Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Docs]Timeline and Template UI updates #84

Merged
merged 7 commits into from
Aug 4, 2020
Merged

[Docs]Timeline and Template UI updates #84

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
eab1028
timeline and template updates
Aug 3, 2020
496333d
uncomments out original timeline section in SIEM UI
Aug 3, 2020
faffec8
removes original timeline IDs to avoid build conflict
Aug 3, 2020
1149f58
add all actions screenshot
Aug 4, 2020
02e0bae
add all actions screenshot
Aug 4, 2020
b8a7d8c
corrections
Aug 4, 2020
75c3bbf
adds filter explanation and legend
Aug 4, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file modified docs/siem/images/timeline-ui.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
4 changes: 4 additions & 0 deletions docs/siem/index.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,8 @@ include::detections/machine-learning/ml-index.asciidoc[]

include::detections/detections-index.asciidoc[]

include::timeline/timeline-ui-overview.asciidoc[]

include::timeline/timeline-templates.asciidoc[]

include::cases/cases-index.asciidoc[]
7 changes: 0 additions & 7 deletions docs/siem/siem-ui.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -233,7 +233,6 @@ The Cases page is used to open and track security issues directly in the
image::images/cases-ui-home.png[]

[float]
[[timelines-ui]]
== Timelines

Use Timeline as your workspace for alert investigations or threat hunting.
Expand All @@ -260,7 +259,6 @@ can also link to timelines from Cases and external ticketing systems.


[discrete]
[[raw]]
==== Focus on signals or raw events

Many security events in Timeline are presented in an easy-to-follow rendered
Expand All @@ -272,7 +270,6 @@ You can click and expand events from within Timeline to see the underlying
event data, either in tabular form, as as {es} JSON.

[discrete]
[[narrow-expand]]
==== Narrow or expand your query

You can specify logical `AND` and `OR` operations with an item's placement in
Expand All @@ -281,7 +278,6 @@ sets are `OR`-ed together. As you hover the item over the drop area, you can see
whether your placement is on target to create an `AND` or `OR` filters.

[discrete]
[[pivot]]
==== Pivot on a data point

Click a filter to access additional operations such as exclude, temporarily
Expand All @@ -290,7 +286,6 @@ item so that it is excluded.

[discrete]
[[row-renderer]]
==== Get more context for each event

As you build and modify your queries, you can see the results of your
interactions in the details pane below.
Expand All @@ -301,7 +296,6 @@ event. If you see a particular item that interests you, you can drag it to the
drop area for further introspection.

[discrete]
[[import-export-timelines]]
==== Export and import timelines

You can import and export timelines, which enables importing timelines from one
Expand All @@ -320,7 +314,6 @@ then select _Export selected_.
the timeline `ndjson` file.

[discrete]
[[other]]
==== Other actions

The Timeline is flexible and highly interactive. As you would expect, the
Expand Down
Binary file added docs/siem/timeline/images/all-actions-timeline-ui.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/create-template-ui.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/invalid-filter.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/template-filter-value.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/template-query-example.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/timeline-disable-filter.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/timeline-field-exists.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/timeline-filter-exclude.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/timeline-filter-value.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/timeline-template-filter.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/timeline-ui-filter-options.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/timeline-ui-renderer.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/siem/timeline/images/timeline-ui.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
146 changes: 146 additions & 0 deletions docs/siem/timeline/timeline-templates.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,146 @@
[[timeline-templates-ui]]
== About Timeline templates

You can attach Timeline templates to detection rules. When attached, the rule's
alerts use the template when they are investigated in Timeline. This enables
immediately viewing the alert's most interesting fields when you start an
investigation.

Templates can include two type of filters:

* *'Regular' filter*: Like other {kib} KQL filters, defines both the source
event field and its value. For example: `host.name : "win-server"`.
* *Template filter*: Only defines the event field, and uses a placeholder
for the field's value. When you investigate an alert in Timeline, the field's
value is taken from the alert.

For example, if you define the `host.name: "{host.name}"` template filter, when
alerts generated by the rule are investigated in Timeline, the alert's
`host.name` value is used in the filter. If the alert's `host.name` value is
`Linux_stafordshire-061`, the Timeline filter is:
`host.name: "Linux_stafordshire-061"`.

NOTE: For information on how to add Timeline templates to rules, see
<<create-rule-ui>>.

