[Docs]Detections and Alerts UI #73
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Jul 26, 2020
This was
linked to
issues
Jul 26, 2020
benskelker
force-pushed
the
7.9-detections-ui
branch
from
9888c8b
to
8d4a7db
Compare
benskelker
requested review from
narcher7,
rylnd,
spong,
dontcallmesherryli and
jmikell821
benskelker
changed the title
rylnd
reviewed
Jul 30, 2020
peluja1012
reviewed
Jul 30, 2020
spong
reviewed
Aug 4, 2020
spong
reviewed
Aug 4, 2020
spong
reviewed
Aug 4, 2020
spong
reviewed
Aug 4, 2020
spong
reviewed
Aug 4, 2020
spong
reviewed
Aug 4, 2020
Comment on lines
+51
to
+62
| // * `host.name` | ||
| // * `host.hostname` | ||
| // * `host.domain` | ||
| // * `host.id` | ||
| // * `host.ip` | ||
| // * `client.ip` | ||
| // * `destination.ip` | ||
| // * `server.ip` | ||
| // * `source.ip` | ||
| // * `network.community_id` | ||
| // * `user.name` | ||
| // * `process.name` |
There was a problem hiding this comment.
Are these comments placeholders for something, or can they be removed?
There was a problem hiding this comment.
I think they can be removed but I need to check with @XavierM. Worst case, I'll remove them in a separate PR.
spong
reviewed
Aug 4, 2020
Comment on lines
+5
to
+11
| Create building-block rules when you do not want to see their generated alerts | ||
| in the UI. This is useful when you want: | ||
|
|
||
| * A record of low-risk alerts without producing noise in the Alerts table. | ||
| * Rules that execute on the alert indices (`.siem-signals-<kibana space>-*`). | ||
| You can then use building-block rules to create hidden alerts that act as a | ||
| basis for an 'ordinary' rule to generate visible alerts. |
There was a problem hiding this comment.
Perfect description @benskelker! 🙂
I've been curious what to call non-building-block detection rules, and I think ordinary in this context fits the bill. 👍
spong
reviewed
Aug 4, 2020
spong
reviewed
Aug 4, 2020
added 16 commits
August 4, 2020 16:27
benskelker
force-pushed
the
7.9-detections-ui
branch
from
64eb7e7
to
c72af0b
Compare
narcher7
approved these changes
Aug 4, 2020
|
|
||
| *Example* | ||
|
|
||
| The Timeline template used in the rule has this dropzone query: |
There was a problem hiding this comment.
Change to, "This Timeline template example uses the host.name: Linux-LivepoolFC dropzone query in the rule.
| [[alerts-to-resolver]] | ||
| === Visually analyze process relationships. | ||
|
|
||
| For process events received from the Elastic Endpoint agent, you can open a |
There was a problem hiding this comment.
We might have to loop around and rename this the Elastic Security Endpoint integration. Technically speaking, the Elastic Endpoint Security agent in the legacy Endgame agent, whereas the Elastic agent ingested onto a device is configured with the Elastic Security Endpoint integration.
There was a problem hiding this comment.
Yep - and we'll need to add the link as well.
| . In the Alert table, select _Additional filters_ -> | ||
| _Include building-block alerts_. | ||
|
|
||
| NOTE: On a building-block Rule details page, the rule's alerts are displayed (by |
There was a problem hiding this comment.
does "Details" need to be capitalized as well if we're referring to the "Rule Details" page?
There was a problem hiding this comment.
No - sentence capitalisation
| @@ -1,5 +1,5 @@ | |||
| [[elastic-endpoint-prebuilt-rule]] | |||
| === Elastic Endpoint | |||
| === Elastic Endpoint Security | |||
There was a problem hiding this comment.
We may have to loop back around and change these post-merge. See my previous comment about Elastic Endpoint Security for an explanation.
There was a problem hiding this comment.
This will be OK as it refers to a prebuilt rule name that's already finalised (for 7.9 at least).
benskelker
added a commit
to benskelker/security-docs
that referenced
this pull request
Aug 4, 2020
* dtections-ui-overview * initial overview draft * typo * restructuring for dedicated alerts section * rewording * exceptions from alerts * adds new rule options * adds new action text placeholder * restructer * structure, exceptions and building-blocks * minor edits * adds exceptions * exceptions cont * exceptions correction * more stuff * proofing and whatnot * terminology * nested exception conditions * typo * typo - thanks Nate * corrections - round 1 * add nested conditions example * typo * editing * more proofing * updates ex example * adds promoted endpoint events * typo * corrections after review * corrections
benskelker
added a commit
to benskelker/security-docs
that referenced
this pull request
Aug 4, 2020
* dtections-ui-overview * initial overview draft * typo * restructuring for dedicated alerts section * rewording * exceptions from alerts * adds new rule options * adds new action text placeholder * restructer * structure, exceptions and building-blocks * minor edits * adds exceptions * exceptions cont * exceptions correction * more stuff * proofing and whatnot * terminology * nested exception conditions * typo * typo - thanks Nate * corrections - round 1 * add nested conditions example * typo * editing * more proofing * updates ex example * adds promoted endpoint events * typo * corrections after review * corrections
benskelker
added a commit
that referenced
this pull request
Aug 4, 2020
* dtections-ui-overview * initial overview draft * typo * restructuring for dedicated alerts section * rewording * exceptions from alerts * adds new rule options * adds new action text placeholder * restructer * structure, exceptions and building-blocks * minor edits * adds exceptions * exceptions cont * exceptions correction * more stuff * proofing and whatnot * terminology * nested exception conditions * typo * typo - thanks Nate * corrections - round 1 * add nested conditions example * typo * editing * more proofing * updates ex example * adds promoted endpoint events * typo * corrections after review * corrections
benskelker
added a commit
that referenced
this pull request
Aug 4, 2020
* dtections-ui-overview * initial overview draft * typo * restructuring for dedicated alerts section * rewording * exceptions from alerts * adds new rule options * adds new action text placeholder * restructer * structure, exceptions and building-blocks * minor edits * adds exceptions * exceptions cont * exceptions correction * more stuff * proofing and whatnot * terminology * nested exception conditions * typo * typo - thanks Nate * corrections - round 1 * add nested conditions example * typo * editing * more proofing * updates ex example * adds promoted endpoint events * typo * corrections after review * corrections
joepeeples
pushed a commit
that referenced
this pull request
Mar 13, 2024
Install and configure Elastic Defend cleanup
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Updates the docs with new Detection rules and alerts functionality.
Detections preview
Please ignore all the
BENplaceholders for links and any old screenshots. Thanks