diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index e677be8fb5..623d661b58 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc @@ -139,6 +139,8 @@ From the Alerts table or the alert details flyout, you can: * <> * <> * <> +* <> +* <> * <> * <> * <> (Alert details flyout only) 
@@ -184,10 +186,65 @@ To apply or remove alert tags on individual alerts, do one of the following: To apply or remove alert tags on multiple alerts, select the alerts you want to change, then click *Selected _x_ alerts* at the upper-left above the table. Click *Apply alert tags*, select or unselect tags, then click *Apply tags*. - [role="screenshot"] image::images/bulk-apply-alert-tag.png[Bulk action menu with multiple alerts selected, 450] +[float] +[[assign-users-to-alerts]] +==== Assign users to alerts + +Assign users to alerts that you want them to investigate, and manage alert assignees throughout an alert's lifecycle. + +IMPORTANT: Users are not notified when they've been assigned to, or unassigned from, alerts. + +|============================================== +| Action | Instructions + +| Assign users to an alert + +a| Choose one of the following: + +* **Alerts table** - Click **More actions** (**...**) in an alert's row, then click **Assign alert**. Select users, then click **Apply**. +* **Alert details flyout** - Click **Take action -> Assign alert**. Alternatively, click the **Assign alert** icon at the top of the alert details flyout, select users, then click **Apply**. + +|Unassign all users from an alert + +a| Choose one of the following: + +* **Alerts table** - Click **More actions** (**...**) in an alert's row, then click **Unassign alert**. +* **Alert details flyout** - Click **Take action -> Unassign alert**. + +| Assign users to multiple alerts + +a| From the Alerts table, select the alerts you want to change. Click **Selected _x_ alerts** at the upper-left above the table, then click **Assign alert**. Select users, then click **Apply**. + +NOTE: Users assigned to some of the selected alerts will be displayed as unassigned in the selection list. Selecting said users will assign them to all alerts they haven't been assigned to yet. 
+ +| Unassign users from multiple alerts + +| From the Alerts table, select the alerts you want to change and click **Selected _x_ alerts** at the upper-left above the table. Click **Unassign alert** to remove users from the alert. + +|============================================== + +Show users that have been assigned to alerts by adding the **Assignees** column to the Alerts table (**Fields** → `kibana.alert.workflow_assignee_ids`). Up to four assigned users can appear in the **Assignees** column. If an alert is assigned to five or more users, a number appears instead. + +[role="screenshot"] +image::images/alert-assigned-alerts.png[Alert assignees in the Alerts table, 650] + +Assigned users are automatically displayed in the alert details flyout. Up to two assigned users can be shown in the flyout. If an alert is assigned to three or more users, a numbered badge displays instead. + +[role="screenshot"] +image::images/alert-flyout-assignees.png[Alert assignees in the alert details flyout, 450] + +[float] +[[filter-assigned-alerts]] +==== Filter assigned alerts + +Click the **Assignees** filter above the Alerts table, then select the users you want to filter by. + +[role="screenshot"] +image::images/alert-filter-assigned-alerts.png[Filtering assigned alerts, 650] + [float] [[add-exception-from-alerts]] ==== Add a rule exception from an alert @@ -213,8 +270,7 @@ image::images/timeline-button.png[Investigate in timeline button, 300] * To view multiple alerts in Timeline (up to 2,000), select the checkboxes next to the alerts, then click *Selected _x_ alerts* -> *Investigate in timeline*. + -image::images/bulk-add-alerts-to-timeline.png[Bulk add alerts to timeline button,30%,30%] - +image::images/bulk-add-alerts-to-timeline.png[Bulk add alerts to timeline button,50%,50%] TIP: When you send an alert generated by a <> to Timeline, all matching events are 
diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index 934f354be0..51192bc970 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc @@ -33,8 +33,8 @@ image::images/alert-details-flyout-right-panel.png[Right panel of the alert deta From the right panel, you can also: * Click **Expand details** to open the <>, which shows more information about sections in the right panel. -* Click **Chat** to access the <>. -* Click **Share alert** to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page. +* Click the **Chat** icon (image:images/ai-assistant-chat.png[AI assistant chat icon,15,15]) to access the <>. +* Click the **Share alert** icon (image:images/share-alert.png[Share alert icon,15,15]) to get a shareable alert URL. We _do not_ recommend copying the URL from your browser's address bar, which can lead to inconsistent results if you've set up filters or relative time ranges for the Alerts page. + NOTE: If you've configured the {kibana-ref}/settings.html#server-publicBaseUrl[`server.publicBaseUrl`] setting in the `kibana.yml` file, the shareable URL is also in the `kibana.alert.url` field. You can find the field by searching for `kibana.alert.url` on the *Table* tab. + @@ -46,6 +46,7 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo ** Alert status ** Date and time the alert was created ** Alert severity and risk score (these are inherited from rule that generated the alert) +** Users assigned to the alert (click the **Assign alert** image:images/assign-alert.png[Assign alert,15,15] icon to assign more users) * Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. 
diff --git a/docs/detections/images/ai-assistant-chat.png b/docs/detections/images/ai-assistant-chat.png new file mode 100644 index 0000000000..2e5b9450ad Binary files /dev/null and b/docs/detections/images/ai-assistant-chat.png differ diff --git a/docs/detections/images/alert-assigned-alerts.png b/docs/detections/images/alert-assigned-alerts.png new file mode 100644 index 0000000000..1d63dccf53 Binary files /dev/null and b/docs/detections/images/alert-assigned-alerts.png differ diff --git a/docs/detections/images/alert-change-status.png b/docs/detections/images/alert-change-status.png index 98b1f50e53..333366d09f 100644 Binary files a/docs/detections/images/alert-change-status.png and b/docs/detections/images/alert-change-status.png differ diff --git a/docs/detections/images/alert-details-flyout-preview-panel.gif b/docs/detections/images/alert-details-flyout-preview-panel.gif index 4232ac09f3..c50d422882 100644 Binary files a/docs/detections/images/alert-details-flyout-preview-panel.gif and b/docs/detections/images/alert-details-flyout-preview-panel.gif differ diff --git a/docs/detections/images/alert-details-flyout-right-panel.png b/docs/detections/images/alert-details-flyout-right-panel.png index 251d8d3536..87eca75c43 100644 Binary files a/docs/detections/images/alert-details-flyout-right-panel.png and b/docs/detections/images/alert-details-flyout-right-panel.png differ diff --git a/docs/detections/images/alert-filter-assigned-alerts.png b/docs/detections/images/alert-filter-assigned-alerts.png new file mode 100644 index 0000000000..98f0833897 Binary files /dev/null and b/docs/detections/images/alert-filter-assigned-alerts.png differ diff --git a/docs/detections/images/alert-flyout-assignees.png b/docs/detections/images/alert-flyout-assignees.png new file mode 100644 index 0000000000..0f795ebf77 Binary files /dev/null and b/docs/detections/images/alert-flyout-assignees.png differ 
diff --git a/docs/detections/images/assign-alert.png b/docs/detections/images/assign-alert.png new file mode 100644 index 0000000000..e854c2b52c Binary files /dev/null and b/docs/detections/images/assign-alert.png differ diff --git a/docs/detections/images/bulk-add-alerts-to-timeline.png b/docs/detections/images/bulk-add-alerts-to-timeline.png index 0bf1879fd7..bfcac3e402 100644 Binary files a/docs/detections/images/bulk-add-alerts-to-timeline.png and b/docs/detections/images/bulk-add-alerts-to-timeline.png differ diff --git a/docs/detections/images/expand-details-button.png b/docs/detections/images/expand-details-button.png index 0b91ece2bf..9edc11f535 100644 Binary files a/docs/detections/images/expand-details-button.png and b/docs/detections/images/expand-details-button.png differ diff --git a/docs/detections/images/open-alert-details-flyout.gif b/docs/detections/images/open-alert-details-flyout.gif index ea70b9dae7..7b1d715f70 100644 Binary files a/docs/detections/images/open-alert-details-flyout.gif and b/docs/detections/images/open-alert-details-flyout.gif differ diff --git a/docs/detections/images/share-alert.png b/docs/detections/images/share-alert.png new file mode 100644 index 0000000000..c4f69cfaf9 Binary files /dev/null and b/docs/detections/images/share-alert.png differ diff --git a/docs/reference/alert-schema.asciidoc b/docs/reference/alert-schema.asciidoc index bee54009eb..1e38cc4e2e 100644 --- a/docs/reference/alert-schema.asciidoc +++ b/docs/reference/alert-schema.asciidoc 
@@ -183,4 +183,12 @@ This field can contain an array of values, for example: `["False Positive", "pro Type: keyword +|N/A | `kibana.alert.workflow_assignee_ids` a| List of users assigned to an alert. + +An array of unique identifiers (UIDs) for user profiles, for example: `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]` + +UIDs are linked to user profiles that are automatically created when users first log into a deployment. These profiles contain names, emails, profile avatars, and other user settings. + +Type: string[] + |==============================================
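Review bot: The example value for `kibana.alert.workflow_assignee_ids` in the alert-schema hunk is not a two-element array: the comma sits inside the quotes, so `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]` is a single string that happens to contain both UIDs. Quote each element separately, `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0", "u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]`, so that anyone matching or filtering on the field from this example gets the right shape. In the same hunk, `Type: string[]` departs from the table's convention: the preceding row, which also says it "can contain an array of values", is typed `Type: keyword`, so this row should state its type the same way rather than introducing a new notation.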
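Review bot: In the "Assign users to alerts" table of the alerts-ui-manage hunk, the "Unassign users from multiple alerts" row opens its instruction cell with a plain `|` while every other instruction cell uses `a|`; make it `a|` for consistency, and change "to remove users from the alert" to "from the alerts" since the row is about multiple alerts. Two smaller consistency points in the same hunk: the new text uses `**bold**` and a Unicode arrow in `(**Fields** → ...)`, whereas the surrounding file uses single-asterisk bold (`*Selected _x_ alerts*`) and `->` (as in `**Take action -> Assign alert**`); and in the NOTE, "Selecting said users will assign them" reads more naturally as "Selecting these users assigns them".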
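Review bot: In the Timeline hunk (`@@ -213,8 +270,7 @@`), the change drops the blank line that separated the `image::images/bulk-add-alerts-to-timeline.png[...]` macro from the following `TIP:` admonition, leaving the admonition directly after a list continuation (`+`). Keep that blank line so the end of the list item is unambiguous and the TIP is not attached to the bullet; only the `30%,30%` to `50%,50%` size change is needed here.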
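Review bot: The new bullet in the alerts-view-details hunk (`@@ -46,6 +46,7 @@`) places the icon macro between the bold label and the word "icon": `click the **Assign alert** image:images/assign-alert.png[Assign alert,15,15] icon`. The other hunk in the same file establishes the pattern `Click the **Chat** icon (image:images/ai-assistant-chat.png[AI assistant chat icon,15,15])`, so write this one as `click the **Assign alert** icon (image:images/assign-alert.png[Assign alert icon,15,15])` to match, including the word "icon" in the alt text as the other two new macros do.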