diff --git a/solutions/images/security-dataview-button-highlighted.png b/solutions/images/security-dataview-button-highlighted.png index d78168a40a..e71c08e287 100644 Binary files a/solutions/images/security-dataview-button-highlighted.png and b/solutions/images/security-dataview-button-highlighted.png differ diff --git a/solutions/images/security-dataview-filter-example.gif b/solutions/images/security-dataview-filter-example.gif deleted file mode 100644 index f1c1e77411..0000000000 Binary files a/solutions/images/security-dataview-filter-example.gif and /dev/null differ diff --git a/solutions/images/security-timeline-sidebar.png b/solutions/images/security-timeline-sidebar.png index abfc753ba2..e68357e26b 100644 Binary files a/solutions/images/security-timeline-sidebar.png and b/solutions/images/security-timeline-sidebar.png differ diff --git a/solutions/images/security-timeline-ui-filter-options.png b/solutions/images/security-timeline-ui-filter-options.png index e3aeddcec9..a931989624 100644 Binary files a/solutions/images/security-timeline-ui-filter-options.png and b/solutions/images/security-timeline-ui-filter-options.png differ diff --git a/solutions/images/security-timeline-ui-renderer.png b/solutions/images/security-timeline-ui-renderer.png index 4521d982dc..e1085a5e84 100644 Binary files a/solutions/images/security-timeline-ui-renderer.png and b/solutions/images/security-timeline-ui-renderer.png differ diff --git a/solutions/images/security-timeline-ui-updated.png b/solutions/images/security-timeline-ui-updated.png index 6d589e71c7..5a348d6dd2 100644 Binary files a/solutions/images/security-timeline-ui-updated.png and b/solutions/images/security-timeline-ui-updated.png differ diff --git a/solutions/security/get-started/data-views-elastic-security.md b/solutions/security/get-started/data-views-elastic-security.md index 205d5a481c..bd7198c862 100644 --- a/solutions/security/get-started/data-views-elastic-security.md 
+++ b/solutions/security/get-started/data-views-elastic-security.md @@ -23,7 +23,7 @@ Custom indices are not included in the [default {{data-source}}](/solutions/secu ## Switch to another {{data-source}} [security-data-views-in-sec-switch-to-another-data-source] -You can tell which {{data-source}} is active by clicking the **{{data-source-cap}}** menu at the upper right of {{elastic-sec}} pages that display event or alert data, such as Overview, Alerts, Timelines, or Hosts. To switch to another {{data-source}}, click **Choose {{data-source}}**, select one of the options, and click **Save**. +The active {{data-source}} appears under **{{data-source-cap}}** in the upper-right corner of {{elastic-sec}} pages that display event or alert data, such as Overview, Alerts, Timelines, or Hosts. Click the menu to switch to another {{data-source}}. :::{image} /solutions/images/security-dataview-button-highlighted.png :alt: image highlighting how to open the data view selection menu 
@@ -32,17 +32,16 @@ You can tell which {{data-source}} is active by clicking the **{{data-source-cap ## Create or modify a {{data-source}} [security-data-views-in-sec-create-or-modify-a-data-source] +:::{note} +:applies_to: {"stack": "ga 9.2", "serverless": "ga"} +Some data views are managed by Elastic and cannot be edited. However, you can [duplicate them](/explore-analyze/find-and-organize/data-views.md#duplicate-managed-data-view) and make changes to duplicated versions without affecting managed data views. +::: + To learn how to modify the default **Security Default Data View**, refer to [Update default {{elastic-sec}} indices](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices). To learn how to modify, create, or delete another {{data-source}} refer to [{{kib}} {{data-sources-cap}}](/explore-analyze/find-and-organize/data-views.md). -You can also temporarily modify the active {{data-source}} from the **{{data-source-cap}}** menu by clicking **Advanced options**, then adding or removing index patterns. - -:::{image} /solutions/images/security-dataview-filter-example.gif -:alt: video showing how to filter the active data view -::: - -This only allows you to add index patterns that match indices that currently contain data (other index patterns are unavailable). Note that any changes made are saved in the current browser window and won’t persist if you open a new tab. +{applies_to}`stack: removed 9.2` {applies_to}`serverless: removed` You can also temporarily modify the active {{data-source}} from the **{{data-source-cap}}** menu by clicking **Advanced options**, then adding or removing index patterns. This only allows you to add index patterns that match indices that currently contain data (other index patterns are unavailable). Note that any changes you make are saved in the browser and won’t persist if you open a new tab. ::::{note} You cannot update the data view for the Alerts page. 
This includes referencing a cross-cluster search (CCS) data view or any other data view. The Alerts page always shows data from `.alerts-security.alerts-default`. @@ -53,10 +52,15 @@ You cannot update the data view for the Alerts page. This includes referencing a ## The default {{data-source}} [default-data-view-security] The default {{data-source}} is defined by the `securitySolution:defaultIndex` setting, which you can modify in [advanced settings](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices). +::::{note} +If you modify this view directly in the Edit data view UI, the changes will not persist. +:::: + The first time a user visits {{elastic-sec}} within a given {{kib}} [space](/deploy-manage/manage-spaces.md), the default {{data-source}} generates in that space and becomes active. ::::{note} +:applies_to: stack: ga In {{stack}}, your {{kib}} space must have the **Data View Management** [feature visibility](/deploy-manage/manage-spaces.md) setting enabled for the default {{data-source}} to generate and become active in your space. :::: diff --git a/solutions/security/investigate/timeline.md b/solutions/security/investigate/timeline.md index 5807bc4327..95659dcbca 100644 --- a/solutions/security/investigate/timeline.md +++ b/solutions/security/investigate/timeline.md 
@@ -53,7 +53,9 @@ Click the star icon (![Favorite icon](/solutions/images/security-favorite-icon.p ## View and refine Timeline results [refine-timeline-results] -You can select whether Timeline displays detection alerts and other raw events, or just alerts. By default, Timeline displays both raw events and alerts. To hide raw events and display alerts only, click **Data view** to the left of the KQL query bar, then select **Show only detection alerts**. +You can select whether Timeline displays detection alerts and other raw events, or just alerts. By default, Timeline displays both raw events and alerts. To hide raw events and display alerts only: +* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Select the `Security solution alerts` data view. +* {applies_to}`stack: ga 9.0` Click **Data view** to the left of the KQL query bar, then select **Show only detection alerts**. ## Inspect an event or alert [timeline-inspect-events-alerts]
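Review bot: in the data-views-elastic-security.md hunk at `@@ -23,7 +23,7 @@`, the rewritten sentence drops the concrete steps ("click **Choose {{data-source}}**, select one of the options, and click **Save**") and replaces them with "Click the menu to switch to another {{data-source}}", yet it carries none of the `{applies_to}` badges the rest of this PR uses for behaviour that changed in 9.2 / serverless. If the menu flow changed, badge the new sentence and keep the old steps under the earlier range, as the timeline hunk does; if it did not change, keep the explicit Choose/Save steps, since the new wording no longer tells the reader what to pick once the menu is open.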
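Review bot: in the data-views-elastic-security.md hunk at `@@ -32,17 +32,16 @@`, the new managed-data-view note is fenced with `:::{note}` / `:::` while the existing note two paragraphs below in the same file uses `::::{note}` / `::::`; pick one fence depth for sibling notes. The `:applies_to: {"stack": "ga 9.2", "serverless": "ga"}` flow-mapping form also differs from the `:applies_to: stack: ga` form added to the note in the `@@ -53,10 +52,15 @@` hunk of this same file; one notation per file is easier to lint. Separately, the paragraph now badged `stack: removed 9.2` / `serverless: removed` still reads in the present tense ("You can also temporarily modify the active {{data-source}} …", "any changes you make are saved in the browser"), which sits oddly under a "removed" badge; consider "In {{stack}} versions before 9.2, you could also temporarily modify …".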
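Review bot: in the data-views-elastic-security.md hunk at `@@ -53,10 +52,15 @@`, the added note "If you modify this view directly in the Edit data view UI, the changes will not persist." names the failure mode but not the remedy; the sentence above already points at `securitySolution:defaultIndex`, so the note should close the loop, e.g. "… will not persist. Change the `securitySolution:defaultIndex` advanced setting instead." so it stands alone when skimmed. The new `:applies_to: stack: ga` on the second note also duplicates the existing "In {{stack}}, …" lead-in of that note; with the badge in place the inline "In {{stack}}," can go.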
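Review bot: in the timeline.md hunk at `@@ -53,7 +53,9 @@`, the two bullets' badges overlap: following the convention this PR itself uses in data-views-elastic-security.md (`ga 9.2` for the new behaviour, `removed 9.2` for the old Advanced options paragraph), `stack: ga 9.0` on the second bullet means the old **Show only detection alerts** procedure is still shown to 9.2 readers alongside the new one. If that option is gone in 9.2, the second bullet needs a `removed 9.2` badge rather than `ga 9.0`. Also, `Security solution alerts` is a UI label and should be bold like **Data view** and **Show only detection alerts** in the same paragraph, not code-formatted, and the first bullet should say where that data view is selected (the second bullet says "to the left of the KQL query bar"; the first says nothing).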