[8.5] [DOCS] Add Terminal output view information to Session view doc (backport #2566)

docs/detections/session-view.asciidoc

@@ -1,35 +1,42 @@
 [[session-view]]
 == Session View
 
-beta::[]
-
 Session View is an investigation tool that allows you to examine Linux process data organized
 in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution.
 It displays events in a highly readable format that is inspired by the terminal. This makes it a powerful tool for monitoring
 and investigating session activity on your Linux infrastructure and understanding user and service behavior.
 
+NOTE: Session View requires an https://www.elastic.co/pricing[Enterprise subscription].
+
 [float]
 [[session-view-data]]
 ====== Session View displays:
-* *Interactive and non-interactive processes:* Processes and services with or without a controlling tty.
+* *Interactive and non-interactive processes:* Processes and services with or without a controlling terminal.
 * *User information:* The Linux user that executed each session or process, and any exec user changes.
 * *Process and event telemetry:* Process information included in the Linux logical event model.
 * *Nested sessions:* Sessions started by processes descended from the entry session.
 * *Alerts:* Alerts in the context of the processes which caused them.
+* *Terminal output:* Terminal output associated with each process in the session.
 
 NOTE: To view Linux session data from your Kubernetes infrastructure, you'll need to set up the <<kubernetes-dashboard,Kubernetes dashboard>>.
 
 [float]
 [[enable-session-view]]
 === Enable Session View data
 Session View uses process data collected by the {elastic-defend} integration,
-but this data is not collected by default. To enable Session View data, go to *Manage* -> *Policies*
-and edit one or more of your {elastic-defend} integration policies. On the *Policy settings* tab,
-scroll down to the Linux event collection section near the bottom of the page
-and turn on the *Include session data* toggle. Session View can only display data that was
-collected by {elastic-defend} when this setting was enabled. For more information about the additional
+but this data is not always collected by default. To confirm that Session View data is enabled:
+
+. Go to *Manage* -> *Policies*, and edit one or more of your {elastic-defend} integration policies.
+. Select the *Policy settings* tab, then
+scroll down to the Linux event collection section near the bottom.
+Turn on the *Include session data* toggle if it isn't on already.
+. To enable terminal output capture, turn on the *Capture terminal output* toggle.
+
+Session View can only display data that was collected by {elastic-defend} when *Include session data* was enabled. For more information about the additional
 fields collected by {elastic-defend} when this setting is enabled, refer to the https://github.com/elastic/ecs/blob/main/rfcs/text/0030-linux-event-model.md[Linux event model RFC].
 
+
+
 [float]
 [[open-session-view]]
 === Open Session View
@@ -40,13 +47,10 @@ Events and sessions that you can investigate in Session View have a rectangular
 * On the Alerts page, scroll down to view the Alerts table.
 Look for alerts that have the **Open Session View** button in the **Actions** column:
 [role="screenshot"]
-image::images/session-view-action-icon-detail.png[Detail of the Open Session View icon,width=75%]
+image::images/session-view-action-icon-detail.png[Detail of the Open Session View button,width=75%]
 
 * On the Hosts page (*Explore* -> *Hosts*), select the *Sessions* or the *Events* tab.
-From either of these tabs, click the *Open Session View* icon for an event or session.
-Labeled below are 1) the *Sessions* tab, and 2) the *Open Session View* icon:
-[role="screenshot"]
-image::images/session-view-hosts-page-sessions-tab-labeled.png[Detail of the Hosts page's Sessions tab]
+From either of these tabs, click the *Open Session View* button for an event or session.
 
 [discrete]
 [[session-view-ui]]
@@ -58,7 +62,7 @@ image::images/session-view-terminal-labeled.png[Detail of Session view with labe
 
 1. The *Close Session* and *Full screen* buttons.
 2. The search bar. Use it to find and highlight search terms within the current session.
-The buttons on the right side of the search bar allow you to jump through search results.
+The left and right arrows allow you to navigate through search results.
 3. The *display settings* button. Click to toggle Timestamps and Verbose mode.
 With Verbose mode enabled, Session View shows all processes created in a session, including shell startup,
 shell completion, and forks caused by built-in commands.
@@ -73,8 +77,10 @@ You can also expand collapsed alerts and scripts where they appear.
 Collapsed processes will automatically expand when their contents match a search.
 7. The *Alerts* button. Click to show alerts caused by the parent process. Note the red line to the left
 of the process that caused the alert.
+8. The *Terminal output* button. Hover to see how much output data has been captured from the session. Click to open the terminal output view, which is described in detail below.
+9. The *Refresh session* button. Click to check for any new data from the current session.
 
