diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index ca1b532c0b..1642a25e04 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc @@ -38,7 +38,7 @@ IMPORTANT: Before investigating alert prevalence data in Timeline, save any Time * *Insights*: Shows relationships with associated alerts to help you quickly identify patterns. Refer to <> for more information. -* *Enriched data*: Displays available threat indicator matches and threat intelligence data. This section only displays when examining alerts with intelligence data. Click the info icon to learn more about what data is collected. Refer to <> for more information. +* *Enriched data*: Displays risk scores for users and hosts, as well as available threat intelligence. Refer to <> and <> to learn more. + [role="screenshot"] image::images/enriched-data-info-icon.png[Informational message on enriched data, 600] 
@@ -65,8 +65,26 @@ If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription * *Alerts related by process ancestry* - Shows alerts that are related by process events on the same linear branch. Note that alerts generated from processes on child or related branches are not shown. To further examine alerts, click *Investigate in timeline*. [discrete] -[[enriched-data-overview]] -==== Enriched data on alerts +[[alerts-enrich-host-user-risk-score]] +==== Alerts enriched with user and host risk scores +Alerts can be enriched with user and host risk scores, which convey the level of risk associated with a specific user and host. Risk levels are `Unknown`, `Low`, `Moderate`, `High`, or `Critical`. Refer to <> and <> to learn how risk scores are calculated. + +NOTE: User and host risk scores are technical preview features and require a www.elastic.co/pricing[Platinum subscription] or higher. You must enable user and host risk score features to access risk scores data. Refer to <> and <> to learn more. + +[role="screenshot"] +image::images/enriched-host-user-rs.png[Host and user risk score subsections with risk scores, 600] + +Two types of user and host risk scores can appear in the Enriched data section: + +* **Current user/host risk classification:** The current risk score of the user or host associated with the alert. +* **Original user/host risk classification:** The first risk score that was calculated for the user or host associated with the alert. ++ +The *Original user/host risk classification* field only displays if the current risk score no longer matches the original risk score. In this situation, both the current and original risk scores appear, showing how the risk changed. + +[discrete] +[[alerts-enrich-ti]] +==== Alerts enriched with threat intelligence +Alerts can be enriched with contextually relevant threat intelligence that you can use for triaging and investigating alerts. 
If available, this information appears in the Enriched data section. When gathering threat intelligence data for an alert, {elastic-sec} queries the alert for indicator matches from the past 30 days. The query looks for the following fields: @@ -83,12 +101,12 @@ When gathering threat intelligence data for an alert, {elastic-sec} queries the If these fields aren't available, {elastic-sec} does not perform the query and does not display threat intelligence data for the alert. -Discovered threat indicator match data is placed under the **Threat Match Detected** subsection of the Overview tab. +Available threat indicator match data appears in the **Threat Match Detected** subsection. [role="screenshot"] image::images/matched-indicator-sub-sec.png[Threat Match Detected subsection with matched file hash, 600] -All other available threat intelligence data is placed under the **Enriched with Threat Intelligence** subsection of the Overview tab. +All other available threat intelligence data appears in the **Enriched with Threat Intelligence** subsection. [role="screenshot"] image::images/threat-intel-sub-sec.png[Enriched with Threat Intelligence subsection with matched file hash, 700] diff --git a/docs/detections/images/enriched-host-user-rs.png b/docs/detections/images/enriched-host-user-rs.png new file mode 100644 index 0000000000..f3a5529b7a Binary files /dev/null and b/docs/detections/images/enriched-host-user-rs.png differ
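Review bot: In the first hunk (the `@@ -38,7 +38,7 @@` bullet list), the rewritten *Enriched data* bullet drops both the condition under which the section is shown and the sentence that explained the info icon, yet the `image::images/enriched-data-info-icon.png[Informational message on enriched data, 600]` screenshot is kept right below it, so the screenshot now illustrates text that no longer exists. Either restore a sentence along the lines of "This section only displays when the alert has risk score or threat intelligence data. Click the info icon to learn more about what data is collected." or remove the screenshot together with the sentence it was attached to.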
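Review bot: In the second hunk (the new `==== Alerts enriched with user and host risk scores` section), the NOTE's link `www.elastic.co/pricing[Platinum subscription]` is missing the `https://` scheme, so AsciiDoc will not render it as a link; the unchanged context line in the same file uses `https://www.elastic.co/pricing[Platinum or Enterprise subscription`, so match that. The same hunk also mixes terms: the intro says "Two types of user and host risk scores can appear", but the two bullets are `**Current user/host risk classification:**` and `**Original user/host risk classification:**`, and the values listed (`Unknown`, `Low`, `Moderate`, `High`, `Critical`) are risk levels, not numeric scores, so "risk classification" or "risk level" should be used consistently in the bullet descriptions and in "showing how the risk changed". Minor wording: "associated with a specific user and host" should read "user or host", and "risk scores data" should be "risk score data". Finally, the hunk deletes the `[[enriched-data-overview]]` anchor and introduces `[[alerts-enrich-host-user-risk-score]]` and `[[alerts-enrich-ti]]`; confirm that no other page in the docs still cross-references `enriched-data-overview`, otherwise the docs build will fail on the dangling xref.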
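Review bot: In the third hunk (`@@ -83,12 +101,12 @@`), replacing "placed under the **Threat Match Detected** subsection of the Overview tab" with "appears in the **Threat Match Detected** subsection" (and likewise for **Enriched with Threat Intelligence**) removes the only statement of which tab the subsections live on; the surrounding context says only that the data "appears in the Enriched data section". Keep the tab reference once, for example "in the **Threat Match Detected** subsection of the Enriched data section on the Overview tab", so a reader can still locate it. Also worth fixing while touching these lines: the unchanged alt text `image::images/threat-intel-sub-sec.png[Enriched with Threat Intelligence subsection with matched file hash, 700]` duplicates the matched-indicator screenshot's description and should describe the threat intelligence view instead.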