diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index b8707f52d2..e09e870735 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc 
@@ -22,29 +22,54 @@ image::images/alert-details-flyout.png[Alert details flyout] The *Overview* tab summarizes the alert and shows relevant threat intelligence details. Use this information to understand what generated the alert so you can triage and resolve it. -The Overview tab contains these features: +The *Overview* tab contains these features: -* *Summary*: General details such as the alert's status, severity, risk score, and a link to the detection rule that produced the alert. +* *Summary*: Displays general details such as the alert's status, severity, risk score, and a link to the detection rule that produced the alert. -* *Reason statement*: A description of what generated the alert and provides general alert details. You can use this to understand the alert's origin and determine if the alert is relevant to your investigation. +* *Reason statement*: Provides a description of what generated the alert and provides general alert details. You can use this to understand the alert's origin and determine if the alert is relevant to your investigation. -* *Cases*: The total number and names of cases to which the alert has been added. Click a case's name to open its details. +* *Highlighted fields*: Surfaces the most relevant fields for the alert type. Use this to inform your triage efforts as you investigate the alert. -* *Highlighted fields*: The most relevant fields for the alert type. Use this section to inform your triage efforts as you investigate the alert. -+ -NOTE: The *Session ID* field provides a unique ID for tracking a given Linux session and is stored in the `process.entry_leader.entity_id` field in the alert's document. To collect the session ID and other session data, you must enable the *Include session data* setting on your {endpoint-cloud-sec} integration policy. Refer to <> for more information. - -* *Alert prevalence*: The total number of alerts within the selected timeframe that have identical values. 
For example, an alert prevalence of 3 for `host.name` means three alerts with the same `host.name` value exist within the timeframe. +* *Alert prevalence*: Shows the total number of alerts within the selected time frame that have identical values. For example, an alert prevalence of 3 for `host.name` means three alerts with the same `host.name` value exist within the time frame. + Alert prevalence data can help you investigate relationships with other alerts and gain context about the events producing alerts. You can also click the alert prevalence count to explore the alerts in Timeline. + IMPORTANT: Before investigating alert prevalence data in Timeline, save any Timelines you're working on to ensure you can access them later. -* *Enriched data*: Available threat indicator matches and threat intelligence data. This section only displays for alerts with intelligence data. Click the info icon to learn more about what data is collected. Refer to <> for more information. +* *Insights*: Shows relationships with associated alerts to help you quickly identify patterns. Refer to <> for more information. + +* *Enriched data*: Displays available threat indicator matches and threat intelligence data. This section only displays when examining alerts with intelligence data. Click the info icon to learn more about what data is collected. Refer to <> for more information. + [role="screenshot"] image::images/enriched-data-info-icon.png[Informational message on enriched data, 600] +[discrete] +[[alert-details-insights]] +==== Insights on alerts + +The Insights section shows you how an alert is related to other alerts and offers ways to investigate related alerts. You can use this information to quickly find patterns between alerts and then take action. + +Within the Insights section, you can click on the title for each insight to expand or collapse it. 
+ +[role="screenshot"] +image::images/insights-section.png[Insights section in Alert details flyout, 600] + +The Insights section provides the following details: + +* *Cases related to the alert* - Shows the total number and names of cases to which the alert has been added. Click a case's name to open its details. +* *Alerts related by source event* - Shows the ten most recent alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the *Investigate in timeline* button to examine related alerts in Timeline. +* *Alerts related by session ID* - Shows the ten most recent alerts generated during the same <>. These alerts share the same Session ID, which is a unique ID for tracking a given Linux session. ++ +beta::[] ++ +NOTE: This feature requires a https://www.elastic.co/pricing[Platinum or Enterprise subscription]. In addition, the *Include session data* setting must be enabled on your {endpoint-cloud-sec} integration policy. Refer to <> for more information. + +* *Alerts related by process ancestry* - Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click *Investigate in timeline*. ++ +beta::[] ++ +NOTE: This feature requires a https://www.elastic.co/pricing[Platinum or Enterprise subscription]. In addition, to display it within the Insights section, you must also add the following feature flag to the `kibana.yml` file: `xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']`. + [discrete] [[enriched-data-overview]] ==== Enriched data on alerts diff --git a/docs/detections/images/alert-details-flyout.png b/docs/detections/images/alert-details-flyout.png index ed941bd1dc..096f0410b6 100644 Binary files a/docs/detections/images/alert-details-flyout.png and b/docs/detections/images/alert-details-flyout.png differ 
diff --git a/docs/detections/images/insights-section.png b/docs/detections/images/insights-section.png new file mode 100644 index 0000000000..7acc410143 Binary files /dev/null and b/docs/detections/images/insights-section.png differ
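Review bot: In the alerts-view-details.asciidoc hunk, the removed NOTE under *Highlighted fields* was the only place that told readers the Session ID is stored in `process.entry_leader.entity_id`; the replacement bullet `* *Alerts related by session ID* - Shows the ten most recent alerts generated during the same <>.` describes the Session ID only as "a unique ID for tracking a given Linux session", so analysts lose the field name they need to pivot on it in Timeline or KQL. Suggest keeping the field reference in the new bullet, e.g. "These alerts share the same Session ID (stored in the `process.entry_leader.entity_id` field of the alert document)". Two smaller points in the same hunk: the process-ancestry NOTE says to "add the following feature flag" and then shows `xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']`, which, copied verbatim, replaces any values already in that list; wording it as "add `insightsRelatedAlertsByProcessAncestry` to the `xpack.securitySolution.enableExperimental` array in `kibana.yml`" avoids users silently dropping other experimental settings. And the new Insights list separates bullet titles with " - " while the *Overview* list above it uses ": " (`* *Summary*: Displays general details ...`); pick one separator for both lists.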