Alerts section - 2nd round cleanup (#57)

* Update visualize-alerts.mdx * Update visualize-alerts.mdx Add description frontmatter * Update view-alert-details.mdx * Update signals-to-cases.mdx * Update alert-suppression.mdx * Update alert-suppression.mdx Add description frontmatter * Update reduce-notifications-alerts.mdx * Revise section title * Rename id: serverlessSecurityAlertsOverview * Rename file: alerts-overview.mdx * Update visual-event-analyzer.mdx * Update query-alert-indices.mdx * Update alert-schema.mdx Remove previous version column * Add missing descriptions
elastic · Aug 30, 2023 · 1939ab6 · 1939ab6
1 parent 3f72f7a
commit 1939ab6
Show file tree

Hide file tree

Showing 9 changed files with 52 additions and 190 deletions.
diff --git a/alerts/alert-schema.mdx b/alerts/alert-schema.mdx
diff --git a/alerts/alert-suppression.mdx b/alerts/alert-suppression.mdx
@@ -2,7 +2,7 @@
 id: serverlessSecurityAlertSuppression
 slug: /serverless/security/alert-suppression
 title: Suppress detection alerts
-# description: Description to be written
+description: Reduce noise from rules that create repeated or duplicate alerts.
 tags: [ 'serverless', 'security', 'how-to' ]
 status: rough content
 ---
@@ -14,11 +14,10 @@ import RoughContent from '../partials/rough-content-notice.mdx'
 <div id="alert-suppression"></div>
 
 <DocCallOut title="Requirements and notices">
-
 Alert suppression requires a [Platinum or higher subscription](https://www.elastic.co/pricing).
+</DocCallOut>
 
 <DocCallOut template="technical_preview" />
-</DocCallOut>
 
 Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by a <DocLink id="serverlessSecurityRulesUiCreate" section="create-a-custom-query-rule">custom query</DocLink> detection rule. 
 
@@ -45,8 +44,8 @@ You can configure alert suppression when you create or edit a custom query rule.
     <DocImage size="l" url="../images/alert-suppression/-detections-alert-suppression-options.png" alt="Alert suppression options" />
 
 1. Under **If a suppression field is missing**, choose how to handle events with missing suppression fields (events in which one or more of the **Suppress alerts by** fields don't exist):
-* **Suppress and group alerts for events with missing fields**: Create one alert for each group of events with missing fields. Missing fields get a `null` value, which is used to group and suppress alerts. 
-* **Do not suppress alerts for events with missing fields**: Create a separate alert for each matching event. This basically falls back to normal alert creation for events with missing suppression fields.
+    * **Suppress and group alerts for events with missing fields**: Create one alert for each group of events with missing fields. Missing fields get a `null` value, which is used to group and suppress alerts. 
+    * **Do not suppress alerts for events with missing fields**: Create a separate alert for each matching event. This basically falls back to normal alert creation for events with missing suppression fields.
 
 1. Configure other rule settings, then save and enable the rule.
 
@@ -76,7 +75,6 @@ With alert suppression, detection alerts aren't created for the grouped source e
 
 * **Alerts** table — Select **Investigate in timeline** in the **Actions** column.
 
-    <DocIcon type="timeline" title="Timeline" />
+    <DocImage size="m" url="../images/alert-suppression/-detections-timeline-button.png" alt="Investigate in timeline button"/>
 
 * Alert details flyout — Select **Take action** -> **Investigate in timeline**.
-
diff --git a/alerts/triage-and-respond-to-alerts.mdx → alerts/alerts-overview.mdx b/alerts/triage-and-respond-to-alerts.mdx → alerts/alerts-overview.mdx
@@ -1,7 +1,7 @@
 ---
-id: serverlessSecurityTriageAndRespondToAlerts
-slug: /serverless/security/triage-and-respond-to-alerts
-title: Triage and respond to alerts
+id: serverlessSecurityAlertsOverview
+slug: /serverless/security/alerts-overview
+title: "Alerts: triage and respond"
 # description: Description to be written
 tags: [ 'serverless', 'security', 'overview' ]
 status: rough content

diff --git a/alerts/query-alert-indices.mdx b/alerts/query-alert-indices.mdx
@@ -2,12 +2,12 @@
 id: serverlessSecurityQueryAlertIndices
 slug: /serverless/security/query-alert-indices
 title: Query alert indices
-# description: Description to be written
+description: Index patterns for querying alert data.
 tags: [ 'serverless', 'security', 'how-to' ]
-status: rough content
+status: in review
 ---
 
-import RoughContent from '../partials/rough-content-notice.mdx'
+import RoughContent from '../partials/in-review-notice.mdx'
 
 <RoughContent />
 
@@ -16,20 +16,8 @@ import RoughContent from '../partials/rough-content-notice.mdx'
 This page explains how you should query alert indices, for example, when building rule queries, custom dashboards, or visualizations. For more information about alert event field definitions, review the <DocLink id="serverlessSecurityAlertSchema">Alert schema</DocLink>.
 
