diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index 552b31109e..54612a3951 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc @@ -8,9 +8,6 @@ To learn more about an alert, click the *View details* button from the Alerts table. This opens the alert details flyout, which helps you understand and manage the alert. -[role="screenshot"] -image::images/open-alert-details-flyout.gif[Expandable flyout, 90%] - Use the alert details flyout to begin an investigation, open a case, or plan a response. Click **Take action** at the bottom of the flyout to find more options for interacting with the alert. [discrete] @@ -25,9 +22,6 @@ The alert details flyout has a right panel, a preview panel, and a left panel. E The right panel provides an overview of the alert. Expand any of the collapsed sections to learn more about the alert. You can also hover over fields on the *Overview* and *Table* tabs to display available <>. -[role="screenshot"] -image::images/alert-details-flyout-right-panel.png[Right panel of the alert details flyout, 65%] - From the right panel, you can also: * Click **Expand details** to open the <>, which shows more information about sections in the right panel. @@ -57,9 +51,6 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **Back** or **x**. -[role="screenshot"] -image::images/alert-details-flyout-preview-panel.gif[Preview panel of the alert details flyout, 65%] - [discrete] [[left-panel]] === Left panel 
@@ -67,16 +58,7 @@ image::images/alert-details-flyout-preview-panel.gif[Preview panel of the alert The left panel provides an expanded view of what's shown in the right panel. To open the left panel, do one of the following: * Click **Expand details** at the top of the right panel. -+ - -[role="screenshot"] -image::images/expand-details-button.png[Expand details button at the top of the alert details flyout, 65%] - * Click one of the section titles on the **Overview** tab within the right panel. -+ - -[role="screenshot"] -image::images/alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 65%] [discrete] [[about-section]] @@ -84,9 +66,6 @@ image::images/alert-details-flyout-left-panel.png[Left panel of the alert detail The About section is located on the **Overview** tab in the right panel. It provides a brief description of the rule that's related to the alert and an explanation of what generated the alert. -[role="screenshot"] -image::images/about-section-rp.png[About section of the Overview tab, 65%] - The About section has the following information: * **Rule description**: Describes the rule's purpose or detection goals. Click **Show rule summary** to display a preview of the rule's details. From the preview, click **Show rule details** to view the rule's details page. 
@@ -103,16 +82,13 @@ NOTE: The event renderer only displays if an event renderer exists for the alert The Investigation section is located on the **Overview** tab in the right panel. It offers a couple of ways to begin investigating the alert. -[role="screenshot"] -image::images/investigation-section-rp.png[Investigation section of the Overview tab, 65%] - The Investigation section provides the following information: * **Investigation guide**: The **Show investigation guide** button displays if the rule associated with the alert has an investigation guide. Click the button to open the expanded Investigation view in the left panel. + TIP: Add an <> to a rule when creating a new custom rule or modifying an existing custom rule's settings. -* **Highlighted fields**: Shows relevant fields for the alert and any <> you added to the rule. Custom highlighted fields with values are added to this section. Those without values aren't added. +* **Highlighted fields**: Shows relevant fields for the alert and any <> you added to the rule. Custom highlighted fields with values are added to this section. Those without values aren't added. To quickly add or remove custom highlighted fields from the rule, click the **Add field** in the Highlighted fields table. [discrete] [[visualizations-section]] @@ -120,9 +96,6 @@ TIP: Add an <> to a rule when creating The Visualizations section is located on the **Overview** tab in the right panel. It offers a glimpse of the processes that led up to the alert and occurred after it. -[role="screenshot"] -image::images/visualizations-section-rp.png[Visualizations section of the Overview tab, 65%] - Click **Visualizations** to display the following previews: * **Session viewer preview**: Shows a preview of <> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. 
@@ -135,50 +108,32 @@ Click **Visualizations** to display the following previews: The **Visualize** tab allows you to maintain the context of the Alerts table, while providing a more detailed view of alerts that you're investigating in the event analyzer or Session View. To open the tab, click **Session viewer preview** or **Analyzer preview** from the right panel. -[role="screenshot"] -image::images/visualize-tab-lp.png[Expanded view of visualization details, 80%] - As you examine the alert's related processes, you can also preview the alerts and events which are associated with those processes. Then, if you want to learn more about a particular alert or event, you can click **Show full alert details** to open the full details flyout. -[role="screenshot"] -image::images/visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer, 80%] - [discrete] [[insights-section]] == Insights The Insights section is located on the **Overview** tab in the right panel. It offers different perspectives from which you can assess the alert. Click **Insights** to display overviews for <>, <>, <>, and <>. -[role="screenshot"] -image::images/insights-section-rp.png[Insights section of the Overview tab, 65%] - [discrete] [[entities-overview]] === Entities The Entities overview provides high-level details about the user and host that are related to the alert. Host and user risk classifications are also available with a https://www.elastic.co/pricing[Platinum subscription] or higher. -[role="screenshot"] -image::images/entities-overview.png[Overview of the entity details section in the right panel, 60%] - [discrete] [[expanded-entities-view]] ==== Expanded entities view From the right panel, click **Entities** to open a detailed view of the host and user associated with the alert. The expanded view also includes risk scores and classifications (if you have a Platinum subscription or higher) and activity on related hosts and users. 
-[role="screenshot"] -image::images/expanded-entities-view.png[Expanded view of entity details, 70%] - [discrete] [[threat-intelligence-overview]] === Threat intelligence The Threat intelligence overview shows matched indicators, which provide threat intelligence relevant to the alert. -[role="screenshot"] -image::images/threat-intelligence-overview.png[Overview of threat intelligence on the alert, 70%] - The Threat intelligence overview provides the following information: * **Threat match detected**: Only available when examining an alert generated from an <> rule. Shows the number of matched indicators that are present in the alert document. Shows zero if there are no matched indicators or you're examining an alert generated by another type of rule. @@ -193,9 +148,6 @@ From the right panel, click **Threat intelligence** to open the expanded Threat NOTE: The expanded threat intelligence view queries indices specified in the `securitySolution:defaultThreatIndex` advanced setting. Refer to <> to learn more about threat intelligence indices. -[role="screenshot"] -image::images/expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 80%] - The expanded Threat intelligence view shows individual indicators within the alert document. You can expand and collapse indicator details by clicking the arrow button at the end of the indicator label. Each indicator is labeled with values from the `matched.field` and `matched.atomic` fields and displays the threat intelligence provider. Matched threats are organized into two sections, described below. Within each section, matched threats are shown in reverse chronological order, with the most recent at the top. All mapped fields are displayed for each matched threat. 
@@ -229,9 +181,6 @@ When searching for threat intelligence, {elastic-sec} queries the alert document The Correlations overview shows how an alert is related to other alerts and offers ways to investigate related alerts. Use this information to quickly find patterns between alerts and then take action. -[role="screenshot"] -image::images/correlations-overview.png[Overview of available correlation data, 60%] - The Correlations overview provides the following information: * **Suppressed alerts**: Indicates that the alert was created with alert suppression, and shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule. @@ -248,9 +197,6 @@ NOTE: To access data about alerts related by process ancestry, you must have a h From the right panel, click **Correlations** to open the expanded Correlations view within the left panel. -[role="screenshot"] -image::images/expanded-correlations-view.png[Expanded view of correlation data, 75%] - In the expanded view, corelation data is organized into several tables: * **Suppressed alerts**: Shows how many duplicate alerts were suppressed. This information only appears if alert suppression is enabled for the rule. @@ -276,9 +222,6 @@ From the right panel, click **Prevalence** to open the expanded Prevalence view TIP: Update the date time picker for the table to show data from a different time range. -[role="screenshot"] -image::images/expanded-prevalence-view.png[Expanded view of prevalence data] - The expanded Prevalence view provides the following details: * **Field**: Shows <> for the alert and any custom highlighted fields that were added to the alert's rule. 
@@ -301,10 +244,6 @@ The following features require a https://www.elastic.co/pricing[Platinum subscri The **Response** section is located on the **Overview** tab in the right panel. It shows <> that were added to the rule associated with the alert. Click **Response** to display the response action's results in the left panel. -[role="screenshot"] -image::images/response-action-rp.png[Response section of the Overview tab, 50%] - - [discrete] [[expanded-notes-view]] == Notes @@ -312,6 +251,3 @@ image::images/response-action-rp.png[Response section of the Overview tab, 50%] The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert. TIP: Go to the **Notes** <> to find notes that were added to other alerts. - -[role="screenshot"] -image::images/notes-tab-lp.png[Notes tab in the left panel, 70%] diff --git a/docs/detections/images/about-section-rp.png b/docs/detections/images/about-section-rp.png deleted file mode 100644 index 754cf1c0dd..0000000000 Binary files a/docs/detections/images/about-section-rp.png and /dev/null differ diff --git a/docs/detections/images/alert-details-flyout-left-panel.png b/docs/detections/images/alert-details-flyout-left-panel.png deleted file mode 100644 index 08e5dfe55e..0000000000 Binary files a/docs/detections/images/alert-details-flyout-left-panel.png and /dev/null differ diff --git a/docs/detections/images/alert-details-flyout-preview-panel.gif b/docs/detections/images/alert-details-flyout-preview-panel.gif deleted file mode 100644 index 0e27cbf7dc..0000000000 Binary files a/docs/detections/images/alert-details-flyout-preview-panel.gif and /dev/null differ 
diff --git a/docs/detections/images/alert-details-flyout-right-panel.png b/docs/detections/images/alert-details-flyout-right-panel.png deleted file mode 100644 index 13849218f3..0000000000 Binary files a/docs/detections/images/alert-details-flyout-right-panel.png and /dev/null differ diff --git a/docs/detections/images/correlations-overview.png b/docs/detections/images/correlations-overview.png deleted file mode 100644 index 6fec67ee03..0000000000 Binary files a/docs/detections/images/correlations-overview.png and /dev/null differ diff --git a/docs/detections/images/entities-overview.png b/docs/detections/images/entities-overview.png deleted file mode 100644 index e27d149368..0000000000 Binary files a/docs/detections/images/entities-overview.png and /dev/null differ diff --git a/docs/detections/images/expand-details-button.png b/docs/detections/images/expand-details-button.png deleted file mode 100644 index 3152e9cad2..0000000000 Binary files a/docs/detections/images/expand-details-button.png and /dev/null differ diff --git a/docs/detections/images/expanded-correlations-view.png b/docs/detections/images/expanded-correlations-view.png deleted file mode 100644 index 7679fa88c5..0000000000 Binary files a/docs/detections/images/expanded-correlations-view.png and /dev/null differ diff --git a/docs/detections/images/expanded-entities-view.png b/docs/detections/images/expanded-entities-view.png deleted file mode 100644 index 6a37b0cb0e..0000000000 Binary files a/docs/detections/images/expanded-entities-view.png and /dev/null differ diff --git a/docs/detections/images/expanded-prevalence-view.png b/docs/detections/images/expanded-prevalence-view.png deleted file mode 100644 index 2bfe84fa1a..0000000000 Binary files a/docs/detections/images/expanded-prevalence-view.png and /dev/null differ 
diff --git a/docs/detections/images/expanded-threat-intelligence-view.png b/docs/detections/images/expanded-threat-intelligence-view.png deleted file mode 100644 index 0fff543aa7..0000000000 Binary files a/docs/detections/images/expanded-threat-intelligence-view.png and /dev/null differ diff --git a/docs/detections/images/insights-section-rp.png b/docs/detections/images/insights-section-rp.png deleted file mode 100644 index f10cc70a72..0000000000 Binary files a/docs/detections/images/insights-section-rp.png and /dev/null differ diff --git a/docs/detections/images/investigation-section-rp.png b/docs/detections/images/investigation-section-rp.png deleted file mode 100644 index c496593144..0000000000 Binary files a/docs/detections/images/investigation-section-rp.png and /dev/null differ diff --git a/docs/detections/images/notes-tab-lp.png b/docs/detections/images/notes-tab-lp.png deleted file mode 100644 index e277a109f7..0000000000 Binary files a/docs/detections/images/notes-tab-lp.png and /dev/null differ diff --git a/docs/detections/images/open-alert-details-flyout.gif b/docs/detections/images/open-alert-details-flyout.gif deleted file mode 100644 index 29a156e35c..0000000000 Binary files a/docs/detections/images/open-alert-details-flyout.gif and /dev/null differ diff --git a/docs/detections/images/response-action-rp.png b/docs/detections/images/response-action-rp.png deleted file mode 100644 index 03bac21042..0000000000 Binary files a/docs/detections/images/response-action-rp.png and /dev/null differ diff --git a/docs/detections/images/threat-intelligence-overview.png b/docs/detections/images/threat-intelligence-overview.png deleted file mode 100644 index af44623035..0000000000 Binary files a/docs/detections/images/threat-intelligence-overview.png and /dev/null differ 
diff --git a/docs/detections/images/visualizations-section-rp.png b/docs/detections/images/visualizations-section-rp.png deleted file mode 100644 index 783bd302d0..0000000000 Binary files a/docs/detections/images/visualizations-section-rp.png and /dev/null differ diff --git a/docs/detections/images/visualize-tab-lp-alert-details.gif b/docs/detections/images/visualize-tab-lp-alert-details.gif deleted file mode 100644 index 487f87c74a..0000000000 Binary files a/docs/detections/images/visualize-tab-lp-alert-details.gif and /dev/null differ diff --git a/docs/detections/images/visualize-tab-lp.png b/docs/detections/images/visualize-tab-lp.png deleted file mode 100644 index a65151a658..0000000000 Binary files a/docs/detections/images/visualize-tab-lp.png and /dev/null differ
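Review bot: the sentence added to the Highlighted fields bullet in hunk @@ -103,16 +82,13 @@ is missing its noun: "click the **Add field** in the Highlighted fields table" should read "click **Add field** in the Highlighted fields table" or "click the **Add field** button". The same sentence promises readers can "add or remove" custom highlighted fields but names only an add control, so either describe how a field is removed or limit the claim to adding. Because this edits the rule rather than the alert, a short note on the privileges needed, and on whether it applies to prebuilt rules (the neighbouring TIP only mentions custom rules), would save readers a support question.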
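Review bot: the 20 deleted binaries under docs/detections/images/ (about-section-rp.png through visualize-tab-lp.png) match the 20 `image::` references removed from alerts-view-details.asciidoc one-for-one, but nothing in the diff shows that no other page includes them; before merging, grep docs/ for each filename, since a stale `image::` left in another file renders as a broken image rather than failing loudly. The reason for dropping every screenshot instead of refreshing them is not visible here and belongs in the PR description, as the remaining text now refers to buttons and panels by name only.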
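Review bot: the context line "In the expanded view, corelation data is organized into several tables" in hunk @@ -248,9 +197,6 @@ carries a typo ("corelation" should be "correlation"); since this hunk already edits the lines directly above it, fix it in the same change.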