Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Request][Serverless][8.16] New notes experience #5441

Closed
23 tasks done
nastasha-solomon opened this issue Jun 13, 2024 · 3 comments · Fixed by #6072
Closed
23 tasks done

[Request][Serverless][8.16] New notes experience #5441

nastasha-solomon opened this issue Jun 13, 2024 · 3 comments · Fixed by #6072
Assignees
Labels
Effort: Large Issues that require significant planning, research, writing, and testing Feature: Timeline Priority: High Issues that are time-sensitive and/or are of high customer importance Team: Threat Hunting Formerly Data Visibility v8.16.0

Comments

@nastasha-solomon
Copy link
Contributor

nastasha-solomon commented Jun 13, 2024

Description

In 8.16, you no longer need to create a Timeline just to add notes to alerts or events. Now, you can add notes to alerts and events from outside of Timeline (e.g., from the Alerts table or the Events tab on the Hosts or Users pages) and attach those alert/event notes to Timeline if you so wish.

In addition to the expanded functionality, the Notes tab UI was modified, a new page for managing all notes has being introduced, and an advanced setting that lets users specify a maximum number of notes that can be added to an event or alert (securitySolution:maxUnassociatedNotes) was created.

Updated Notes Timeline tab

You can still add notes to Timeline from the Timeline tab. The tab's UI contains the following:

  • Details about the user who created the Timeline (shown in the Created by field) and users who added notes to the Timeline (shown in the Participants field)

  • The Timeline description (shown in the text box at the top of the Notes tab)

  • All notes added to the Timeline
    !

  • An option for saving the Timeline if you're adding a note to an unsaved Timeline!

Notes management page

In ESS, the Notes page is located at Manage -> Investigations -> Notes. In Serverless, it's under ???. On the Notes page, users can do the following:

  • Search for keywords and phrases in existing notes
  • Filter by users who created notes
  • Filter by notes association type to find notes that were added to alerts/events only, Timelines only, or alerts and Timelines

Advanced setting for limiting notes added to alerts/events

The securitySolution:maxUnassociatedNotes advanced setting lets users specify a maximum number of notes that can be added to an event or alert. The default value is 1000. Users can add 1000 notes to 1k alerts (1 note per alert) or 1000 notes to a single alert.

Additional details feature/functionality

What can you add notes to?

  • Alerts and events
  • Timeline

How do you add notes?

  • Alerts and events: Two ways -

    • Can add notes from the Alerts table or event tables on the Explore pages (Hosts and Users). To do this, use the notes button (not sure if there will be an option to bulk-add notes)
      NOTE: A notifications icon (a red dot) appears on the Notes button when an alert or event has one or more notes.

    • Details flyout: Expand the flyout and directly add a note from the Notes tab or click the add icon in the Notes card in the flyout header (for alerts only)

  • Timeline: Two ways -

    • Attach an alert’s notes to Timeline (Timeline must be saved)
    • Add notes directly to Timeline (these are only associated with the Timeline, not any alerts/events being investigated in Timeline)

How do you manage notes?

  • Use the Notes management page to do the following:
    • View all notes that were created (including those that were only added to Timelines?)
    • Delete individual or multiple notes
    • Export notes (verify this)
    • Examine alerts that have notes (verify this)
  • Use the Notes tab in the alert and event flyouts to do the following:
    • Add, delete, and view notes
    • View who added notes to the alert or event (names will appear in the Participants section on the right side)
      • Created by section shows who created the Timeline (name is logged in the section when someone saves the Timeline)

What should you be aware of?

  • Before you can add a note to an alert or event that you're investigating in an unsaved Timeline, you must first save the Timeline. You can do this from the Timeline tab by opting to save the Timeline before adding a new note. Alternatively, you can save the Timeline the typical way.
  • Adding a note to an alert or event and attaching it to a saved Timeline automatically pins the event in Timeline. To unpin the alert or event, you must delete the note associated with the Timeline.
  • TBD

Doc plan

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

8.16

Serverless release

November 4, 2024

Feature differences

N/A

API docs impact

N/A (Not updating 8.16 API docs anymore)

Prerequisites, privileges, feature flags

None

@nastasha-solomon nastasha-solomon added Team: Threat Hunting Formerly Data Visibility Feature: Timeline Priority: Medium Issues that have relevance, but aren't urgent Effort: Large Issues that require significant planning, research, writing, and testing v8.15.0 labels Jun 13, 2024
@nastasha-solomon nastasha-solomon self-assigned this Jun 13, 2024
@nastasha-solomon nastasha-solomon changed the title [Request] Enhancement to notes [Request] New notes experience Jun 13, 2024
@nastasha-solomon
Copy link
Contributor Author

Moving to a future sprint since this feature will be behind a feature flag in 8.15 and Serverless.

@nastasha-solomon nastasha-solomon added Priority: High Issues that are time-sensitive and/or are of high customer importance and removed Priority: Medium Issues that have relevance, but aren't urgent labels Sep 25, 2024
@nastasha-solomon nastasha-solomon changed the title [Request] New notes experience [Request][Serverless][8.16] New notes experience Oct 7, 2024
@nastasha-solomon
Copy link
Contributor Author

Notes from meeting with @PhilippeOberti this week:

  • The description for the notes advanced setting will be revised. It might need to point to the note feature docs, so I might need to add a stub link to main/8.16 to allow the link to resolve properly.
  • Users might be presented with a warning or error message when they reach the max limit for the number of alerts that they can add to a document (event or timeline). While the instruction would be to delete irrelevant/outdated notes, there might also be a reference to the note feature docs.

The copy reviews and doc work (setting up the stub link) for both items must be completed by or before BC3.

@nastasha-solomon
Copy link
Contributor Author

nastasha-solomon commented Oct 28, 2024

Core docs are being added in #6006. To keep the PR reviews on track, I'll file a separate PR to refresh impacted screenshots that are not Note-specific.
cc: @PhilippeOberti

Update: Screenshots are being refreshed in #6072.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Effort: Large Issues that require significant planning, research, writing, and testing Feature: Timeline Priority: High Issues that are time-sensitive and/or are of high customer importance Team: Threat Hunting Formerly Data Visibility v8.16.0
Projects
None yet
1 participant