From 50af2bba71cd24f0af90e240ae4356153e3594a4 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 4 Oct 2022 11:03:49 -0400 Subject: [PATCH 1/3] First draft --- docs/detections/visual-event-analyzer.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/detections/visual-event-analyzer.asciidoc b/docs/detections/visual-event-analyzer.asciidoc index c112457b3c..97649d0006 100644 --- a/docs/detections/visual-event-analyzer.asciidoc +++ b/docs/detections/visual-event-analyzer.asciidoc @@ -126,8 +126,7 @@ In the example screenshot below, five alerts were generated by the analyzed even preview::[] -NOTE: Displaying alerts in the process tree is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. In addition, to display it in {elastic-sec} you must add the following feature flag to the `kibana.yml` file: -`xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']` +NOTE: Displaying alerts in the process tree is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. [role="screenshot"] image::images/alert-pill.png[] From 7c53e4e7e2fff920e875c63cd0bed494f78f5684 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 4 Oct 2022 11:05:38 -0400 Subject: [PATCH 2/3] Removed tech prev tag --- docs/detections/visual-event-analyzer.asciidoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/detections/visual-event-analyzer.asciidoc b/docs/detections/visual-event-analyzer.asciidoc index 97649d0006..0d29f74330 100644 --- a/docs/detections/visual-event-analyzer.asciidoc +++ b/docs/detections/visual-event-analyzer.asciidoc 
@@ -124,9 +124,7 @@ To examine alerts associated with the event, select the alert pill (*_x_ alert*) In the example screenshot below, five alerts were generated by the analyzed event (`lsass.exe`). The left pane displays the associated alerts and basic information about each one. -preview::[] - -NOTE: Displaying alerts in the process tree is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. +NOTE: Displaying alerts in the process tree is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. [role="screenshot"] image::images/alert-pill.png[] From 1c84cbab3f7afae0b8fa2ec47afea9e13061533c Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 5 Oct 2022 17:12:27 -0400 Subject: [PATCH 3/3] Joe's suggestion --- docs/detections/visual-event-analyzer.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/visual-event-analyzer.asciidoc b/docs/detections/visual-event-analyzer.asciidoc index 0d29f74330..0695f9a15d 100644 --- a/docs/detections/visual-event-analyzer.asciidoc +++ b/docs/detections/visual-event-analyzer.asciidoc 
@@ -120,11 +120,11 @@ image::images/event-details.png[] NOTE: In {stack} versions 7.10.0 and newer, there is no limit to the number of events that can be associated with a process. However, in {stack} versions 7.9.0 and earlier, each process is limited to only 100 events. +If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also examine alerts associated with events. + To examine alerts associated with the event, select the alert pill (*_x_ alert*). The left pane lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert's details. In the example screenshot below, five alerts were generated by the analyzed event (`lsass.exe`). The left pane displays the associated alerts and basic information about each one. -NOTE: Displaying alerts in the process tree is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. - [role="screenshot"] image::images/alert-pill.png[]
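Review bot: In the first hunk (PATCH 1/3, `@@ -126,8 +126,7 @@`), dropping the `xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']` instruction from the NOTE while leaving `preview::[]` in place leaves the section inconsistent: the feature is no longer documented as experimental, but the page still carries the technical-preview tag right above it. The tag removal should travel in the same commit as the flag removal so an intermediate checkout does not document a feature as preview without telling readers how to enable it; consider also a short version callout stating from which {stack} version the flag is no longer required, since readers on older deployments lose that guidance with this change.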
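Review bot: In the second hunk (PATCH 2/3, `@@ -124,9 +124,7 @@`), the `NOTE: Displaying alerts in the process tree is a ... feature.` line is shown as both removed and re-added with visibly identical text, which usually means a trailing-whitespace or line-ending change. Confirm that the only intended change here is removing `preview::[]` and its blank line, and drop the whitespace churn so the diff stays minimal and blame on that line is preserved.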
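Review bot: In the third hunk (PATCH 3/3, `@@ -120,11 +120,11 @@`), the added sentence "If you have a ... subscription, you can also examine alerts associated with events." is immediately followed by the existing paragraph opening "To examine alerts associated with the event, select the alert pill", so the phrase "examine alerts associated with events" now appears twice in consecutive paragraphs. Consider folding the subscription requirement into the instruction itself, for example "With a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also examine alerts associated with the event: select the alert pill (*_x_ alert*).", which keeps the requirement visible before the steps (a good move from the trailing NOTE) without the repetition.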