From 5475ae522e4695fe2b63b4d369ee0b93992d1834 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 11 Sep 2023 17:20:38 +0100 Subject: [PATCH] Adds links from threat intel integrations guide to IoC page (#3857) (#3903) * Adds links from threat intel integrations guide to IoC page * Update docs/getting-started/threat-intel-integrations.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * Update docs/getting-started/threat-intel-integrations.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * Updates after TW review --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit bc8d109eb4b35752ba2014e4f19f47ec06b4283a) Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/cases/indicators-of-compromise.asciidoc | 2 ++ docs/getting-started/threat-intel-integrations.asciidoc | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/cases/indicators-of-compromise.asciidoc b/docs/cases/indicators-of-compromise.asciidoc index a12bc6348f..368d69be4f 100644 --- a/docs/cases/indicators-of-compromise.asciidoc +++ b/docs/cases/indicators-of-compromise.asciidoc @@ -48,6 +48,8 @@ If indicator data is not appearing in the Indicators table after you installed a ** *{filebeat} integrations* - `filebeat-*` * Ensure the indicator data you're ingesting is mapped to {ecs-ref}[Elastic Common Schema (ECS)]. +NOTE: These troubleshooting steps also apply to the <>. + [discrete] [[intelligence-page-ui]] == Indicators page UI diff --git a/docs/getting-started/threat-intel-integrations.asciidoc b/docs/getting-started/threat-intel-integrations.asciidoc index e0cd015437..e1f9f9d287 100644 --- a/docs/getting-started/threat-intel-integrations.asciidoc +++ b/docs/getting-started/threat-intel-integrations.asciidoc 
@@ -1,7 +1,7 @@ [[es-threat-intel-integrations]] = Enable threat intelligence integrations -The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of threat indicators ingested from third-party threat intelligence sources. +The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of <> ingested from third-party threat intelligence sources. Threat indicators describe potential threats, unusual behavior, or malicious activity on a network or in an environment. They are commonly used in indicator match rules to detect and match known threats. When an indicator match rule generates an alert, it includes information about the matched threat indicator. @@ -10,7 +10,7 @@ NOTE: To learn more about alerts with threat intelligence, visit <>, the <>, or a <>. [role="screenshot"] -image::images/threat-intelligence-view.png[width=65%][height=65%][Shows the Threat Intelligence view on the Overview page] +image::images/threat-intelligence-view.png[width=65%][height=65%][Shows the Threat Intelligence view on the Overview dashboard] There are a few scenarios when data won't display in the Threat Intelligence view: @@ -41,7 +41,7 @@ If you know the name of {agent} integration you want to install, you can search ========================= . Select an {agent} integration, then complete the installation steps. -. Return to the Threat Intelligence view on the Overview page. Refresh the page if indicator data isn't displaying. +. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn't displaying, refresh the page or refer to these <>. [float] [[ti-mod-integration]] 
@@ -54,7 +54,7 @@ NOTE: For more information about enabling available threat intelligence filesets . Update the `securitySolution:defaultThreatIndex` <> by adding the appropriate index pattern name after the default {fleet} threat intelligence index pattern (`logs-ti*`): .. If you're _only_ using {filebeat} version 8.x, add the appropriate {filebeat} threat intelligence index pattern. For example, `logs-ti*`, `filebeat-8*`. .. If you're using a previous version of Filebeat _and_ a current one, differentiate between the threat intelligence indices by using unique index pattern names. For example, if you’re using {filebeat} version 7.0.0 and 8.0.0, update the setting to `logs-ti*`,`filebeat-7*`,`filebeat-8*`. -. Return to the Threat Intelligence view on the Overview page. Refresh the page if indicator data isn't displaying. +. Return to the Threat Intelligence view on the Overview dashboard. Refresh the page if indicator data isn't displaying. [float] [[custom-ti-integration]]
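Review bot: In the `docs/cases/indicators-of-compromise.asciidoc` hunk (`@@ -48,6 +48,8 @@`), the cross-reference target in the new `NOTE:` line is not visible in the patch as shown (`<>`), so please confirm it resolves to the `[[es-threat-intel-integrations]]` anchor that the second file declares at its top; a dangling xref will only surface as a build warning. The NOTE placement itself is fine: it follows the last bullet of the troubleshooting list and is separated by a blank line from the `[discrete]` heading that follows.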
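Review bot: In the `@@ -1,7 +1,7 @@` hunk of `threat-intel-integrations.asciidoc`, the link that replaces the plain words "threat indicators" is shown only as `<>`, so please confirm the display text still reads "threat indicators" so the sentence stays grammatical and matches the definition that immediately follows ("Threat indicators describe potential threats, unusual behavior, or malicious activity ...").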
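Review bot: The `@@ -10,7 +10,7 @@` hunk only renames "Overview page" to "Overview dashboard" in the screenshot alt text; since the same patch makes the same rename in the `-41` and `-54` hunks, consider checking the rest of this file and the indicators page for any remaining "Overview page" wording so the terminology is applied consistently rather than in three isolated spots.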
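Review bot: In the `@@ -41,7 +41,7 @@` hunk, "refer to these <>" links to the troubleshooting steps in `indicators-of-compromise.asciidoc`, but the hunk in that file adds only a `NOTE:` line and no new anchor, so the link must rely on a pre-existing `[[...]]` id above line 48 of that file; please confirm one exists near the troubleshooting list, otherwise the xref will land on the wrong section.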
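Review bot: In the `@@ -54,7 +54,7 @@` hunk, the rewritten step still ends with "Refresh the page if indicator data isn't displaying." whereas the equivalent step in the `-41` hunk was changed to "If indicator data isn't displaying, refresh the page or refer to these <>." The {filebeat} path has the same failure mode (index pattern not matching `securitySolution:defaultThreatIndex`, data not mapped to ECS), so suggest mirroring the troubleshooting link here as well, e.g. `+. Return to the Threat Intelligence view on the Overview dashboard. If indicator data isn't displaying, refresh the page or refer to these <>.`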