When you load {es-sec} prebuilt rules, some prebuilt Timeline templates are
also loaded. You can attach these templates to detection rules. The following
templates are loaded:

* `Generic Endpoint Timeline`: Useful for investigating Elastic Endpoint
security alerts.
* `Generic Process Timeline`: Useful for investigating process-related alerts.
* `Generic Network Timeline`: Useful for investigating network-related alerts.

TIP: You can <<man-templates-ui, duplicate prebuilt templates>> and use them as
a starting point for your own custom templates.

[discrete]
[[template-legend-ui]]
=== Timeline template legend

When you add filters to a Timelime template, the items are color coded to
indicate which type of filter is added. Additionally, you change Timeline
filters to template filters as you build your template.

'Regular' Timeline filter::
Click `Convert to template field` changes the filter to a template filter:
+
[role="screenshot"]
image::images/template-filter-value.png[width=30%]

Template filter::
+
[role="screenshot"]
image::images/timeline-template-filter.png[width=30%]

When you <<man-templates-ui, convert a template to a Timeline>>, template
filters with placeholders are disabled:

[role="screenshot"]
image::images/invalid-filter.png[width=30%]

To enable the filter, either specify a value or change it to a field exists
filter (see <<pivot>>).


[discrete]
=== Create a Timeline template

. Go to *Security* -> *Timelines*.
. Click the *Templates* tab, and then *Create new timeline template*.
+
[role="screenshot"]
image::images/create-template-ui.png[]

. Give the template a title.
. Optionally, add a description and notes.
. To add filters, click *Add field*, and then select the required option:

* _Add field_: Add a `regular` Timeline filter.
* _Add template field_: Add a template filter with a value placeholder.

TIP: You can also drag and send items to the template from the *Overview*,
*Hosts*, *Network*, and *Detections* pages.

*Example*

To create a template for process-related alerts on a specific host:

* Add an 'ordinary' filter for the host name:
`host.name: "Linux_stafordshire-061"`
* Add template filter for process names: `process.name: "{process.name}"`

[role="screenshot"]
image::images/template-query-example.png[]

When alerts generated by rules associated with this template are investigated
in Timeline, the host name is `Linux_stafordshire-061`, whereas the process name
value is retrieved from the alert's `process.name` field.

[discrete]
[[man-templates-ui]]
=== Manage existing Timeline templates

You can view, duplicate, delete, and create templates from existing Timelines:

. Go to *Security* -> *Timelines*.
. Click the *Templates* tab.
+
[role="screenshot"]
image::images/all-actions-timeline-ui.png[]

. Click the *All actions* icon in the relevant row, and then select the action:

* _Create timeline from template_
* _Duplicate template_
* _Delete template_

TIP: To perform the same action on multiple templates, select templates and
then the required action from the _Bulk actions_ menu.

NOTE: You cannot delete prebuilt templates.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

users cannot favourite it, or edit it either.
I think it would be nice to let them know that if they want to update the elastic prebuilt templates, they can duplicate them first and then they becomes custom templates, and they can do all the changes.


[discrete]
=== Export and import Timeline templates

You can import and export Timeline templates, which enables importing templates
from one {kib} space or instance to another. Exported templates are saved in an
http://ndjson.org[`ndjson`] file.

. Go to *Security* -> *Timelines*.
. Click the *Templates* tab.
. To export templates, do one of the following:

* To export one template, click the *All actions* icon in the relevant row and
then select _Export selected_.
* To export multiple templates, select all the required templates and then click
*Bulk actions* -> _Export selected_.

. To import templates, click *Import Timeline* and then select or drap-and-drop
the template `ndjson` file.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we put a note here to let them know the content of the ndjson has to be in minimised format to import it properly.

e.g.

This is ok

{"savedObjectId":"67664480-d191-11ea-ae67-4f4be8c1847b","version":"WzU1NSwxXQ==","columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"message","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.category","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"host.name","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"source.ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"destination.ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"user.name","searchable":null}],"dataProviders":[],"description":"","eventType":"all","filters":[],"kqlMode":"filter","timelineType":"default","kqlQuery":{"filterQuery":{"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"@timestamp\"}}],\"minimum_should_match\":1}}","kuery":{"expression":"@timestamp : * ","kind":"kuery"}}},"title":"x2","sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1596036895488,"createdBy":"angela","updated":1596491470411,"updatedBy":"angelachuang","templateTimelineId":null,"templateTimelineVersion":null,"dateRange":{"start":"2020-04-10T14:10:58.373Z","end":"2020-05-30T14:16:58.373Z"},"savedQueryId":null,"eventNotes":[{"noteId":"7d875ba0-d5d3-11ea-9899-ebec3d084fe0","version":"WzU1NiwxXQ==","eventId":"8KtMKnIBOS_moQ_K9fAe","note":"hi Xavier","timelineId":"67664480-d191-11ea-ae67-4f4be8c1847b","created":1596491490806,"createdBy":"angelachuang","updated":1596491490806,"updatedBy":"angelachuang"}],"globalNotes":[],"pinnedEventIds":["K99zy3EBDTDlbwBfpf6x","GKpFKnIBOS_moQ_Ke5AO","8KtMKnIBOS_moQ_K9fAe"]}

