Interactive investigation guides #2821

joepeeples · 2023-01-06T23:06:20Z

Resolves #2696.

Preview: Interactive investigation guides

github-actions · 2023-01-06T23:06:32Z

Documentation previews:

✨ HTML diff
📙 Elastic Security Guide

jmikell821

Looks great! Just a couple of small suggestions, thanks for pulling this together. 🌟

docs/experimental-features/investigation-guide-actions.asciidoc

Co-authored-by: Janeen Mikell Roberts <[email protected]>

kqualters-elastic · 2023-01-12T16:30:10Z

docs/experimental-features/investigation-guide-actions.asciidoc

+Each item in `providers` is defined by these attributes:
+
+* `field`: The name of a field to query.
+* `value`: The value to search for. Either a hard-coded literal value, or the name of the field on the alert whose value you want to use as a query parameter.


We should mention here that any value that contains a \ character need to be double escaped, i.e. a windows file path would be "C:\\Windows\\System32". This is a bit gross without the form builder doing this for them, but won't be an issue next release. The reason for this is that JSON.stringify/JSON.parse is ultimately used twice, once on the entire markdown snippet, and once on the provider part of the snippet.

ha the github markdown behaves similarly, that was supposed to be 4 slashes delineating each part of the path, so I think it ends up being 8. "C:\\\\Windows\\\\System32"

Thanks @kqualters-elastic! Are there any other special characters that need to be escaped, either double \\or single \?

Ya I believe all the other JSON special characters as well:
\b Backspace (ascii code 08)
\f Form feed (ascii code 0C)
\n New line
\r Carriage return
\t Tab
" Double quote
\ Backslash character

@kqualters-elastic I added a note to explain escape characters, based on our Slack discussion. It's intentionally a little more general, pointing to the error icon to help users troubleshoot syntax errors. Feel free to edit as needed, once you've confirmed how exactly the characters work.

kqualters-elastic

This is awesome, very clear and concise!

nastasha-solomon

Really helpful and thorough topic! Great idea to include example syntax as well. I left a handful of suggestions for your consideration and a couple of questions too. Good job!

docs/experimental-features/investigation-guide-actions.asciidoc

benironside

Looks good to me, just left one minor suggestion which you may choose to ignore!

docs/experimental-features/investigation-guide-actions.asciidoc

Co-authored-by: nastasha-solomon <[email protected]>

* Incomplete first draft * Expands first draft, still in progress * Complete first draft * Correct screenshot, some edits * Apply line edits Co-authored-by: Janeen Mikell Roberts <[email protected]> * Revision based on Janeen's comments * Apply suggestions from review Co-authored-by: nastasha-solomon <[email protected]> * Add draft statement about escape characters * Edits from Paul, et al Co-authored-by: Janeen Mikell Roberts <[email protected]> Co-authored-by: nastasha-solomon <[email protected]> (cherry picked from commit 48d59b7)

* Incomplete first draft * Expands first draft, still in progress * Complete first draft * Correct screenshot, some edits * Apply line edits Co-authored-by: Janeen Mikell Roberts <[email protected]> * Revision based on Janeen's comments * Apply suggestions from review Co-authored-by: nastasha-solomon <[email protected]> * Add draft statement about escape characters * Edits from Paul, et al Co-authored-by: Janeen Mikell Roberts <[email protected]> Co-authored-by: nastasha-solomon <[email protected]> (cherry picked from commit 48d59b7) Co-authored-by: Joe Peeples <[email protected]>

Incomplete first draft

25baee3

joepeeples added Team: Threat Hunting Formerly Data Visibility v8.6.0 labels Jan 6, 2023

joepeeples self-assigned this Jan 6, 2023

joepeeples added 5 commits January 9, 2023 19:49

Merge branch 'main' into 2696-investigation-guide-actions

5e18a8b

Expands first draft, still in progress

cafff58

Merge branch 'main' into 2696-investigation-guide-actions

947d6c7

Complete first draft

24d9dd7

Correct screenshot, some edits

2606f0f

joepeeples added Feature: Alerts Feature: Rules Feature: Timeline labels Jan 11, 2023

