diff --git a/docs/detections/machine-learning/machine-learning.asciidoc b/docs/detections/machine-learning/machine-learning.asciidoc index d595170d95..99f92b1d5a 100644 --- a/docs/detections/machine-learning/machine-learning.asciidoc +++ b/docs/detections/machine-learning/machine-learning.asciidoc @@ -24,8 +24,8 @@ interface on the *Alerts*, *Rules*, and *Exceptions* pages can be used for for v image::images/ml-ui.png[] TIP: To add a custom job to the `ML job settings` interface, add `Security` to -the job's `Groups` field ({kib} -> {ml-cap} -> Create/Edit job -> Job -details). +the job's `Groups` field (*{kib}* -> *{ml-cap}* -> *Create/Edit job* -> *Job +details*). [float] [[included-jobs]] @@ -35,17 +35,17 @@ details). host and network anomalies. The jobs are displayed in the `Anomaly Detection` interface. They are available when either: -* You ship data using https://www.elastic.co/products/beats[Beats] or the -<>, and {kib} is configured with the required index -patterns (such as `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*` -in {kib} -> {stack-manage-app} -> Index Patterns). +* You ship data using https://www.elastic.co/products/beats[Beats] or the +<>, and {kib} is configured with the required index +patterns (such as `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*` +in *{kib}* -> *{stack-manage-app}* -> *Data Views*). Or * Your shipped data is ECS-compliant, and {kib} is configured with the shipped -data's index patterns. +data's index patterns in *{kib}* -> *{stack-manage-app}* -> *Data Views*. -<> describes all available {ml} jobs and lists which ECS +<> describes all available {ml} jobs and lists which ECS fields are required on your hosts when you are not using {beats} or the {agent} to ship your data. For information on tuning anomaly results to reduce the number of false positives, see <>. 
@@ -63,7 +63,7 @@ the user must have the `machine_learning_admin` or `machine_learning_user` role. NOTE: To adjust the `score` threshold that determines which anomalies are shown, you can modify -{kib} -> {stack-manage-app} -> Advanced Settings -> `securitySolution:defaultAnomalyScore`. +*{kib}* -> *{stack-manage-app}* -> *Advanced Settings* -> *`securitySolution:defaultAnomalyScore`*. [[prebuilt-ml-jobs]] == Prebuilt job reference diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc index 9c9e5310de..98432f616b 100644 --- a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc @@ -1,8 +1,7 @@ [[tuning-detection-signals]] == Tune detection rules -In the {es-sec-app}, prebuilt detection rules can be tuned to produce the best -possible set of actionable alerts. To reduce the noise level, you can: +Using the {es-sec-app}, you can tune prebuilt detection rules to optimize alert generation. To reduce noise, you can: * Add <> to detection rules. + 
@@ -152,7 +151,7 @@ exception with the port number Take the following steps to tune indicator match rules: -* Specify a detailed query as part of the indicator index query. Every result returned from the indicator index query will be used by the detection engine to subsequently query the index patterns defined in your rule definition. Using no query or the wildcard `*.*` query will result in your rule executing potentially very large queries. +* Specify a detailed query as part of the indicator index query. Results of the indicator index query are used by the detection engine to query the indices specified in your rule definition's index pattern. Using no query or the wildcard `***` query may result in your rule executing very large queries. * Limit your rule's additional look-back time to as short a duration as possible, and no more than 24 hours. NOTE: {es-sec} provides limited support for indicator match rules. See <> for more information. diff --git a/docs/events/images/correlation-tab-eql-query.png b/docs/events/images/correlation-tab-eql-query.png index c8715c9b67..bf4d84c5e0 100644 Binary files a/docs/events/images/correlation-tab-eql-query.png and b/docs/events/images/correlation-tab-eql-query.png differ diff --git a/docs/events/images/timeline-ui-renderer.png b/docs/events/images/timeline-ui-renderer.png index 56bbad6f47..0fdd4da090 100644 Binary files a/docs/events/images/timeline-ui-renderer.png and b/docs/events/images/timeline-ui-renderer.png differ diff --git a/docs/events/images/timeline-ui-updated.png b/docs/events/images/timeline-ui-updated.png index 35be8a2a0d..889b5a8262 100644 Binary files a/docs/events/images/timeline-ui-updated.png and b/docs/events/images/timeline-ui-updated.png differ diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index ff72c89e26..31b2c5c599 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -179,4 +179,4 @@ From the *Correlation* tab, you can also do the following: * Specify the date and time range that you want to investigate. * Reorder the columns and choose which fields to display. -* Choose whether you want to see all data sources (the default selection), only events, only detection alerts, or a custom data source. Custom data sources might include Kibana index patterns. +* Choose a data view and whether to show detection alerts only. diff --git a/docs/getting-started/net-map-req.asciidoc b/docs/getting-started/net-map-req.asciidoc index 928b74ac0c..ed70c8aed4 100644 --- a/docs/getting-started/net-map-req.asciidoc +++ b/docs/getting-started/net-map-req.asciidoc @@ -13,19 +13,14 @@ configure `source.geo` and `destination.geo` ECS fields for your indices. [float] [[kibana-index-pattern]] -=== Create {kib} index patterns +=== Create {kib} data views -To display map data, you must define {kib} -{kibana-ref}/tutorial-define-index.html[index patterns] (*Stack Management* -> -*Index Patterns*) that match the names or glob patterns used to define -Elastic Security indices. - -NOTE: The Elastic Security indices are defined in the `securitysolution:defaultIndex` field +To display map data, you must define a {kib} +{kibana-ref}/data-views.html[data view] (*Stack Management* -> +*Data Views*) that includes one or more of the indices specified in the `securitysolution:defaultIndex` field (*{kib}* -> *Stack Management* -> *Advanced Settings* -> *`securitysolution:defaultIndex`*). -For example, if you define an Elastic Security `servers-europe-*` glob pattern, -to display map data for the matching indices you must also define a {kib} index -pattern that matches `servers-europe-*`, such as `servers-*`. +For example, to display data that is stored in indices matching the index pattern `servers-europe-*` on the map, you must use a {kib} data view whose index pattern matches `servers-europe-*`, such as `servers-*`. [float] [[geoip-data]] 
diff --git a/docs/getting-started/siem-ui.asciidoc b/docs/getting-started/siem-ui.asciidoc index f91e90075c..ca42d70440 100644 --- a/docs/getting-started/siem-ui.asciidoc +++ b/docs/getting-started/siem-ui.asciidoc @@ -344,19 +344,14 @@ configure `source.geo` and `destination.geo` ECS fields for your indices. [float] [[kibana-index-pattern]] -=== Create {kib} index patterns +=== Create {kib} data views -To display map data, you must define {kib} -{kibana-ref}/tutorial-define-index.html[index patterns] (*Management* -> -*Index Patterns*) that match the names or glob patterns used to define -{siem-soln} {es} indices. +To display map data, you must define a {kib} +{kibana-ref}/data-views.html[data view] (*Stack Management* -> +*Data Views*) that includes one or more of the indices specified in the `securitysolution:defaultIndex` field +(*{kib}* -> *Stack Management* -> *Advanced Settings* -> *`securitysolution:defaultIndex`*). -NOTE: The {siem-soln} {es} indices are defined in the `siem:defaultIndex` field -(*{kib}* -> *Management* -> *Advanced Settings* -> *`siem:defaultIndex`*). - -For example, if you define a {siem-soln} {es} `servers-europe-*` glob pattern, -to display map data for the matching indices you must also define a {kib} index -pattern that matches `servers-europe-*`, such as `servers-*`. +For example, to display data that is stored using the index pattern `servers-europe-*` on the map, you must use a {kib} data view whose index pattern matches `servers-europe-*`, such as `servers-*`. [float] [[geoip-data]]
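Review bot: In the machine-learning.asciidoc hunk at @@ -35,17, the first bullet still says {kib} must be "configured with the required index patterns (such as `auditbeat-*`, `filebeat-*`, ...)" while the navigation in the same sentence now points to *Data Views*; a reader following the path will look for an Index Patterns page that is no longer there. Suggest rewording to match the rename, e.g. "and {kib} has a data view whose index pattern covers `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*` (*{kib}* -> *{stack-manage-app}* -> *Data Views*)", and the same "data view" wording in the ECS-compliant bullet below it.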
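Review bot: In the tune-rule-signals.asciidoc hunk at @@ -1,8, "optimize alert generation" is vaguer than the sentence it replaces, which stated the goal as the best possible set of actionable alerts; suggest keeping the purpose explicit, e.g. "you can tune prebuilt detection rules so they produce actionable alerts with less noise."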
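Review bot: In the tune-rule-signals.asciidoc hunk at @@ -152,7, the replacement wildcard `***` looks like an AsciiDoc formatting accident rather than an intended query: the old text read `*.*`, and the two do not agree on what the match-all query is. Please confirm the intended literal and escape the asterisks (passthrough or `\*`) so it survives rendering. The same line also softens "will result in ... potentially very large queries" to "may result in ... very large queries"; since the point of the bullet is to warn against an unbounded indicator query, keeping the stronger wording would serve readers better.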
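Review bot: In the timeline-ui-overview.asciidoc hunk at @@ -179,4, the new bullet "Choose a data view and whether to show detection alerts only" drops the information the old bullet carried about what is selected by default; readers no longer learn which data view is active when they open the tab. Suggest stating the default in the bullet, for example "* Choose a data view (state which one is selected by default) and whether to show only detection alerts."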
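Review bot: In the net-map-req.asciidoc hunk at @@ -13,19, the navigation path is written as the literal *Stack Management* -> *Data Views* while the machine-learning.asciidoc hunks in this same patch use the *{stack-manage-app}* attribute; use the attribute here too so the menu name is maintained in one place. The example sentence also reads awkwardly with "on the map" separated from "display": suggest "For example, to display on the map the data stored in indices that match `servers-europe-*`, you must use a {kib} data view whose index pattern matches `servers-europe-*`, such as `servers-*`."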
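Review bot: The siem-ui.asciidoc hunk at @@ -344,19 inserts a paragraph that duplicates the net-map-req.asciidoc hunk above, and the two copies have already drifted within this patch ("stored using the index pattern" here versus "stored in indices matching the index pattern" there). Suggest moving the section into a shared file and pulling it into both documents with `include::`, or at minimum aligning the wording. Also confirm that the `siem:defaultIndex` setting the old text named here was in fact renamed to `securitysolution:defaultIndex` in the version this file documents, since that rename is the substantive change in the hunk.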