This will fail

{
  "savedObjectId": "67664480-d191-11ea-ae67-4f4be8c1847b",
  "version": "WzU1NSwxXQ==",
  "columns": [
    {
      "indexes": null,
      "name": null,
      "columnHeaderType": "not-filtered",
      "id": "@timestamp",
      "searchable": null
    },
    {
      "indexes": null,
      "name": null,
      "columnHeaderType": "not-filtered",
      "id": "message",
      "searchable": null
    },
    {
      "indexes": null,
      "name": null,
      "columnHeaderType": "not-filtered",
      "id": "event.category",
      "searchable": null
    },
    {
      "indexes": null,
      "name": null,
      "columnHeaderType": "not-filtered",
      "id": "event.action",
      "searchable": null
    },
    {
      "indexes": null,
      "name": null,
      "columnHeaderType": "not-filtered",
      "id": "host.name",
      "searchable": null
    },
    {
      "indexes": null,
      "name": null,
      "columnHeaderType": "not-filtered",
      "id": "source.ip",
      "searchable": null
    },
    {
      "indexes": null,
      "name": null,
      "columnHeaderType": "not-filtered",
      "id": "destination.ip",
      "searchable": null
    },
    {
      "indexes": null,
      "name": null,
      "columnHeaderType": "not-filtered",
      "id": "user.name",
      "searchable": null
    }
  ],
  "dataProviders": [],
  "description": "",
  "eventType": "all",
  "filters": [],
  "kqlMode": "filter",
  "timelineType": "default",
  "kqlQuery": {
    "filterQuery": {
      "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"@timestamp\"}}],\"minimum_should_match\":1}}",
      "kuery": {
        "expression": "@timestamp : * ",
        "kind": "kuery"
      }
    }
  },
  "title": "x2",
  "sort": {
    "columnId": "@timestamp",
    "sortDirection": "desc"
  },
  "created": 1596036895488,
  "createdBy": "angela",
  "updated": 1596491470411,
  "updatedBy": "angelachuang",
  "templateTimelineId": null,
  "templateTimelineVersion": null,
  "dateRange": {
    "start": "2020-04-10T14:10:58.373Z",
    "end": "2020-05-30T14:16:58.373Z"
  },
  "savedQueryId": null,
  "eventNotes": [
    {
      "noteId": "7d875ba0-d5d3-11ea-9899-ebec3d084fe0",
      "version": "WzU1NiwxXQ==",
      "eventId": "8KtMKnIBOS_moQ_K9fAe",
      "note": "hi Xavier",
      "timelineId": "67664480-d191-11ea-ae67-4f4be8c1847b",
      "created": 1596491490806,
      "createdBy": "angelachuang",
      "updated": 1596491490806,
      "updatedBy": "angelachuang"
    }
  ],
  "globalNotes": [],
  "pinnedEventIds": [
    "K99zy3EBDTDlbwBfpf6x",
    "GKpFKnIBOS_moQ_Ke5AO",
    "8KtMKnIBOS_moQ_K9fAe"
  ]
}

+
NOTE: Each template object in the file must be represented in a single line.
Multiple template objects are delimited with newlines.

NOTE: You cannot export prebuilt templates.
165 changes: 165 additions & 0 deletions docs/siem/timeline/timeline-ui-overview.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,165 @@
[[timelines-ui]]
[role="xpack"]
= Investigating events in Timeline

Use Timeline as your workspace for investigations and threat hunting.
Data from multiple indices can be added to a Timeline, which enables
investigating complex threats.

You can drag or send items of interest to Timeline to create the query you need
to investigate an alert or event. You can add items from tables and histograms
on the *Overview*, *Detections*, *Hosts* and *Network* pages, as well as from
within a Timeline itself. Additionally, you can add a query directly in Timeline
(click `+ Add field`).

