diff --git a/docs/dashboards/dashboards-overview.asciidoc b/docs/dashboards/dashboards-overview.asciidoc new file mode 100644 index 0000000000..dca601fa2b --- /dev/null +++ b/docs/dashboards/dashboards-overview.asciidoc @@ -0,0 +1,9 @@ +[[dashboards-overview]] + += Dashboards + +The following sections describe the {security-app}'s prebuilt dashboards, which provide visualizations of your security environment. + +include::overview-dashboard.asciidoc[leveloffset=+1] + +include::detection-response-dashboard.asciidoc[leveloffset=+1] diff --git a/docs/dashboards/detection-response-dashboard.asciidoc b/docs/dashboards/detection-response-dashboard.asciidoc new file mode 100644 index 0000000000..79fa7e3505 --- /dev/null +++ b/docs/dashboards/detection-response-dashboard.asciidoc 
@@ -0,0 +1,40 @@ +[[detection-response-dashboard]] += Detection & Response dashboard + +The Detection & Response dashboard provides focused visibility into the day-to-day operations of your security environment. It helps security operations managers and analysts quickly monitor recent and high priority detection alerts and cases, and identify the hosts and users associated with alerts. + +[role="screenshot"] +image::detections/images/detection-response-dashboard.png[Overview of Detection & Response dashboard] + +Interact with various dashboard elements: + +* Use the date and time picker in the upper-right to specify a time range for displaying information on the dashboard. + +* In sections that list alert counts, click a number to investigate those alerts in Timeline. + +* Click the name of a detection rule, case, host, or user to open its details page. + +The following sections are included: + +[width="100%",cols="s,"] +|============================================== + +|Alerts +|The total number of detection alerts generated within the time range, organized by status and severity. Select *View alerts* to open the Alerts page. + +|Cases +|The total number of cases created within the time range, organized by status. Select *View cases* to open the Cases page. + +|Open alerts by rule +|The top four detection rules with open alerts, organized by the severity and number of alerts for each rule. Select *View all open alerts* to open the Alerts page. + +|Recently created cases +|The four most recently created cases. Select *View recent cases* to open the Cases page. + +|Hosts by alert severity +|The hosts generating detection alerts within the time range, organized by the severity and number of alerts. Shows up to 100 hosts. + +|Users by alert severity +|The users generating detection alerts within the time range, organized by the severity and number of alerts. Shows up to 100 users. + +|============================================== 
diff --git a/docs/dashboards/overview-dashboard.asciidoc b/docs/dashboards/overview-dashboard.asciidoc new file mode 100644 index 0000000000..49bfbf7d69 --- /dev/null +++ b/docs/dashboards/overview-dashboard.asciidoc 
@@ -0,0 +1,42 @@ +[[overview-dashboard]] += Overview dashboard + +The Overview dashboard provides a high-level snapshot of detections, external alerts, and event trends. It helps you assess overall system health and find anomalies that may require further investigation. + +image::images/overview-pg.png[Overview dashboard] + +[discrete] +== Live feed + +The live feed on the Overview dashboard helps you quickly access recently created cases, favorited Timelines, and the latest {elastic-sec} news. + +TIP: The *Security news* section provides the latest {elastic-sec} news to help you stay informed of new developments, learn about {elastic-sec} features, and more. + +image::images/live-feed-ov-page.png[Overview dashboard with live feed section highlighted] + +[discrete] +== Histograms + +Time-based histograms show the number of detections, alerts, and events that have occurred within the selected time range. To focus on a particular time, click and drag to select a time range, or choose a preset value. The *Stack by* menu lets you select which field is used to organize the data. For example, in the Detection alert trend histogram, stack by `kibana.alert.rule.name` to display alert counts by rule name within the specified time frame. + +TIP: Many {elastic-sec} histograms, graphs, and tables contain an *Inspect* button so you can examine the {es} queries used to retrieve data throughout the app. + +[discrete] +== Host and network events + +View event and host counts grouped by data source, such as *Auditbeat* or *{endpoint-cloud-sec}*. Expand a category to view specific counts of host or network events from the selected source. + +[role="screenshot"] +image::images/events-count.png[Host and network events on the Overview dashboard] + +[discrete] +== Threat Intelligence + +The Threat Intelligence view on the Overview dashboard provides streamlined threat intelligence data for threat detection and matching. 
+ +The view shows the total number of ingested threat indicators, enabled threat intelligence sources, and ingested threat indicators per source. To visualize the ingested threat indicator data, click the *Source* link for a threat intelligence source. + +NOTE: For more information about connecting to threat intelligence sources, visit <<es-threat-intel-integrations, Enable threat intelligence integrations>>. + +[role="screenshot"] +image::images/threat-intelligence-view.png[width=65%][height=65%][Threat Intelligence view on the Overview dashboard] diff --git a/docs/detections/images/detection-response-dashboard.png b/docs/detections/images/detection-response-dashboard.png new file mode 100644 index 0000000000..ae2e9cd18f Binary files /dev/null and b/docs/detections/images/detection-response-dashboard.png differ diff --git a/docs/getting-started/images/collapse-side-nav-button.gif b/docs/getting-started/images/collapse-side-nav-button.gif index b5940524ed..f80b00186f 100644 Binary files a/docs/getting-started/images/collapse-side-nav-button.gif and b/docs/getting-started/images/collapse-side-nav-button.gif differ diff --git a/docs/getting-started/security-ui.asciidoc b/docs/getting-started/security-ui.asciidoc index 38cfc82149..ee99c713d0 100644 --- a/docs/getting-started/security-ui.asciidoc +++ b/docs/getting-started/security-ui.asciidoc @@ -25,6 +25,7 @@ The {security-app} contains the following pages that enable analysts to view, an * Get started * Overview +* Detection & Response * Alerts * Rules * Exception lists @@ -40,7 +41,9 @@ The {security-app} contains the following pages that enable analysts to view, an * Host isolation exceptions * Blocklist -Pages are grouped into four main sections within the navigation pane: +Pages are grouped into these main sections within the navigation pane: + +* *Dashboards*: Visualize detections, investigations, and event trends across your environment. * *Detect*: View, create, and manage alerts, rules, and rule exceptions. 
@@ -65,42 +68,20 @@ image::images/getting-started-pg.png[Shows the Get started page] [float] [[overview-ui]] -=== Overview page - -The Overview page provides a high-level snapshot view of detections, external alerts, and event trends. These trends are useful to assess overall system health and find anomalies that may require further investigation. - -image::images/overview-pg.png[Shows the Overview page] - -From the live feed on the *Overview* page, you can quickly access recently created cases, favorited timelines, and the latest {elastic-sec} news. - -TIP: The *Security news* section provides you with the latest {elastic-sec} news to stay informed on new developments, learn about {elastic-sec} features, and more. - -image::images/live-feed-ov-page.png[Shows the Overview page] - -*Histograms* +=== Overview dashboard -Time-based histograms show you the number of detections, alerts, and events that have occurred within the selected time range. To focus on areas of interest in time-based histograms, select a region to reflect a date range, or select a preset value in the timepicker. In the **Stack by** dropdown, you can select specific parameters to visualize individual counts. For example, in the Detection alert trend histogram, stack by `kibana.alert.rule.name` to display the total counts by alert name within the specified time frame. +The Overview dashboard provides a high-level snapshot of detections, external alerts, and event trends. It can help you assess overall system health and find anomalies that may require further investigation. Refer to <<overview-dashboard, Overview dashboard>> for more information. -TIP: All Elastic Security histograms, graphs, and tables contain an **Inspect** button so you can examine the {es} queries used to retrieve data throughout -the app. 
+image::images/overview-pg.png[Overview dashboard] -*Host and network events* - -View event and host counts specific to Elastic data shippers and apps, such as **Auditbeats** or **Elastic {endpoint-cloud-sec}**. Expand each category to view specific counts of hosts or network events related to the selected category. - -[role="screenshot"] -image::images/events-count.png[Shows host and network events on the Overview page] - -*Threat Intelligence* - -The Threat Intelligence view on the Overview page provides a streamlined way to collect threat intelligence data for threat detection and matching. - -The view shows the total number of ingested threat indicators, enabled threat intelligence sources, and ingested threat indicators per source. To visualize the ingested threat indicator data, click the *Source* link for a threat intelligence source. +[float] +[[detection-response-dashboard-ui]] +=== Detection & Response dashboard -NOTE: For more information about connecting to threat intelligence sources, visit <<es-threat-intel-integrations, Enable threat intelligence integrations>>. +The Detection & Response dashboard provides focused visibility into the day-to-day operations of your security environment. It helps security operations managers and analysts quickly monitor recent and high priority detection alerts and cases, and identify the hosts and users associated with alerts. Refer to <<detection-response-dashboard, Detection & Response dashboard>> for more information. [role="screenshot"] -image::images/threat-intelligence-view.png[width=65%][height=65%][Shows the Threat Intelligence view on the Overview page] +image::detections/images/detection-response-dashboard.png[Overview of Detection & Response dashboard] [float] [[detection-engine-ui]] diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 31e78924fc..e83b55b877 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc 
@@ -27,6 +27,8 @@ include::getting-started/index.asciidoc[] include::getting-started/security-ui.asciidoc[] +include::dashboards/dashboards-overview.asciidoc[] + include::getting-started/explore-intro.asciidoc[] include::detections/detections-index.asciidoc[]
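Review bot: In the new `docs/dashboards/overview-dashboard.asciidoc`, the last image macro `image::images/threat-intelligence-view.png[width=65%][height=65%][Threat Intelligence view on the Overview dashboard]` stacks three bracket groups, but an AsciiDoc image macro takes a single attribute list, so the width, height and alt text are unlikely to be parsed as intended. Suggest `image::images/threat-intelligence-view.png[Threat Intelligence view on the Overview dashboard, width=65%, height=65%]`. In the same file, the `overview-pg.png` and `live-feed-ov-page.png` images lack the `[role="screenshot"]` attribute that the `events-count.png` and `threat-intelligence-view.png` images in the file carry; apply it consistently.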
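Review bot: The new `docs/dashboards/detection-response-dashboard.asciidoc` references its screenshot as `image::detections/images/detection-response-dashboard.png[...]`, and the binary is added under `docs/detections/images/`, whereas the sibling `overview-dashboard.asciidoc` uses `image::images/overview-pg.png[...]`. Please confirm the `detections/images/` path resolves from the `docs/dashboards/` directory in the docs build, or move the PNG next to the other dashboard images and reference it as `images/detection-response-dashboard.png`. Minor wording nit in the same hunk: "recent and high priority detection alerts" reads better as "recent and high-priority detection alerts".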
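Review bot: In the `docs/getting-started/security-ui.asciidoc` hunk that replaces the "Overview page" section, the two new summary paragraphs repeat the opening paragraphs of `overview-dashboard.asciidoc` and `detection-response-dashboard.asciidoc` word for word, which will drift as either page is edited; consider keeping a one-sentence summary plus the `<<overview-dashboard, Overview dashboard>>` and `<<detection-response-dashboard, Detection & Response dashboard>>` xrefs. The `[[overview-ui]]` anchor survives but its section now carries far less content, so any other page that links to `<<overview-ui>>` for the histogram, host and network events, or threat intelligence details should be retargeted to the new dashboard pages. The same `detections/images/detection-response-dashboard.png` path question applies here, since every other image in this file uses `images/...`.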