diff --git a/docs/detections/images/ig-timeline.png b/docs/detections/images/ig-timeline.png index 62510c92a1..706891bb91 100644 Binary files a/docs/detections/images/ig-timeline.png and b/docs/detections/images/ig-timeline.png differ diff --git a/docs/events/images/add-field-button.png b/docs/events/images/add-field-button.png new file mode 100644 index 0000000000..42d1afe44f Binary files /dev/null and b/docs/events/images/add-field-button.png differ diff --git a/docs/events/images/correlation-tab-eql-query.png b/docs/events/images/correlation-tab-eql-query.png index 0364d4b18a..2c2a104489 100644 Binary files a/docs/events/images/correlation-tab-eql-query.png and b/docs/events/images/correlation-tab-eql-query.png differ diff --git a/docs/events/images/create-a-timeline-filter.png b/docs/events/images/create-a-timeline-filter.png deleted file mode 100644 index e1a44f98e6..0000000000 Binary files a/docs/events/images/create-a-timeline-filter.png and /dev/null differ diff --git a/docs/events/images/create-a-timeline-template-field.png b/docs/events/images/create-a-timeline-template-field.png new file mode 100644 index 0000000000..6b2fd0ea1c Binary files /dev/null and b/docs/events/images/create-a-timeline-template-field.png differ diff --git a/docs/events/images/customize-event-renderers.png b/docs/events/images/customize-event-renderers.png new file mode 100644 index 0000000000..ece9382fff Binary files /dev/null and b/docs/events/images/customize-event-renderers.png differ diff --git a/docs/events/images/remove-field-button.png b/docs/events/images/remove-field-button.png new file mode 100644 index 0000000000..f5e272fe8a Binary files /dev/null and b/docs/events/images/remove-field-button.png differ diff --git a/docs/events/images/timeline-sidebar.png b/docs/events/images/timeline-sidebar.png new file mode 100644 index 0000000000..2c4152ffeb Binary files /dev/null and b/docs/events/images/timeline-sidebar.png differ 
diff --git a/docs/events/images/timeline-ui-filter-options.png b/docs/events/images/timeline-ui-filter-options.png index a2ea83a41d..e3aeddcec9 100644 Binary files a/docs/events/images/timeline-ui-filter-options.png and b/docs/events/images/timeline-ui-filter-options.png differ diff --git a/docs/events/images/timeline-ui-renderer.png b/docs/events/images/timeline-ui-renderer.png index 4bee454b14..e799fe2236 100644 Binary files a/docs/events/images/timeline-ui-renderer.png and b/docs/events/images/timeline-ui-renderer.png differ diff --git a/docs/events/images/timeline-ui-updated.png b/docs/events/images/timeline-ui-updated.png index 5835911d8a..4149116feb 100644 Binary files a/docs/events/images/timeline-ui-updated.png and b/docs/events/images/timeline-ui-updated.png differ diff --git a/docs/events/timeline-templates.asciidoc b/docs/events/timeline-templates.asciidoc index 69019cf2f1..0505c85018 100644 --- a/docs/events/timeline-templates.asciidoc +++ b/docs/events/timeline-templates.asciidoc @@ -84,7 +84,7 @@ filter (refer to <>). * *Add template field*: Add a template filter with a value placeholder. + [role="screenshot"] -image::images/create-a-timeline-filter.png[Shows an example of a Timeline filter] +image::images/create-a-timeline-template-field.png[Shows an example of a Timeline template] + TIP: You can also drag and send items to the template from the *Overview*, *Hosts*, *Network*, and *Alerts* pages. diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index eb638efb5e..5897da6b85 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -55,8 +55,7 @@ To further inspect an event or detection alert, click the *View details* button. == Configure Timeline event context and display Many types of events automatically appear in preconfigured views that provide relevant -contextual information, called *Event Renderers*. You can display and turn them on or off -with the Settings menu in the upper left corner of the results pane: +contextual information, called *Event renderers*. All event renderers are turned off by default. To turn them on, use the **Event renderers** toggle at the top of the results pane. To only turn on specific event renderers, click the gear (image:images/customize-event-renderers.png[The customize event renderer button,20,20]) icon next to the toggle, and select the ones you want enabled. Close the **Customize event renderers** pane when you're done. Your changes are automatically applied to Timeline. [role="screenshot"] image::images/timeline-ui-renderer.png[example timeline with the event renderer highlighted] 
@@ -67,13 +66,27 @@ interests you, you can drag it up to the drop zone below the query bar for furth You can also modify a Timeline's display in other ways: -* Add, remove, reorder, or resize columns -* Create <> and display them in the Timeline +* <> from Timeline +* Create <> and display them in Timeline +* Reorder and resize columns +* Copy a column name or values to a clipboard +* Change how the name, value, and description of a field are displayed in Timeline * View the Timeline in full screen mode * Add or delete notes on individual events * Add or delete investigation notes on the entire Timeline * Pin interesting events to the Timeline +[discrete] +[[add-remove-timeline-fields]] +== Add and remove fields from Timeline + +The Timeline table shows fields that are available for alerts and events in the selected data view. You can modify the table to display fields that interest you. Use the sidebar to search for specific fields or scroll through it to find fields of interest. Fields that you select display as columns in the table. + +To add a field from the sidebar, hover over it, and click the **Add field as a column** button (image:images/add-field-button.png[The button that lets you to add a field as a column,20,20]), or drag and drop the field into the table. To remove a field, hover over it, and click the **Remove field as a column** button (image:images/remove-field-button.png[The button that lets you to remove a field as a column,20,20]). + +[role="screenshot"] +image::images/timeline-sidebar.png[Shows the sidebar that allows you to configure the columns that display in Timeline] + [discrete] [[narrow-expand]] == Use the Timeline query builder diff --git a/docs/reference/images/create-runtime-fields-timeline.png b/docs/reference/images/create-runtime-fields-timeline.png new file mode 100644 index 0000000000..14b95f85c0 Binary files /dev/null and b/docs/reference/images/create-runtime-fields-timeline.png differ 
diff --git a/docs/reference/images/timeline-object-ui.png b/docs/reference/images/timeline-object-ui.png index b7ebfe0268..46024aaae5 100644 Binary files a/docs/reference/images/timeline-object-ui.png and b/docs/reference/images/timeline-object-ui.png differ diff --git a/docs/reference/runtime-fields.asciidoc b/docs/reference/runtime-fields.asciidoc index 40255601d4..c27a1ccce7 100644 --- a/docs/reference/runtime-fields.asciidoc +++ b/docs/reference/runtime-fields.asciidoc @@ -11,16 +11,17 @@ To create a runtime field: . Go to a page that lists alerts or events (for example, *Alerts* or *Timelines* -> *_Name of Timeline_*). -. Click the *Fields* toolbar button in the table's upper-left. The *Fields* browser opens. +. Do one of the following: +** In the Alerts table, click the *Fields* toolbar button in the table's upper-left. From the *Fields* browser, click *Create field*. The *Create field* flyout opens. + [role="screenshot"] image::images/fields-browser.png[Fields browser] - -. Click *Create field*. The *Create field* flyout opens. ++ +** In Timeline, go to the bottom of the sidebar, then click *Add a field*. The *Create field* flyout opens. + [role="screenshot"] -image::images/create-field-flyout.png[Create field flyout] - +image::images/create-runtime-fields-timeline.png[Create runtime fields button in Timeline] ++ . Enter a *Name* for the new field. . Select a *Type* for the field's data type.
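Review bot: in the docs/events/timeline-templates.asciidoc hunk the new alt text "Shows an example of a Timeline template" does not match what the screenshot is for: the bullet it follows is *Add template field* and the renamed file is create-a-timeline-template-field.png, so "Shows an example of a Timeline template field" would be the accurate description.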
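Review bot: the rewritten event-renderers paragraph in docs/events/timeline-ui-overview.asciidoc (hunk @@ -55,8) mixes bold styles in one paragraph: `*Event renderers*` in the first sentence, then `**Event renderers**` and `**Customize event renderers**`, while the unchanged context in the same file uses single asterisks (`*View details*`). Use `*...*` throughout. The removed sentence also said renderers can be turned "on or off" from the Settings menu, whereas the new text only explains how to turn them on; if the toggle at the top of the results pane also turns them off, say so in that sentence, e.g. "To turn them all on or off, use the *Event renderers* toggle at the top of the results pane."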
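Review bot: in the new "Add and remove fields from Timeline" section (docs/events/timeline-ui-overview.asciidoc, hunk @@ -67,13) the inline-image alt text has a grammar slip twice, "The button that lets you to add a field as a column" and "... lets you to remove a field as a column"; drop the "to". The same sentence bolds the button labels as `**Add field as a column**` and `**Remove field as a column**`, again with double asterisks where the file otherwise uses single. In the updated bullet list, "Copy a column name or values to a clipboard" should read "to the clipboard", and since the old bullet "Add, remove, reorder, or resize columns" was split into an xref bullet plus "Reorder and resize columns", confirm the xref in the first new bullet points at the `add-remove-timeline-fields` anchor that this hunk defines.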
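Review bot: the docs/reference/runtime-fields.asciidoc hunk removes this file's reference to `images/create-field-flyout.png` but does not delete the image, unlike `create-a-timeline-filter.png` earlier in the same diff; check whether any other page still includes it and remove it if not, so the repo does not keep an orphaned screenshot. Also, the two new second-level bullets are keyed to "In the Alerts table" and "In Timeline" while step 1 still refers to the pages as *Alerts* and *Timelines* -> *_Name of Timeline_*; bolding *Alerts* in the first bullet would keep the labels consistent, and the new screenshot's alt text "Create runtime fields button in Timeline" should name the button as the sentence above it does (*Add a field*).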