 ## Alert index aliases
-We recommend querying the following index aliases:
-
-* If you're using version 8.0.0 or later: `.alerts-security.alerts-<space-id>`
-    This alias includes the legacy (before 8.0.0) and the new alert indices.
-
-* If you're using a version before 8.0.0: `.siem-signals-<space-id>`
-    Queries on this alias will function regardless of your ((stack)) version but will not follow the newer `.alerts` naming convention and may be deprecated in future releases.
-
-Regardless of which alias you query, you should not include a dash or wildcard after the space ID. To query all spaces, use the following syntax: `.alerts-security.alerts-*` or `.siem-signals-*`.
+We recommend querying the `.alerts-security.alerts-<space-id>` index alias. You should not include a dash or wildcard after the space ID. To query all spaces, use the following syntax: `.alerts-security.alerts-*`.
 
 ## Alert indices
-For additional context, alert events are stored in hidden ((es)) indices. We do not recommend querying them directly. The naming conventions for these indices and their aliases differ depending on which version of ((stack)) you're running:
-
-* **8.0.0 or later:** `.internal.alerts-security.alerts-<space-id>-NNNNNN`, where `NNNNNN` is a number that increases over time, starting from 000001.
-
-* **Before 8.0.0:** `.siem-signals-<space-id>-NNNNNN`, where `NNNNNN` is a number that increases over time, starting from 000001.
+For additional context, alert events are stored in hidden ((es)) indices. We do not recommend querying them directly. The naming convention for these indices and their aliases is `.internal.alerts-security.alerts-<space-id>-NNNNNN`, where `NNNNNN` is a number that increases over time, starting from 000001.
 
diff --git a/alerts/reduce-notifications-alerts.mdx b/alerts/reduce-notifications-alerts.mdx
@@ -2,14 +2,14 @@
 id: serverlessSecurityReduceNotificationsAlerts
 slug: /serverless/security/reduce-notifications-alerts
 title: Reduce notifications and alerts
-# description: Description to be written
+description: A comparison of alert-reduction features.
 tags: [ 'serverless', 'security', 'how-to' ]
-status: rough content
+status: in review
 ---
 
-import RoughContent from '../partials/rough-content-notice.mdx'
+import InReview from '../partials/in-review-notice.mdx'
 
-<RoughContent />
+<InReview />
 
 <div id="reduce-notifications-alerts"></div>
 
@@ -18,11 +18,11 @@ import RoughContent from '../partials/rough-content-notice.mdx'
 <DocTable columns={[
   {
     "title": "",
-    "width": "50%"
+    "width": "30%"
   },
   {
     "title": "",
-    "width": "50%"
+    "width": "70%"
   }
 ]}>
   <DocRow>
@@ -47,13 +47,6 @@ import RoughContent from '../partials/rough-content-notice.mdx'
       **_Prevents all rules' notification actions from running_**. 
 
       Use to avoid false alarms and unnecessary notifications during planned outages. All rules continue to run and generate alerts during the maintenance window, but their <DocLink id="serverlessSecurityRulesUiCreate" section="set-up-alert-notifications-optional">notification actions</DocLink> don't run.
-
-      <DocCallOut title="Note">
-      Maintenance windows are a ((kib)) feature, configured outside of the ((security-app)) in **Stack Management**.
-      </DocCallOut>
-
-
-
     </DocCell>
   </DocRow>
   <DocRow>

diff --git a/alerts/signals-to-cases.mdx b/alerts/signals-to-cases.mdx
@@ -43,7 +43,7 @@ To add alerts to a new case:
 1. Select a connector. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
 1. Click **Create case** after you've completed all of the required fields. A confirmation message is displayed with an option to view the new case. Click the link in the notification or go to the Cases page to view the case.
 
