diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index fa605a065f..1613a1074b 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc @@ -150,6 +150,7 @@ From the Alerts table or the alert details flyout, you can: * <> * <> * <> +* <> [float] [[detection-alert-status]] diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index 9c35e8b79f..9ccb359d73 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc @@ -41,10 +41,10 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo * Find basic details about the alert, such as the: ** Associated rule -** Alert status -** Date and time the alert was created +** Alert status and when the alert was created ** Alert severity and risk score (these are inherited from rule that generated the alert) ** Users assigned to the alert (click the **Assign alert** image:images/assign-alert.png[Assign alert,15,15] icon to assign more users) +** Notes attached to the alert (click the **Add note** image:images/add-note-icon.png[Add note,15,15] icon to create a new note) * Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. 
@@ -312,3 +312,13 @@ The **Response** section is located on the **Overview** tab in the right panel. image::images/response-action-rp.png[Response section of the Overview tab, 50%] +[discrete] +[[expanded-notes-view]] +== Notes + +The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert. + +TIP: Go to the **Notes** <> to find notes that were added to other alerts. + +[role="screenshot"] +image::images/notes-tab-lp.png[Notes tab in the left panel, 70%] diff --git a/docs/detections/images/add-note-icon.png b/docs/detections/images/add-note-icon.png new file mode 100644 index 0000000000..e854c2b52c Binary files /dev/null and b/docs/detections/images/add-note-icon.png differ diff --git a/docs/detections/images/notes-tab-lp.png b/docs/detections/images/notes-tab-lp.png new file mode 100644 index 0000000000..e277a109f7 Binary files /dev/null and b/docs/detections/images/notes-tab-lp.png differ diff --git a/docs/detections/notes-page-timeline-details.png b/docs/detections/notes-page-timeline-details.png new file mode 100644 index 0000000000..1c83c81df4 Binary files /dev/null and b/docs/detections/notes-page-timeline-details.png differ diff --git a/docs/events/add-manage-notes.asciidoc b/docs/events/add-manage-notes.asciidoc new file mode 100644 index 0000000000..721b2874eb --- /dev/null +++ b/docs/events/add-manage-notes.asciidoc 
@@ -0,0 +1,46 @@ +[[add-manage-notes]] += Notes + +Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page. + +NOTE: Configure the `securitySolution:maxUnassociatedNotes` <> to specify the maximum number of notes that you can attach to alerts and events. + +[discrete] +[[notes-alerts-events]] +== View and add notes to alerts and events + +Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (image:images/create-note-icon.png[Add note action,15,15]) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it. + +After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert. + +[role="screenshot"] +image::images/new-note-alert-event.png[New note added to an alert] + +[discrete] +[[notes-timelines]] +== View and add notes to Timelines + +IMPORTANT: You can only add notes to saved Timelines. + +Open the **Notes** Timeline tab, where you can view existing notes for the Timeline and add new ones. Alternatively, use the details flyout for alerts and events that you're investigating from Timeline. Be aware that notes added this way are automatically attached to the alert or event and the Timeline unless you deselect the **Attach to current Timeline** option. + +After notes are created, the **Notes** Timeline tab displays the total number of notes attached to the Timeline. + +[role="screenshot"] +image::images/new-note-timeline-tab.png[New note added to a Timeline] + +[discrete] +[[manage-notes]] +== Manage all notes + +Use the **Notes** page to view and interact with all existing notes. 
To access the page, navigate to *Investigations* in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **Notes**. From the **Notes** page, you can: + +* Search for specific notes +* Filter notes by the user who created them or by the object they're attached to (notes can be attached to alerts, events, or Timelines) +* Examine the contents of a note (click the text in the **Note content** column) +* Delete one or more notes +* Examine the alert or event that a note is attached to (click the **Expand alert/event details** image:images/notes-page-document-details.png[Preview alert or event action,15,15] icon) +* Open the Timeline that the note is attached to (click the **Open saved timeline** image:images/notes-page-timeline-details.png[Open Timeline action,15,15] icon) + +[role="screenshot"] +image::images/notes-management-page.png[Notes management page] \ No newline at end of file diff --git a/docs/events/images/add-note-icon.png b/docs/events/images/add-note-icon.png new file mode 100644 index 0000000000..e854c2b52c Binary files /dev/null and b/docs/events/images/add-note-icon.png differ diff --git a/docs/events/images/create-note-icon.png b/docs/events/images/create-note-icon.png new file mode 100644 index 0000000000..7c0b44955e Binary files /dev/null and b/docs/events/images/create-note-icon.png differ diff --git a/docs/events/images/new-note-alert-event.png b/docs/events/images/new-note-alert-event.png new file mode 100644 index 0000000000..33e47fd17e Binary files /dev/null and b/docs/events/images/new-note-alert-event.png differ diff --git a/docs/events/images/new-note-timeline-tab.png b/docs/events/images/new-note-timeline-tab.png new file mode 100644 index 0000000000..72e9c36826 Binary files /dev/null and b/docs/events/images/new-note-timeline-tab.png differ 
diff --git a/docs/events/images/notes-management-page.png b/docs/events/images/notes-management-page.png new file mode 100644 index 0000000000..78ee8f55bb Binary files /dev/null and b/docs/events/images/notes-management-page.png differ diff --git a/docs/events/images/notes-page-document-details.png b/docs/events/images/notes-page-document-details.png new file mode 100644 index 0000000000..4070d1e3d0 Binary files /dev/null and b/docs/events/images/notes-page-document-details.png differ diff --git a/docs/events/images/notes-page-timeline-details.png b/docs/events/images/notes-page-timeline-details.png new file mode 100644 index 0000000000..1c83c81df4 Binary files /dev/null and b/docs/events/images/notes-page-timeline-details.png differ diff --git a/docs/events/investigations-index.asciidoc b/docs/events/investigations-index.asciidoc index 6638374f36..a6ea126728 100644 --- a/docs/events/investigations-index.asciidoc +++ b/docs/events/investigations-index.asciidoc @@ -9,3 +9,4 @@ include::timeline-templates.asciidoc[leveloffset=+2] include::../detections/visual-event-analyzer.asciidoc[leveloffset=+1] include::../cloud-native-security/session-view.asciidoc[leveloffset=+1] include::../osquery/osquery-index.asciidoc[leveloffset=+1] +include::add-manage-notes.asciidoc[leveloffset=+1] diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index 9d2dc54ef6..ebaaa901f9 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc @@ -72,8 +72,7 @@ You can also modify a Timeline's display in other ways: * Copy a column name or values to a clipboard * Change how the name, value, and description of a field are displayed in Timeline * View the Timeline in full screen mode -* Add or delete notes on individual events -* Add or delete investigation notes on the entire Timeline +* Add or delete <> attached to alerts, events, or Timeline * Pin interesting events to the Timeline [discrete] 
diff --git a/docs/getting-started/advanced-setting.asciidoc b/docs/getting-started/advanced-setting.asciidoc index afde06a108..5b42c219fe 100644 --- a/docs/getting-started/advanced-setting.asciidoc +++ b/docs/getting-started/advanced-setting.asciidoc @@ -179,6 +179,12 @@ By default, Elastic prebuilt rules in the *Rules* and *Rule Monitoring* tables i The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to <>. +[discrete] +[[max-notes-alerts-events]] +== Set the maximum notes limit for alerts and events + +The `securitySolution:maxUnassociatedNotes` field determines the maximum number of <> that you can attach to alerts and events. The maximum limit and default value is 1000. + [discrete] [[exclude-cold-frozen-data-rule-executions]] == Exclude cold and frozen data from rule executions
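Review bot: The binary additions are inconsistent. `docs/detections/notes-page-timeline-details.png` is added directly under `docs/detections/` rather than `docs/detections/images/`, carries the same blob (`1c83c81df4`) as `docs/events/images/notes-page-timeline-details.png`, and nothing in the patch references the `docs/detections/` copy, so it looks misplaced and should be dropped or moved. Similarly, `docs/events/images/add-note-icon.png` (blob `e854c2b52c`, identical to `docs/detections/images/add-note-icon.png`) is added but never referenced: `add-manage-notes.asciidoc` uses `images/create-note-icon.png` for the same **Add note** action that `alerts-view-details.asciidoc` illustrates with `add-note-icon.png`. Pick one icon file for that action, reference it from both pages, and remove the unused one.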
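Review bot: Wording in the new `== Notes` section of `alerts-view-details.asciidoc`: "shows all notes attached to the alert, in addition to the user who created them and when they were created" reads as if the user is another item being shown; "shows all notes attached to the alert, along with who created each note and when" is clearer. The sentence about the summary updating with the note count also repeats the same statement made in `add-manage-notes.asciidoc` ("the alert summary in the right panel also shows how many notes are attached to the alert"); keep the wording identical in both places so they do not drift.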
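Review bot: In the new `add-manage-notes.asciidoc`, the UI labels and alt text disagree in the **Manage all notes** list: the action is named **Expand alert/event details** while its image alt text says "Preview alert or event action", and **Open saved timeline** uses lowercase "timeline" where every other occurrence on the page capitalises "Timeline"; align both. Two smaller points in the same hunk: "navigate to *Investigations* in the main navigation menu or by using the ... global search field" is not parallel (suggest "navigate to *Investigations* in the main navigation menu or use the ... global search field"), and the page mixes `*Investigations*` with `**Notes**` for bold, so pick one form. Also, the `NOTE:` describes `securitySolution:maxUnassociatedNotes` as the maximum number of notes you can attach to alerts and events, but the setting name says "unassociated"; if these are the same population (notes not associated with a Timeline), say so in one clause so readers can map the name to the behaviour. Finally, the file is committed without a trailing newline (`\ No newline at end of file`).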
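Review bot: In the `timeline-ui-overview.asciidoc` hunk the replacement bullet ends "attached to alerts, events, or Timeline"; the other two nouns are plural, so this should read "alerts, events, or Timelines", matching "You can attach notes to alerts, events, and Timelines" in `add-manage-notes.asciidoc`. Note also that the two removed bullets distinguished notes on individual events from investigation notes on the whole Timeline; collapsing them into one bullet is fine only because the cross-referenced page covers both cases, so make sure that target is the new `add-manage-notes` page and not the alert-specific section.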
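Review bot: In the `advanced-setting.asciidoc` hunk, "The maximum limit and default value is 1000." is ambiguous about whether 1000 is both the highest value you can configure and the default, or whether the default simply happens to equal the current limit; suggest "The default value is 1000, which is also the maximum you can set." The section should also say what happens when the limit is reached (for example, whether adding a further note fails with an error), since that is the behaviour an operator tuning this setting needs to know, and the description of what the limit applies to should use the same wording as the `NOTE:` in `add-manage-notes.asciidoc`.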