-Session View includes an additional badge not pictured above:
+Session View includes additional badges not pictured above:
 //
 //* The *Script* button allows you to expand or collapse executed scripts:
 //
@@ -84,4 +90,53 @@ Session View includes an additional badge not pictured above:
 * The *Exec user change* badge highlights exec user changes, such as when a user escalates to root:
 +
 [role="screenshot"]
-image::images/session-view-exec-user-change-badge.png[The Exec user change button,width=80%,height=80%]
+image::images/session-view-exec-user-change-badge.png[The Exec user change badge,width=80%,height=80%]
+
+* The *Output* badge appears next to commands that generated terminal output. Click it to view that command's output in terminal output view.
++
+[role="screenshot"]
+image::images/session-view-output-badge.png[The Output badge,width=80%,height=80%]
+
+[[session-view-output]]
+[discrete]
+=== Terminal output view UI
+
+beta::[]
+
+In general, terminal output is the text that appears in interactive Linux shell sessions. This generally includes user-entered text (terminal input), which appears as output to facilitate editing commands, as well as the text output of executed programs. In certain cases such as password entry, terminal input is not captured as output.
+
+From a security perspective, terminal output is important because it offers a means of exfiltrating data. For example, a command like `cat tls-private-key.pem` could output a web server's private key. Thus, terminal output view can improve your understanding of commands executed by users or adversaries, and assist with auditing and compliance.
+
+To enable terminal output data capture:
+
+. Go to *Manage* -> *Policies*, then select one or more of your {elastic-defend} integration policies to edit.
+. On the *Policy settings* tab, scroll down to the Linux event collection section near the bottom of the page
+and select the *Include session data* and *Capture terminal output* options.
+
+You can configure several additional settings by clicking *Advanced settings* at the bottom of the page:
+
+* `linux.advanced.tty_io.max_kilobytes_per_process`: The maximum number of kilobytes of output to record from a single process. Default: 512 KB. Process output exceeding this value will not be recorded.
+* `linux.advanced.tty_io.max_kilobytes_per_event`: The maximum number of kilobytes of output to send to {es} as a single event. Default: 512 KB. Additional data is captured as a new event.
+* `linux.advanced.tty_io.max_event_interval_seconds`: The maximum interval (in seconds) during which output is batched. Default: 30 seconds. Output will be sent to {es} at this interval (unless it first exceeds the `max_kilobytes_per_event` value, in which case it might be sent sooner).
+
+[role="screenshot"]
+image::images/session-view-output-viewer.png[Terminal output view]
+
+1. Search bar. Use to find and highlight search terms within the current session.
+The left and right arrows allow you to navigate through search results.
+2. Right-side scroll bar. Use along with the bottom scroll bar to navigate output data that doesn't fit on a single screen.
+3. Playback controls and progress bar. Use to advance or rewind the session's commands and output. Click anywhere on the progress bar to jump to that part of the session. The marks on the bar represent processes that generated output. Click them or the *Prev* and *Next* buttons to skip between processes.
+4. *Fit screen*, *Zoom in*, and *Zoom out* buttons. Use to adjust the text size.
+
+TIP: Use Session view's *Fullscreen* button (located next to the *Close session viewer* button) to better fit output with long lines, such as for graphical programs like `vim`.
+
+[discrete]
+[[terminal-output-limitations]]
+==== Terminal output limitations for search and alerting
+You should understand several current limitations before building rules based on terminal output data:
+
+* Terminal output that appears in the `process.io.text` field includes https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797[ANSI codes] that represent, among other things, text color, text weight, and escape sequences. This can prevent EKS queries from matching as expected. Queries of this data will have more success matching single words than more complex strings.
+* Queries of this data should include leading and trailing wildcards (for example `process where process.io.text : "*sudo*"`), since output events typically include multiple lines of output.
+* The search functionality built into terminal output view is subject to similar limitations. For example, if a user accidentally entered `sdo` instead of `sudo`, then pressed backspace twice to fix the typo, the recorded output would be `sdo\b\budo`. This would appear in the terminal output view as `sudo`, but searching terminal output view for `sudo` would not result in a match.
+* Output that seems like it should be continuous may be split into multiple events due to the advanced settings described above, which may prevent a query or search from matching as expected.
+* Rules based on output data will identify which output event's `process.io.text` value matched the alert query, without identifying which specific part of that value matched. For example, the rule query `process.io.text: "*test*"` could match a large, multi-line log file due to a single instance of `test`, without identifying where in the file the instance occurred.