-<DocImage size="l" url="../images/signals-to-cases/-detections-add-alert-to-new-case.png" alt="Create case flyout with sample data filled in" />
+    <DocImage size="l" url="../images/signals-to-cases/-detections-add-alert-to-new-case.png" alt="Create case flyout with sample data filled in" />
 
 <div id="signals-to-existing-cases"></div>
 
@@ -59,4 +59,4 @@ To add alerts to an existing case:
     If you attach the alert to a case that has been configured to sync its status with associated alerts, the alert's status updates any time the case's status is modified.
     </DocCallOut>
 
-![Select case dialog listing existing cases](../images/signals-to-cases/-detections-add-alert-to-existing-case.png)
+    ![Select case dialog listing existing cases](../images/signals-to-cases/-detections-add-alert-to-existing-case.png)
diff --git a/alerts/view-alert-details.mdx b/alerts/view-alert-details.mdx
@@ -2,7 +2,7 @@
 id: serverlessSecurityViewAlertDetails
 slug: /serverless/security/view-alert-details
 title: View detection alert details
-description: Create detection rules to monitor your environment for suspicious and malicious behavior.
+description: Expand an alert to view detailed alert data.
 tags: ["serverless","security","defend","reference","manage"]
 status: rough content
 ---
@@ -15,7 +15,7 @@ import RoughContent from '../partials/rough-content-notice.mdx'
 
 To inspect a detection alert, click the **View details** button from the Alerts table. The alert details flyout appears with several options to view alert data.
 
-<DocImage flatImage alt="View details button, 200" url="../images/view-alert-details/-detections-view-alert-details.png" /> 
+<DocImage size="m" alt="View details button" url="../images/view-alert-details/-detections-view-alert-details.png" /> 
 
 The alert details flyout contains these informational tabs:
 
@@ -35,11 +35,11 @@ If you've enabled grouping on the Alerts page, the alert details flyout won't op
 If you've configured the [`server.publicBaseUrl`](((kibana-ref))/settings.html#server-publicBaseUrl) setting in the `kibana.yml` file, the shareable URL is also in the `kibana.alert.url` field. You can find the field by searching for `kibana.alert.url` on the **Table** tab.
 </DocCallOut>
 
-![Alert details flyout, 90%](../images/view-alert-details/-detections-alert-details-flyout.png)
+![Alert details flyout](../images/view-alert-details/-detections-alert-details-flyout.png)
 
 Hover over fields on the **Overview** and **Table** tabs to display available <DocLink id="serverlessSecurityEsUiOverview" section="inline-actions-for-fields-and-values">inline actions</DocLink>. 
 
-![Alert details flyout, 75%](../images/view-alert-details/-detections-alert-details-flyout-inline-actions.png)
+![Alert details flyout](../images/view-alert-details/-detections-alert-details-flyout-inline-actions.png)
 
 <div id="alert-details-overview"></div>
 
@@ -161,7 +161,6 @@ Matched threats are organized into several sections, described below. Within eac
 * **Threat Matched Detected**: This section is solely reserved for threat indicator matches identified by an indicator match rule. Threat indicator matches are produced whenever event data matches a threat indicator field value in your indicator index. If indicator threat matches are not discovered, the section displays a message that none are available.
 * **Enriched with Threat Intelligence**: This section shows indicator matches that ((elastic-sec)) found when querying the alert for fields with threat intelligence. You can use the date time picker to modify the query time frame, which looks at the past 30 days by default. Click the **Inspect** button, located on the far right of the threat label, to view more information on the query. If threat matches are not discovered within the selected time frame, the section displays a message that none are available.
 
-<DocCallOut title="Note">
-The event enrichment query uses the indices specified in the `securitySolution:defaultThreatIndex` advanced setting. For more information, refer to <DocLink id="serverlessSecurityAdvancedSettings" section="update-default-elastic-security-threat-intelligence-indices">Update default Elastic Security threat intelligence indices</DocLink>.
-</DocCallOut>
-
+    <DocCallOut title="Note">
+    The event enrichment query uses the indices specified in the `securitySolution:defaultThreatIndex` advanced setting. For more information, refer to <DocLink id="serverlessSecurityAdvancedSettings" section="update-default-elastic-security-threat-intelligence-indices">Update default Elastic Security threat intelligence indices</DocLink>.
+    </DocCallOut>
diff --git a/alerts/visual-event-analyzer.mdx b/alerts/visual-event-analyzer.mdx
@@ -2,7 +2,7 @@
 id: serverlessSecurityVisualEventAnalyzer
 slug: /serverless/security/visual-event-analyzer
 title: Visual event analyzer
-# description: Description to be written
+description: Examine events and processes in a graphical timeline.
 tags: [ 'serverless', 'security', 'how-to' ]
 status: rough content
 ---
@@ -29,28 +29,29 @@ In KQL, this translates to any event with the `agent.type` set to either:
 To find events that can be visually analyzed:
 
 1. First, display a list of events by doing one of the following:
-* Go to **Explore** -> **Hosts**, then select the **Events** tab. A list of all your hosts' events appears at the bottom of the page.
-* Go to **Alerts**, then scroll down to the Alerts table.
+    * Go to **Explore** -> **Hosts**, then select the **Events** tab. A list of all your hosts' events appears at the bottom of the page.
+    * Go to **Alerts**, then scroll down to the Alerts table.
+
 1. Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting **Enter**:
     * `agent.type:"endpoint" and process.entity_id :*`
 
         Or
 
-            * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *`
+    * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *`
 
 1. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer.
 
