diff --git a/docs/getting-started/images/IP-detail-pg.png b/docs/getting-started/images/IP-detail-pg.png index e11f645665..cc18fd1d14 100644 Binary files a/docs/getting-started/images/IP-detail-pg.png and b/docs/getting-started/images/IP-detail-pg.png differ diff --git a/docs/getting-started/images/users/user-details-pg.png b/docs/getting-started/images/users/user-details-pg.png new file mode 100644 index 0000000000..7bec72a6ad Binary files /dev/null and b/docs/getting-started/images/users/user-details-pg.png differ diff --git a/docs/getting-started/images/users/users-page.png b/docs/getting-started/images/users/users-page.png index a0f91d3d36..4d90919223 100644 Binary files a/docs/getting-started/images/users/users-page.png and b/docs/getting-started/images/users/users-page.png differ diff --git a/docs/getting-started/network-page-overview.asciidoc b/docs/getting-started/network-page-overview.asciidoc index 38b100926a..31069250ca 100644 --- a/docs/getting-started/network-page-overview.asciidoc +++ b/docs/getting-started/network-page-overview.asciidoc 
@@ -1,16 +1,37 @@ [[network-page-overview]] = Network page -The Network view provides key network activity metrics in an interactive map -and provides network event tables that enable interaction with the Timeline. You -can drag and drop items of interest from the Network view to Timeline for -further investigation. +The Network page provides key network activity metrics in an interactive map, and network event tables that enable interaction with the Timeline. You can drag and drop items of interest from the Network view to Timeline for further investigation. [role="screenshot"] image::images/network-ui.png[] + +[discrete] +[[map-ui]] +== Map + +The map provides an interactive visual overview of your network traffic. Hover over source and destination points to show more information, such as host names and IP addresses. + NOTE: To access the interactive map, you need either `Read` or `All` privileges for `Maps` (*Kibana Privileges* -> *Analytics* -> *Maps*). To learn more about map setup, refer to <>. +There are several ways to drill down: + +* Click a point, hover over the host name or destination IP, then use the filter icon to add a field to the filter bar. +* Drag a field from the map to Timeline. +* Click a host name to go to the Hosts page. +* Click an IP address to open its details page. + +You can start an investigation using the map, and the map refreshes to show related data when you run a query or update the time range. + + +TIP: To add and remove layers, click on the *Options* menu (*...*) in the top right +corner of the map. + +[[map-widgets-tables]] +[discrete] +== Widgets and data tables* + Interactive widgets let you drill down for deeper insights: * Network events 
@@ -21,40 +42,37 @@ Interactive widgets let you drill down for deeper insights: There are also tabs for viewing and investigating specific types of data: -* *Flows*: Source and destination IP addresses and countries -* *DNS*: DNS network queries +* *Flows*: Source and destination IP addresses and countries. +* *DNS*: DNS network queries. * *HTTP*: Received HTTP requests (HTTP requests for applications using -{apm-app-ref}/apm-getting-started.html[Elastic APM] are monitored by default) -* *TLS*: Handshake details -* *Anomalies*: Anomalies discovered by <> +{apm-app-ref}/apm-getting-started.html[Elastic APM] are monitored by default). +* *TLS*: Handshake details. +* *Anomalies*: Anomalies discovered by <>. * *Events*: All network events. To display <> received from external monitoring tools, scroll down to the Events table and select *Show only external alerts* on the right. The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to <>. +[[ip-details-page]] +[discrete] +== IP details page -*IP detail pages* +An IP's details page shows related network information for the selected IP address. -An IP's detail page shows information for the selected IP address, including links -to external sites for verifying the IP address's reputation. By default, -the external sites are https://talosintelligence.com/[TALOS] and -https://www.virustotal.com/[VIRUSTOTAL]. <> describes how -to configure IP reputation links. +To view an IP's details page, click its IP address link from the Source IPs or Destination IPs table. -To view an IP's detail page, select an IP address from the Source IPs or Destination IPs table. 
+The IP's details page includes the following sections: -[role="screenshot"] -image::images/IP-detail-pg.png[IP details page] +* *Summary*: General details such as the location, when the IP address was first and last seen, the associated host ID and host name, and links to external sites for verifying the IP address's reputation. ++ +NOTE: By default, the external sites are https://talosintelligence.com/[Talos] and +https://www.virustotal.com/[VirusTotal]. Refer to <> to learn how to configure IP reputation links. ++ +* *Alert metrics*: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). ++ +* *Data tables*: The same data tables as on the main Network page, except with values for the selected IP address instead of all IP addresses. -[discrete] -[[map-ui]] -== Map - -The map provides a visual overview of your network traffic. It is interactive, so you can start exploring data directly from the map. Hover over source and destination points to observe more information, such as hostnames and IP addresses. -To drill down, click a point and use the filter icon to add a field to the filter bar or drag a field to Timeline. You can also click a hostname to jump to the Hosts page, or click an IP address to open the relevant network details. - -Just as you can start an investigation using the map, the map refreshes to show relevant data when you run a query or update the time frame. +[role="screenshot"] +image::images/IP-detail-pg.png[IP details page] -TIP: To add and remove layers, click on the *Options* menu (*...*) in the top right -corner of the map. diff --git a/docs/getting-started/users-page.asciidoc b/docs/getting-started/users-page.asciidoc index fc9bc00722..a60260fe4d 100644 --- a/docs/getting-started/users-page.asciidoc +++ b/docs/getting-started/users-page.asciidoc 
@@ -1,29 +1,46 @@ [[users-page]] = Users page -The Users page provides a comprehensive overview of user data to help you understand authentication and user behavior within your environment. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data and drill down for deeper insights. Here's some of the information available to you: +The Users page provides a comprehensive overview of user data to help you understand authentication and user behavior within your environment. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data and drill down for deeper insights. [role="screenshot"] image::images/users/users-page.png[User's page] -*User KPI charts* +The Users page has the following sections: + +[discrete] +== User KPI (key performance indicator) charts* KPI charts show the total number of users and successful and failed user authentications within the time range specified in the date picker. Data in the KPI charts is visualized through linear and bar graphs. TIP: Hover inside a KPI chart to display the actions menu (*...*), where you can perform these actions: inspect, open in Lens, and add to a new or existing case. -[role="screenshot"] -image::images/users/chart-menu.png[Chart menu] -*Data tables* +[discrete] +== Data tables Beneath the KPI charts are data tables, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following details: * *All users*: A chronological list of unique user names, when they were last active, and the associated domains. -* *Authentications*: A chronological list of user authentication events and associated details, such as the number of successes and failures, and the hostname of the last successful destination. 
+* *Authentications*: A chronological list of user authentication events and associated details, such as the number of successes and failures, and the host name of the last successful destination. * *Anomalies*: Unusual activity discovered by machine learning jobs that contain user data. * *Events*: Ingested events that contain the `user.name` field. You can stack by the `event.action`, `event.dataset`, or `event.module` field. To display <> received from external monitoring tools, scroll down to the Events table and select *Show only external alerts* on the right. -* *User risk*: Shows the user risk score and user risk classification of each user name. -+ -NOTE: User risk score is a technical preview feature that must have the `riskyUsersEnabled` feature flag enabled to display. For more information, refer to <>. +* *User risk*: The latest recorded user risk score for each user, and its user risk classification. This feature requires a www.elastic.co/pricing[Platinum subscription] or higher and must be enabled to display the data. Click *Enable* on the *User risk* tab to get started. To learn more, refer to our <>. The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to <>. + +[discrete] +== User details page + + +A user's details page displays all relevant information for the selected user. To view a user's details page, click its *User name* link from the *All users* table. + +The user details page includes the following sections: + +* *Summary*: Details such as the user ID, when the user was first and last seen, the associated IP address(es), and operating system. If the user risk score feature is enabled, this section also displays user risk score data. + +* *Alert metrics*: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). 
+ +* *Data tables*: The same data tables as on the main Users page, except with values for the selected user instead of for all users. + +[role="screenshot"] +image::images/users/user-details-pg.png[User details page] diff --git a/docs/management/hosts/hosts-overview.asciidoc b/docs/management/hosts/hosts-overview.asciidoc index 9653b21633..443213e314 100644 --- a/docs/management/hosts/hosts-overview.asciidoc +++ b/docs/management/hosts/hosts-overview.asciidoc @@ -6,13 +6,19 @@ The Hosts page provides a comprehensive overview of all hosts and host-related s [role="screenshot"] image::images/hosts-ov-pg.png[Hosts page] -*Host KPI charts* +The Hosts page has the following sections: -KPI charts show metrics for hosts and unique IPs within the time range specified in the date picker. Data in the KPI charts is depicted through linear or bar graphs. +[[host-KPI-charts]] +[discrete] +== Host KPI (key performance indicator) charts -NOTE: The default time range is within the last 15 minutes. +KPI charts show metrics for hosts and unique IPs within the time range specified in the date picker. This data is visualized using linear or bar graphs. -*Data tables* +TIP: Hover inside a KPI chart to display the actions menu (*...*), where you can perform these actions: inspect, open in Lens, and add to a new or existing case. + +[[host-data-tables]] +[discrete] +== Data tables Beneath the KPI charts are data tables, categorized by individual tabs, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following data: 
@@ -20,6 +26,7 @@ Beneath the KPI charts are data tables, categorized by individual tabs, which ar * *Uncommon processes*: Uncommon processes running on hosts. * *Anomalies*: Anomalies discovered by machine learning jobs. * *Events*: All host events. To display <> received from external monitoring tools, scroll down to the Events table and select *Show only external alerts* on the right. +* *Host risk*: The latest recorded host risk score for each host, and its host risk classification. This feature requires a www.elastic.co/pricing[Platinum subscription] or higher and must be enabled to display the data. Click *Enable* on the *Host risk* tab to get started. To learn more, refer to our <>. * *Sessions*: Linux process events that you can open in <>, an investigation tool that allows you to examine Linux process data at a hierarchal level. The tables within the *Events* and *Sessions* tabs include inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to <>. 
@@ -27,10 +34,17 @@ The tables within the *Events* and *Sessions* tabs include inline actions and se [role="screenshot"] image::images/events-table.png[Events table] +[[host-details-page]] +[discrete] +== Host details page + +A host's details page displays all relevant information for the selected host. To view a host's details page, click its *Host name* link in the *All hosts* table. -*Host detail pages* +The host details page includes the following sections: -A host's detail page displays all relevant information for the selected host, such as when the host was first and last seen, associated IP addresses, and operating system. It also displays graphs for unique IPs, destinations, and user authentications. To view a host's detail page, click its *Host name* link from the *All hosts* list. +* *Summary*: Details such as the user ID, when the user was first and last seen, the associated IP addresses, and associated operating system. If the user risk score feature is enabled, this section also displays user risk score data. +* *Alert metrics*: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). +* *Data tables*: The same data tables as on the main Hosts page, except with values for the selected host instead of all hosts. [role="screenshot"] -image::images/hosts-detail-pg.png[Hosts detail page] +image::images/hosts-detail-pg.png[Host's details page] diff --git a/docs/management/hosts/images/hosts-detail-pg.png b/docs/management/hosts/images/hosts-detail-pg.png index 22dfb23c98..c9226079c9 100644 Binary files a/docs/management/hosts/images/hosts-detail-pg.png and b/docs/management/hosts/images/hosts-detail-pg.png differ
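Review bot: In the first network-page-overview.asciidoc hunk (`@@ -1,16 +1,37 @@`), the new heading `== Widgets and data tables*` carries a stray trailing asterisk that will render literally; it should read `== Widgets and data tables`. Minor: there is a doubled blank line before the `TIP:` block under the drill-down list; one is enough.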
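Review bot: In the second network-page-overview.asciidoc hunk (`@@ -21,40 +42,37 @@`), only the `NOTE:` block needs a `+` list continuation to attach it to the *Summary* item; the extra `+` lines placed before `* *Alert metrics*:` and before `* *Data tables*:` are unnecessary and risk attaching those bullets to the preceding item rather than keeping them as siblings. Drop those two `+` lines and leave a plain blank line between items.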
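Review bot: In the users-page.asciidoc hunk (`@@ -1,29 +1,46 @@`), `www.elastic.co/pricing[Platinum subscription]` has no URL scheme, so Asciidoctor will not render it as a link; write it as `https://www.elastic.co/pricing[Platinum subscription]`. The new heading `== User KPI (key performance indicator) charts*` also has a stray trailing asterisk. Since the reference to `images/users/chart-menu.png` is removed here, confirm the image file is deleted as well, otherwise it is left orphaned in the repo.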
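Review bot: In the first hosts-overview.asciidoc hunk (`@@ -6,13 +6,19 @@`), the `NOTE: The default time range is within the last 15 minutes.` line is dropped with no replacement; if that default still applies, keep the statement (under the KPI charts heading would fit), since nothing else in the hunk documents it. Style: the new anchor `[[host-KPI-charts]]` is mixed-case while the sibling anchors (`[[host-data-tables]]`, `[[host-details-page]]`) are lowercase; use `[[host-kpi-charts]]` for consistency.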
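Review bot: In the second hosts-overview.asciidoc hunk (`@@ -20,6 +26,7 @@`), the added *Host risk* bullet repeats the scheme-less `www.elastic.co/pricing[Platinum subscription]` link, which will not render as a link; prefix it with `https://`. While here, the unchanged *Sessions* line in the context has the typo `hierarchal` (should be `hierarchical`), which would be a cheap drive-by fix in this same file.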
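Review bot: In the third hosts-overview.asciidoc hunk (`@@ -27,10 +34,17 @@`), the new *Summary* bullet was copied from the Users page and still describes a user: `Details such as the user ID, when the user was first and last seen, ... If the user risk score feature is enabled, this section also displays user risk score data.` On the host details page this should refer to the host ID, when the host was first and last seen, and the host risk score feature. Also, the removed paragraph mentioned graphs for unique IPs, destinations, and user authentications on the host details page; if those are still shown, the new section list should mention them. Minor: the screenshot alt text `Host's details page` does not match the heading `Host details page`.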