[8.10] [Expandable flyout] Task 2: Update references to the alert details flyout and refresh screenshots (backport #3854) #3912

Merged 1 commit on Sep 18, 2023
2 changes: 1 addition & 1 deletion docs/cloud-native-security/session-view.asciidoc
@@ -46,7 +46,7 @@ fields collected when this setting is enabled, refer to the https://github.com/e
[float]
[[open-session-view]]
=== Open Session View
Session View is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the **Kubernetes** dashboard.
Session View is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout and the **Kubernetes** dashboard.
Events and sessions that you can investigate in Session View have a rectangular
*Open Session View* button in the *Actions* column. For example:

4 changes: 2 additions & 2 deletions docs/detections/alert-suppression.asciidoc
@@ -55,10 +55,10 @@ image::images/suppressed-alerts-table.png[Suppressed alerts icon and tooltip in
[role="screenshot"]
image::images/suppressed-alerts-table-column.png[Suppressed alerts count field column in Alerts table,75%]

* Alert details flyout — *Insights* section:
* Alert details flyout — *Insights* -> *Correlations* section:
+
[role="screenshot"]
image::images/suppressed-alerts-details.png[Suppressed alerts Insights section in alert details flyout,75%]
image::images/suppressed-alerts-details.png[Suppressed alerts in the Correlations section within the alert details flyout,75%]

=== Investigate events for suppressed alerts

Binary file modified docs/detections/images/ig-alert-flyout.png
Binary file modified docs/detections/images/suppressed-alerts-details.png
9 changes: 7 additions & 2 deletions docs/detections/investigation-guide-actions.asciidoc
@@ -11,9 +11,14 @@ Detection rule investigation guides suggest steps for triaging, analyzing, and r
IMPORTANT: Interactive investigation guides are compatible between {stack} versions 8.7.0 and later. Query buttons created in 8.6.x use different syntax and won't render correctly in later versions, and vice versa.

[role="screenshot"]
image::images/ig-alert-flyout.png[Alert details flyout with interactive investigation guide,550]
image::images/ig-alert-flyout.png[Alert details flyout with interactive investigation guide,450]

Each query button displays the number of event documents found. Click the button to automatically load the query in Timeline based on configuration settings in the investigation guide.
Under the Investigation section, click **Show investigation guide** to open the **Investigation** tab in the left panel of the alert details flyout.

[role="screenshot"]
image::images/ig-alert-flyout-invest-tab.png[Alert details flyout with interactive investigation guide,800]

The **Investigation** tab displays query buttons, and each query button displays the number of event documents found. Click the query button to automatically load the query in Timeline, based on configuration settings in the investigation guide.

[role="screenshot"]
image::images/ig-timeline.png[Timeline with query pre-loaded from investigation guide action]
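Review bot: the new screenshot line `image::images/ig-alert-flyout-invest-tab.png[Alert details flyout with interactive investigation guide,800]` reuses the alt text of the image just above it, so two different screenshots are indistinguishable to screen readers; suggest something like `[Investigation tab in the left panel of the alert details flyout,800]`. Also, in "Under the Investigation section, click **Show investigation guide**", the section name is the only UI label in the sentence not in bold, while the rest of the hunk bolds UI elements (**Investigation** tab); "Under the **Investigation** section" would keep the convention.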
2 changes: 1 addition & 1 deletion docs/detections/visual-event-analyzer.asciidoc
@@ -27,7 +27,7 @@ Or
+
** `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *`

. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer.
. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. Alternatively, open the alert details flyout, go to the Visualizations section, then click **Analyzer preview**. This opens the **Analyzer** tab in Timeline.

+
[role="screenshot"]
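Review bot: in the added sentence "open the alert details flyout, go to the Visualizations section, then click **Analyzer preview**", the section name is left unformatted while the adjacent UI labels (**Analyze event**, **Analyzer preview**, **Analyzer**) are bold; writing it as **Visualizations** keeps the file's convention. Not a blocker.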
4 changes: 2 additions & 2 deletions docs/experimental-features/host-risk-score.asciidoc
@@ -98,10 +98,10 @@ The `host.risk.calculated_level` column in the Alerts table:
[role="screenshot"]
image::images/hrs-alerts-table.png[Host risk score in the Alerts table]

The *Overview* tab on the Alert details flyout:
The *Insights* -> *Entities* section on the *Overview* tab within the alert details flyout:

[role="screenshot"]
image::images/score-in-flyout.png[Host risk score in Alert details flyout]
image::images/score-in-flyout.png[Host risk score in alert details flyout,65%]

The *Host risk classification* column in the All hosts table on the Hosts page:

Binary file modified docs/experimental-features/images/score-in-flyout.png
Binary file modified docs/experimental-features/images/urs-score-flyout.png
4 changes: 2 additions & 2 deletions docs/experimental-features/user-risk-score.asciidoc
@@ -94,10 +94,10 @@ The `user.risk.calculated_level` column in the Alerts table:
[role="screenshot"]
image::images/urs-alerts-table.png[User risk score in Alerts table]

The *Overview* tab on the Alert details flyout:
The *Insights* -> *Entities* section on the *Overview* tab within the alert details flyout

[role="screenshot"]
image::images/urs-score-flyout.png[User risk score in Alert details flyout]
image::images/urs-score-flyout.png[User risk score in alert details flyout,65%]

The *User risk* tab on the Users page:
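Review bot: the replacement line "The *Insights* -> *Entities* section on the *Overview* tab within the alert details flyout" drops the trailing colon that the removed line had and that the parallel line in host-risk-score.asciidoc in this same PR keeps; since it introduces the screenshot that follows, it should end with ":".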

2 changes: 1 addition & 1 deletion docs/management/admin/host-isolation-ov.asciidoc
@@ -145,4 +145,4 @@ To confirm if a host has been successfully isolated or released, check the respo
Go to *Manage* -> *Endpoints*, click an endpoint's name, then click the *Response action history* tab. You can filter the information displayed in this view. Refer to <<response-actions-history>> for more details.

[role="screenshot"]
image::images/response-actions-history-endpoint-details.png[Response actions history page UI,75%]
image::images/response-actions-history-endpoint-details.png[Response actions history page UI,75%]
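Review bot: the removed and added `image::images/response-actions-history-endpoint-details.png[Response actions history page UI,75%]` lines are textually identical, so this "1 addition & 1 deletion" is a whitespace-only change, most likely adding the missing newline at end of file. Fine to keep, but worth a line in the PR description so it is not mistaken for a content change in review or blame.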
Binary file modified docs/osquery/images/osquery-results-tab.png
2 changes: 1 addition & 1 deletion docs/osquery/osquery-response-action.asciidoc
@@ -64,7 +64,7 @@ IMPORTANT: If you edited a saved query or query pack that an Osquery Response Ac
[[find-osquery-response-action-results]]
=== Find query results

When a rule generates an alert, Osquery automatically collects data on the host. Query results are displayed within the *Response Results* tab in the Alert details flyout. The number next to the *Response Results* tab represents the number of queries attached to the rule, in addition to endpoint response actions run by the rule.
When a rule generates an alert, Osquery automatically collects data on the host. Query results are displayed within the *Response* tab in the left panel of the alert details flyout. The number next to the *Response Results* tab represents the number of queries attached to the rule, in addition to endpoint response actions run by the rule.

NOTE: Refer to <<view-osquery-results>> for more information about query results.
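Review bot: the first sentence of the added line now places the query results in "the *Response* tab in the left panel of the alert details flyout", but the second sentence still says "The number next to the *Response Results* tab"; the two tab names should agree (presumably *Response*), otherwise readers will look for a tab the updated text no longer names.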