[Serverless][8.16] Notes docs #6006

Open. Wants to merge 38 commits into base: main.
38 commits
03a8046  First draft  (nastasha-solomon, Oct 27, 2024)
0aa216c  First draft  (nastasha-solomon, Oct 27, 2024)
6fc6d18  Updates titles  (nastasha-solomon, Oct 27, 2024)
2d6d74a  Fixes toc and introduces images  (nastasha-solomon, Oct 27, 2024)
71fb03c  Fixes serverless toc  (nastasha-solomon, Oct 27, 2024)
593ea89  Adds missing image  (nastasha-solomon, Oct 27, 2024)
dd26581  Typo  (nastasha-solomon, Oct 27, 2024)
f82f93b  Adds more images and content  (nastasha-solomon, Oct 27, 2024)
89651a9  Removes kib ref  (nastasha-solomon, Oct 27, 2024)
351c2e8  Removed extra kib ref  (nastasha-solomon, Oct 27, 2024)
e0ae798  Adjusted image name  (nastasha-solomon, Oct 28, 2024)
9382d5f  Completed ref link  (nastasha-solomon, Oct 28, 2024)
9387e8e  Adds ref to adv setting  (nastasha-solomon, Oct 28, 2024)
e000d2d  Removed unnecessary ref  (nastasha-solomon, Oct 28, 2024)
68be868  Missing s  (nastasha-solomon, Oct 28, 2024)
3bcc01d  More minor adjustments  (nastasha-solomon, Oct 28, 2024)
e0b5889  first draft of flyout changes  (nastasha-solomon, Oct 28, 2024)
8c71270  Fix image size  (nastasha-solomon, Oct 28, 2024)
8d0d4a1  Moves image over even more  (nastasha-solomon, Oct 28, 2024)
929f000  Update docs/events/add-manage-notes.asciidoc  (nastasha-solomon, Oct 29, 2024)
ffdc178  Incorporates dev input - ESS  (nastasha-solomon, Oct 29, 2024)
85f195d  Serverless changes  (nastasha-solomon, Oct 29, 2024)
0b61863  removed extra space  (nastasha-solomon, Oct 29, 2024)
65ebc3f  fixes serverless doc bugs  (nastasha-solomon, Oct 29, 2024)
7491580  One more small fix  (nastasha-solomon, Oct 29, 2024)
c93167f  Missing s  (nastasha-solomon, Oct 29, 2024)
9419d92  Adds missing image  (nastasha-solomon, Oct 29, 2024)
fb64b56  Merge branch 'main' into issue-5441-the-notes-expansion  (nastasha-solomon, Oct 29, 2024)
e6d9950  Update docs/events/add-manage-notes.asciidoc  (nastasha-solomon, Oct 29, 2024)
b438eae  Revision round two  (nastasha-solomon, Oct 30, 2024)
7f46dd3  Added image ext  (nastasha-solomon, Oct 30, 2024)
3e69dc7  Adds nav instructions  (nastasha-solomon, Oct 30, 2024)
85c2d5e  Fixes styling  (nastasha-solomon, Oct 30, 2024)
2ae0fe5  Removed extra s  (nastasha-solomon, Oct 30, 2024)
d6ddc83  Removed tab  (nastasha-solomon, Oct 30, 2024)
d119a45  Merge branch 'main' into issue-5441-the-notes-expansion  (nastasha-solomon, Oct 30, 2024)
7a2f1aa  Removing asset criticality adv setting again  (nastasha-solomon, Oct 30, 2024)
dd155b7  Removes comment for now  (nastasha-solomon, Oct 30, 2024)
1 change: 1 addition & 0 deletions docs/detections/alerts-ui-manage.asciidoc
Expand Up @@ -150,6 +150,7 @@ From the Alerts table or the alert details flyout, you can:
* <<alerts-run-osquery, Run Osquery against an alert>>
* <<signals-to-timelines>>
* <<visual-event-analyzer,Visually analyze an alert's process relationships>>
* <<notes-alerts-events,Add notes to alerts>>

[float]
[[detection-alert-status]]
14 changes: 12 additions & 2 deletions docs/detections/alerts-view-details.asciidoc
Expand Up @@ -41,10 +41,10 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo
* Find basic details about the alert, such as the:

** Associated rule
** Alert status
** Date and time the alert was created
** Alert status and when the alert was created
** Alert severity and risk score (these are inherited from rule that generated the alert)
** Users assigned to the alert (click the **Assign alert** image:images/assign-alert.png[Assign alert,15,15] icon to assign more users)
** Notes attached to the alert (click the **Add note** image:images/add-note-icon.png[Add note,15,15] icon to create a new note)

* Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs.

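Review bot: The new "Notes attached to the alert" bullet references `images/add-note-icon.png` for the **Add note** action, while docs/events/add-manage-notes.asciidoc in this same PR uses `images/create-note-icon.png` for the same action; pick one icon file so both pages show the same glyph. While this list is being edited, the neighbouring context line "inherited from rule that generated the alert" is missing an article ("inherited from the rule") and could be fixed in the same hunk.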
Expand Down Expand Up @@ -312,3 +312,13 @@ The **Response** section is located on the **Overview** tab in the right panel.
image::images/response-action-rp.png[Response section of the Overview tab, 50%]


[discrete]
[[expanded-notes-view]]
== Notes

The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert.

TIP: Go to the **Notes** <<manage-notes,page>> to find notes that were added to other alerts.

[role="screenshot"]
image::images/notes-tab-lp.png[Notes tab in the left panel, 70%]
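Review bot: Screenshot widths are inconsistent within this file: the Response image just above is `50%` while the new Notes screenshot is `70%`; align them unless the larger size is deliberate. The TIP also reads awkwardly with only "page" as link text (`Go to the **Notes** <<manage-notes,page>>`); linking the whole phrase "Notes page" would read more naturally.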
Binary file added docs/detections/images/add-note-icon.png
Binary file added docs/detections/images/notes-tab-lp.png
Binary file added docs/detections/notes-page-timeline-details.png
46 changes: 46 additions & 0 deletions docs/events/add-manage-notes.asciidoc
@@ -0,0 +1,46 @@
[[add-manage-notes]]
= Notes

Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page.

NOTE: Configure the `securitySolution:maxUnassociatedNotes` <<max-notes-alerts-events,advanced setting>> to specify the maximum number of notes that you can attach to alerts and events.

[discrete]
[[notes-alerts-events]]
== View and notes to alerts and events

Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (image:images/create-note-icon.png[Add note action,15,15]) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it.

After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert.

[role="screenshot"]
image::images/new-note-alert-event.png[New note added to an alert]

[discrete]
[[notes-timelines]]
== View and add notes to Timelines

IMPORTANT: You can only add notes to saved Timelines.

Open the **Notes** Timeline tab, where you can view existing notes for the Timeline and add new ones. Alternatively, use the details flyout for alerts and events that you're investigating from Timeline. Be aware that notes added this way are automatically attached to the alert or event and the Timeline unless you deselect the **Attach to current Timeline** option.

After notes are created, the **Notes** Timeline tab displays the total number of notes attached to the Timeline.

[role="screenshot"]
image::images/new-note-timeline-tab.png[New note added to a Timeline]

[discrete]
[[manage-notes]]
== Manage all notes

Use the **Notes** page to view and interact with all existing notes. To access the page, navigate to *Investigations* in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **Notes**. From the **Notes** page, you can:

* Search for specific notes
* Filter notes by the user who created them or by the object they're attached to (notes can be attached to alerts, events, or Timelines)
* Examine the contents of a note (click the text in the **Note content** column)
* Delete one or more notes
* Examine the alert or event that a note is attached to (click the image:images/notes-page-document-details.png[Preview alert or event action,15,15] icon)
* Open the Timeline that the note is attached to (click the image:images/notes-page-timeline-details.png[Open Timeline action,15,15] icon)

[role="screenshot"]
image::images/notes-management-page.png[Notes management page]
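Review bot: The Open Timeline icon reference `image:images/notes-page-timeline-details.png[...]` will not resolve: this file lives under docs/events/, but the PR adds that image as docs/detections/notes-page-timeline-details.png (not under an images/ directory, and in the detections tree), whereas its sibling notes-page-document-details.png is correctly added under docs/events/images/. Move the file to docs/events/images/. Three smaller points in the same file: the section title `== View and notes to alerts and events` is missing "add" (the serverless counterpart reads "View and add notes to alerts and events"); the navigation sentence mixes `*Investigations*` with `**Notes**`, so use one bold form; and docs/events/images/add-note-icon.png is added but nothing in this file references it (the flyout action uses create-note-icon.png), so it appears unused.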
Binary file added docs/events/images/add-note-icon.png
Binary file added docs/events/images/create-note-icon.png
Binary file added docs/events/images/new-note-alert-event.png
Binary file added docs/events/images/new-note-timeline-tab.png
Binary file added docs/events/images/notes-management-page.png
Binary file added docs/events/images/notes-page-document-details.png
1 change: 1 addition & 0 deletions docs/events/investigations-index.asciidoc
Expand Up @@ -9,3 +9,4 @@ include::timeline-templates.asciidoc[leveloffset=+2]
include::../detections/visual-event-analyzer.asciidoc[leveloffset=+1]
include::../cloud-native-security/session-view.asciidoc[leveloffset=+1]
include::../osquery/osquery-index.asciidoc[leveloffset=+1]
include::add-manage-notes.asciidoc[leveloffset=+1]
3 changes: 1 addition & 2 deletions docs/events/timeline-ui-overview.asciidoc
Expand Up @@ -72,8 +72,7 @@ You can also modify a Timeline's display in other ways:
* Copy a column name or values to a clipboard
* Change how the name, value, and description of a field are displayed in Timeline
* View the Timeline in full screen mode
* Add or delete notes on individual events
* Add or delete investigation notes on the entire Timeline
* Add or delete <<add-manage-notes,notes>> attached to alerts, events, or Timeline
* Pin interesting events to the Timeline

[discrete]
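Review bot: "attached to alerts, events, or Timeline" is not parallel; "Timelines" (plural, matching the target page's own wording "alerts, events, and Timelines") reads better and matches the two removed bullets it replaces.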
6 changes: 6 additions & 0 deletions docs/getting-started/advanced-setting.asciidoc
Expand Up @@ -179,6 +179,12 @@ By default, Elastic prebuilt rules in the *Rules* and *Rule Monitoring* tables i

The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to <<apply-alert-tags>>.

[discrete]
[[max-notes-alerts-events]]
== Set the maximum notes limit for alerts and events

The `securitySolution:maxUnassociatedNotes` field determines the maximum number of <<add-manage-notes,notes>> that you can attach to alerts and events. The maximum limit and default value is 1000.

[discrete]
[[exclude-cold-frozen-data-rule-executions]]
== Exclude cold and frozen data from rule executions
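Review bot: "The maximum limit and default value is 1000" needs a plural verb ("are both 1000"), and the sentence does not say what 1000 counts: per alert or event, or a total across all such notes. Given the setting is named `securitySolution:maxUnassociatedNotes`, readers will want that scope spelled out, and ideally a sentence on what happens when the limit is reached.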
1 change: 1 addition & 0 deletions docs/serverless/alerts/alerts-ui-manage.mdx
Expand Up @@ -148,6 +148,7 @@ From the Alerts table or the alert details flyout, you can:
* <DocLink slug="/serverless/security/alerts-run-osquery">Run Osquery against an alert</DocLink>
* <DocLink slug="/serverless/security/alerts-manage" section="view-alerts-in-timeline">View alerts in Timeline</DocLink>
* <DocLink slug="/serverless/security/visual-event-analyzer">Visually analyze an alert's process relationships</DocLink>
* <DocLink slug="/serverless/security/add-manage-notes" section="notes-alerts-events">Add notes to alerts</DocLink>

<div id="detection-alert-status"></div>

16 changes: 14 additions & 2 deletions docs/serverless/alerts/view-alert-details.mdx
Expand Up @@ -47,10 +47,10 @@ From the right panel, you can also:
* Find basic details about the alert, such as the:

* Associated rule
* Alert status
* Date and time the alert was created
* Alert status and when the alert was created
* Alert severity and risk score (these are inherited from rule that generated the alert)
* Users assigned to the alert (click the <DocIcon type="plusInCircle" title="Assign alert" /> icon to assign more users)
* Notes attached to the alert (click the <DocIcon type="plusInCircle" title="Add note" /> icon to create a new note)
* Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs.

<div id="preview-panel"></div>
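Review bot: The **Add note** bullet uses `<DocIcon type="plusInCircle" title="Add note" />`, the same icon the line above uses for **Assign alert**, while docs/serverless/investigate/add-manage-notes.mdx in this PR uses `type="editorComment"` for the Add note action. Use whichever icon the UI actually shows in both places so the two serverless pages agree and the two actions are distinguishable.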
Expand Down Expand Up @@ -296,3 +296,15 @@ The expanded Prevalence view provides the following details:
The **Response** section is located on the **Overview** tab in the right panel. It shows <DocLink slug="/serverless/security/rules-create">response actions</DocLink> that were added to the rule associated with the alert. Click **Response** to display the response action's results in the left panel.

<DocImage size="l" url="../images/view-alert-details/-detections-response-action-rp.png" alt="Response section of the Overview tab"/>

<div id="expanded-notes-view"></div>

## Notes

The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert.

<DocCallOut title="Tip">
Go to the **Notes** <DocLink slug="/serverless/security/add-manage-notes" section="manage-notes">page</DocLink> to find notes that were added to other alerts.
</DocCallOut>

<DocImage size="l" url="../images/view-alert-details/-detections-notes-tab-lp.png" alt="Notes tab in the left panel"/>
54 changes: 54 additions & 0 deletions docs/serverless/investigate/add-manage-notes.mdx
@@ -0,0 +1,54 @@
---
slug: /serverless/security/add-manage-notes
title: Notes
description: Create and manage notes for alerts, events, and Timeline.
tags: ["serverless","security","how-to","manage"]
---

<DocBadge template="technical preview" />
<div id="add-manage-notes"></div>

Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page.

<DocCallOut title="Note">
Configure the `securitySolution:maxUnassociatedNotes` <DocLink slug="/serverless/security/advanced-settings" section="max-notes-alerts-events">advanced settings</DocLink> to specify the maximum number of notes that you can attach to alerts and events.
</DocCallOut>

<div id="notes-alerts-events"></div>

## View and add notes to alerts and events

Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (<DocIcon type="editorComment" title="The action that lets you to add a new note" />) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it.

After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert.

<DocImage size="xl" url="../images/notes/-notes-new-note-alert-event.png" alt="New note added to an alert"/>

<div id="notes-timelines"></div>

## View and add notes to Timelines

<DocCallOut title="Important" color="warning">
You can only add notes to saved Timelines.
</DocCallOut>

Open the **Notes** Timeline tab, where you can view existing notes for the Timeline and add new ones. Alternatively, use the details flyout for alerts and events that you're investigating from Timeline. Be aware that notes added this way are automatically attached to the alert or event and the Timeline unless you deselect the **Attach to current Timeline** option.

After notes are created, the **Notes** Timeline tab displays the total number of notes attached to the Timeline.

<DocImage size="xl" url="../images/notes/-notes-new-note-timeline-tab.png" alt="New note added to a Timeline"/>

<div id="manage-notes"></div>

## Manage notes

Use the **Notes** page to view and interact with all existing notes. To access the page, navigate to **Investigations** in the main navigation menu or by using the global search field, then go to **Notes**. From the **Notes** page, you can:

* Search for specific notes
* Filter notes by the user who created them or by the object they're attached to (notes can be attached to alerts, events, or Timelines)
* Examine the contents of a note (select the text in the **Note content** column)
* Delete one or more notes
* Examine the alert or event that a note is attached to (click the <DocIcon type="expand" title="Preview alert or event details action" /> icon)
* Open the Timeline that the note is attached to (click the <DocIcon type="timelineWithArrow" title="Preview alert or event details action" /> icon)

<DocImage size="xl" url="../images/notes/-notes-management-page.png" alt="Notes management page"/>
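Review bot: The Open Timeline icon's title is a copy-paste leftover: `<DocIcon type="timelineWithArrow" title="Preview alert or event details action" />` should read "Open Timeline action", as the asciidoc version does. Smaller nits in the same file: the Add note icon title "The action that lets you to add a new note" should be "lets you add a new note"; the callout says "advanced settings" (plural) for a single setting, where the asciidoc says "advanced setting"; "navigate to **Investigations** in the main navigation menu or by using the global search field" mixes constructions ("or use the global search field"); and the heading "Manage notes" and the wording "select the text" differ from the asciidoc's "Manage all notes" and "click the text" with no evident reason, so it is worth aligning the two sources.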
3 changes: 1 addition & 2 deletions docs/serverless/investigate/timelines-ui.mdx
Expand Up @@ -78,8 +78,7 @@ You can also modify a Timeline's display in other ways:
* Copy a column name or values to a clipboard
* Change how the name, value, or description of a field are displayed in Timeline
* View the Timeline in full screen mode
* Add or delete notes on individual events
* Add or delete investigation notes on the entire Timeline
* Add or delete <DocLink slug="/serverless/security/add-manage-notes">notes</DocLink> attached to alerts, events, or Timeline
* Pin interesting events to the Timeline

<div id="add-remove-timeline-fields"></div>
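Review bot: Same parallelism point as the asciidoc counterpart: "attached to alerts, events, or Timeline" should end in "Timelines" to match the other plural nouns and the linked page's own wording.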
4 changes: 4 additions & 0 deletions docs/serverless/serverless-security.docnav.json
Expand Up @@ -663,6 +663,10 @@
"classic-sources": [ "enSecurityCasesSettings" ]
}
]
},
{
"slug": "/serverless/security/add-manage-notes",
"classic-sources": [ "enSecurityAddManageNotes" ]
}
]
},
4 changes: 4 additions & 0 deletions docs/serverless/settings/advanced-settings.mdx
Expand Up @@ -126,6 +126,10 @@ You can change these settings, which affect the news feed displayed on the
* `securitySolution:newsFeedUrl`: The URL from which the security news feed content is
retrieved.

## Set the maximum notes limit for alerts and events

The `securitySolution:maxUnassociatedNotes` field determines the maximum number of <DocLink slug="/serverless/security/add-manage-notes">notes</DocLink> that you can attach to alerts and events. The maximum limit and default value is 1000.

## Exclude cold and frozen tier data from analyzer queries

Including data from cold and frozen [data tiers](((ref))/data-tiers.html) in <DocLink slug="/serverless/security/visual-event-analyzer">visual event analyzer</DocLink> queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default.
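Review bot: The new section has no `<div id="max-notes-alerts-events"></div>` anchor, yet docs/serverless/investigate/add-manage-notes.mdx links to it with `section="max-notes-alerts-events"`; the other serverless pages touched in this PR place such a div before the heading, and the asciidoc counterpart carries `[[max-notes-alerts-events]]`, so add one here or the link target will not resolve. Same grammar point as the asciidoc: "The maximum limit and default value is 1000" wants "are both 1000", and the sentence should state whether 1000 is per alert/event or a total.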