Merge branch 'main' into 2696-investigation-guide-actions

35917bf

joepeeples marked this pull request as ready for review January 11, 2023 19:01

joepeeples requested review from paulewing, kqualters-elastic, nastasha-solomon, jmikell821 and benironside January 11, 2023 19:01

joepeeples changed the title ~~Investigation guide query actions~~ Interactive investigation guides Jan 11, 2023

jmikell821 reviewed Jan 11, 2023

View reviewed changes

joepeeples and others added 3 commits January 12, 2023 09:48

Apply line edits

562a99f

Co-authored-by: Janeen Mikell Roberts <[email protected]>

Revision based on Janeen's comments

7b31b89

Merge branch 'main' into 2696-investigation-guide-actions

12e0f21

kqualters-elastic reviewed Jan 12, 2023

View reviewed changes

kqualters-elastic approved these changes Jan 12, 2023

View reviewed changes

nastasha-solomon reviewed Jan 12, 2023

View reviewed changes

benironside reviewed Jan 13, 2023

View reviewed changes

docs/experimental-features/investigation-guide-actions.asciidoc Outdated Show resolved Hide resolved

Merge branch 'main' into 2696-investigation-guide-actions

3587cc7

joepeeples commented Jan 13, 2023

View reviewed changes

docs/experimental-features/investigation-guide-actions.asciidoc Outdated Show resolved Hide resolved

joepeeples commented Jan 13, 2023

View reviewed changes

docs/experimental-features/investigation-guide-actions.asciidoc Outdated Show resolved Hide resolved

joepeeples and others added 2 commits January 13, 2023 11:04

Apply suggestions from review

34565cd

Co-authored-by: nastasha-solomon <[email protected]>

Add draft statement about escape characters

a95f1fd

joepeeples mentioned this pull request Jan 18, 2023

Investigation guide under rule creation timeline plugin doc is also not found #2859

Closed

joepeeples added 2 commits January 24, 2023 09:42

Merge branch 'main' into 2696-investigation-guide-actions

f7eda88

Edits from Paul, et al

d407cd6

joepeeples merged commit 48d59b7 into main Jan 24, 2023

mergify bot mentioned this pull request Jan 24, 2023

[8.6] Interactive investigation guides (backport #2821) #2914

Merged

joepeeples deleted the 2696-investigation-guide-actions branch January 24, 2023 15:20

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Interactive investigation guides #2821

Interactive investigation guides #2821

joepeeples commented Jan 6, 2023 •

edited

Loading

github-actions bot commented Jan 6, 2023

jmikell821 left a comment

kqualters-elastic Jan 12, 2023

kqualters-elastic Jan 12, 2023

joepeeples Jan 12, 2023

kqualters-elastic Jan 12, 2023

joepeeples Jan 13, 2023

kqualters-elastic left a comment

nastasha-solomon left a comment

benironside left a comment •

edited

Loading

Interactive investigation guides #2821

Interactive investigation guides #2821

Conversation

joepeeples commented Jan 6, 2023 • edited Loading

github-actions bot commented Jan 6, 2023

jmikell821 left a comment

Choose a reason for hiding this comment

kqualters-elastic Jan 12, 2023

Choose a reason for hiding this comment

kqualters-elastic Jan 12, 2023

Choose a reason for hiding this comment

joepeeples Jan 12, 2023

Choose a reason for hiding this comment

kqualters-elastic Jan 12, 2023

Choose a reason for hiding this comment

joepeeples Jan 13, 2023

Choose a reason for hiding this comment

kqualters-elastic left a comment

Choose a reason for hiding this comment

nastasha-solomon left a comment

Choose a reason for hiding this comment

benironside left a comment • edited Loading

Choose a reason for hiding this comment

joepeeples commented Jan 6, 2023 •

edited

Loading

benironside left a comment •

edited

Loading