diff --git a/docs/cloud-native-security/session-view.asciidoc b/docs/cloud-native-security/session-view.asciidoc index 3cfc90571b..202e84b353 100644 --- a/docs/cloud-native-security/session-view.asciidoc +++ b/docs/cloud-native-security/session-view.asciidoc @@ -46,7 +46,7 @@ fields collected when this setting is enabled, refer to the https://github.com/e [float] [[open-session-view]] === Open Session View -Session View is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the **Kubernetes** dashboard. +Session View is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout and the **Kubernetes** dashboard. Events and sessions that you can investigate in Session View have a rectangular *Open Session View* button in the *Actions* column. For example: diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 07c399de92..12a4a779ff 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -55,10 +55,10 @@ image::images/suppressed-alerts-table.png[Suppressed alerts icon and tooltip in [role="screenshot"] image::images/suppressed-alerts-table-column.png[Suppressed alerts count field column in Alerts table,75%] -* Alert details flyout — *Insights* section: +* Alert details flyout — *Insights* -> *Correlations* section: + [role="screenshot"] -image::images/suppressed-alerts-details.png[Suppressed alerts Insights section in alert details flyout,75%] +image::images/suppressed-alerts-details.png[Suppressed alerts in the Correlations section within the alert details flyout,75%] === Investigate events for suppressed alerts diff --git a/docs/detections/images/ig-alert-flyout-invest-tab.png b/docs/detections/images/ig-alert-flyout-invest-tab.png new file mode 100644 index 0000000000..d50b701273 Binary files /dev/null and b/docs/detections/images/ig-alert-flyout-invest-tab.png differ 
diff --git a/docs/detections/images/ig-alert-flyout.png b/docs/detections/images/ig-alert-flyout.png index ee9ab728de..058767a716 100644 Binary files a/docs/detections/images/ig-alert-flyout.png and b/docs/detections/images/ig-alert-flyout.png differ diff --git a/docs/detections/images/suppressed-alerts-details.png b/docs/detections/images/suppressed-alerts-details.png index 1743314927..fe880155c3 100644 Binary files a/docs/detections/images/suppressed-alerts-details.png and b/docs/detections/images/suppressed-alerts-details.png differ diff --git a/docs/detections/investigation-guide-actions.asciidoc b/docs/detections/investigation-guide-actions.asciidoc index 33430195f5..52c1d1d6f2 100644 --- a/docs/detections/investigation-guide-actions.asciidoc +++ b/docs/detections/investigation-guide-actions.asciidoc 
@@ -11,9 +11,14 @@ Detection rule investigation guides suggest steps for triaging, analyzing, and r IMPORTANT: Interactive investigation guides are compatible between {stack} versions 8.7.0 and later. Query buttons created in 8.6.x use different syntax and won't render correctly in later versions, and vice versa. [role="screenshot"] -image::images/ig-alert-flyout.png[Alert details flyout with interactive investigation guide,550] +image::images/ig-alert-flyout.png[Alert details flyout with interactive investigation guide,450] -Each query button displays the number of event documents found. Click the button to automatically load the query in Timeline based on configuration settings in the investigation guide. +Under the Investigation section, click **Show investigation guide** to open the **Investigation** tab in the left panel of the alert details flyout. + +[role="screenshot"] +image::images/ig-alert-flyout-invest-tab.png[Alert details flyout with interactive investigation guide,800] + +The **Investigation** tab displays query buttons, and each query button displays the number of event documents found. Click the query button to automatically load the query in Timeline, based on configuration settings in the investigation guide. [role="screenshot"] image::images/ig-timeline.png[Timeline with query pre-loaded from investigation guide action] diff --git a/docs/detections/visual-event-analyzer.asciidoc b/docs/detections/visual-event-analyzer.asciidoc index db3e22689f..a4d89e7647 100644 --- a/docs/detections/visual-event-analyzer.asciidoc +++ b/docs/detections/visual-event-analyzer.asciidoc 
@@ -27,7 +27,7 @@ Or + ** `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` -. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. +. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. Alternatively, open the alert details flyout, go to the Visualizations section, then click **Analyzer preview**. This opens the **Analyzer** tab in Timeline. + [role="screenshot"] diff --git a/docs/experimental-features/host-risk-score.asciidoc b/docs/experimental-features/host-risk-score.asciidoc index fb2ea58b28..9eb14da6ca 100644 --- a/docs/experimental-features/host-risk-score.asciidoc +++ b/docs/experimental-features/host-risk-score.asciidoc @@ -98,10 +98,10 @@ The `host.risk.calculated_level` column in the Alerts table: [role="screenshot"] image::images/hrs-alerts-table.png[Host risk score in the Alerts table] -The *Overview* tab on the Alert details flyout: +The *Insights* -> *Entities* section on the *Overview* tab within the alert details flyout: [role="screenshot"] -image::images/score-in-flyout.png[Host risk score in Alert details flyout] +image::images/score-in-flyout.png[Host risk score in alert details flyout,65%] The *Host risk classification* column in the All hosts table on the Hosts page: diff --git a/docs/experimental-features/images/score-in-flyout.png b/docs/experimental-features/images/score-in-flyout.png index b4c626009e..1dda839c22 100644 Binary files a/docs/experimental-features/images/score-in-flyout.png and b/docs/experimental-features/images/score-in-flyout.png differ 
diff --git a/docs/experimental-features/images/urs-score-flyout.png b/docs/experimental-features/images/urs-score-flyout.png index 26310b768c..86d22ff2fd 100644 Binary files a/docs/experimental-features/images/urs-score-flyout.png and b/docs/experimental-features/images/urs-score-flyout.png differ diff --git a/docs/experimental-features/user-risk-score.asciidoc b/docs/experimental-features/user-risk-score.asciidoc index 5b70692bcb..2f98027752 100644 --- a/docs/experimental-features/user-risk-score.asciidoc +++ b/docs/experimental-features/user-risk-score.asciidoc @@ -94,10 +94,10 @@ The `user.risk.calculated_level` column in the Alerts table: [role="screenshot"] image::images/urs-alerts-table.png[User risk score in Alerts table] -The *Overview* tab on the Alert details flyout: +The *Insights* -> *Entities* section on the *Overview* tab within the alert details flyout [role="screenshot"] -image::images/urs-score-flyout.png[User risk score in Alert details flyout] +image::images/urs-score-flyout.png[User risk score in alert details flyout,65%] The *User risk* tab on the Users page: diff --git a/docs/management/admin/host-isolation-ov.asciidoc b/docs/management/admin/host-isolation-ov.asciidoc index f9ce142433..d12fa08aaa 100644 --- a/docs/management/admin/host-isolation-ov.asciidoc +++ b/docs/management/admin/host-isolation-ov.asciidoc @@ -145,4 +145,4 @@ To confirm if a host has been successfully isolated or released, check the respo Go to *Manage* -> *Endpoints*, click an endpoint's name, then click the *Response action history* tab. You can filter the information displayed in this view. Refer to <> for more details. [role="screenshot"] -image::images/response-actions-history-endpoint-details.png[Response actions history page UI,75%] +image::images/response-actions-history-endpoint-details.png[Response actions history page UI,75%] \ No newline at end of file 
diff --git a/docs/osquery/images/osquery-results-tab.png b/docs/osquery/images/osquery-results-tab.png index 862f24e965..92d4b8edcd 100644 Binary files a/docs/osquery/images/osquery-results-tab.png and b/docs/osquery/images/osquery-results-tab.png differ diff --git a/docs/osquery/osquery-response-action.asciidoc b/docs/osquery/osquery-response-action.asciidoc index f2803a44c4..4a138c2a75 100644 --- a/docs/osquery/osquery-response-action.asciidoc +++ b/docs/osquery/osquery-response-action.asciidoc @@ -64,7 +64,7 @@ IMPORTANT: If you edited a saved query or query pack that an Osquery Response Ac [[find-osquery-response-action-results]] === Find query results -When a rule generates an alert, Osquery automatically collects data on the host. Query results are displayed within the *Response Results* tab in the Alert details flyout. The number next to the *Response Results* tab represents the number of queries attached to the rule, in addition to endpoint response actions run by the rule. +When a rule generates an alert, Osquery automatically collects data on the host. Query results are displayed within the *Response* tab in the left panel of the alert details flyout. The number next to the *Response Results* tab represents the number of queries attached to the rule, in addition to endpoint response actions run by the rule. NOTE: Refer to <> for more information about query results.
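Review bot: the new wording in the session-view.asciidoc hunk names the alert details flyout as an entry point, but the sentence that follows only describes the rectangular *Open Session View* button in the *Actions* column, which readers will not find inside the flyout. Add a clause saying where in the flyout the control lives (the other hunks in this patch use the pattern "the *Visualizations* section" or "the left panel of the alert details flyout"), so the new entry point is actually reachable from the text.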
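Review bot: in the investigation-guide-actions.asciidoc hunk the new screenshot ig-alert-flyout-invest-tab.png reuses the alt text of ig-alert-flyout.png, "Alert details flyout with interactive investigation guide", so the two images are indistinguishable to screen readers; give the second one its own text, for example "Investigation tab in the left panel of the alert details flyout". Also bold *Investigation* in "Under the Investigation section" to match the **Show investigation guide** and **Investigation** labels on the neighbouring lines, and check that the 800 width is intended when the image just above it was reduced from 550 to 450.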
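Review bot: "go to the Visualizations section" in the visual-event-analyzer.asciidoc hunk leaves the section name unformatted while **Analyzer preview** and **Analyzer** on the same line are bold; format it as **Visualizations**. The closing sentence says the click opens the **Analyzer** tab in Timeline, whereas the osquery hunk in this same patch places flyout tabs "in the left panel of the alert details flyout"; confirm which surface opens and describe it the same way in both files.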
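Review bot: the replacement line in user-risk-score.asciidoc, "The *Insights* -> *Entities* section on the *Overview* tab within the alert details flyout", drops the trailing colon that the original line had and that the parallel host-risk-score.asciidoc hunk keeps; add it back so the lead-in to the screenshot reads the same in both topics.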
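Review bot: the host-isolation-ov.asciidoc hunk changes no content and only strips the final newline (the diff marks it "\ No newline at end of file"); drop this hunk or restore the newline, otherwise it adds noise here and will resurface in every later diff of that file.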
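Review bot: the osquery-response-action.asciidoc hunk renames the tab to *Response* in the first sentence, but the next sentence still reads "The number next to the *Response Results* tab represents the number of queries attached to the rule"; update it to *Response* so the paragraph refers to a single tab name.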