[Request][Serverless][8.16] New notes experience #5441
Labels
Effort: Large
Issues that require significant planning, research, writing, and testing
Feature: Timeline
Priority: High
Issues that are time-sensitive and/or are of high customer importance
Team: Threat Hunting
Formerly Data Visibility
v8.16.0
Description
In 8.16, you no longer need to create a Timeline just to add notes to alerts or events. Now, you can add notes to alerts and events from outside of Timeline (e.g., from the Alerts table or the Events tab on the Hosts or Users pages) and attach those alert/event notes to Timeline if you so wish.
In addition to the expanded functionality, the Notes tab UI was modified, a new page for managing all notes has been introduced, and an advanced setting that lets users specify a maximum number of notes that can be added to an event or alert (securitySolution:maxUnassociatedNotes) was created.
Updated Notes Timeline tab
You can still add notes to Timeline from the Timeline tab. The tab's UI contains the following:
Details about the user who created the Timeline (shown in the Created by field) and users who added notes to the Timeline (shown in the Participants field)
The Timeline description (shown in the text box at the top of the Notes tab)
All notes added to the Timeline
An option for saving the Timeline if you're adding a note to an unsaved Timeline
Notes management page
In ESS, the Notes page is located at Manage -> Investigations -> Notes. In Serverless, it's under ???. On the Notes page, users can do the following:
Advanced setting for limiting notes added to alerts/events
The securitySolution:maxUnassociatedNotes advanced setting lets users specify a maximum number of notes that can be added to an event or alert. The default value is 1000. Users can add 1000 notes to 1k alerts (1 note per alert) or 1000 notes to a single alert.
Additional details feature/functionality
What can you add notes to?
How do you add notes?
Alerts and events: Two ways -
Can add notes from the Alerts table or event tables on the Explore pages (Hosts and Users). To do this, use the notes button (not sure if there will be an option to bulk-add notes)
NOTE: A notifications icon (a red dot) appears on the Notes button when an alert or event has one or more notes.
Details flyout: Expand the flyout and directly add a note from the Notes tab or click the add icon in the Notes card in the flyout header (for alerts only)
Timeline: Two ways -
How do you manage notes?
What should you be aware of?
Doc plan
IMPORTANT: Will need to coordinate with Phillipe or Christine to create a link to these docs. More info here.
securitySolution:maxUnassociatedNotes advanced setting to the Configure advanced settings page.
timeline-ui-updated.png
and-events-timeline-ui-updated.png
timeline-sidebar.png
and-events-timeline-sidebar.png
correlation-tab-eql-query.png
and-events-correlation-tab-eql-query.png
create-a-timeline-template-field.png
and-events-create-a-timeline-template-field.png
open-alert-details-flyout.gif
and-detections-open-alert-details-flyout.gif
alert-details-flyout-right-panel.png
and-detections-alert-details-flyout-right-panel.png
alert-details-flyout-preview-panel.gif
and-detections-alert-details-flyout-preview-panel.gif
expand-details-button.png
and-detections-expand-details-button.png
expanded-entities-view.png
and-detections-expanded-entities-view.png
expanded-threat-intelligence-view.png
and-detections-expanded-threat-intelligence-view.png
(need help recreating this image)
expanded-correlations-view.png
and-detections-expanded-correlations-view.png
expanded-prevalence-view.png
and-detections-expanded-prevalence-view.png
ig-alert-flyout.png
and-detections-ig-timeline.png
ig-alert-flyout-invest-tab.png
and-detections-ig-alert-flyout-invest-tab.png
ig-timeline.png
and-detections-ig-timeline.png
ig-timeline-query.png
and-detections-ig-timeline-query.png
Background & resources
securitySolution:maxUnassociatedNotes advanced setting: [Security Solution][Notes] Make MAX_UNASSOCIATED_NOTES an advanced Kibana setting kibana#194947
Which documentation set does this change impact?
ESS and serverless
ESS release
8.16
Serverless release
November 4, 2024
Feature differences
N/A
API docs impact
N/A (Not updating 8.16 API docs anymore)
Prerequisites, privileges, feature flags
None