From 0aa9dc43f5bf0df9409204723b0eee00c428b6f8 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 16 Jun 2022 15:43:05 -0400 Subject: [PATCH 1/4] First draft --- docs/detections/alerts-ui-manage.asciidoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index 4bf4bef9a9..857360de82 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc @@ -62,7 +62,7 @@ image::images/additional-filters.png[Shows multiple ways to filter information] === Customize the Alerts table Use the toolbar buttons in the upper-left of the Alerts table to customize the columns you want displayed: -* **Columns**: Reorder the columns. +* **Columns**: Reorder the columns. * **_x_ fields sorted**: Sort the table by one or more columns. * **Fields**: Select the fields to display in the table. You can also add <> to detection alerts and display them in the Alerts table. 
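Review bot: the `-`/`+` pair for `* **Columns**: Reorder the columns.` in the `@@ -62,7 +62,7 @@` hunk of PATCH 1/4 shows no visible text change, so it reads as a whitespace-only edit; either drop it so the patch carries only the alert prevalence change, or mention the whitespace cleanup in the commit message so reviewers know it is intentional.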
@@ -109,7 +109,9 @@ The alert details flyout also lists the number and names of cases to which the a The *Highlighted Fields* section displays the most relevant fields for the alert type. Use this section to inform your triage efforts as you investigate the alert. -The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert with an alert prevalence of 3 for the `host.name` field means three alerts with the same `host.name` value exist within the given timeframe. Alert prevalence data can help you investigate relationships with other alerts and gain more context about the event producing the alert. +The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert with an alert prevalence of 3 for the `host.name` field means three alerts with the same `host.name` value exist within the given timeframe. Alert prevalence data can help you investigate relationships with other alerts and gain more context about the event producing the alert. Click the alert prevalence count to explore the alerts in Timeline. + +IMPORTANT: Before investigating alert prevalence data in Timeline, save any Timelines you're working on to ensure you can access them later. The *Enriched data* section displays available threat indicator matches and threat intelligence data. Click the info icon to learn more about what data is collected. From dd3b70fc7de7ab2cda1ec1afed22fa18a8fb53a0 Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sat, 18 Jun 2022 09:39:37 -0400 Subject: [PATCH 2/4] Update docs/detections/alerts-ui-manage.asciidoc Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> --- docs/detections/alerts-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index 857360de82..ea338de9d5 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc @@ -109,7 +109,7 @@ The alert details flyout also lists the number and names of cases to which the a The *Highlighted Fields* section displays the most relevant fields for the alert type. Use this section to inform your triage efforts as you investigate the alert. -The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert with an alert prevalence of 3 for the `host.name` field means three alerts with the same `host.name` value exist within the given timeframe. Alert prevalence data can help you investigate relationships with other alerts and gain more context about the event producing the alert. Click the alert prevalence count to explore the alerts in Timeline. +The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert prevalence of 3 for the `host.name` field means three alerts with the same `host.name` value exist within the given timeframe. Alert prevalence data can help you investigate relationships with other alerts and gain more context about the event producing the alert. Click the alert prevalence count to explore the alerts in Timeline. IMPORTANT: Before investigating alert prevalence data in Timeline, save any Timelines you're working on to ensure you can access them later. From e17750cadd95ac8c26735586726b734e49ca12d2 Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 20 Jun 2022 13:21:33 -0400 Subject: [PATCH 3/4] Update docs/detections/alerts-ui-manage.asciidoc Co-authored-by: Joe Peeples --- docs/detections/alerts-ui-manage.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index ea338de9d5..b324eb7bce 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc @@ -109,7 +109,9 @@ The alert details flyout also lists the number and names of cases to which the a The *Highlighted Fields* section displays the most relevant fields for the alert type. Use this section to inform your triage efforts as you investigate the alert. -The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert prevalence of 3 for the `host.name` field means three alerts with the same `host.name` value exist within the given timeframe. Alert prevalence data can help you investigate relationships with other alerts and gain more context about the event producing the alert. Click the alert prevalence count to explore the alerts in Timeline. +The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert prevalence of 3 for `host.name` means three alerts with the same `host.name` value exist within the timeframe. + +Alert prevalence data can help you investigate relationships with other alerts and gain context about the events producing alerts. You can also click the alert prevalence count to explore the alerts in Timeline. IMPORTANT: Before investigating alert prevalence data in Timeline, save any Timelines you're working on to ensure you can access them later. From 2d7155daf67aacf673366b6316fd85477fc7cacc Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 24 Jun 2022 18:01:49 -0400 Subject: [PATCH 4/4] Fixed order --- docs/detections/alerts-ui-manage.asciidoc | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index cc8f8d357f..907df47311 100644 
--- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc 
@@ -109,18 +109,14 @@ The Alert details flyout also lists the number and names of cases to which the a The *Highlighted Fields* section displays the most relevant fields for the alert type. Use this section to inform your triage efforts as you investigate the alert. +NOTE: The *Session ID* field provides a unique ID for tracking a given Linux session and is stored in the `process.entry_leader.entity_id` field in the alert's document. To collect the session ID and other session data, you must enable the *Include session data* setting on your {endpoint-cloud-sec} integration policy. Refer to <> for more information. -The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert prevalence of 3 for `host.name` means three alerts with the same `host.name` value exist within the timeframe. +The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert prevalence of 3 for `host.name` means three alerts with the same `host.name` value exist within the timeframe. -Alert prevalence data can help you investigate relationships with other alerts and gain context about the events producing alerts. You can also click the alert prevalence count to explore the alerts in Timeline. +Alert prevalence data can help you investigate relationships with other alerts and gain context about the events producing alerts. You can also click the alert prevalence count to explore the alerts in Timeline. IMPORTANT: Before investigating alert prevalence data in Timeline, save any Timelines you're working on to ensure you can access them later. -NOTE: The *Session ID* field provides a unique ID for tracking a given Linux session and is stored in the `process.entry_leader.entity_id` field in the alert's document. 
To collect the session ID and other session data, you must enable the *Include session data* setting on your {endpoint-cloud-sec} integration policy. Refer to <> for more information. - -The *Alert prevalence* column shows the total number of alerts within the selected time frame that have identical values. For example, an alert with an alert prevalence of 3 for the `host.name` field means three alerts with the same `host.name` value exist within the given time frame. Alert prevalence data can help you investigate relationships with other alerts and gain more context about the event producing the alert. - - The *Enriched data* section displays available threat indicator matches and threat intelligence data. Click the info icon to learn more about what data is collected. [role="screenshot"]
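Review bot: the new `IMPORTANT:` admonition in the `@@ -109,7 +109,9 @@` hunk of PATCH 1/4 tells readers to save any Timelines they are working on before clicking the prevalence count, but not what happens to an unsaved Timeline when they click; state the consequence explicitly (what the click opens or replaces) so the reader knows why the warning applies. The same hunk appends `Click the alert prevalence count to explore the alerts in Timeline.` to the end of an already long paragraph; giving that sentence its own paragraph, as PATCH 3/4 later does, keeps the admonition next to the action it qualifies.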
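Review bot: the new second paragraph in the `@@ -109,7 +109,9 @@` hunk of PATCH 3/4 ends with `You can also click the alert prevalence count to explore the alerts in Timeline.` immediately before the `IMPORTANT:` admonition about saving Timelines; since the warning only matters for that click, consider placing the admonition ahead of the sentence that invites the click, or fold the caveat into the sentence itself (`Before you click the alert prevalence count, save any Timelines ...`), so readers see the caveat before they act.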
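Review bot: the `@@ -109,18 +109,14 @@` hunk of PATCH 4/4 correctly removes the duplicated *Alert prevalence* paragraph (the second copy, which also used `time frame` instead of `timeframe`), but the `-`/`+` pairs for the two retained *Alert prevalence* paragraphs show no visible text change and look like whitespace-only edits that inflate the diff; drop them or note the cleanup in the commit message. The relocated `NOTE:` on *Session ID* now sits directly under the *Highlighted Fields* paragraph without saying that *Session ID* is one of the fields that section can show, so a short lead-in tying the note to the highlighted fields would explain why it appears here; the detail that the value lives in `process.entry_leader.entity_id` and requires the *Include session data* policy setting is useful and should stay.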