate/indicators-of-compromise.asciidoc[leveloffset=+3] +include::./investigate/cases-overview.asciidoc[leveloffset=+3] +include::./investigate/case-permissions.asciidoc[leveloffset=+4] +include::./investigate/cases-open-manage.asciidoc[leveloffset=+4] +include::./investigate/cases-settings.asciidoc[leveloffset=+4] + +include::./assets/asset-management.asciidoc[leveloffset=+2] + +include::./settings/manage-settings.asciidoc[leveloffset=+2] 
+include::./settings/project-settings.asciidoc[leveloffset=+3] +include::./settings/advanced-settings.asciidoc[leveloffset=+3] + +include::./troubleshooting/troubleshooting-intro.asciidoc[leveloffset=+2] +include::./troubleshooting/ts-detection-rules.asciidoc[leveloffset=+3] +include::./troubleshooting/troubleshoot-endpoints.asciidoc[leveloffset=+3] + +include::./technical-preview-limitations.asciidoc[leveloffset=+2] diff --git a/docs/serverless/investigate/investigate-events.asciidoc b/docs/serverless/investigate/investigate-events.asciidoc new file mode 100644 index 0000000000..c3f627d562 --- /dev/null +++ b/docs/serverless/investigate/investigate-events.asciidoc @@ -0,0 +1,17 @@ +[[security-investigate-events]] += Investigation tools + +// :description: Investigate security events and track security issues in {elastic-sec}. +// :keywords: serverless, security, overview + +preview:[] + +The following sections describe tools for investigating security events and tracking security issues directly in {elastic-sec}. + +These features are available in the {security-app}'s side navigation menu: + +* <>: Track investigation details about security issues. +* **Investigations** → <>: Workspace for investigations and threat hunting. +* **Investigations** → <>: Run live and scheduled queries on operating systems. +* <>: Indicators of compromise used for threat intelligence. +* <>: Use notes to coordinate responses, conduct threat hunting, and share investigative findings. diff --git a/docs/serverless/investigate/timeline-templates-ui.asciidoc b/docs/serverless/investigate/timeline-templates-ui.asciidoc new file mode 100644 index 0000000000..4356ad7c86 --- /dev/null +++ b/docs/serverless/investigate/timeline-templates-ui.asciidoc 
@@ -0,0 +1,161 @@ +[[security-timeline-templates-ui]] += Timeline templates + +// :description: Attach Timeline templates to detection rules to streamline investigations. +// :keywords: serverless, security, how-to, analyze, manage + +preview:[] + +You can attach Timeline templates to detection rules. When attached, the rule's alerts use the template when they are investigated in Timeline. This enables immediately viewing the alert's most interesting fields when you start an investigation. + +Templates can include two types of filters: + +* **Regular filter**: Like other KQL filters, defines both the source event field and its value. For example: `host.name : "win-server"`. +* **Template filter**: Only defines the event field and uses a placeholder +for the field's value. When you investigate an alert in Timeline, the field's value is taken from the alert. + +For example, if you define the `host.name: "{host.name}"` template filter, when alerts generated by the rule are investigated in Timeline, the alert's +`host.name` value is used in the filter. If the alert's `host.name` value is +`Linux_stafordshire-061`, the Timeline filter is: +`host.name: "Linux_stafordshire-061"`. + +[NOTE] +==== +For information on how to add Timeline templates to rules, refer to <>. +==== + +When you load {elastic-sec} prebuilt rules, {elastic-sec} also loads a selection of prebuilt Timeline templates, which you can attach to detection rules. **Generic** templates use broad KQL queries to retrieve event data, and **Comprehensive** templates use detailed KQL queries to retrieve additional information. The following prebuilt templates appear by default: + +* **Alerts Involving a Single Host Timeline**: Investigate detection alerts involving a single host. +* **Alerts Involving a Single User Timeline**: Investigate detection alerts involving a single user. +* **Generic Endpoint Timeline**: Investigate {elastic-endpoint} detection alerts. 
+* **Generic Network Timeline**: Investigate network-related detection alerts. +* **Generic Process Timeline**: Investigate process-related detection alerts. +* **Generic Threat Match Timeline**: Investigate threat indicator match detection alerts. +* **Comprehensive File Timeline**: Investigate file-related detection alerts. +* **Comprehensive Network Timeline**: Investigate network-related detection alerts. +* **Comprehensive Process Timeline**: Investigate process-related detection alerts. +* **Comprehensive Registry Timeline**: Investigate registry-related detection alerts. + +[TIP] +==== +You can <> and use them as +a starting point for your own custom templates. +==== + +[discrete] +[[template-legend-ui]] +== Timeline template legend + +When you add filters to a Timeline template, the items are color coded to +indicate which type of filter is added. Additionally, you change Timeline +filters to template filters as you build your template. + +Regular Timeline filter:: +Clicking **Convert to template field** changes the filter to a template filter: ++ +[role="screenshot"] +image::images/timeline-templates-ui/-events-template-filter-value.png[width=30%] + +Template filter:: ++ +[role="screenshot"] +image:images/timeline-templates-ui/-events-timeline-template-filter.png[width=30%] ++ +When you <>, template filters with placeholders are disabled: ++ +[role="screenshot"] +image::images/timeline-templates-ui/-events-invalid-filter.png[width=30%] ++ +To enable the filter, either specify a value or change it to a field's existing filter (refer to <>). + +[discrete] +[[create-timeline-template]] +== Create a Timeline template + +. Choose one of the following: ++ +** Go to **Investigations** → **Timelines**. Click the **Templates** tab, then click **Create new Timeline template**. +** Go to the Timeline bar (which is at the bottom of most pages), click the image:images/icons/plusInCircle.svg[New Timeline] button, then click **Create new Timeline template**. 
+** From an open Timeline or Timeline template, click **New** → **New Timeline template**. +. Add filters to the new Timeline template. Click **Add field**, and select the required option: ++ +** **Add field**: Add a regular Timeline filter. +** **Add template field**: Add a template filter with a value placeholder. ++ +[TIP] +==== +You can also drag and send items to the template from the **Overview**, **Hosts**, **Network**, and **Alerts** pages. +==== ++ +[role="screenshot"] +image::images/timeline-templates-ui/-events-create-a-timeline-template-field.png[An example of a Timeline filter] +. Click **Save** to give the template a title and description. + +**Example** + +To create a template for process-related alerts on a specific host: + +* Add a regular filter for the host name: +`host.name: "Linux_stafordshire-061"` +* Add template filter for process names: `process.name: "{process.name}"` + +[role="screenshot"] +image::images/timeline-templates-ui/-events-template-query-example.png[] + +When alerts generated by rules associated with this template are investigated +in Timeline, the host name is `Linux_stafordshire-061`, whereas the process name +value is retrieved from the alert's `process.name` field. + +[discrete] +[[man-templates-ui]] +== Manage existing Timeline templates + +You can view, duplicate, export, delete, and create templates from existing Timelines: + +. Go to **Investigations** → **Timelines** → **Templates**. ++ +[role="screenshot"] +image::images/timeline-templates-ui/-events-all-actions-timeline-ui.png[] +. 
Click the **All actions** icon in the relevant row, and then select the action: ++ +** **Create timeline from template** (refer to <>) +** **Duplicate template** +** **Export selected** (refer to <>) +** **Delete selected** +** **Create query rule from timeline** (only available if the Timeline contains a KQL query) +** **Create EQL rule from timeline** (only available if the Timeline contains an EQL query) + +[TIP] +==== +To perform the same action on multiple templates, select templates, then the required action from the **Bulk actions** menu. +==== + +[NOTE] +==== +You cannot delete prebuilt templates. +==== + +[discrete] +[[import-export-timeline-templates]] +== Export and import Timeline templates + +You can import and export Timeline templates, which enables importing templates from one space or {elastic-sec} instance to another. Exported templates are saved in an `ndjson` file. + +. Go to **Investigations** → **Timelines** → **Templates**. +. To export templates, do one of the following: ++ +** To export one template, click the **All actions** icon in the relevant row and then select **Export selected**. +** To export multiple templates, select all the required templates and then click **Bulk actions** → **Export selected**. +. To import templates, click **Import**, then select or drag and drop the template `ndjson` file. ++ +[NOTE] +==== +Each template object in the file must be represented in a single line. +Multiple template objects are delimited with newlines. +==== + +[NOTE] +==== +You cannot export prebuilt templates. +==== diff --git a/docs/serverless/investigate/timelines-ui.asciidoc b/docs/serverless/investigate/timelines-ui.asciidoc new file mode 100644 index 0000000000..6eef1cbd27 --- /dev/null +++ b/docs/serverless/investigate/timelines-ui.asciidoc 
@@ -0,0 +1,269 @@ +[[security-timelines-ui]] += Timeline + +// :description: Investigate events and complex threats in your network. +// :keywords: serverless, security, how-to, analyze, manage + +preview:[] + +Use Timeline as your workspace for investigations and threat hunting. +You can add alerts from multiple indices to a Timeline to facilitate advanced investigations. + +You can drag or send fields of interest to a Timeline to create the desired query. For example, you can add fields from tables and histograms +on the **Overview**, **Alerts**, **Hosts**, and **Network** pages, as well as from +other Timelines. Alternatively, you can add a query directly in Timeline +by expanding the <> and clicking **+ Add field**. + +[role="screenshot"] +image::images/timelines-ui/-events-timeline-ui-updated.png[example Timeline with several events] + +In addition to Timelines, you can create and attach Timeline templates to +<>. Timeline templates allow you to +define the source event fields used when you investigate alerts in +Timeline. You can select whether the fields use predefined values or values +retrieved from the alert. For more information, refer to <>. + +[discrete] +[[open-create-timeline]] +== Create new or open existing Timeline + +To make a new Timeline, choose one of the following: + +* Go to the Timelines page (**Investigations** → **Timelines**), then click **Create new Timeline**. +* Go to the Timeline bar (which is at the bottom of most pages), click the image:images/icons/plusInCircle.svg[New Timeline] button, then click **Create new Timeline**. +* From an open Timeline or Timeline template, click **New** → **New Timeline**. + +To open an existing Timeline, choose one of the following: + +* Go to the Timelines page, then click a Timeline's title. +* Go to the Timeline bar, click the image:images/icons/plusInCircle.svg[New Timeline] button, then click **Open Timeline**. 
+* From an open Timeline or Timeline template, click **Open**, then select the appropriate Timeline. + +To avoid losing your changes, you must save the Timeline before moving to a different {security-app} page. If you change an existing Timeline, you can use the **Save as new timeline** toggle to make a new copy of the Timeline, without overwriting the original one. + +[TIP] +==== +Click the star icon (image:images/icons/starEmpty.svg[Favorite]) to favorite your Timeline and quickly find it later. +==== + +[discrete] +[[refine-timeline-results]] +== View and refine Timeline results + +You can select whether Timeline displays detection alerts and other raw events, or just alerts. By default, Timeline displays both raw events and alerts. To hide raw events and display alerts only, click **Data view** to the left of the KQL query bar, then select **Show only detection alerts**. + +[discrete] +[[timeline-inspect-events-alerts]] +== Inspect an event or alert + +To further inspect an event or detection alert, click the **View details** button. A flyout with event or <> appears. + +[discrete] +[[conf-timeline-display]] +== Configure Timeline event context and display + +Many types of events automatically appear in preconfigured views that provide relevant +contextual information, called **Event Renderers**. All event renderers are turned off by default. To turn them on, use the **Event renderers** toggle at the top of the results pane. To only turn on specific event renderers, click the gear (image:images/icons/gear.svg[The customize event renderer button]) icon next to the toggle, and select the ones you want enabled. Close the **Customize event renderers** pane when you're done. Your changes are automatically applied to Timeline. 
+ +[role="screenshot"] +image::images/timelines-ui/-events-timeline-ui-renderer.png[example timeline with the event renderer highlighted, 70%] + +The example above displays the Flow event renderer, which highlights the movement of +data between its source and destination. If you see a particular part of the rendered event that +interests you, you can drag it up to the drop zone below the query bar for further investigation. + +You can also modify a Timeline's display in other ways: + +* <> from Timeline +* Create <> and display them in the Timeline +* Reorder and resize columns +* Copy a column name or values to a clipboard +* Change how the name, value, or description of a field are displayed in Timeline +* View the Timeline in full screen mode +* Add or delete <> attached to alerts, events, or Timeline +* Pin interesting events to the Timeline + +[discrete] +[[add-remove-timeline-fields]] +== Add and remove fields from Timeline + +The Timeline table shows fields that are available for alerts and events in the selected data view. You can modify the table to display fields that interest you. Use the sidebar to search for specific fields or scroll through it to find fields of interest. Fields that you select display as columns in the table. + +To add a field from the sidebar, hover over it, and click the **Add field as a column** button (image:images/icons/plusInCircle.svg[The button that lets you to add a field as a column]), or drag and drop the field into the table. To remove a field, hover over it, and click the **Remove field as a column** button (image:images/icons/cross.svg[The button that lets you to remove a field as a column]). 
+ +[role="screenshot"] +image::images/timelines-ui/-events-timeline-sidebar.png[Shows the sidebar that allows you to configure the columns that display in Timeline] + +[discrete] +[[narrow-expand]] +== Use the Timeline query builder + +Expand the query builder by clicking the query builder button (image:images/icons/timeline.svg[Query builder]) to the right of the KQL query bar. Drop in fields to build a query that filters Timeline results. The fields' relative placement specifies their logical relationships: horizontally adjacent filters use `AND`, while vertically adjacent filters use `OR`. + +[TIP] +==== +Collapse the query builder and provide more space for Timeline results by clicking the query builder button (image:images/icons/timeline.svg[Query builder]). +==== + +[discrete] +[[pivot]] +== Edit existing filters + +Click a filter to access additional operations such as **Add filter**, **Clear all**, **Load saved query**, and more: + +[role="screenshot"] +image::images/timelines-ui/-events-timeline-ui-filter-options.png[width=60%] + +Here are examples of various types of filters: + +Field with value:: +Filters for events with the specified field value: ++ +[role="screenshot"] +image::images/timelines-ui/-events-timeline-filter-value.png[width=30%] + +Field exists:: +Filters for events containing the specified field: ++ +[role="screenshot"] +image::images/timelines-ui/-events-timeline-field-exists.png[width=30%] + +Exclude results:: +Filters for events that do not contain the specified field value +(`field with value` filter) or the specified field (`field exists` filter): ++ +[role="screenshot"] +image::images/timelines-ui/-events-timeline-filter-exclude.png[width=30%] + +Temporarily disable:: +The filter is not used in the query until it is enabled again: ++ +[role="screenshot"] +image::images/timelines-ui/-events-timeline-disable-filter.png[width=30%] + +Filter for field present:: +Converts a `field with value` filter to a `field exists` filter. 
+ +[NOTE] +==== +When you convert a <> to a +Timeline, some fields may be disabled. For more information, refer to +<>. +==== + +[discrete] +[[timeline-to-cases-ui]] +== Attach Timeline to a case + +To attach a Timeline to a new or existing case, open it, click **Attach to case** in the upper right corner, +then select either **Attach to new case** or **Attach to existing case**. + +To learn more about cases, refer to <>. + +[discrete] +[[manage-timelines-ui]] +== Manage existing Timelines + +You can view, duplicate, export, delete, and create templates from existing Timelines: + +. Go to **Investigations** → **Timelines**. +. Click the **All actions** menu in the desired row, then select an action: ++ +** **Create template from timeline** (refer to <>) +** **Duplicate timeline** +** **Export selected** (refer to <>) +** **Delete selected** +** **Create query rule from timeline** (only available if the Timeline contains a KQL query) +** **Create EQL rule from timeline** (only available if the Timeline contains an EQL query) + +[TIP] +==== +To perform an action on multiple Timelines, first select the Timelines, +then select an action from the **Bulk actions** menu. +==== + +[discrete] +[[import-export-timelines]] +== Export and import Timelines + +You can export and import Timelines, which enables you to share Timelines from one space or {elastic-sec} instance to another. Exported Timelines are saved as `.ndjson` files. + +To export Timelines: + +* Go to **Investigations** → **Timelines**. +* Either click the **All actions** menu in the relevant row and select **Export selected**, or select multiple Timelines and then click **Bulk actions** → **Export selected**. + +To import Timelines: + +* Click **Import**, then select or drag and drop the relevant `.ndjson` file. ++ +[NOTE] +==== +Multiple Timeline objects are delimited with newlines. 
+==== + +[discrete] +[[filter-with-eql]] +== Filter Timeline results with EQL + +Use the **Correlation** tab to investigate Timeline results with {ref}/eql.html[EQL queries]. + +When forming EQL queries, you can write a basic query to return a list of events and alerts. Or, you can create sequences of EQL queries to view matched, ordered events across multiple event categories. Sequence queries are useful for identifying and predicting related events. They can also provide a more complete picture of potential adversary behavior in your environment, which you can use to create or update rules and detection alerts. + +The following image shows what matched ordered events look like in the Timeline table. Events that belong to the same sequence are matched together in groups and shaded red or blue. Matched events are also ordered from oldest to newest in each sequence. + +[role="screenshot"] +image::images/timelines-ui/-events-correlation-tab-eql-query.png[a Timeline's correlation tab] + +From the **Correlation** tab, you can also do the following: + +* Specify the date and time range that you want to investigate. +* Reorder the columns and choose which fields to display. +* Choose a data view and whether to show detection alerts only. + +[discrete] +[[esql-in-timeline]] +== Use {esql} to investigate events + +The {ref}/esql.html[Elasticsearch Query Language ({esql})] provides a powerful way to filter, transform, and analyze event data stored in {es}. {esql} queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis. + +You can use {esql} in Timeline by opening the **{esql}** tab. From there, you can: + +* Write an {esql} query to explore your events. 
For example, start with the following query, then iterate on it to tailor your results: ++ +[source,esql] +---- +FROM .alerts-security.alerts-default,apm-*-transaction*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,traces-apm*,winlogbeat-*,-*elastic-cloud-logs-* +| LIMIT 10 +| KEEP @timestamp, message, event.category, event.action, host.name, source.ip, destination.ip, user.name +---- ++ +This query does the following: ++ +** It starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <>. +** Then, the query limits the output to the top 10 results. +** Finally, it keeps the default Timeline fields (`@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name`) in the output. ++ +[TIP] +==== +When querying indices that tend to be large (for example, `logs-*`), performance can be impacted by the number of fields returned in the output. To optimize performance, we recommend using the {ref}/esql-commands.html#esql-keep[`KEEP`] command to specify fields that you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. +==== ++ +[NOTE] +==== +* An error message displays when the query bar is empty. +* When specifying data sources for an {esql} query, autocomplete doesn't suggest hidden indices, such as `.alerts-*`. You must manually enter the index name or pattern. +==== +* Click the help icon (image:images/icons/iInCircle.svg[Click the ES|QL help icon]) on the far right side of the query editor to open the in-product reference documentation for all {esql} commands and functions. +* Visualize query results using <> functionality. 
+ +[role="screenshot"] +image::images/timelines-ui/-events-esql-tab.png[Example of the ES|QL tab in Timeline] + +[discrete] +[[esql-in-timeline-resources]] +== Additional {esql} resources + +To get started using {esql}, read the tutorial for {ref}/esql-kibana.html[using {esql} in {kib}]. Much of the functionality available in {kib} is also available in Timeline. + +To find examples of using {esql} for threat hunting, check out https://www.elastic.co/blog/introduction-to-esql-new-query-language-flexible-iterative-analytics[our blog]. diff --git a/docs/serverless/osquery/invest-guide-run-osquery.asciidoc b/docs/serverless/osquery/invest-guide-run-osquery.asciidoc new file mode 100644 index 0000000000..bc536194fc --- /dev/null +++ b/docs/serverless/osquery/invest-guide-run-osquery.asciidoc 
@@ -0,0 +1,77 @@ +[[security-invest-guide-run-osquery]] += Run Osquery from investigation guides + +// :description: Add and run live queries from a rule's investigation guide. +// :keywords: serverless, security, how-to, analyze + +preview:[] + +Detection rule investigation guides suggest steps for triaging, analyzing, and responding to potential security issues. When you build a custom rule, you can also set up an investigation guide that incorporates Osquery. This allows you to run live queries from a rule's investigation guide as you analyze alerts produced by the rule. + +.Requirements +[NOTE] +==== +* The {kibana-ref}/manage-osquery-integration.html[Osquery manager integration] must be installed. +* {agent}'s {fleet-guide}/monitor-elastic-agent.html[status] must be `Healthy`. Refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} Troubleshooting] if it isn't. +* You must have the appropriate user role to use this feature. +==== + +[role="screenshot"] +image::images/invest-guide-run-osquery/-osquery-osquery-investigation-guide.png[Shows a live query in an investigation guide] + +[discrete] +[[add-live-queries-ig]] +== Add live queries to an investigation guide + +[NOTE] +==== +You can only add Osquery to investigation guides for custom rules because prebuilt rules cannot be edited. +==== + +. Go to **Rules** → **Detection rules (SIEM)**, select a rule, then click **Edit rule settings** on the rule details page. +. Select the **About** tab, then expand the rule's advanced settings. +. Scroll down to the Investigation guide section. In the toolbar, click the **Osquery** button (image:images/invest-guide-run-osquery/-osquery-osquery-button.png[Click the Osquery button,width=16]). ++ +.. Add a descriptive label for the query; for example, `Search for executables`. +.. Select a saved query or enter a new one. ++ +[TIP] +==== +Use <> to dynamically add existing alert data to your query. +==== +.. 
Expand the **Advanced** section to set a timeout period for the query, and view or set {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] included in the results from the live query (optional). ++ +[NOTE] +==== +Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. +==== ++ +[role="screenshot"] +image:images/invest-guide-run-osquery/-osquery-setup-osquery-investigation-guide.png[width=70%][height=70%][Shows results from running a query from an investigation guide] +. Click **Save changes** to add the query to the rule's investigation guide. + +[discrete] +[[run-live-queries-ig]] +== Run live queries from an investigation guide + +. Go to **Rules** → **Detection rules (SIEM)**, then select a rule to open its details. +. Go to the About section of the rule details page and click **Investigation guide**. +. Click the query. The Run Osquery pane displays with the **Query** field autofilled. Do the following: ++ +.. Select one or more {agent}s or groups to query. Start typing in the search field to get suggestions for {agent}s by name, ID, platform, and policy. +.. Expand the **Advanced** section to set a timeout period for the query, and view or set the {kibana-ref}/osquery.html#osquery-map-fields[mapped ECS fields] which are included in the live query's results (optional). ++ +[NOTE] +==== +Overwriting the query's default timeout period allows you to support queries that take longer to run. The default and minimum supported value for the **Timeout** field is `60`. The maximum supported value is `900`. +==== +. Click **Submit** to run the query. Query results display in the flyout. ++ +[NOTE] +==== +Refer to <> for more information about query results. +==== +. Click **Save for later** to save the query for future use (optional). 
++ +[role="screenshot"] +image:images/invest-guide-run-osquery/-osquery-run-query-investigation-guide.png[width=80%][height=80%][Shows results from running a query from an investigation guide] diff --git a/docs/serverless/rules/interactive-investigation-guides.asciidoc b/docs/serverless/rules/interactive-investigation-guides.asciidoc new file mode 100644 index 0000000000..7ec6a3cfae --- /dev/null +++ b/docs/serverless/rules/interactive-investigation-guides.asciidoc 
@@ -0,0 +1,138 @@ +[[security-interactive-investigation-guides]] += Launch Timeline from investigation guides + +// :description: Pivot from detection alerts to investigations with interactive investigation guide actions. +// :keywords: serverless, security, how-to, analyze, configure + +preview:[] + +Detection rule investigation guides suggest steps for triaging, analyzing, and responding to potential security issues. For custom rules, you can create an interactive investigation guide that includes buttons for launching runtime queries in <>, using alert data and hard-coded literal values. This allows you to start detailed Timeline investigations directly from an alert using relevant data. + +[role="screenshot"] +image::images/interactive-investigation-guides/-detections-ig-alert-flyout.png[Alert details flyout with interactive investigation guide,400] + +Under the Investigation section, click **Show investigation guide** to open the **Investigation** tab in the left panel of the alert details flyout. + +[role="screenshot"] +image::images/interactive-investigation-guides/-detections-ig-alert-flyout-invest-tab.png[Alert details flyout with interactive investigation guide] + +The **Investigation** tab displays query buttons, and each query button displays the number of event documents found. Click the query button to automatically load the query in Timeline, based on configuration settings in the investigation guide. + +[role="screenshot"] +image::images/interactive-investigation-guides/-detections-ig-timeline.png[Timeline with query pre-loaded from investigation guide action] + +[discrete] +[[add-ig-actions-rule]] +== Add investigation guide actions to a rule + +[NOTE] +==== +You can only create interactive investigation guides with custom rules because Elastic prebuilt rules can't be edited. However, you can duplicate a prebuilt rule, then configure the investigation guide for the duplicated rule. 
+==== + +You can configure an interactive investigation guide when you <> or <>. + +. When configuring the rule's settings (the **About rule** step for a new rule, or the **About** tab for an existing rule), expand the **Advanced settings**, then scroll down to the **Investigation guide** Markdown editor. ++ +[role="screenshot"] +image::images/interactive-investigation-guides/-detections-ig-investigation-guide-editor.png[Investigation guide editor field] +. Place the editor cursor where you want to add the query button in the investigation guide, then select the Investigate icon in the toolbar. The **Add investigation query** builder form appears. ++ +[role="screenshot"] +image:images/interactive-investigation-guides/-detections-ig-investigation-query-builder.png[Add investigation guide UI] +. Complete the query builder form to create an investigation query: ++ +.. **Label**: Enter the text to appear on the query button. +.. **Description**: (Optional) Enter additional text to include with the button. +.. **Filters**: Select fields, operators, and values to build the query. Click **OR** or **AND** to create multiple filters and define their relationships. ++ +To use a field value from the alert as a query parameter, enter the field name surrounded by double curly brackets — such as `{{kibana.alert.example}}` — as a custom option for the filter value. ++ +[role="screenshot"] +image:images/interactive-investigation-guides/-detections-ig-filters-field-custom-value.png[Add investigation guide UI] +.. **Relative time range**: (Optional) Select a time range to limit the query, relative to the alert's creation time. +. Click **Save changes**. The syntax is added to the investigation guide editor. ++ +[NOTE] +==== +If you need to change the query button's configuration, you can either edit the syntax directly in the editor (refer to the <> below), or delete the syntax and use the query builder form to recreate the query. +==== +. Save and enable the rule. 
+ +[discrete] +[[query-button-syntax]] +=== Query button syntax + +The following syntax defines a query button in an interactive investigation guide. + +|=== +| Field | Description + +| `!{investigate{ }}` +| The container object holding all the query button's configuration attributes. + +| `label` +| Identifying text on the button. + +| `description` +| Additional text included with the button. + +| `providers` +a| A two-level nested array that defines the query to run in Timeline. Similar to the structure of queries in Timeline, items in the outer level are joined by an `OR` relationship, and items in the inner level are joined by an `AND` relationship. + +Each item in `providers` corresponds to a filter created in the query builder UI and is defined by these attributes: + +* `field`: The name of the field to query. +* `excluded`: Whether the query result is excluded (such as **is not one of**) or included (_is one of_). +* `queryType`: The query type used to filter events, based on the filter's operator. For example, `phrase` or `range`. +* `value`: The value to search for. Either a hard-coded literal value, or the name of an alert field (in double curly brackets) whose value you want to use as a query parameter. +* `valueType`: The data type of `value`, such as `string` or `boolean`. + +| `relativeFrom`, `relativeTo` +| (Optional) The start and end, respectively, of the relative time range for the query. Times are relative to the alert's creation time, represented as `now` in {ref}/common-options.html#date-math[date math] format. For example, selecting **Last 15 minutes** in the query builder form creates the syntax `"relativeFrom": "now-15m", "relativeTo": "now"`. +|=== + +[NOTE] +==== +Some characters must be escaped with a backslash, such as `\"` for a quotation mark and `\\` for a literal backslash. 
Divide Windows paths with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider. A clickable error icon (image:images/icons/error.svg[Error]) displays below the Markdown editor if there are any syntax errors. +==== + +[discrete] +[[security-interactive-investigation-guides-example-syntax]] +=== Example syntax + +[source,json] +---- +!{investigate{ + "label": "Test action", + "description": "Click to investigate.", + "providers": [ + [ + {"field": "event.id", "excluded": false, "queryType": "phrase", "value": "{{event.id}}", "valueType": "string"} + ], + [ + {"field": "event.action", "excluded": false, "queryType": "phrase", "value": "rename", "valueType": "string"}, + {"field": "process.pid", "excluded": false, "queryType": "phrase", "value": "{{process.pid}}", "valueType": "string"} + ] + ], + "relativeFrom": "now-15m", + "relativeTo": "now" +}} +---- + +This example creates the following Timeline query, as illustrated below: + +`(event.id : )` +`OR (event.action : "rename" AND process.pid : )` + +[role="screenshot"] +image::images/interactive-investigation-guides/-detections-ig-timeline-query.png[Timeline query] + +[discrete] +[[security-interactive-investigation-guides-timeline-template-fields]] +=== Timeline template fields + +When viewing an interactive investigation guide in contexts unconnected to a specific alert (such a rule's details page), queries open as <>, and `parameter` fields are treated as Timeline template fields. + +[role="screenshot"] +image::images/interactive-investigation-guides/-detections-ig-timeline-template-fields.png[Timeline template]
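Review bot: In the timelines hunk (the `esql-in-timeline` section, before the `diff --git a/docs/serverless/osquery/...` header), the explanation "the query limits the output to the top 10 results" overstates what `| LIMIT 10` does: without a preceding `SORT`, ES|QL returns an arbitrary 10 rows, not a "top" set. Either reword to "the first 10 results (in no particular order)" or add a `| SORT @timestamp DESC` line before `| LIMIT 10` so the example really returns the newest events. In the same bullet list, "the Security alert index (`.alerts-security.alerts-default`)" is only correct for the default space; the suffix is the space name, so a reader working in another space will need to substitute it, which is worth one clause of text.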
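Review bot: In the `invest-guide-run-osquery.asciidoc` hunk, the two screenshot macros use the inline form with three separate bracket groups, `image:...png[width=70%][height=70%][Shows results ...]`, which AsciiDoc does not parse as a single attribute list; under `[role="screenshot"]` these should be block macros with one list, e.g. `image::images/invest-guide-run-osquery/-osquery-setup-osquery-investigation-guide.png[Shows the query setup form in an investigation guide, 70%]`. The alt text on the setup image also repeats the run image's text ("Shows results from running a query from an investigation guide"), which does not describe the setup form. The timeout NOTE (appearing twice, verbatim, in the add and run sections) gives `60` and `900` with no unit; state that these are seconds, and consider keeping the note in one place with an include or attribute so the two copies cannot drift.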
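Review bot: In the `interactive-investigation-guides.asciidoc` hunk, the rendered query under "This example creates the following Timeline query" is missing its parameter values: `(event.id : )` and `process.pid : )` should read `(event.id : {{event.id}})` and `process.pid : {{process.pid}})` to match the `"value"` entries in the JSON example directly above; if the double braces are being eaten by attribute substitution, wrap them in a passthrough. Just below, "contexts unconnected to a specific alert (such a rule's details page)" should be "such as a rule's details page", and "`parameter` fields" refers to a name that the syntax table never defines; the table calls these `value` entries holding an alert field name in double curly brackets, so use that wording. Two smaller points: the escaping NOTE explains how to escape literal `\"` and `\\` in the JSON, but says nothing about whether values substituted from `{{...}}` alert fields at runtime are escaped before they land in the Timeline query, which readers building filters from untrusted event data will want to know; and the `excluded` row mixes `**is not one of**` with `_is one of_`, which should use one emphasis style. The screenshots after `[role="screenshot"]` that use the inline `image:` form (`-detections-ig-investigation-query-builder.png`, `-detections-ig-filters-field-custom-value.png`) should be `image::` block macros, and the second one reuses the alt text "Add investigation guide UI" rather than describing the custom-value field.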