
[DOCS] New page: Detection & Response dashboard #2085

Merged
merged 11 commits into from
Jun 26, 2022
9 changes: 9 additions & 0 deletions docs/dashboards/dashboards-overview.asciidoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
[[dashboards-overview]]

= Dashboards

The following sections describe the {security-app}'s prebuilt dashboards, which provide visualizations of your security environment.

include::overview-dashboard.asciidoc[leveloffset=+1]

include::detection-response-dashboard.asciidoc[leveloffset=+1]
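Review bot: the blank line between `[[dashboards-overview]]` and `= Dashboards` departs from the convention the other two new files follow, where the anchor sits directly above the title (`[[detection-response-dashboard]]` immediately followed by `= Detection & Response dashboard`); drop the blank line so the anchor unambiguously attaches to the section title and the three new files look alike.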
40 changes: 40 additions & 0 deletions docs/dashboards/detection-response-dashboard.asciidoc
@@ -0,0 +1,40 @@
[[detection-response-dashboard]]
= Detection & Response dashboard

The Detection & Response dashboard provides focused visibility into the day-to-day operations of your security environment. It helps security operations managers and analysts quickly monitor recent and high priority detection alerts and cases, and identify the hosts and users associated with alerts.

[role="screenshot"]
image::detections/images/detection-response-dashboard.png[Overview of Detection & Response dashboard]

Interact with various dashboard elements:

* Use the date and time picker in the upper-right to specify a time range for displaying information on the dashboard.

* In sections that list alert counts, click a number to investigate those alerts in Timeline.

* Click the name of a detection rule, case, host, or user to open its details page.

The following sections are included:

[width="100%",cols="s,"]
|==============================================

|Alerts
|The total number of detection alerts generated in the time range, organized by status and severity. Select *View alerts* to open the Alerts page.

|Cases
|The total number of cases created in the time range, organized by status. Select *View cases* to open the Cases page.

|Open alerts by rule
|The top four detection rules with open alerts, organized by the severity and number of alerts for each rule. Select *View all open alerts* to open the Alerts page.

|Recently created cases
|The four most recently created cases. Select *View recent cases* to open the Cases page.

|Hosts by alert severity
|The hosts generating detection alerts in the time range, organized by the severity and number of alerts. Shows up to 100 hosts.

|Users by alert severity
|The users generating detection alerts in the time range, organized by the severity and number of alerts. Shows up to 100 users.

|==============================================
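Review bot: the screenshot path `detections/images/detection-response-dashboard.png` uses a different base directory than the sibling file's `images/overview-pg.png`, even though both files live in docs/dashboards/ and are included from the same index; confirm both paths resolve under the document's imagesdir, or place the screenshot alongside the other dashboard images so the two files reference images the same way. Minor: the blank line directly after the opening `|====` of the table is harmless but unnecessary.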
42 changes: 42 additions & 0 deletions docs/dashboards/overview-dashboard.asciidoc
@@ -0,0 +1,42 @@
[[overview-dashboard]]
= Overview dashboard

The Overview dashboard provides a high-level snapshot of detections, external alerts, and event trends. It can help you assess overall system health and find anomalies that may require further investigation.

image::images/overview-pg.png[Overview dashboard]

[discrete]
== Live feed

The live feed on the Overview dashboard helps you quickly access recently created cases, favorited Timelines, and the latest {elastic-sec} news.

TIP: The *Security news* section provides the latest {elastic-sec} news to help you stay informed of new developments, learn about {elastic-sec} features, and more.

image::images/live-feed-ov-page.png[Overview dashboard with live feed section highlighted]

[discrete]
== Histograms

Time-based histograms show you the number of detections, alerts, and events that have occurred within the selected time range. To focus on a particular time, click and drag to select a time range, or choose a preset value. The *Stack by* dropdown lets you select which field is used to organize the data. For example, in the Detection alert trend histogram, stack by `kibana.alert.rule.name` to display alert counts by rule name within the specified time frame.

TIP: Many {elastic-sec} histograms, graphs, and tables contain an *Inspect* button so you can examine the {es} queries used to retrieve data throughout the app.

[discrete]
== Host and network events

View event and host counts grouped by data source, such as *Auditbeat* or *{endpoint-cloud-sec}*. Expand a category to view specific counts of host or network events from the selected source.

[role="screenshot"]
image::images/events-count.png[Host and network events on the Overview dashboard]

[discrete]
== Threat Intelligence

The Threat Intelligence view on the Overview dashboard provides streamlined threat intelligence data for threat detection and matching.

The view shows the total number of ingested threat indicators, enabled threat intelligence sources, and ingested threat indicators per source. To visualize the ingested threat indicator data, click the *Source* link for a threat intelligence source.

NOTE: For more information about connecting to threat intelligence sources, visit <<es-threat-intel-integrations, Enable threat intelligence integrations>>.

[role="screenshot"]
image::images/threat-intelligence-view.png[width=65%][height=65%][Threat Intelligence view on the Overview dashboard]
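Review bot: the image macro on the last line, `image::images/threat-intelligence-view.png[width=65%][height=65%][Threat Intelligence view on the Overview dashboard]`, is not valid AsciiDoc: a block image macro takes a single bracketed attribute list, so the extra bracket groups are swallowed into the parsed attribute text instead of setting the size and alt text. Use `image::images/threat-intelligence-view.png[Threat Intelligence view on the Overview dashboard,width=65%,height=65%]`. Also, the `overview-pg.png` and `live-feed-ov-page.png` macros lack the `[role="screenshot"]` attribute that the other two images in this file carry; add it for consistent rendering.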
Binary file modified docs/getting-started/images/collapse-side-nav-button.gif
43 changes: 12 additions & 31 deletions docs/getting-started/security-ui.asciidoc
Expand Up @@ -25,6 +25,7 @@ The {security-app} contains the following pages that enable analysts to view, an

* Get started
* Overview
* Detection & Response
* Alerts
* Rules
* Exception lists
Expand All @@ -40,7 +41,9 @@ The {security-app} contains the following pages that enable analysts to view, an
* Host isolation exceptions
* Blocklist

Pages are grouped into four main sections within the navigation pane:
Pages are grouped into these main sections within the navigation pane:

* *Dashboards*: Visualize detections, investigations, and event trends across your environment.

* *Detect*: View, create, and manage alerts, rules, and rule exceptions.

Expand All @@ -65,42 +68,20 @@ image::images/getting-started-pg.png[Shows the Get started page]

[float]
[[overview-ui]]
=== Overview page

The Overview page provides a high-level snapshot view of detections, external alerts, and event trends. These trends are useful to assess overall system health and find anomalies that may require further investigation.

image::images/overview-pg.png[Shows the Overview page]

From the live feed on the *Overview* page, you can quickly access recently created cases, favorited timelines, and the latest {elastic-sec} news.

TIP: The *Security news* section provides you with the latest {elastic-sec} news to stay informed on new developments, learn about {elastic-sec} features, and more.

image::images/live-feed-ov-page.png[Shows the Overview page]

*Histograms*
=== Overview dashboard

Time-based histograms show you the number of detections, alerts, and events that have occurred within the selected time range. To focus on areas of interest in time-based histograms, select a region to reflect a date range, or select a preset value in the timepicker. In the **Stack by** dropdown, you can select specific parameters to visualize individual counts. For example, in the Detection alert trend histogram, stack by `kibana.alert.rule.name` to display the total counts by alert name within the specified time frame.
The Overview dashboard provides a high-level snapshot of detections, external alerts, and event trends. It can help you assess overall system health and find anomalies that may require further investigation. Refer to <<overview-dashboard, Overview dashboard>> for more information.

TIP: All Elastic Security histograms, graphs, and tables contain an **Inspect** button so you can examine the {es} queries used to retrieve data throughout
the app.
image::images/overview-pg.png[Overview dashboard]

*Host and network events*

View event and host counts specific to Elastic data shippers and apps, such as **Auditbeats** or **Elastic Endpoint Security**. Expand each category to view specific counts of hosts or network events related to the selected category.

[role="screenshot"]
image::images/events-count.png[Shows host and network events on the Overview page]

*Threat Intelligence*

The Threat Intelligence view on the Overview page provides a streamlined way to collect threat intelligence data for threat detection and matching.

The view shows the total number of ingested threat indicators, enabled threat intelligence sources, and ingested threat indicators per source. To visualize the ingested threat indicator data, click the *Source* link for a threat intelligence source.
[float]
[[detection-response-dashboard-ui]]
=== Detection & Response dashboard

NOTE: For more information about connecting to threat intelligence sources, visit <<es-threat-intel-integrations, Enable threat intelligence integrations>>.
The Detection & Response dashboard provides focused visibility into the day-to-day operations of your security environment. It helps security operations managers and analysts quickly monitor recent and high priority detection alerts and cases, and identify the hosts and users associated with alerts. Refer to <<detection-response-dashboard, Detection & Response dashboard>> for more information.

[role="screenshot"]
image::images/threat-intelligence-view.png[width=65%][height=65%][Shows the Threat Intelligence view on the Overview page]
image::detections/images/detection-response-dashboard.png[Overview of Detection & Response dashboard]

[float]
[[detection-engine-ui]]
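Review bot: the two summary paragraphs and the `overview-pg.png` / `detection-response-dashboard.png` screenshots added here are verbatim copies of the opening paragraphs and screenshots of overview-dashboard.asciidoc and detection-response-dashboard.asciidoc, so the same text now has to be kept in sync in two places; consider trimming each UI-page entry to a one-sentence summary plus the `<<overview-dashboard>>` / `<<detection-response-dashboard>>` xref. Since the retained `[[overview-ui]]` anchor now heads a much shorter section (the histogram, Inspect-button and threat-intelligence details moved to the new file), check for existing `<<overview-ui>>` cross-references that pointed readers at those details and retarget them to `<<overview-dashboard>>`. Finally, the `overview-pg.png` macro here lacks the `[role="screenshot"]` attribute that the retained context line gives to the Detection & Response screenshot.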
2 changes: 2 additions & 0 deletions docs/index.asciidoc
Expand Up @@ -27,6 +27,8 @@ include::getting-started/index.asciidoc[]

include::getting-started/security-ui.asciidoc[]

include::dashboards/dashboards-overview.asciidoc[]

include::getting-started/explore-intro.asciidoc[]

include::detections/detections-index.asciidoc[]
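Review bot: this include carries no leveloffset, while dashboards-overview.asciidoc opens with a level-0 `= Dashboards` title and itself includes the two dashboard files with `leveloffset=+1`; confirm the sibling includes (security-ui, explore-intro) are titled the same way so the new Dashboards chapter lands at the same heading depth, and that the `<<overview-dashboard>>` and `<<detection-response-dashboard>>` xrefs added in security-ui.asciidoc resolve now that the file is part of the book.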