-
Notifications
You must be signed in to change notification settings - Fork 191
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
* First draft * Update Dashboards landing page * Add frontmatter * Address feedback from Georgii & Janeen Mention time range & filters, and spaces Edits (cherry picked from commit 57f23c9) Co-authored-by: Joe Peeples <[email protected]>
- Loading branch information
1 parent
59898bd
commit eb9cce6
Showing
5 changed files
with
82 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| [[rule-monitoring-dashboard]] | ||
| = Detection rule monitoring dashboard | ||
|
|
||
| :frontmatter-description: Visualize your detection rules' performance. | ||
| :frontmatter-tags-products: [security] | ||
| :frontmatter-tags-content-type: [how-to] | ||
| :frontmatter-tags-user-goals: [visualize, monitor] | ||
|
|
||
| The Detection rule monitoring dashboard provides visualizations to help you monitor the overall health and performance of {elastic-sec}'s detection rules. Consult this dashboard for a high-level view of whether your rules are running successfully and how long they're taking to run, search data, and create alerts. | ||
|
|
||
| [role="screenshot"] | ||
| image::images/rule-monitoring-overview.png[Overview of Detection rule monitoring dashboard] | ||
|
|
||
| .Requirements | ||
| [sidebar] | ||
| -- | ||
| To access this dashboard and its data, you must have: | ||
|
|
||
| * At least `Read` {kibana-ref}/kibana-role-management.html#adding_kibana_privileges[{kib} privileges] for both the *Analytics > Dashboard* and *Security > Security* {kib} features. | ||
|
|
||
| * At least `read` {kibana-ref}/kibana-role-management.html#adding_index_privileges[index privileges] for the `.kibana-event-log-*` index. | ||
| -- | ||
|
|
||
| [discrete] | ||
| [[rule-monitoring-visualizations]] | ||
| == Visualization data and types | ||
|
|
||
| The dashboard presents a variety of information about your detection rules. Visualizations display and calculate data within the time range and filters selected at the top of the dashboard. | ||
|
|
||
| The dashboard also includes data from all {kib} spaces. To display data only from specific spaces, open the dashboard in {kib} (*Analytics* -> *Dashboard*) and use the *Kibana space* drop-down filter. | ||
|
|
||
| The following visualizations are included: | ||
|
|
||
| * *Rule KPIs (key performance indicators)*: The total number of rules enabled, how many times they collectively ran, and their response statuses. | ||
| * *Executions by rule type*: Rule executions over time, broken down by rule type. | ||
| * *Executions by status*: Rule executions over time, broken down by status. | ||
| * *Total rule execution duration*: How long rules take to run, from start to finish. | ||
| * *Rule schedule delay*: The delay between a rule's scheduled start time and when it actually starts running. | ||
| * *Search/query duration*: How long rules take to query source indices or data views. | ||
| * *Indexing duration*: How long rules take to generate alerts and write them to the `.alerts-security.alerts-*` index. | ||
| * *Top 10 rules*: Lists of the overall slowest rules, most delayed rules, and rules with the most *Failed* and *Warning* response statuses. | ||
|
|
||
| [discrete] | ||
| [[rule-visualization-actions]] | ||
| == Visualization panel actions | ||
|
|
||
| Open a panel's options menu (image:images/three-dot-icon.png[Options menu,18,18]) customize the panel or use its data for further analysis and investigation: | ||
|
|
||
| * *Edit panel settings*: Customize the panel's display settings. Options vary by visualization type. | ||
| * *Inspect*: Examine the panel's underlying data and queries. | ||
| * *Explore data in Discover*: Open Discover with preloaded filters to display the panel's data. | ||
| * *Maximize panel*: Expand the panel. | ||
| * *Download as CSV*: Download the panel's data in a CSV file. | ||
| * *Copy to dashboard*: Copy the panel to an existing or new dashboard. | ||
| * *Add to existing case*: Add the panel to an existing case. | ||
| * *Add to new case*: Create a new case and add the panel to it. | ||
| * *Create anomaly detection job*: Create a {ml} anomaly detection job using the panel's data. | ||
|
|
||
| [discrete] | ||
| [[clone-edit-dashboard]] | ||
| == Clone and edit the dashboard | ||
|
|
||
| This dashboard is managed by {kib}, so any changes you make to it will not last. To make persistent changes, you can clone the dashboard and edit the cloned copy, but your copy will not get updates from Elastic. | ||
|
|
||
| . Click *Edit*, then *Save as*. | ||
| . On the *Save dashboard* dialog, enter a new *Title* for your cloned copy. | ||
| . Make sure *Save as new dashboard* is selected, then click *Save*. You can now make additional changes and save them to your copy. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters