Description
Multiple changes have been made to the alert details flyout in 8.4.
Linked cases moved to new Insights section
One major change is that linked cases are no longer included under the alert's Reason statement on the overview tab. In 8.4, this was moved to the new Insights section.
Doc updates/notes
- Remove the third bullet in the list of features that the Overview tab contains.
- Create a new section in the View detection alert details topic for the Insights section. Can use a 4th level header. (See notes under Change [DOCS]: Attempt to see if build process is working #2 for more info about what belongs in this section)
- NOTE: Need to figure out whether the Insights section appears above or below the Enriched data section.
New Insights section added to Alert details flyout
As mentioned above, the Insights section is a new section in the Alert details flyout. Its purpose is to surface certain information that was formerly contained within the Highlighted fields section or under the alert's Reason statement. When users open an alert's details, they should be able to quickly gain an overview of important details (insights) about the alert. Information within the Insights section is organized into collapsible segments. Some segments, such as the related source events segment, contain simplified tables to organize data and the option to investigate data in Timeline. In total, four segments will display within the Insights section -- though it should be noted that two of these segments will only display if certain conditions are met:
- Related cases by alert
- Related alerts by source event
- Related alerts by session [only if an entry leader exists - requires cloud security enabled for the endpoint integration]
- Related alerts by ancestry [feature flag and Platinum license required]
Doc updates/notes
- Make sure to update the screenshot of the alert details flyout in View alert details to show the segments that are available by default. Might be able to use a separate screenshot for the segment showing related alerts by ancestry. Refer to the screenshot for the enriched data segments for an example.
- Within the new Insights doc section, explain the information shown in each of the sub-sections and any pre-reqs/dependencies.
The Source event id field moved into a new source events insights section
The source events insights section takes the values that were formerly stored in the Source event id field in the Highlighted fields section. The source events insights section refers to the value found in the kibana.alert.original_event.id field. This field identifies the event that caused the alert. For example, the event could be that a process was started, and that single event could then trigger multiple alerts depending on the rules that have been set up in that environment. The related alerts by source event insights section gives you a list of all these (related) alerts. You can then learn more about these alerts by clicking Investigate in timeline to open them in Timeline.
Also note that this section isn’t specific to any type of rule or alert and will display as long as an event has created one or more related alerts.
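To illustrate the grouping described above, here is an added example (not Kibana code) that relates constructed alert documents by their kibana.alert.original_event.id value, newest first. Two assumptions are labelled in the code: the current alert is excluded from its own related list, and the table is capped at the ten most recent rows, borrowing the limit the issue states for session-related alerts.

```python
# Constructed sample alert documents (not real data). Each carries the
# field the Insights segment keys on: kibana.alert.original_event.id,
# the id of the source event that produced the alert.
SAMPLE_ALERTS = [
    {"_id": "a1", "@timestamp": "2022-08-01T10:00:00Z",
     "kibana.alert.original_event.id": "evt-1", "rule": "Suspicious process"},
    {"_id": "a2", "@timestamp": "2022-08-01T10:00:01Z",
     "kibana.alert.original_event.id": "evt-1", "rule": "Unusual parent"},
    {"_id": "a3", "@timestamp": "2022-08-01T10:00:02Z",
     "kibana.alert.original_event.id": "evt-2", "rule": "Suspicious process"},
    {"_id": "a4", "@timestamp": "2022-08-01T10:00:03Z",
     "kibana.alert.original_event.id": "evt-1", "rule": "Rare binary"},
]

SOURCE_EVENT_FIELD = "kibana.alert.original_event.id"
# Assumed cap: the issue gives "ten most recent" for the session segment;
# it is applied here to the source event segment as well.
MAX_ROWS = 10


def related_alerts_by_source_event(alert, alerts, max_rows=MAX_ROWS):
    """Return other alerts raised by the same source event, newest first.

    Assumption: the alert being viewed is left out of its own list.
    """
    event_id = alert.get(SOURCE_EVENT_FIELD)
    if not event_id:
        return []  # no source event id: nothing to relate on
    related = [
        a for a in alerts
        if a.get(SOURCE_EVENT_FIELD) == event_id and a["_id"] != alert["_id"]
    ]
    # Timestamps share one ISO-8601 layout, so string order is time order.
    related.sort(key=lambda a: a["@timestamp"], reverse=True)
    return related[:max_rows]


def segment_should_display(alert, alerts):
    """The segment renders only when the event produced other alerts."""
    return len(related_alerts_by_source_event(alert, alerts)) > 0


if __name__ == "__main__":
    for row in related_alerts_by_source_event(SAMPLE_ALERTS[0], SAMPLE_ALERTS):
        print(row["_id"], row["@timestamp"], row["rule"])
```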
Doc updates/notes
- Already described above
The session.ID field was moved to the Insights section
In 8.4, the session.ID field was moved from the Highlighted fields section to the new Insights section. If more than 10 alerts are related, the ten most recent alerts are shown in the table. A Beta tag will be added to the segment for alerts related by session.
Doc updates/notes
- Make sure to include the beta tag for this section to match the UI.
- Re-use content from the note under the third bullet in the "Overview tab" section about the Session ID.
Alerts related by process event are shown in the Insights section
The insights section for related alerts by ancestry only shows alerts on the same "linear" branch. Alerts on other, separate branches are not included. This section can only be accessed if the following feature flag is enabled and the user has a Platinum license: xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']. Also, because of a tagging issue, the UI shows that this section is in beta, even though it's actually in technical preview for 8.4.
Doc updates/notes:
- Make sure to include the beta tag for this section to match the UI.
- Add a note about the required license and feature flag.
Related
- [Engineering][Security Solution][Investigations] - Related Alerts by ancestry + consolidation into Insights kibana#133315
- [SecuritySolution] Introduce Insights and related alerts by process ancestry kibana#136009
- [Security Solution][Analyzer] Add alerts to analyzer, display alerts by process ancestry in alert flyout kibana#135340