From 83b2962b2b83183d9b40429e7648435cc112b1bb Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 24 Oct 2024 22:51:43 -0400 Subject: [PATCH 1/9] First draft --- docs/events/timeline-templates.asciidoc | 5 +++-- docs/events/timeline-ui-overview.asciidoc | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/events/timeline-templates.asciidoc b/docs/events/timeline-templates.asciidoc index b4e90f9535..657904ccdc 100644 --- a/docs/events/timeline-templates.asciidoc +++ b/docs/events/timeline-templates.asciidoc @@ -74,7 +74,8 @@ filter (refer to <>). . Choose one of the following: + -** Go to **Timelines** → **Templates**, then click **Create new Timeline template**. +** Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +** Select the **Templates** tab, then click **Create new Timeline template**. ** Go to the Timeline bar (which is at the bottom of most pages), click the image:images/add-new-timeline-button.png[Click the add new button,20,20] button, then click **Create new Timeline template**. ** From an open Timeline or Timeline template, click **New** -> **New Timeline template**. @@ -138,7 +139,7 @@ NOTE: You cannot delete prebuilt templates. You can import and export Timeline templates, which enables importing templates from one {kib} space or instance to another. Exported templates are saved in an `ndjson` file. -. Go to *Timelines* -> *Templates*. +. Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select the **Templates** tab. . To export templates, do one of the following: * To export one template, click the *All actions* icon in the relevant row and diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index fe3d534f8e..09ebfa7590 100644 --- a/docs/events/timeline-ui-overview.asciidoc 
+++ b/docs/events/timeline-ui-overview.asciidoc @@ -25,7 +25,7 @@ retrieved from the alert. For more information, refer to < **New Timeline**. @@ -175,7 +175,7 @@ You can export and import Timelines, which enables you to share Timelines from o To export Timelines: -* Go to *Timelines*. +* Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. * Either click the *All actions* menu in the relevant row and select *Export selected*, or select multiple Timelines and then click *Bulk actions* -> *Export selected*. To import Timelines: From 8ba91a1de0952865d1a578505f044fc8a4054e17 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 24 Oct 2024 23:04:24 -0400 Subject: [PATCH 2/9] Fixed outdated instruction --- docs/events/timeline-templates.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/events/timeline-templates.asciidoc b/docs/events/timeline-templates.asciidoc index 657904ccdc..dcda6cb2cd 100644 --- a/docs/events/timeline-templates.asciidoc +++ b/docs/events/timeline-templates.asciidoc @@ -113,13 +113,13 @@ value is retrieved from the alert's `process.name` field. You can view, duplicate, export, delete, and create templates from existing Timelines: -. Go to *Timelines* -> *Templates*. +. Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select the **Templates** tab. + [role="screenshot"] image::images/all-actions-timeline-ui.png[] -. Click the *All actions* icon in the relevant row, and then select the action: +. Click the *All actions* icon in the relevant row, and then select the action: * *Create timeline from template* (refer to <>) * *Duplicate template* From 82a3d3a8fedc640956569637a9a2654084751965 Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Thu, 24 Oct 2024 23:21:08 -0400 Subject: [PATCH 3/9] More updates --- docs/cloud-native-security/session-view.asciidoc | 2 ++ docs/detections/visual-event-analyzer.asciidoc | 4 ++-- docs/osquery/invest-guide-run-osquery.asciidoc | 5 ++++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/cloud-native-security/session-view.asciidoc b/docs/cloud-native-security/session-view.asciidoc index 9423e8be17..b73ec7f38c 100644 --- a/docs/cloud-native-security/session-view.asciidoc +++ b/docs/cloud-native-security/session-view.asciidoc @@ -31,6 +31,7 @@ Session View uses process data collected by the {elastic-defend} integration, but this data is not always collected by default. To confirm that Session View data is enabled: . Go to *Manage* -> *Policies*, and edit one or more of your {elastic-defend} integration policies. +//Update the first step. . Select the *Policy settings* tab, then scroll down to the Linux event collection section near the bottom. . Check the box for *Process* events, and turn on the *Collect session data* toggle. . If you want to include file and network alerts in Session View, check the boxes for *Network* and *File* events. @@ -125,6 +126,7 @@ From a security perspective, terminal output is important because it offers a me To enable terminal output data capture: . Go to *Manage* -> *Policies*, then select one or more of your {elastic-defend} integration policies to edit. +//Update the first step. . On the *Policy settings* tab, scroll down to the Linux event collection section near the bottom of the page and select the *Collect session data* and *Capture terminal output* options. diff --git a/docs/detections/visual-event-analyzer.asciidoc b/docs/detections/visual-event-analyzer.asciidoc index 4e422292e5..7356f73eb8 100644 --- a/docs/detections/visual-event-analyzer.asciidoc +++ b/docs/detections/visual-event-analyzer.asciidoc 
@@ -20,8 +20,8 @@ In KQL, this translates to any event with the `agent.type` set to either: To find events that can be visually analyzed: . First, display a list of events by doing one of the following: -* Go to *Explore* -> *Hosts*, then select the *Events* tab. A list of all your hosts' events appears at the bottom of the page. -* Go to *Alerts*, then scroll down to the Alerts table. +* Find **Hosts** in the main menu, or search for `Security/Explore/Hosts` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select the *Events* tab. A list of all your hosts' events appears at the bottom of the page. +* Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then scroll down to the Alerts table. . Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting *Enter*: ** `agent.type:"endpoint" and process.entity_id :*` + diff --git a/docs/osquery/invest-guide-run-osquery.asciidoc b/docs/osquery/invest-guide-run-osquery.asciidoc index 2419a9e489..103a67f073 100644 --- a/docs/osquery/invest-guide-run-osquery.asciidoc +++ b/docs/osquery/invest-guide-run-osquery.asciidoc 
@@ -19,7 +19,8 @@ image::images/osquery-investigation-guide.png[Shows a live query in an investiga NOTE: You can only add Osquery to investigation guides for custom rules because prebuilt rules cannot be edited. -. Go to *Rules* -> *Detection rules (SIEM)*, select a rule, then click *Edit rule settings* on the rule details page. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Select a rule to open the its details, then click *Edit rule settings*. . Select the *About* tab, then expand the rule's advanced settings. . Scroll down to the Investigation guide section. In the toolbar, click the *Osquery* button (image:images/osquery-button.png[Click the Osquery button,20,20]). .. Add a descriptive label for the query; for example, `Search for executables`. @@ -39,6 +40,8 @@ image::images/setup-osquery-investigation-guide.png[width=70%][height=70%][Shows [[run-live-queries-ig]] === Run live queries from an investigation guide +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Select a rule to open the its details. . Go to *Rules* -> *Detection rules (SIEM)*, then select a rule to open its details. . Go to the About section of the rule details page and click *Investigation guide*. . Click the query. The Run Osquery pane displays with the *Query* field autofilled. Do the following: From 26f2c549bfd4ea2ce819d328c1a7e0ccb5d1271a Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Wed, 30 Oct 2024 00:03:21 -0400 Subject: [PATCH 4/9] Updates to cases --- docs/cases/cases-manage-settings.asciidoc | 2 +- docs/cases/cases-manage.asciidoc | 6 +++--- docs/cloud-native-security/session-view.asciidoc | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/cases/cases-manage-settings.asciidoc b/docs/cases/cases-manage-settings.asciidoc index f1ed423dba..3b63dc26a4 100644 --- a/docs/cases/cases-manage-settings.asciidoc +++ b/docs/cases/cases-manage-settings.asciidoc @@ -5,7 +5,7 @@ :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [analyze] -To change case closure options and add custom fields, templates, and connectors for external incident management systems, go to *Cases* -> *Settings*. +To change case closure options and add custom fields, templates, and connectors for external incident management systems, find **Cases** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**. [role="screenshot"] image::images/cases-settings.png[Shows the case settings page] diff --git a/docs/cases/cases-manage.asciidoc b/docs/cases/cases-manage.asciidoc index 4436afeb22..eb8906a010 100644 --- a/docs/cases/cases-manage.asciidoc +++ b/docs/cases/cases-manage.asciidoc 
@@ -14,7 +14,7 @@ You can create and manage cases using the UI or the <>. Open a new case to keep track of security issues and share their details with colleagues. -. Go to *Cases*, then click *Create case*. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the *Create case* button inside the table. +. Find **Cases** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click *Create case*. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the *Create case* button inside the table. . If you defined <>, you can optionally select one to use its default field values. preview:[] @@ -232,7 +232,7 @@ The following attachments are _not_ exported: To export a case: -. Open the main menu, go to *Stack Management -> {kib}*, then select the *Saved Objects* tab. +. Find *Saved Objects* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Search for the case by choosing a saved object type or entering the case title in the search bar. . Select one or more cases, then click the *Export* button. . Click *Export*. A confirmation message that your file is downloading displays. @@ -249,7 +249,7 @@ image::images/cases-export-button.png[Shows the export saved objects workflow] To import a case: -. Open the main menu, go to *Stack Management -> {kib}*, then select the *Saved Objects* tab. +. Find *Saved Objects* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Import*. . Select the NDJSON file containing the exported case and configure the import options. . Click *Import*. diff --git a/docs/cloud-native-security/session-view.asciidoc b/docs/cloud-native-security/session-view.asciidoc index b73ec7f38c..362ffddeb2 100644 --- a/docs/cloud-native-security/session-view.asciidoc 
+++ b/docs/cloud-native-security/session-view.asciidoc @@ -30,8 +30,8 @@ NOTE: To view Linux session data from your Kubernetes infrastructure, you'll nee Session View uses process data collected by the {elastic-defend} integration, but this data is not always collected by default. To confirm that Session View data is enabled: -. Go to *Manage* -> *Policies*, and edit one or more of your {elastic-defend} integration policies. -//Update the first step. +. Find **Policies** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Select one or more of your {elastic-defend} integration policies to edit. . Select the *Policy settings* tab, then scroll down to the Linux event collection section near the bottom. . Check the box for *Process* events, and turn on the *Collect session data* toggle. . If you want to include file and network alerts in Session View, check the boxes for *Network* and *File* events. @@ -125,8 +125,8 @@ From a security perspective, terminal output is important because it offers a me To enable terminal output data capture: -. Go to *Manage* -> *Policies*, then select one or more of your {elastic-defend} integration policies to edit. -//Update the first step. +. Find **Policies** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Select one or more of your {elastic-defend} integration policies to edit. . On the *Policy settings* tab, scroll down to the Linux event collection section near the bottom of the page and select the *Collect session data* and *Capture terminal output* options. From 5b34a8a62238c1a897120d6a7e6c936207a491b9 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 30 Oct 2024 17:03:17 -0400 Subject: [PATCH 5/9] Last update --- docs/cases/indicators-of-compromise.asciidoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/docs/cases/indicators-of-compromise.asciidoc b/docs/cases/indicators-of-compromise.asciidoc index c7d25f852c..d75e3e01fc 100644 --- a/docs/cases/indicators-of-compromise.asciidoc +++ b/docs/cases/indicators-of-compromise.asciidoc @@ -29,9 +29,7 @@ An indicator, also referred to as an IoC, is a piece of information associated w Install a threat intelligence integration to add indicators to the Indicators page. -. Choose one of the following: -* From the {security-app} main menu, go to *Intelligence* -> *Indicators* -> *Add Integrations*. -* From the {kib} main menu, click *Add integrations*. +. From the {security-app}, click *Add Integrations*. . In the search bar, search for `Threat Intelligence` to get a list of threat intelligence integrations. . Select a threat intelligence integration, then complete the integration's guided installation. + From 31a32ab9dc4cd337d64d38c9ccd649f1e85d8a1a Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 4 Nov 2024 13:57:24 -0500 Subject: [PATCH 6/9] Updates instructions for cases --- docs/cases/cases-manage-settings.asciidoc | 2 +- docs/cases/cases-manage.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/cases/cases-manage-settings.asciidoc b/docs/cases/cases-manage-settings.asciidoc index 3b63dc26a4..1c692cfb2f 100644 --- a/docs/cases/cases-manage-settings.asciidoc +++ b/docs/cases/cases-manage-settings.asciidoc 
@@ -5,7 +5,7 @@ :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [analyze] -To change case closure options and add custom fields, templates, and connectors for external incident management systems, find **Cases** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**. +To change case closure options and add custom fields, templates, and connectors for external incident management systems, find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**. [role="screenshot"] image::images/cases-settings.png[Shows the case settings page] diff --git a/docs/cases/cases-manage.asciidoc b/docs/cases/cases-manage.asciidoc index eb8906a010..f1f85c6025 100644 --- a/docs/cases/cases-manage.asciidoc +++ b/docs/cases/cases-manage.asciidoc @@ -14,7 +14,7 @@ You can create and manage cases using the UI or the <>. Open a new case to keep track of security issues and share their details with colleagues. -. Find **Cases** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click *Create case*. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the *Create case* button inside the table. +. Find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click *Create case*. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the *Create case* button inside the table. . If you defined <>, you can optionally select one to use its default field values. preview:[] From 9ab62f6e453420da6ffea7223a14855b09171fda Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 8 Nov 2024 09:11:56 -0500 Subject: [PATCH 7/9] Update docs/osquery/invest-guide-run-osquery.asciidoc Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/osquery/invest-guide-run-osquery.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/osquery/invest-guide-run-osquery.asciidoc b/docs/osquery/invest-guide-run-osquery.asciidoc index 103a67f073..91577efe02 100644 --- a/docs/osquery/invest-guide-run-osquery.asciidoc +++ b/docs/osquery/invest-guide-run-osquery.asciidoc @@ -40,7 +40,7 @@ image::images/setup-osquery-investigation-guide.png[width=70%][height=70%][Shows [[run-live-queries-ig]] === Run live queries from an investigation guide -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Select a rule to open the its details. . Go to *Rules* -> *Detection rules (SIEM)*, then select a rule to open its details. . Go to the About section of the rule details page and click *Investigation guide*. From 4463237d8c8f0b0e5f40fd8dbe47a9abc7c406ba Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 8 Nov 2024 09:12:02 -0500 Subject: [PATCH 8/9] Update docs/osquery/invest-guide-run-osquery.asciidoc Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/osquery/invest-guide-run-osquery.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/osquery/invest-guide-run-osquery.asciidoc b/docs/osquery/invest-guide-run-osquery.asciidoc index 91577efe02..ceac0931ac 100644 --- a/docs/osquery/invest-guide-run-osquery.asciidoc +++ b/docs/osquery/invest-guide-run-osquery.asciidoc @@ -19,7 +19,7 @@ image::images/osquery-investigation-guide.png[Shows a live query in an investiga NOTE: You can only add Osquery to investigation guides for custom rules because prebuilt rules cannot be edited. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Select a rule to open the its details, then click *Edit rule settings*. . Select the *About* tab, then expand the rule's advanced settings. . Scroll down to the Investigation guide section. In the toolbar, click the *Osquery* button (image:images/osquery-button.png[Click the Osquery button,20,20]). From 107cca71c8fde6f77895116eeced46094f42c70c Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sat, 9 Nov 2024 19:36:03 -0500 Subject: [PATCH 9/9] Nat's edit --- docs/events/timeline-templates.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/events/timeline-templates.asciidoc b/docs/events/timeline-templates.asciidoc index 4b5947f871..3e639c8d5a 100644 --- a/docs/events/timeline-templates.asciidoc +++ b/docs/events/timeline-templates.asciidoc 
@@ -74,8 +74,7 @@ filter (refer to <>). . Choose one of the following: + -** Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -** Select the **Templates** tab, then click **Create new Timeline template**. +** Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Next, select the **Templates** tab, then click **Create new Timeline template**. ** Go to the Timeline bar (which is at the bottom of most pages), click the image:images/add-new-timeline-button.png[Click the add new button,20,20] button, then click **Create new Timeline template**. ** From an open Timeline or Timeline template, click **New** -> **New Timeline template**.
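Review bot: In PATCH 1/9, hunk `@@ -74,7 +74,8 @@` of timeline-templates.asciidoc, splitting the old single option into two `**` bullets changes the meaning of the list: under ". Choose one of the following:" the new `** Select the **Templates** tab, then click ...` line now reads as a standalone alternative rather than the second half of the first path. PATCH 9/9 merges the two bullets back into one, so squash that fix into this commit rather than landing the broken intermediate state.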
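Review bot: In PATCH 1/9, hunk `@@ -138,7 +139,7 @@` of timeline-templates.asciidoc (and in every later hunk of the series), the added text uses unconstrained bold (`**Timelines**`, `**Templates**`) while the surrounding lines use the file's existing constrained form (`*All actions*`, `*Timelines*`). Both render as bold in AsciiDoc, but mixing them in one list is inconsistent; use single asterisks to match the files being edited.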
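Review bot: In PATCH 2/9, hunk `@@ -113,13 +113,13 @@` of timeline-templates.asciidoc, the second change (`-. Click the *All actions* icon in the relevant row, and then select the action:` / `+. Click the *All actions* icon ...`) shows identical text on both lines, so it is a whitespace-only edit (most likely trailing whitespace). Either confirm it is intentional or drop it from the diff; it adds noise to blame for no content change.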
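Review bot: In PATCH 3/9, both hunks of session-view.asciidoc add `//Update the first step.`, a work-in-progress reminder committed into the source. PATCH 4/9 removes both comments again, so these two hunks should be squashed with their PATCH 4/9 replacements so the TODO never lands in history.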
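Review bot: In PATCH 3/9, hunk `@@ -20,8 +20,8 @@` of visual-event-analyzer.asciidoc, the two added bullets use different patterns for the same instruction: the first says `search for `Security/Explore/Hosts` by using the ... global search field`, the second says `or by using the ... global search field` with no search term. Pick one pattern for the whole series (PATCH 6/9 later switches the Cases pages to the search-term form with `Security/Cases`, so the term form appears to be the intended one).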
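Review bot: In PATCH 3/9, hunk `@@ -19,7 +19,8 @@` of invest-guide-run-osquery.asciidoc, the added line `+. Select a rule to open the its details, then click *Edit rule settings*.` has a typo ("the its"); the same typo is added in hunk `@@ -39,6 +40,8 @@` (`+. Select a rule to open the its details.`). PATCH 7/9 and 8/9 touch only the adjacent "Go to the *Rules* page" lines and leave both typos in place (they are visible as context lines there). Fix to "open its details" in this commit.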
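Review bot: In PATCH 3/9, hunk `@@ -39,6 +40,8 @@` of invest-guide-run-osquery.asciidoc, the two new steps are inserted but the old step `. Go to *Rules* -> *Detection rules (SIEM)*, then select a rule to open its details.` is kept as an unchanged context line, so the "Run live queries" procedure now tells the reader to navigate to the rule and open it twice. That line should be a `-` line. The duplication survives to the end of the series (PATCH 7/9's context lines still show all three steps).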
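Review bot: In PATCH 4/9, hunks `@@ -232,7 +232,7 @@` and `@@ -249,7 +249,7 @@` of cases-manage.asciidoc, `+. Find *Saved Objects* in the navigation menu or by using the ... global search field.` drops the location the old step gave (`*Stack Management -> {kib}*`, then the *Saved Objects* tab). Saved Objects is a page under Stack Management, not a top-level navigation entry, so a reader who browses the menu instead of searching has nothing to find. Keep the Stack Management path alongside the global-search option.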
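Review bot: In PATCH 4/9, hunk `@@ -5,7 +5,7 @@` of cases-manage-settings.asciidoc, the added text says "in the navigation menu", while PATCH 1/9 through 3/9 use "in the main menu" for the same instruction (timeline-templates, timeline-ui-overview, visual-event-analyzer, invest-guide-run-osquery). Use one term across the series; the existing files (for example `Open the main menu` in cases-manage.asciidoc) already use "main menu".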
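Review bot: In PATCH 5/9, the hunk in indicators-of-compromise.asciidoc replaces the two navigation options with `+. From the {security-app}, click *Add Integrations*.`, which tells the reader to click a button without saying which page it is on; the removed line named it (`*Intelligence* -> *Indicators* -> *Add Integrations*`). Keep the Indicators page in the step, for example by using the same "find **Indicators** in the main menu or by using the global search field, then click *Add Integrations*" pattern the rest of the series adopts.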