     <DocImage size="xl" url="../images/visual-event-analyzer/-detections-analyze-event-button.png" alt="Shows analyze event option" />
 
-<DocCallOut title="Note">
-Events that cannot be analyzed will not have the **Analyze event** option available. This might occur if the event has incompatible field mappings.
-</DocCallOut>
+    <DocCallOut title="Note">
+    Events that cannot be analyzed will not have the **Analyze event** option available. This might occur if the event has incompatible field mappings.
+    </DocCallOut>
 
-![](../images/visual-event-analyzer/-detections-analyze-event-timeline.png)
+    ![](../images/visual-event-analyzer/-detections-analyze-event-timeline.png)
 
-<DocCallOut title="Tip">
-You can also analyze events from <DocLink id="serverlessSecurityTimelinesUi">Timelines</DocLink>.
-</DocCallOut>
+    <DocCallOut title="Tip">
+    You can also analyze events from <DocLink id="serverlessSecurityTimelinesUi">Timelines</DocLink>.
+    </DocCallOut>
 
 <div id="visual-analyzer-ui"></div>
 
@@ -74,7 +75,7 @@ To expand the analyzer to a full screen, select the **Full Screen** icon above t
 
 ![](../images/visual-event-analyzer/-detections-full-screen-analyzer.png)
 
-The left panel contains a list of all processes related to the event, starting with the event chain's first process. **Analyzed Events** -- the event you selected to analyze from the events list or Timeline -- are highlighted with a light blue outline around the cube.
+The left panel contains a list of all processes related to the event, starting with the event chain's first process. **Analyzed Events** — the event you selected to analyze from the events list or Timeline — are highlighted with a light blue outline around the cube.
 
 ![](../images/visual-event-analyzer/-detections-process-list.png)
 
@@ -117,12 +118,12 @@ When you select an `event.category` pill, all the events within that category ar
 ![](../images/visual-event-analyzer/-detections-event-details.png)
 
 <DocCallOut title="Note">
-In ((stack)) versions 7.10.0 and newer, there is no limit to the number of events that can be associated with a process. However, in ((stack)) versions 7.9.0 and earlier, each process is limited to only 100 events.
+There is no limit to the number of events that can be associated with a process.
 </DocCallOut>
 
 If you have a [Platinum or Enterprise subscription](https://www.elastic.co/pricing), you can also examine alerts associated with events.
 
-To examine alerts associated with the event, select the alert pill (*_x_ alert*). The left pane lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert's details.
+To examine alerts associated with the event, select the alert pill (**_x_ alert**). The left pane lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert's details.
 
 In the example screenshot below, five alerts were generated by the analyzed event (`lsass.exe`). The left pane displays the associated alerts and basic information about each one.
 

diff --git a/alerts/visualize-alerts.mdx b/alerts/visualize-alerts.mdx
@@ -2,7 +2,7 @@
 id: serverlessSecurityVisualizeAlerts
 slug: /serverless/security/visualize-alerts
 title: Visualize detection alerts
-# description: Description to be written
+description: Display alert trends and distributions on the Alerts page.
 tags: [ 'serverless', 'security', 'how-to' ]
 status: rough content
 ---
@@ -17,7 +17,7 @@ Visualize and group detection alerts by specific parameters in the visualization
 
 ![Alerts page with visualizations section highlighted](../images/visualize-alerts/-detections-alert-page-visualizations.png)
 
-Use the left buttons to select a view type (*Summary*, **Trend**, **Counts**, or **Treemap**), and use the right menus to select the ECS fields to use for grouping: 
+Use the left buttons to select a view type (**Summary**, **Trend**, **Counts**, or **Treemap**), and use the right menus to select the ECS fields to use for grouping: 
 
 * **Top alerts by** or **Group by**: Primary field for grouping alerts.
 * **Group by top** (if available): Secondary field for further subdividing grouped alerts.