diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index e677be8fb5..0d2c621346 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc @@ -139,6 +139,8 @@ From the Alerts table or the alert details flyout, you can: * <> * <> * <> +* <> +* <> * <> * <> * <> (Alert details flyout only) @@ -163,6 +165,8 @@ To change an alert's status, do one of the following: [role="screenshot"] image::images/alert-change-status.png[Bulk action menu with multiple alerts selected, 225] + + * beta:[] To bulk-change the status of <>, select the *Take actions* menu for the group, then select a status. * In an alert's details flyout, click *Take action* and select a status. 
@@ -184,10 +188,72 @@ To apply or remove alert tags on individual alerts, do one of the following: To apply or remove alert tags on multiple alerts, select the alerts you want to change, then click *Selected _x_ alerts* at the upper-left above the table. Click *Apply alert tags*, select or unselect tags, then click *Apply tags*. - [role="screenshot"] image::images/bulk-apply-alert-tag.png[Bulk action menu with multiple alerts selected, 450] +[float] +[[assign-alerts-to-users]] +==== Assign users to alerts + +Assign users to alerts that you want them to investigate, and manage alert assignees throughout an alert's lifecycle. + +.Requirements +[sidebar] +-- +All Security roles, except for the Viewer role, can assign and unassign users to alerts. +//Need to update this for ESS +-- + +IMPORTANT: Users are not notified when they've been assigned to, or unassigned from, alerts. + +|============================================== +| Action | Instructions + +| ssign users to an alert + +a| Choose one of the following: + +* **Alerts table** - Click **More actions** (**...**) in an alert's row, then click **Assign alert**. Select users, then click **Apply**. +* **Alert details flyout** - Click **Take action → Assign alert**. Alternatively, click the **Assign alert** filter () at the top of the alert details flyout, select users, then click **Apply**. + +NOTE: Users assigned to some of the selected alerts will be displayed as unassigned in the selection list. Selecting said users will assign them to all alerts they haven't been assigned to yet. + +|Unassign users from an alert + +a| Choose one of the following: + +* **Alerts table** - Click **More actions** (**...**) in an alert's row, then click **Unassign alert**. +* **Alert details flyout** - Click **Take action → Unassign alert**. + +| Assign users to multiple alerts + +| From the Alerts table, select the alerts you want to change. 
Click **Selected _x_ alerts** at the upper-left above the table, then click **Assign alert**. Select users, then click **Apply**. + +| Unassign users from multiple alerts + +| From the Alerts table, select the alerts you want to change and click **Selected _x_ alerts** at the upper-left above the table. Click **Unassign alert** to remove users from the alert. + +|============================================== + +Show users that have been assigned to alerts by adding the **Assignees** column to the Alerts table (**Fields** → `kibana.alert.workflow_assignee_ids`). Up to four assigned users can appear in the **Assignees** column. If an alert is assigned to five or more users, a number appears instead. + +[role="screenshot"] +image::images/alert-assigned-alerts.png[Alert assignees in the Alerts table, 650] + +Assigned users are automatically displayed in the alert details flyout. Up to two assigned users can be shown in the flyout. If an alert is assigned to three or more users, a numbered badge displays instead. + +[role="screenshot"] +image::images/alert-flyout-assignees.png[Alert assignees in the alert details flyout, 450] + +[float] +[[filter-assigned-alerts]] +==== Filter assigned alerts + +Click the **Assignees** filter above the Alerts table, then select the users you want to filter by. + +[role="screenshot"] +image::images/alert-filter-assigned-alerts.png[Filtering assigned alerts, 650] + [float] [[add-exception-from-alerts]] ==== Add a rule exception from an alert diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index c739ce4798..5a06094266 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc 
@@ -33,8 +33,12 @@ image::images/alert-details-flyout-right-panel.png[Right panel of the alert deta From the right panel, you can also: * Click **Expand details** to open the <>, which shows more information about sections in the right panel. -* Click **Chat** to access the <>. -* Click **Share alert** to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page. +* Click the **Chat** icon +//grab screenshot of icon +to access the <>. +* Click the **Share alert** icon +//grab screenshot of icon +to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page. + NOTE: If you've configured the {kibana-ref}/settings.html#server-publicBaseUrl[`server.publicBaseUrl`] setting in the `kibana.yml` file, the shareable URL is also in the `kibana.alert.url` field. You can find the field by searching for `kibana.alert.url` on the *Table* tab. + @@ -46,6 +50,9 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo ** Alert status ** Date and time the alert was created ** Alert severity and risk score (these are inherited from rule that generated the alert) +** Users assigned to the alert +//grab screenshot of icon +icon to assign more users * Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. diff --git a/docs/detections/images/alert-assigned-alerts.png b/docs/detections/images/alert-assigned-alerts.png new file mode 100644 index 0000000000..1d63dccf53 Binary files /dev/null and b/docs/detections/images/alert-assigned-alerts.png differ 
diff --git a/docs/detections/images/alert-change-status.png b/docs/detections/images/alert-change-status.png index 98b1f50e53..333366d09f 100644 Binary files a/docs/detections/images/alert-change-status.png and b/docs/detections/images/alert-change-status.png differ diff --git a/docs/detections/images/alert-details-flyout-preview-panel.gif b/docs/detections/images/alert-details-flyout-preview-panel.gif index 4232ac09f3..c50d422882 100644 Binary files a/docs/detections/images/alert-details-flyout-preview-panel.gif and b/docs/detections/images/alert-details-flyout-preview-panel.gif differ diff --git a/docs/detections/images/alert-details-flyout-right-panel.png b/docs/detections/images/alert-details-flyout-right-panel.png index 005afb93e8..87eca75c43 100644 Binary files a/docs/detections/images/alert-details-flyout-right-panel.png and b/docs/detections/images/alert-details-flyout-right-panel.png differ diff --git a/docs/detections/images/alert-filter-assigned-alerts.png b/docs/detections/images/alert-filter-assigned-alerts.png new file mode 100644 index 0000000000..98f0833897 Binary files /dev/null and b/docs/detections/images/alert-filter-assigned-alerts.png differ diff --git a/docs/detections/images/alert-flyout-assignees.png b/docs/detections/images/alert-flyout-assignees.png new file mode 100644 index 0000000000..0f795ebf77 Binary files /dev/null and b/docs/detections/images/alert-flyout-assignees.png differ diff --git a/docs/detections/images/bulk-add-alerts-to-timeline.png b/docs/detections/images/bulk-add-alerts-to-timeline.png index 0bf1879fd7..bfcac3e402 100644 Binary files a/docs/detections/images/bulk-add-alerts-to-timeline.png and b/docs/detections/images/bulk-add-alerts-to-timeline.png differ 
diff --git a/docs/detections/images/open-alert-details-flyout.gif b/docs/detections/images/open-alert-details-flyout.gif index ea70b9dae7..7b1d715f70 100644 Binary files a/docs/detections/images/open-alert-details-flyout.gif and b/docs/detections/images/open-alert-details-flyout.gif differ diff --git a/docs/reference/alert-schema.asciidoc b/docs/reference/alert-schema.asciidoc index 558ffff60f..cb4cf76907 100644 --- a/docs/reference/alert-schema.asciidoc +++ b/docs/reference/alert-schema.asciidoc @@ -180,4 +180,12 @@ This field can contain an array of values, for example: `["False Positive", "pro Type: keyword +|N/A | `kibana.alert.workflow_assignee_ids` a| List of users assigned to an alert. + +An array of unique identifiers (UIDs) for user profiles, for example: `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]` + +UIDs are linked to user profiles that are automatically created when users first log into a project. These profiles contain names, emails, profile avatars, and other user settings. + +Type: string[] + |==============================================
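Review bot: In the `docs/detections/alerts-ui-manage.asciidoc` hunk at `@@ -184,10 +188,72 @@`, the first table row header is missing its initial letter: `| ssign users to an alert` should read `| Assign users to an alert`. In the same row, `click the **Assign alert** filter () at the top of the alert details flyout` has empty parentheses where an icon image was evidently meant to go; either insert the image macro or drop the parentheses. The NOTE that follows (`Users assigned to some of the selected alerts will be displayed as unassigned in the selection list...`) describes bulk behaviour but sits under the single-alert row; move it under `| Assign users to multiple alerts`, where "selected alerts" makes sense. The `//Need to update this for ESS` comment inside the Requirements sidebar is an unresolved TODO on a permissions statement (`All Security roles, except for the Viewer role, can assign and unassign users to alerts.`); since this is the one line that tells a reader who is allowed to change assignees, it should be verified for ESS and the comment removed before merge rather than shipped with an open question. Minor: in the last row, `remove users from the alert` should be `from the alerts`.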
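Review bot: In the `docs/detections/alerts-view-details.asciidoc` hunk at `@@ -33,8 +33,12 @@`, the two `//grab screenshot of icon` lines are unresolved TODO comments placed in the middle of list-item sentences (`* Click the **Chat** icon` / `//grab screenshot of icon` / `to access the <>.`); resolve them by adding the icon images (or dropping the word `icon`) before merge so the rendered bullets read as complete sentences. The added NOTE about `server.publicBaseUrl` and `kibana.alert.url` is the useful part of this hunk: it is worth stating explicitly that `kibana.alert.url` is only populated when that setting is configured, so readers of the *Table* tab do not assume the field is missing by default.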
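Review bot: In the `docs/detections/alerts-view-details.asciidoc` hunk at `@@ -46,6 +50,9 @@`, the added lines leave a sentence fragment: `** Users assigned to the alert` is followed by the TODO `//grab screenshot of icon` and then the bare text `icon to assign more users`, which will render as a dangling phrase attached to the bullet. Either complete it (for example, `** Users assigned to the alert. Click the **Assign alert** icon to assign more users.`) with the intended image, or remove the fragment until the screenshot is available.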
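Review bot: In the `docs/reference/alert-schema.asciidoc` hunk at `@@ -180,4 +180,12 @@`, the example value for `kibana.alert.workflow_assignee_ids` is a malformed array: `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]` is a single string containing both UIDs and a comma. It should be two quoted elements: `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0", "u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]`. `Type: string[]` is also inconsistent with the rest of this table, where the visible neighbouring entry uses the Elasticsearch field type (`Type: keyword`) and notes array-valued fields in the description (`This field can contain an array of values`); use the same convention here. Finally, `when users first log into a project` is serverless wording in a reference page that also serves ESS deployments (the sibling docs hunk still carries a `//Need to update this for ESS` note), so pick wording that covers both.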