[8.15] [8.15 & Serverless] Update the Security Timeline Documentation…

… in accordance with new Unified Timeline changes (backport #5505) (#5596) * [8.15 & Serverless] Update the Security Timeline Documentation in accordance with new Unified Timeline changes (#5505) * First draft * Fix broken image ref * Runtime fields * Updated timeline schema * fixed file ext * Updates Serverless Timeline docs * Second batch of Serverless updates * Fixed typos * Fixed syntax and image ref * Made images larger * One more update to size * Update docs/serverless/investigate/timelines-ui.mdx Co-authored-by: Jatin Kathuria <[email protected]> * Update docs/events/timeline-ui-overview.asciidoc Co-authored-by: Jatin Kathuria <[email protected]> * Fixed serverless section * Minor edits * More input from dev review * Updating list in serverless docs * Updating images for corr tab and temps * Update docs/events/timeline-ui-overview.asciidoc Co-authored-by: natasha-moore-elastic <[email protected]> * Update docs/events/timeline-ui-overview.asciidoc Co-authored-by: natasha-moore-elastic <[email protected]> * Update docs/events/timeline-ui-overview.asciidoc Co-authored-by: natasha-moore-elastic <[email protected]> * Nat's edits * Renamed image for timeline template * Corrected file name one more time --------- Co-authored-by: Jatin Kathuria <[email protected]> Co-authored-by: natasha-moore-elastic <[email protected]> (cherry picked from commit 1fe3f9e) # Conflicts: # docs/serverless/explore/runtime-fields.mdx # docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline.png # docs/serverless/images/timeline-object-schema/-reference-timeline-object-ui.png # docs/serverless/images/timelines-ui/-events-correlation-tab-eql-query.png # docs/serverless/images/timelines-ui/-events-timeline-ui-filter-options.png # docs/serverless/images/timelines-ui/-events-timeline-ui-renderer.png # docs/serverless/images/timelines-ui/-events-timeline-ui-updated.png # docs/serverless/investigate/timeline-templates-ui.mdx # docs/serverless/investigate/timelines-ui.mdx * Delete docs/serverless directory and its contents --------- Co-authored-by: Nastasha Solomon <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
elastic · Jul 23, 2024 · 7ee0b1d · 7ee0b1d
1 parent 8048133
commit 7ee0b1d
Show file tree

Hide file tree

Showing 16 changed files with 24 additions and 10 deletions.
diff --git a/docs/detections/images/ig-timeline.png b/docs/detections/images/ig-timeline.png
diff --git a/docs/events/images/add-field-button.png b/docs/events/images/add-field-button.png
diff --git a/docs/events/images/correlation-tab-eql-query.png b/docs/events/images/correlation-tab-eql-query.png
diff --git a/docs/events/images/create-a-timeline-filter.png b/docs/events/images/create-a-timeline-filter.png
diff --git a/docs/events/images/create-a-timeline-template-field.png b/docs/events/images/create-a-timeline-template-field.png
diff --git a/docs/events/images/customize-event-renderers.png b/docs/events/images/customize-event-renderers.png
diff --git a/docs/events/images/remove-field-button.png b/docs/events/images/remove-field-button.png
diff --git a/docs/events/images/timeline-sidebar.png b/docs/events/images/timeline-sidebar.png
diff --git a/docs/events/images/timeline-ui-filter-options.png b/docs/events/images/timeline-ui-filter-options.png
diff --git a/docs/events/images/timeline-ui-renderer.png b/docs/events/images/timeline-ui-renderer.png
diff --git a/docs/events/images/timeline-ui-updated.png b/docs/events/images/timeline-ui-updated.png
diff --git a/docs/events/timeline-templates.asciidoc b/docs/events/timeline-templates.asciidoc
@@ -84,7 +84,7 @@ filter (refer to <<pivot>>).
 * *Add template field*: Add a template filter with a value placeholder.
 +
 [role="screenshot"]
-image::images/create-a-timeline-filter.png[Shows an example of a Timeline filter]
+image::images/create-a-timeline-template-field.png[Shows an example of a Timeline template]
 +
 TIP: You can also drag and send items to the template from the *Overview*,
 *Hosts*, *Network*, and *Alerts* pages.

diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc
@@ -55,8 +55,7 @@ To further inspect an event or detection alert, click the *View details* button.
 == Configure Timeline event context and display
 
 Many types of events automatically appear in preconfigured views that provide relevant
-contextual information, called *Event Renderers*. You can display and turn them on or off
-with the Settings menu in the upper left corner of the results pane:
+contextual information, called *Event renderers*. All event renderers are turned off by default. To turn them on, use the **Event renderers** toggle at the top of the results pane. To only turn on specific event renderers, click the gear (image:images/customize-event-renderers.png[The customize event renderer button,20,20]) icon next to the toggle, and select the ones you want enabled. Close the **Customize event renderers** pane when you're done. Your changes are automatically applied to Timeline.
 
 [role="screenshot"]
 image::images/timeline-ui-renderer.png[example timeline with the event renderer highlighted]
@@ -67,13 +66,27 @@ interests you, you can drag it up to the drop zone below the query bar for furth
 
 You can also modify a Timeline's display in other ways:
 
-* Add, remove, reorder, or resize columns
-* Create <<runtime-fields,runtime fields>> and display them in the Timeline
+* <<add-remove-timeline-fields,Add and remove fields>> from Timeline
+* Create <<runtime-fields,runtime fields>> and display them in Timeline
+* Reorder and resize columns
+* Copy a column name or values to a clipboard 
+* Change how the name, value, and description of a field are displayed in Timeline
 * View the Timeline in full screen mode
 * Add or delete notes on individual events
 * Add or delete investigation notes on the entire Timeline
 * Pin interesting events to the Timeline
 
+[discrete]
+[[add-remove-timeline-fields]]
+== Add and remove fields from Timeline
+
+The Timeline table shows fields that are available for alerts and events in the selected data view. You can modify the table to display fields that interest you. Use the sidebar to search for specific fields or scroll through it to find fields of interest. Fields that you select display as columns in the table.
+
+To add a field from the sidebar, hover over it, and click the **Add field as a column** button (image:images/add-field-button.png[The button that lets you to add a field as a column,20,20]), or drag and drop the field into the table. To remove a field, hover over it, and click the **Remove field as a column** button (image:images/remove-field-button.png[The button that lets you to remove a field as a column,20,20]). 
+
+[role="screenshot"]
+image::images/timeline-sidebar.png[Shows the sidebar that allows you to configure the columns that display in Timeline]
+
 [discrete]
 [[narrow-expand]]
 == Use the Timeline query builder

diff --git a/docs/reference/images/create-runtime-fields-timeline.png b/docs/reference/images/create-runtime-fields-timeline.png
diff --git a/docs/reference/images/timeline-object-ui.png b/docs/reference/images/timeline-object-ui.png
diff --git a/docs/reference/runtime-fields.asciidoc b/docs/reference/runtime-fields.asciidoc
@@ -11,16 +11,17 @@ To create a runtime field:
 
 . Go to a page that lists alerts or events (for example, *Alerts* or *Timelines* -> *_Name of Timeline_*).
 
-. Click the *Fields* toolbar button in the table's upper-left. The *Fields* browser opens.
+. Do one of the following:
+** In the Alerts table, click the *Fields* toolbar button in the table's upper-left. From the *Fields* browser, click *Create field*. The *Create field* flyout opens.
 +
 [role="screenshot"]
 image::images/fields-browser.png[Fields browser]
-
-. Click *Create field*. The *Create field* flyout opens.
++
+** In Timeline, go to the bottom of the sidebar, then click *Add a field*. The *Create field* flyout opens.
 +
 [role="screenshot"]
-image::images/create-field-flyout.png[Create field flyout]
-
+image::images/create-runtime-fields-timeline.png[Create runtime fields button in Timeline]
++
 . Enter a *Name* for the new field.
 
 . Select a *Type* for the field's data type.