Closed
Description
In 8.5, the alert reason statement will display in the alert rendered view. This is different from the templated/conditional string view that was used in 8.4 and allows users to take actions on individual parts of the statement.
The reason statement will be shown in the alert rendered view within the Alerts table:
- From the grid view, an alert's reason statement displays as plain text. To view the statement in the event rendered view, users need to click the expand icon.
- From the event rendered view, an alert's reason statement will always display as a rendered event if an event renderer exists for the event. If one doesn't, the reason statement displays as plain text.
Other places where an alert's reason statement shows in the event renderer:
- The Overview tab in the Alert details flyout
- Timeline (could use an example - am not seeing the event reason being rendered when I enable the `event.reason` field in Timeline)
Related issues/PRs
Notes:
- When previewing rule results, users can view an alert's reason statement by opening an alert's details in the alert table. They can't take action on the reason statement from that table though.
Required doc updates
- Update tip here about viewing the event rendering for a specific alert.
  - Refresh screenshot as well (`event-rendered-view.png`)
- Refresh screenshot of Alert details flyout (`alert-details-flyout.png`) in the View detection alert details topic.
- Revise the reason statement definition in the Overview tab section.