First draft
nastasha-solomon committed Dec 14, 2023
1 parent 5d9325f commit 3924db8
Showing 11 changed files with 84 additions and 3 deletions.
68 changes: 67 additions & 1 deletion docs/detections/alerts-ui-manage.asciidoc
Expand Up @@ -139,6 +139,8 @@ From the Alerts table or the alert details flyout, you can:
* <<detection-alert-status>>
* <<add-exception-from-alerts>>
* <<apply-alert-tags>>
* <<assign-users-to-alerts>>
* <<filter-assigned-alerts>>
* <<endpoint-rule-exceptions,Add an endpoint exception from an alert>>
* <<host-isolation-ov,Isolate an alert's host>>
* <<response-actions,Perform response actions on an alert's host>> (Alert details flyout only)
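Review bot: the new cross-reference `<<assign-users-to-alerts>>` does not match the anchor this commit defines for that section later in the same file, `[[assign-alerts-to-users]]`, so the xref will not resolve at build time; rename one of them so the anchor ID and the xref target are identical. `<<filter-assigned-alerts>>` matches its `[[filter-assigned-alerts]]` anchor and is fine.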
Expand All @@ -163,6 +165,8 @@ To change an alert's status, do one of the following:
[role="screenshot"]
image::images/alert-change-status.png[Bulk action menu with multiple alerts selected, 225]

<DocImage size="l" url="../images/alerts-ui-manage/-detections-alert-change-status.png" alt="Bulk action menu with multiple alerts selected"/>

* beta:[] To bulk-change the status of <<group-alerts,grouped alerts>>, select the *Take actions* menu for the group, then select a status.

* In an alert's details flyout, click *Take action* and select a status.
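Review bot: the added `<DocImage size="l" url="../images/alerts-ui-manage/-detections-alert-change-status.png" .../>` element is not AsciiDoc and will render as literal text in this `.asciidoc` file; it also duplicates the `image::images/alert-change-status.png[...]` macro two lines above it, with a path that does not match that macro. Drop the `<DocImage>` line, or if a different image is intended, express it as an `image::` macro with a path under `images/`.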
Expand All @@ -184,10 +188,72 @@ To apply or remove alert tags on individual alerts, do one of the following:

To apply or remove alert tags on multiple alerts, select the alerts you want to change, then click *Selected _x_ alerts* at the upper-left above the table. Click *Apply alert tags*, select or unselect tags, then click *Apply tags*.


[role="screenshot"]
image::images/bulk-apply-alert-tag.png[Bulk action menu with multiple alerts selected, 450]

[float]
[[assign-alerts-to-users]]
==== Assign users to alerts

Assign users to alerts that you want them to investigate, and manage alert assignees throughout an alert's lifecycle.

.Requirements
[sidebar]
--
All Security roles, except for the Viewer role, can assign and unassign users to alerts.
//Need to update this for ESS
--

IMPORTANT: Users are not notified when they've been assigned to, or unassigned from, alerts.

|==============================================
| Action | Instructions

| ssign users to an alert

a| Choose one of the following:

* **Alerts table** - Click **More actions** (**...**) in an alert's row, then click **Assign alert**. Select users, then click **Apply**.
* **Alert details flyout** - Click **Take action → Assign alert**. Alternatively, click the **Assign alert** filter (<DocIcon type="plusInCircle" title="Assign alert" />) at the top of the alert details flyout, select users, then click **Apply**.

NOTE: Users assigned to some of the selected alerts will be displayed as unassigned in the selection list. Selecting said users will assign them to all alerts they haven't been assigned to yet.

|Unassign users from an alert

a| Choose one of the following:

* **Alerts table** - Click **More actions** (**...**) in an alert's row, then click **Unassign alert**.
* **Alert details flyout** - Click **Take action → Unassign alert**.

| Assign users to multiple alerts

| From the Alerts table, select the alerts you want to change. Click **Selected _x_ alerts** at the upper-left above the table, then click **Assign alert**. Select users, then click **Apply**.

| Unassign users from multiple alerts

| From the Alerts table, select the alerts you want to change and click **Selected _x_ alerts** at the upper-left above the table. Click **Unassign alert** to remove users from the alert.

|==============================================

Show users that have been assigned to alerts by adding the **Assignees** column to the Alerts table (**Fields** → `kibana.alert.workflow_assignee_ids`). Up to four assigned users can appear in the **Assignees** column. If an alert is assigned to five or more users, a number appears instead.

[role="screenshot"]
image::images/alert-assigned-alerts.png[Alert assignees in the Alerts table, 650]

Assigned users are automatically displayed in the alert details flyout. Up to two assigned users can be shown in the flyout. If an alert is assigned to three or more users, a numbered badge displays instead.

[role="screenshot"]
image::images/alert-flyout-assignees.png[Alert assignees in the alert details flyout, 450]

[float]
[[filter-assigned-alerts]]
==== Filter assigned alerts

Click the **Assignees** filter above the Alerts table, then select the users you want to filter by.

[role="screenshot"]
image::images/alert-filter-assigned-alerts.png[Filtering assigned alerts, 650]

[float]
[[add-exception-from-alerts]]
==== Add a rule exception from an alert
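Review bot: the first Action cell of the new table reads `| ssign users to an alert` and should be `| Assign users to an alert`. In the same row, `<DocIcon type="plusInCircle" title="Assign alert" />` is not AsciiDoc (same problem as the `<DocImage>` element earlier in this file) and should become an inline `image:` macro or be dropped, and the NOTE about "Users assigned to some of the selected alerts" describes the multi-select case, so it belongs in the "Assign users to multiple alerts" row rather than the single-alert row. The `//Need to update this for ESS` comment inside the Requirements sidebar is an unresolved TODO: the privilege requirement for non-serverless deployments is missing. Minor: the double blank line before the `[role="screenshot"]` block, and "remove users from the alert" in the "Unassign users from multiple alerts" row should read "from the alerts".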
11 changes: 9 additions & 2 deletions docs/detections/alerts-view-details.asciidoc
Expand Up @@ -33,8 +33,12 @@ image::images/alert-details-flyout-right-panel.png[Right panel of the alert deta
From the right panel, you can also:

* Click **Expand details** to open the <<left-panel,left panel>>, which shows more information about sections in the right panel.
* Click **Chat** to access the <<security-assistant>>.
* Click **Share alert** to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page.
* Click the **Chat** icon
//grab screenshot of icon
to access the <<security-assistant>>.
* Click the **Share alert** icon
//grab screenshot of icon
to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page.
+
NOTE: If you've configured the {kibana-ref}/settings.html#server-publicBaseUrl[`server.publicBaseUrl`] setting in the `kibana.yml` file, the shareable URL is also in the `kibana.alert.url` field. You can find the field by searching for `kibana.alert.url` on the *Table* tab.
+
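Review bot: the two `//grab screenshot of icon` lines are unresolved placeholders inserted in the middle of list items. Whether or not the processor drops the comment lines, the icons the new wording refers to ("the **Chat** icon", "the **Share alert** icon") are not shown anywhere; add the inline `image:` macros for the icons in place of the placeholders, or keep the previous "Click **Chat**" / "Click **Share alert**" wording until the icons are available.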
Expand All @@ -46,6 +50,9 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo
** Alert status
** Date and time the alert was created
** Alert severity and risk score (these are inherited from rule that generated the alert)
** Users assigned to the alert
//grab screenshot of icon
icon to assign more users

* Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs.

Binary file added docs/detections/images/alert-assigned-alerts.png
Binary file modified docs/detections/images/alert-change-status.png
Binary file modified docs/detections/images/alert-details-flyout-preview-panel.gif
Binary file modified docs/detections/images/alert-details-flyout-right-panel.png
Binary file added docs/detections/images/alert-flyout-assignees.png
Binary file modified docs/detections/images/bulk-add-alerts-to-timeline.png
Binary file modified docs/detections/images/open-alert-details-flyout.gif
8 changes: 8 additions & 0 deletions docs/reference/alert-schema.asciidoc
Expand Up @@ -180,4 +180,12 @@ This field can contain an array of values, for example: `["False Positive", "pro

Type: keyword

|N/A | `kibana.alert.workflow_assignee_ids` a| List of users assigned to an alert.

An array of unique identifiers (UIDs) for user profiles, for example: `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]`

UIDs are linked to user profiles that are automatically created when users first log into a project. These profiles contain names, emails, profile avatars, and other user settings.

Type: string[]

|==============================================
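Review bot: the example value for `kibana.alert.workflow_assignee_ids` is malformed: `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]` is a one-element array holding a single string with a comma inside it, while the text describes an array of UIDs; it should be `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0", "u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]`. Also, `Type: string[]` departs from the `Type: keyword` convention used by the neighbouring entry in this table, and "first log into a project" is serverless wording, which ties in with the `//Need to update this for ESS` TODO left in alerts-ui-manage.asciidoc.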

0 comments on commit 3924db8