[DOCS] New page: Detection & Response dashboard (#2085) (#2150)
* First draft

- Create new section: Dashboards
- Move Overview page to new topic within Dashboards
- Create new topic for D&R dashboard

* Update collapse-side-nav-button.gif

* Apply suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Additional suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Update docs/getting-started/security-ui.asciidoc

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Apply suggestions from code review

* Update docs/dashboards/overview-dashboard.asciidoc

* Apply suggestions from Janeen's review

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
(cherry picked from commit 0619d16)

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
mergify[bot] and joepeeples authored Jun 26, 2022

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent 1b44eda commit 10da804
Showing 7 changed files with 105 additions and 31 deletions.
9 changes: 9 additions & 0 deletions docs/dashboards/dashboards-overview.asciidoc
@@ -0,0 +1,9 @@
[[dashboards-overview]]

= Dashboards

The following sections describe the {security-app}'s prebuilt dashboards, which provide visualizations of your security environment.

include::overview-dashboard.asciidoc[leveloffset=+1]

include::detection-response-dashboard.asciidoc[leveloffset=+1]
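Review bot: the blank line between `[[dashboards-overview]]` and `= Dashboards` detaches the anchor from the title. Asciidoctor binds a block anchor only to the block that immediately follows it, so the `dashboards-overview` id may end up attached to nothing and any `<<dashboards-overview>>` xref would then fail to resolve. The other two new files in this commit place the anchor directly above the heading; do the same here.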
40 changes: 40 additions & 0 deletions docs/dashboards/detection-response-dashboard.asciidoc
@@ -0,0 +1,40 @@
[[detection-response-dashboard]]
= Detection & Response dashboard

The Detection & Response dashboard provides focused visibility into the day-to-day operations of your security environment. It helps security operations managers and analysts quickly monitor recent and high priority detection alerts and cases, and identify the hosts and users associated with alerts.

[role="screenshot"]
image::detections/images/detection-response-dashboard.png[Overview of Detection & Response dashboard]

Interact with various dashboard elements:

* Use the date and time picker in the upper-right to specify a time range for displaying information on the dashboard.

* In sections that list alert counts, click a number to investigate those alerts in Timeline.

* Click the name of a detection rule, case, host, or user to open its details page.

The following sections are included:

[width="100%",cols="s,"]
|==============================================

|Alerts
|The total number of detection alerts generated within the time range, organized by status and severity. Select *View alerts* to open the Alerts page.

|Cases
|The total number of cases created within the time range, organized by status. Select *View cases* to open the Cases page.

|Open alerts by rule
|The top four detection rules with open alerts, organized by the severity and number of alerts for each rule. Select *View all open alerts* to open the Alerts page.

|Recently created cases
|The four most recently created cases. Select *View recent cases* to open the Cases page.

|Hosts by alert severity
|The hosts generating detection alerts within the time range, organized by the severity and number of alerts. Shows up to 100 hosts.

|Users by alert severity
|The users generating detection alerts within the time range, organized by the severity and number of alerts. Shows up to 100 users.

|==============================================
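Review bot: the screenshot is referenced as `detections/images/detection-response-dashboard.png`, while the sibling page in the same directory uses `images/overview-pg.png`; both macros resolve against the same image base, so please confirm the new PNG is really committed under `detections/images/` (the changed-files list contains one binary that could not be rendered) or move it next to the other dashboard screenshots so the two new pages follow one convention.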
42 changes: 42 additions & 0 deletions docs/dashboards/overview-dashboard.asciidoc
@@ -0,0 +1,42 @@
[[overview-dashboard]]
= Overview dashboard

The Overview dashboard provides a high-level snapshot of detections, external alerts, and event trends. It helps you assess overall system health and find anomalies that may require further investigation.

image::images/overview-pg.png[Overview dashboard]

[discrete]
== Live feed

The live feed on the Overview dashboard helps you quickly access recently created cases, favorited Timelines, and the latest {elastic-sec} news.

TIP: The *Security news* section provides the latest {elastic-sec} news to help you stay informed of new developments, learn about {elastic-sec} features, and more.

image::images/live-feed-ov-page.png[Overview dashboard with live feed section highlighted]

[discrete]
== Histograms

Time-based histograms show the number of detections, alerts, and events that have occurred within the selected time range. To focus on a particular time, click and drag to select a time range, or choose a preset value. The *Stack by* menu lets you select which field is used to organize the data. For example, in the Detection alert trend histogram, stack by `kibana.alert.rule.name` to display alert counts by rule name within the specified time frame.

TIP: Many {elastic-sec} histograms, graphs, and tables contain an *Inspect* button so you can examine the {es} queries used to retrieve data throughout the app.

[discrete]
== Host and network events

View event and host counts grouped by data source, such as *Auditbeat* or *{endpoint-cloud-sec}*. Expand a category to view specific counts of host or network events from the selected source.

[role="screenshot"]
image::images/events-count.png[Host and network events on the Overview dashboard]

[discrete]
== Threat Intelligence

The Threat Intelligence view on the Overview dashboard provides streamlined threat intelligence data for threat detection and matching.

The view shows the total number of ingested threat indicators, enabled threat intelligence sources, and ingested threat indicators per source. To visualize the ingested threat indicator data, click the *Source* link for a threat intelligence source.

NOTE: For more information about connecting to threat intelligence sources, visit <<es-threat-intel-integrations, Enable threat intelligence integrations>>.

[role="screenshot"]
image::images/threat-intelligence-view.png[width=65%][height=65%][Threat Intelligence view on the Overview dashboard]
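Review bot: `image::images/threat-intelligence-view.png[width=65%][height=65%][Threat Intelligence view on the Overview dashboard]` is not a well-formed block image macro. Asciidoctor takes a single bracketed attribute list, so the trailing `][` groups are swallowed into the `width` value and the alt text is lost. Use one list: `image::images/threat-intelligence-view.png[Threat Intelligence view on the Overview dashboard,width=65%,height=65%]`. The form was carried over from the old Overview page, but this move is the right moment to fix it. For consistency with the last two images in this file, also put `[role="screenshot"]` above `image::images/overview-pg.png[Overview dashboard]` and `image::images/live-feed-ov-page.png[...]`.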
Binary file modified docs/getting-started/images/collapse-side-nav-button.gif
43 changes: 12 additions & 31 deletions docs/getting-started/security-ui.asciidoc
@@ -25,6 +25,7 @@ The {security-app} contains the following pages that enable analysts to view, an

* Get started
* Overview
* Detection & Response
* Alerts
* Rules
* Exception lists
@@ -40,7 +41,9 @@ The {security-app} contains the following pages that enable analysts to view, an
* Host isolation exceptions
* Blocklist

Pages are grouped into four main sections within the navigation pane:
Pages are grouped into these main sections within the navigation pane:

* *Dashboards*: Visualize detections, investigations, and event trends across your environment.

* *Detect*: View, create, and manage alerts, rules, and rule exceptions.

@@ -65,42 +68,20 @@ image::images/getting-started-pg.png[Shows the Get started page]

[float]
[[overview-ui]]
=== Overview page

The Overview page provides a high-level snapshot view of detections, external alerts, and event trends. These trends are useful to assess overall system health and find anomalies that may require further investigation.

image::images/overview-pg.png[Shows the Overview page]

From the live feed on the *Overview* page, you can quickly access recently created cases, favorited timelines, and the latest {elastic-sec} news.

TIP: The *Security news* section provides you with the latest {elastic-sec} news to stay informed on new developments, learn about {elastic-sec} features, and more.

image::images/live-feed-ov-page.png[Shows the Overview page]

*Histograms*
=== Overview dashboard

Time-based histograms show you the number of detections, alerts, and events that have occurred within the selected time range. To focus on areas of interest in time-based histograms, select a region to reflect a date range, or select a preset value in the timepicker. In the **Stack by** dropdown, you can select specific parameters to visualize individual counts. For example, in the Detection alert trend histogram, stack by `kibana.alert.rule.name` to display the total counts by alert name within the specified time frame.
The Overview dashboard provides a high-level snapshot of detections, external alerts, and event trends. It can help you assess overall system health and find anomalies that may require further investigation. Refer to <<overview-dashboard, Overview dashboard>> for more information.

TIP: All Elastic Security histograms, graphs, and tables contain an **Inspect** button so you can examine the {es} queries used to retrieve data throughout
the app.
image::images/overview-pg.png[Overview dashboard]

*Host and network events*

View event and host counts specific to Elastic data shippers and apps, such as **Auditbeats** or **Elastic {endpoint-cloud-sec}**. Expand each category to view specific counts of hosts or network events related to the selected category.

[role="screenshot"]
image::images/events-count.png[Shows host and network events on the Overview page]

*Threat Intelligence*

The Threat Intelligence view on the Overview page provides a streamlined way to collect threat intelligence data for threat detection and matching.

The view shows the total number of ingested threat indicators, enabled threat intelligence sources, and ingested threat indicators per source. To visualize the ingested threat indicator data, click the *Source* link for a threat intelligence source.
[float]
[[detection-response-dashboard-ui]]
=== Detection & Response dashboard

NOTE: For more information about connecting to threat intelligence sources, visit <<es-threat-intel-integrations, Enable threat intelligence integrations>>.
The Detection & Response dashboard provides focused visibility into the day-to-day operations of your security environment. It helps security operations managers and analysts quickly monitor recent and high priority detection alerts and cases, and identify the hosts and users associated with alerts. Refer to <<detection-response-dashboard, Detection & Response dashboard>> for more information.

[role="screenshot"]
image::images/threat-intelligence-view.png[width=65%][height=65%][Shows the Threat Intelligence view on the Overview page]
image::detections/images/detection-response-dashboard.png[Overview of Detection & Response dashboard]

[float]
[[detection-engine-ui]]
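Review bot: the two summary paragraphs (`The Overview dashboard provides a high-level snapshot ...` and `The Detection & Response dashboard provides focused visibility ...`) are copied verbatim from the new dashboard pages, so they will drift the next time either page is edited; trim each to a single sentence plus the xref, or pull the text in with an `include::` so there is one source. Separately, after the deletions verify that `[[overview-ui]]` still sits directly above `=== Overview dashboard` with no blank line between them; any blank line left behind detaches the anchor from the heading.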
2 changes: 2 additions & 0 deletions docs/index.asciidoc
@@ -27,6 +27,8 @@ include::getting-started/index.asciidoc[]

include::getting-started/security-ui.asciidoc[]

include::dashboards/dashboards-overview.asciidoc[]

include::getting-started/explore-intro.asciidoc[]

include::detections/detections-index.asciidoc[]
