From 7a06d7da9032020defd6055dfa63986ed1845eaf Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 24 Jun 2022 18:20:24 -0400 Subject: [PATCH] [DOCS] Add the "investigate in timeline" button to the alert prevalence section (#2077) Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Joe Peeples (cherry picked from commit 9da2d9db26340c5b0e5674b0cc4fb4292439a611) --- docs/detections/alerts-ui-manage.asciidoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index 824f8c4d06..907df47311 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc 
@@ -111,7 +111,11 @@ The *Highlighted Fields* section displays the most relevant fields for the alert NOTE: The *Session ID* field provides a unique ID for tracking a given Linux session and is stored in the `process.entry_leader.entity_id` field in the alert's document. To collect the session ID and other session data, you must enable the *Include session data* setting on your {endpoint-cloud-sec} integration policy. Refer to <> for more information. -The *Alert prevalence* column shows the total number of alerts within the selected time frame that have identical values. For example, an alert with an alert prevalence of 3 for the `host.name` field means three alerts with the same `host.name` value exist within the given time frame. Alert prevalence data can help you investigate relationships with other alerts and gain more context about the event producing the alert. +The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert prevalence of 3 for `host.name` means three alerts with the same `host.name` value exist within the timeframe. + +Alert prevalence data can help you investigate relationships with other alerts and gain context about the events producing alerts. You can also click the alert prevalence count to explore the alerts in Timeline. + +IMPORTANT: Before investigating alert prevalence data in Timeline, save any Timelines you're working on to ensure you can access them later. The *Enriched data* section displays available threat indicator matches and threat intelligence data. Click the info icon to learn more about what data is collected.
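Review bot: The new IMPORTANT admonition in the last `+` line tells readers to save their Timelines before investigating prevalence data but never says why, so the instruction reads as arbitrary; state the consequence it guards against (for example, that opening the prevalence count in Timeline can replace the Timeline currently open and discard unsaved work, if that is the actual behaviour) so readers know what they risk by skipping the step. Minor: the first `+` line changes "time frame" to "timeframe" in both places; keep whichever spelling the rest of alerts-ui-manage.asciidoc already uses so the page stays consistent.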