From daa61c42b1d47d841dde2a3055f09e4ab2fabc8b Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 3 Oct 2022 09:45:24 -0400 Subject: [PATCH 1/4] First draft --- docs/detections/alerts-view-details.asciidoc | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index a3bd6da716..0a8b4c20a0 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc 
@@ -58,18 +58,13 @@ The Insights section provides the following details: * *Cases related to the alert* - Shows the total number and names of cases to which the alert has been added. Click a case's name to open its details. * *Alerts related by source event* - Shows the ten most recent alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the *Investigate in timeline* button to examine related alerts in Timeline. -* *Alerts related by session ID* - Shows the ten most recent alerts generated during the same <>. These alerts share the same Session ID, which is a unique ID for tracking a given Linux session. +* *Alerts related by session ID* - Shows the ten most recent alerts generated during the same <>. These alerts share the same Session ID, which is a unique ID for tracking a given Linux session. To use this feature, the *Include session data* setting must be enabled on your {elastic-defend} integration policy. Refer to <> for more information. + -beta::[] -+ -NOTE: This feature requires a https://www.elastic.co/pricing[Platinum or Enterprise subscription]. In addition, the *Include session data* setting must be enabled on your {elastic-defend} integration policy. Refer to <> for more information. +NOTE: This feature requires a https://www.elastic.co/pricing[Platinum or Enterprise subscription]. * *Alerts related by process ancestry* - Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click *Investigate in timeline*. + -beta::[] -+ -NOTE: This feature requires a https://www.elastic.co/pricing[Platinum or Enterprise subscription]. 
In addition, to display it within the Insights section, you must also add the following feature flag to the `kibana.yml` file: -`xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']` +NOTE: This feature requires a https://www.elastic.co/pricing[Platinum or Enterprise subscription]. [discrete] [[enriched-data-overview]] From c1d3bb625a44f4d680b41d44cc97e576ef4b31b8 Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 4 Oct 2022 16:09:51 -0400 Subject: [PATCH 2/4] Update docs/detections/alerts-view-details.asciidoc Co-authored-by: Joe Peeples --- docs/detections/alerts-view-details.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index 0a8b4c20a0..b358cb840c 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc 
@@ -58,7 +58,7 @@ The Insights section provides the following details: * *Cases related to the alert* - Shows the total number and names of cases to which the alert has been added. Click a case's name to open its details. * *Alerts related by source event* - Shows the ten most recent alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the *Investigate in timeline* button to examine related alerts in Timeline. -* *Alerts related by session ID* - Shows the ten most recent alerts generated during the same <>. These alerts share the same Session ID, which is a unique ID for tracking a given Linux session. To use this feature, the *Include session data* setting must be enabled on your {elastic-defend} integration policy. Refer to <> for more information. +* *Alerts related by session ID* - Shows the ten most recent alerts generated during the same <>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the *Include session data* setting on your {elastic-defend} integration policy. Refer to <> for more information. + NOTE: This feature requires a https://www.elastic.co/pricing[Platinum or Enterprise subscription]. From 86829ca7ab6cbe007b394f199cd9a54c5638f74e Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 4 Oct 2022 16:16:56 -0400 Subject: [PATCH 3/4] Joe's suggestion --- docs/detections/alerts-view-details.asciidoc | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index b358cb840c..98907dec99 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc 
@@ -58,13 +58,11 @@ The Insights section provides the following details: * *Cases related to the alert* - Shows the total number and names of cases to which the alert has been added. Click a case's name to open its details. * *Alerts related by source event* - Shows the ten most recent alerts created by the same source event. This can help you find alerts with a shared origin and provide more context about the source event. Click the *Investigate in timeline* button to examine related alerts in Timeline. -* *Alerts related by session ID* - Shows the ten most recent alerts generated during the same <>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the *Include session data* setting on your {elastic-defend} integration policy. Refer to <> for more information. -+ -NOTE: This feature requires a https://www.elastic.co/pricing[Platinum or Enterprise subscription]. +If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], these details are also included: + +* *Alerts related by session ID* - Shows the ten most recent alerts generated during the same <>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the *Include session data* setting on your {elastic-defend} integration policy. Refer to <> for more information. * *Alerts related by process ancestry* - Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click *Investigate in timeline*. -+ -NOTE: This feature requires a https://www.elastic.co/pricing[Platinum or Enterprise subscription]. [discrete] [[enriched-data-overview]] 
@@ -113,15 +111,3 @@ Matched threats are organized into several sections, described below. Within eac * *Enriched with Threat Intelligence*: This section shows indicator matches that {elastic-sec} found when querying the alert for fields with threat intelligence. You can use the date time picker to modify the query time frame, which looks at the past 30 days by default. Click the **Inspect** button, located on the far right of the threat label, to view more information on the query. If threat matches are not discovered within the selected time frame, the section displays a message that none are available. NOTE: The event enrichment query uses the indices specified in the `securitySolution:defaultThreatIndex` advanced setting. For more information, refer to <>. - -//// -[discrete] -=== Table tab - -The *Table* tab shows the alert details in table format. Alert details are organized into field value pairs. - -[float] -=== JSON tab - -The *JSON* tab shows the alert details in JSON format. -//// From 9a2c3af4e49592b895353c161f1fc1d48740408e Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 6 Oct 2022 14:41:52 -0400 Subject: [PATCH 4/4] Update docs/detections/alerts-view-details.asciidoc Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> --- docs/detections/alerts-view-details.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index 98907dec99..ca1b532c0b 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc 
@@ -61,7 +61,7 @@ The Insights section provides the following details: If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], these details are also included: -* *Alerts related by session ID* - Shows the ten most recent alerts generated during the same <>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the *Include session data* setting on your {elastic-defend} integration policy. Refer to <> for more information. +* *Alerts related by session ID* - Shows the ten most recent alerts generated during the same <>. These alerts share the same session ID, which is a unique ID for tracking a given Linux session. To use this feature, you must enable the *Include session data* setting in your {elastic-defend} integration policy. Refer to <> for more information. * *Alerts related by process ancestry* - Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click *Investigate in timeline*. [discrete]
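Review bot: in the PATCH 1/4 hunk (`@@ -58,18 +58,13 @@`), deleting the line `xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']` together with its lead sentence removes the only instruction that tells a reader how to make the *Alerts related by process ancestry* panel appear; confirm the feature is on by default in the release this page targets, otherwise keep the `kibana.yml` flag text. The same hunk drops the `beta::[]` admonition from both the session-ID and process-ancestry bullets, so the change declares both features GA at once; that should be stated in the commit message instead of "First draft" so the history records why the markers went away.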
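Review bot: in the PATCH 2/4 hunk (`@@ -58,7 +58,7 @@`), the rewritten bullet now reads "share the same session ID, which is a unique ID for tracking a given Linux session", which is redundant after lowercasing "Session ID"; consider "which is a unique identifier for a given Linux session". The switch to the imperative "you must enable the *Include session data* setting" matches the voice of the neighbouring bullets ("Click a case's name", "Click the *Investigate in timeline* button"), so that part is an improvement.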
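Review bot: in the first PATCH 3/4 hunk (`@@ -58,13 +58,11 @@`), the added paragraph "If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], these details are also included:" sits between bullets without a `+` continuation, so in AsciiDoc it ends the first list and opens a second one; that is the intended rendering, but the unchanged lead-in in the hunk header, "The Insights section provides the following details:", then covers only the first two bullets, so consider softening it (for example "The Insights section can provide the following details:") so it does not read as the complete list. Collapsing the two identical `NOTE: This feature requires ...` admonitions into one gating sentence is the right consolidation.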
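Review bot: in the second PATCH 3/4 hunk (`@@ -113,15 +111,3 @@`), the removed `////` comment block (the *Table tab* and *JSON tab* stubs) defines no `[[anchor]]` ids, so no cross-references elsewhere in the book can break, and deleting commented-out content is preferable to carrying it; note that the removed block mixed `[float]` and `[discrete]` on sibling headings, so if that text is ever restored it should use `[discrete]` like the rest of this file. The preceding context line "You can use the date time picker" could be hyphenated as "date-time picker" in a follow-up.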
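Review bot: the PATCH 4/4 hunk (`@@ -61,7 +61,7 @@`) changes only "on your {elastic-defend} integration policy" to "in your {elastic-defend} integration policy"; since this same bullet has now been rewritten in three of the four commits (2/4, 3/4 and 4/4), consider squashing the series before merge so the file history shows one coherent edit rather than a draft followed by three review-suggestion commits.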