Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Interactive investigation guides #2821

Merged
merged 15 commits into from
Jan 24, 2023
Merged

Interactive investigation guides #2821

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
25baee3
Incomplete first draft
joepeeples Jan 6, 2023
5e18a8b
Merge branch 'main' into 2696-investigation-guide-actions
joepeeples Jan 10, 2023
cafff58
Expands first draft, still in progress
joepeeples Jan 11, 2023
947d6c7
Merge branch 'main' into 2696-investigation-guide-actions
joepeeples Jan 11, 2023
24d9dd7
Complete first draft
joepeeples Jan 11, 2023
2606f0f
Correct screenshot, some edits
joepeeples Jan 11, 2023
35917bf
Merge branch 'main' into 2696-investigation-guide-actions
joepeeples Jan 11, 2023
562a99f
Apply line edits
joepeeples Jan 12, 2023
7b31b89
Revision based on Janeen's comments
joepeeples Jan 12, 2023
12e0f21
Merge branch 'main' into 2696-investigation-guide-actions
joepeeples Jan 12, 2023
3587cc7
Merge branch 'main' into 2696-investigation-guide-actions
joepeeples Jan 13, 2023
34565cd
Apply suggestions from review
joepeeples Jan 13, 2023
a95f1fd
Add draft statement about escape characters
joepeeples Jan 13, 2023
f7eda88
Merge branch 'main' into 2696-investigation-guide-actions
joepeeples Jan 24, 2023
d407cd6
Edits from Paul, et al
joepeeples Jan 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/experimental-features/experimental-features-intro.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,4 @@ The features in this section are experimental and may be changed or removed comp
include::host-risk-score.asciidoc[]
include::user-risk-score.asciidoc[]
include::beaconing-detection.asciidoc[]
include::investigation-guide-actions.asciidoc[]
Binary file added docs/experimental-features/images/ig-alert-flyout.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/experimental-features/images/ig-error-icon.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/experimental-features/images/ig-investigation-guide-editor.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/experimental-features/images/ig-timeline-query.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/experimental-features/images/ig-timeline-template-fields.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/experimental-features/images/ig-timeline.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
82 changes: 82 additions & 0 deletions docs/experimental-features/investigation-guide-actions.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
[[interactive-investigation-guides]]
== Interactive investigation guides

NOTE: This feature is available for {stack} versions 8.6.0 and newer.

Detection rule investigation guides suggest steps for triaging, analyzing, and responding to potential security issues. For custom rules, you can create an interactive investigation guide that includes buttons for launching runtime queries in <<timelines-ui,Timeline>>, using alert data and hard-coded literal values. This allows you to start detailed Timeline investigations directly from an alert using relevant data.

[role="screenshot"]
image::images/ig-alert-flyout.png[Alert details flyout with interactive investigation guide,550]

Each query button displays in parentheses the number of documents found. Click the button to automatically create the query in Timeline based on settings specified in the investigation guide.

[role="screenshot"]
image::images/ig-timeline.png[Timeline with query pre-loaded from investigation guide action]

[discrete]
[[add-ig-actions-rule]]
=== Add investigation guide actions to a rule

NOTE: You can only create interactive investigation guides with custom rules because Elastic prebuilt rules can't be edited. However, you can duplicate a prebuilt rule, then configure the investigation guide for the duplicated rule.

You can configure an interactive investigation guide when you <<rules-ui-create,create a new rule>> or <<edit-rules-settings,edit an existing rule>>. When configuring the rule's settings (the *About rule* step for a new rule, or the *About* tab for an existing rule), expand the *Advanced settings*, then scroll down to the *Investigation guide* field.

[role="screenshot"]
image::images/ig-investigation-guide-editor.png[Investigation guide editor field]

Add the following syntax to the *Investigation guide* Markdown editor to configure a query. The syntax will appear as a clickable button in the investigation guide.

[width="100%",options="header"]
|===
|Field |Description

|`!{insight{ }}` |The container object holding all the configuration attributes for the button and the query.
|`label` |Text to identify the button.
|`description` |Additional text to include on the button.
|`providers` a|A two-level nested array that defines the query you want to run in Timeline. Similar to the structure of queries in Timeline, items in the outer level are joined by an `OR` relationship, and items in the inner level are joined by an `AND` relationship.

Each item in `providers` is defined by these attributes:

* `field`: The name of a field to query.
* `value`: The value to search for. Either a hard-coded literal value, or the name of the field on the alert whose value you want to use as a query parameter.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should mention here that any value that contains a \ character need to be double escaped, i.e. a windows file path would be "C:\\Windows\\System32". This is a bit gross without the form builder doing this for them, but won't be an issue next release. The reason for this is that JSON.stringify/JSON.parse is ultimately used twice, once on the entire markdown snippet, and once on the provider part of the snippet.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ha the github markdown behaves similarly, that was supposed to be 4 slashes delineating each part of the path, so I think it ends up being 8. "C:\\\\Windows\\\\System32"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kqualters-elastic! Are there any other special characters that need to be escaped, either double \\or single \?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ya I believe all the other JSON special characters as well:
\b Backspace (ascii code 08)
\f Form feed (ascii code 0C)
\n New line
\r Carriage return
\t Tab
" Double quote
\ Backslash character

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kqualters-elastic I added a note to explain escape characters, based on our Slack discussion. It's intentionally a little more general, pointing to the error icon to help users troubleshoot syntax errors. Feel free to edit as needed, once you've confirmed how exactly the characters work.

* `type`: Either `literal` or `parameter`.
|===

NOTE: Some characters must be escaped with a backslash, such as `\"` for a quotation mark and `\\` for a literal backslash. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider. A clickable error icon (image:images/ig-error-icon.png[Error icon,19,18]) displays below the Markdown editor if there are any syntax errors.

[discrete]
==== Example syntax

[source,json]
----
!{insight{
"label": "Test action",
"description": "Click to investigate",
"providers": [
[
{"field": "event.id", "value": "kibana.alert.original_event.id", "type": "parameter"}
],
[
{"field": "event.action", "value": "rename", "type": "literal"},
{"field": "process.pid", "value": "process.pid", "type": "parameter"}
]
]
}}
----

This example creates the following Timeline query, as illustrated below:

`(event.id : <alert value>)` +
`OR (event.action : "rename" AND process.pid : <alert value>)`

[role="screenshot"]
image::images/ig-timeline-query.png[Timeline query,500]

[discrete]
==== Timeline template fields

When viewing an interactive investigation guide in contexts unconnected to a specific alert (such a rule's details page), queries open as <<timeline-templates-ui,Timeline templates>>, and `parameter` fields are treated as Timeline template fields.

[role="screenshot"]
image::images/ig-timeline-template-fields.png[Timeline template,500]