diff --git a/docs/detections/images/alert-pill.png b/docs/detections/images/alert-pill.png new file mode 100644 index 0000000000..047844e1b7 Binary files /dev/null and b/docs/detections/images/alert-pill.png differ diff --git a/docs/detections/visual-event-analyzer.asciidoc b/docs/detections/visual-event-analyzer.asciidoc index c9ed998d59..44079c5771 100644 --- a/docs/detections/visual-event-analyzer.asciidoc +++ b/docs/detections/visual-event-analyzer.asciidoc @@ -2,7 +2,7 @@ [role="xpack"] == Visual event analyzer -{elastic-sec} allows any event detected by {elastic-endpoint} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Viewing events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations. +{elastic-sec} allows any event detected by {elastic-endpoint} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Examining events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations. [float] [[find-events-analyze]] @@ -17,9 +17,9 @@ In KQL, this translates to any event with the `agent.type` set to either: To find events that can be visually analyzed: -. First, view a list of events by doing one of the following: +. First, display a list of events by doing one of the following: * Go to *Explore* -> *Hosts*, then select the *Events* tab. A list of all your hosts' events appears at the bottom of the page. -* Go to *Alerts*, then scroll down to view the Alerts table. +* Go to *Alerts*, then scroll down to the Alerts table. . Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting *Enter*: ** `agent.type:"endpoint" and process.entity_id :*` + @@ -49,7 +49,7 @@ TIP: You can also analyze events from <>. Within the visual analyzer, each cube represents a process, such as an executable file or network event. Click and drag in the analyzer to explore the hierarchy of all process relationships. -To understand what fields were used to create the process, select the **Process Tree** to view the schema that created the graphical view. The fields included are: +To understand what fields were used to create the process, select the **Process Tree** to show the schema that created the graphical view. The fields included are: * `SOURCE`: Can be either `endpoint` or `winlogbeat` * `ID`: Event field that uniquely identifies a node @@ -58,7 +58,7 @@ To understand what fields were used to create the process, select the **Process [role="screenshot"] image::images/process-schema.png[] -View the **Legend** to understand the state of each process node. +Click the **Legend** to show the state of each process node. [role="screenshot"] image::images/node-legend.png[] @@ -96,6 +96,7 @@ To learn more about each related process, select the process in the left panel o * The `process-pid` * The user name and domain that ran the process * Any other relevant process information +* Any associated alerts [role="screenshot"] image::images/process-details.png[] @@ -109,9 +110,20 @@ Events are categorized based on the `event.category` value. [role="screenshot"] image::images/event-type.png[] -When you select an `event.category` pill, all the events within that category are listed in the left panel. To view more details about a specific event, select it from the list. +When you select an `event.category` pill, all the events within that category are listed in the left panel. To display more details about a specific event, select it from the list. [role="screenshot"] image::images/event-details.png[] NOTE: In {stack} versions 7.10.0 and newer, there is no limit to the number of events that can be associated with a process. However, in {stack} versions 7.9.0 and earlier, each process is limited to only 100 events. + +To examine alerts associated with the event, select the alert pill (*_x_ alert*). The left pane lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert's details. + +In the example screenshot below, five alerts were generated by the analyzed event (`lsass.exe`). The left pane displays the associated alerts and basic information about each one. + +preview::[] + +NOTE: This is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. In addition, to display it in {elastic-security} you must add the `xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']` feature flag to the `kibana.yml` file. + +[role="screenshot"] +image::images/alert-pill.png[]