[role="screenshot"]
image::images/timeline-ui.png[]

Timelines are responsive, and they persist as you move through the {es-sec-app}
collecting data. Auto-saving ensures that the results of your investigation are
available for review by other analysts and incident response teams. To record
and share your findings with others, attach your Timeline to a
<<cases-overview, case>>.

TIP: An untitled Timeline is saved as a draft. To attach a Timeline to a
<<cases-overview, case>>, you must give it a title.

In addition to Timelines, you can create and attach Timeline templates to
<<detection-engine-overview, detection rules>>. Timeline templates allow you to
define the source event fields used when you investigate a detections alert in
Timeline. You can select whether the fields use predefined values or values
retrieved from the alert. For more information, see <<timeline-templates-ui>>.


[discrete]
[[refine-timeline-results]]
== View and refine Timeline results

Using the drop-down options
by the KQL bar, you can select whether <<det-engine-terminology, alerts>>,
other raw events, or both are displayed in the Timeline.

[discrete]
[[conf-timeline-display]]
== Configure Timeline event context and display

Many events in Timeline are presented in easy-to-follow rendered views that
include relevant contextual information. These views are called
*Event Renderers*, and they can be configured via the Settings icon in the upper
left corner of the result's pane:

[role="screenshot"]
image::images/timeline-ui-renderer.png[]

The example above displays a flow event renderer. If you see a particular item
that interests you, you can drag it to the dropzone for further investigation.

Other display options include:

* View in full screen mode
* Add, remove, reorder, and resize columns
* Add notes to individual events
* Add investigation notes for the entire Timeline
* Pin interesting events in the Timeline

[discrete]
[[narrow-expand]]
== Narrow or expand your query

You can specify logical `AND` and `OR` operations with an item's placement in
the drop area. Multiple horizontal filters use `AND` logic, vertical filters use
`OR`.

[discrete]
[[pivot]]
== Edit existing filters

Click a filter to access additional operations such as exclude, temporarily
disable, or delete items from the query:

[role="screenshot"]
image::images/timeline-ui-filter-options.png[width=30%]

This is how the filters appear in the UI:

Field with value::
Filters for events with the specified field value:
+
[role="screenshot"]
image::images/timeline-filter-value.png[width=30%]

Field exists::
Filters for events containing the specified field:
+
[role="screenshot"]
image::images/timeline-field-exists.png[width=30%]

Exclude results::
Filters for events that do not contain the specified field value
(`field with value` filter) or the specified field (`field exists` filter):
+
[role="screenshot"]
image::images/timeline-filter-exclude.png[width=30%]

Temporarily disable::
The filter is not used in the query until it is enabled again:
+
[role="screenshot"]
image::images/timeline-disable-filter.png[width=30%]

Filter for field present::
Converts a `field with value` filter to a `field exists` filter.

NOTE: When you convert a <<timeline-templates-ui, Timeline template>> to a
Timeline, some fields may be disabled. For more information, see
<<template-legend-ui>>.

[discrete]
[[timeline-to-cases-ui]]
== Attach Timeline to a case

To attach a Timeline to a new or existing case, click the Settings in the upper
right corner, and then select one of these:

* _Attach timeline to new case_
* _Attach timeline to existing case_

For more information about cases, see <<cases-overview, Cases>>.

[discrete]
[[manage-timelines-ui]]
== Manage existing Timelines

You can view, duplicate, delete, and create templates from existing Timelines:

. Go to *Security* -> *Timelines*.
. Click the *All actions* icon in the relevant row, and then select the action:

* _Create template from timeline_ (see <<timeline-templates-ui>>)
* _Duplicate timeline_
* _Delete timeline_

TIP: To perform the same action on multiple Timelines, select Timelines and
then the required action from the _Bulk actions_ menu.

[discrete]
[[import-export-timelines]]
== Export and import Timelines

You can import and export Timelines, which enables importing Timelines from one
{kib} space or instance to another. Exported Timelines are saved in an
http://ndjson.org[`ndjson`] file.

. Go to *Security* -> *Timelines*.
. To export Timelines, do one of the following:

* To export one Timeline, click the *All actions* icon in the relevant row and
then select _Export selected_.
* To export multiple Timelines, select all the required Timelines and then click
*Bulk actions* -> _Export selected_.

. To import Timelines, click *Import Timeline* and then select or drap-and-drop
the Timeline `ndjson` file.
+
NOTE: Each Timeline object in the file must be represented in a single line.
Multiple Timeline objects are delimited with newlines.