[DOCS] Threat Intelligence - Indicators Page and Indicator Details

[dhru42]

Description

With the work done over the last few release cycles:

• users can now find all indicators from activated threat intelligence integrations/data sources in the Intelligence left-hand navigation. Once the user clicks on the Intelligence left-hand nav, they can see a centralized view of all IoCs reported from their TI feeds which allows for filtering, sorting, searching, adding to timeline, and more. (Epic)
• From the Indicators page, the user can click on any Indicator and view more Details on the Indicator Details (flyout). The Indicator details flyout displays an overview tab, table tab, and JSON tab which the user can switch through to get more insight about the IoC. (Epic)
• From either the main indicators page or Indicator details flyout, the user can also click on Investigate in Timeline button which adds the threat index value (threat.indicator.file.hash.sha256 = "c207213257a63589b1e1bd2f459b47becd000c1af8ea7983dd9541aff145c3ba") along with the associated value in the source index (file.hash.sha256 = "c207213257a63589b1e1bd2f459b47becd000c1af8ea7983dd9541aff145c3ba") into a new timeline. The goal with this functionality is so the user can easily find any matched activity within their environment, along with any alerts and other events that may have triggered. (Epic)

Definitions

What is Threat Intelligence?
Threat Intelligence is a research function that sits within the security operation center who is responsible for understanding current and emerging threats and recommending actions against these threats to protect their organizations.

What are IoCs?
An Indicator of Compromise - or IoC in short - is a document, a piece of information, that represents a known malicious threat or reported vulnerability. There are different types of IoCs, for example, URL, file, domain, email address, etc…

Acceptance Test Criteria

• Please create public-facing documentation for elastic security users
• Please add this to the new functionality in the 8.5 release notes

Notes

• This functionality is only available for Enterprise license tier

[maxcold]

here is the list of PRs related to the work described in the description. The PRs span between 8.4 and 8.5 as in 8.4 the features were under the feature flag but there was no mention of them in the release notes. In parenthesis my comments to extend on the PR title, happy to elaborate more if needed. Now the question is what is the good way to tag the PRs for the best representation in the release notes, especially when it comes to feature vs enhancement tagging

• [TIP] Add new Threat intelligence plugin kibana#136479 [TIP] Add new Threat intelligence plugin (initial PR to bring the Indicators data grid and Indicator's fly out)
• [TIP] Add KQL bar (#137178) kibana#137711 [TIP] Add KQL bar (add search and filter capabilities to Indicators page)
• [TIP] Add barchart summary to Indicators page kibana#137308 [TIP] Add barchart summary to Indicators page (add barchart visualisation to Indicators page)
• [TIP] Add to timeline kibana#138836 [TIP] Add to timeline (capability to add fields from indicator documents to Timelines)
• [TIP] Add field browser kibana#138882 [TIP] Add field browser (enable users to manage columns in indicators data grid with the Field browser)
• Filter in out kibana#139616 Filter in out (capability to use fields from indicator documents as filters in KQL search bar)
• [TIP] Preserve indicator grid state kibana#139696 [TIP] Preserve indicator grid state (columns and sorting applied in the Indicators data grid is persistet in a browser)
• [TIP] Compute Indicator Names with ES runtime fields kibana#139814 [TIP] Compute Indicator Names with ES runtime fields (introducing threat.indicator.name as a runtime field while not available in ECS)
• [TIP] Add Indicator Overview tab kibana#140073 [TIP] Add Indicator Overview tab (add Overview tab to Indicator details fly out with the most useful fields highlighted)
• [TIP] Investigate in timeline kibana#140496 [TIP] Investigate in timeline (capability to pivot from Indicators view to Timeline and investigate an indicator and related alerts and source documents)
• [TIP] Add sorting capabilities to Indicators Table kibana#140582 [TIP] Add sorting capabilities to Indicators Table (enable sorting in Indicators data gird)
• [TIP] Add inspect capability for barchart and grid requests kibana#140810 [TIP] Add inspect capability for barchart and grid requests (enable Inspect the requests made on Indicators page)

[maxcold]

btw as far as I understand the PRs that we merged in 8.4 won't be picked up by the automation for 8.5 release notes. How do we go about it?

[maxcold]

I tagged all the 8.5 PRs with Team:SecuritySolution and with a proper release_note label. But we also need feature release notes for the new Intelligence feature itself, which we introduced in 8.4 but behind a feature flag without any release notes. Maybe it makes sense to use this PR elastic/kibana#141117 where we remove the feature flag and going GA for the main "new Intelligence page" feature release note. I marked it accordingly.