[Docs]Timeline and Template UI updates #84

benskelker · 2020-08-03T12:14:35Z

Adds all the new 7.9 Timeline and Timeline template features.

angorayc · 2020-08-04T07:33:45Z

docs/siem/timeline/timeline-templates.asciidoc

+
+. Go to *Security* -> *Timelines*.
+. Click the *Templates* tab.
+. Click the More actions icon in the relevant row, and then select the action:


could we briefly mention about what the More actions icon looks like and its position as well, many users couldn't find for the first time

angorayc · 2020-08-04T07:36:14Z

docs/siem/timeline/timeline-templates.asciidoc

+TIP: To perform the same action on multiple templates, select templates and
+then the required action from the _Bulk actions_ menu.
+
+NOTE: You cannot delete prebuilt templates.


users cannot favourite it, or edit it either.
I think it would be nice to let them know that if they want to update the elastic prebuilt templates, they can duplicate them first and then they becomes custom templates, and they can do all the changes.

angorayc · 2020-08-04T07:40:23Z

docs/siem/timeline/timeline-templates.asciidoc

+*Bulk actions* -> _Export selected_.
+
+. To import templates, click *Import Timeline* and then select or drap-and-drop
+the template `ndjson` file.


could we put a note here to let them know the content of the ndjson has to be in minimised format to import it properly.

e.g.

This is ok

{"savedObjectId":"67664480-d191-11ea-ae67-4f4be8c1847b","version":"WzU1NSwxXQ==","columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"message","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.category","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"host.name","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"source.ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"destination.ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"user.name","searchable":null}],"dataProviders":[],"description":"","eventType":"all","filters":[],"kqlMode":"filter","timelineType":"default","kqlQuery":{"filterQuery":{"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"@timestamp\"}}],\"minimum_should_match\":1}}","kuery":{"expression":"@timestamp : * ","kind":"kuery"}}},"title":"x2","sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1596036895488,"createdBy":"angela","updated":1596491470411,"updatedBy":"angelachuang","templateTimelineId":null,"templateTimelineVersion":null,"dateRange":{"start":"2020-04-10T14:10:58.373Z","end":"2020-05-30T14:16:58.373Z"},"savedQueryId":null,"eventNotes":[{"noteId":"7d875ba0-d5d3-11ea-9899-ebec3d084fe0","version":"WzU1NiwxXQ==","eventId":"8KtMKnIBOS_moQ_K9fAe","note":"hi Xavier","timelineId":"67664480-d191-11ea-ae67-4f4be8c1847b","created":1596491490806,"createdBy":"angelachuang","updated":1596491490806,"updatedBy":"angelachuang"}],"globalNotes":[],"pinnedEventIds":["K99zy3EBDTDlbwBfpf6x","GKpFKnIBOS_moQ_Ke5AO","8KtMKnIBOS_moQ_K9fAe"]}

This will fail

{ "savedObjectId": "67664480-d191-11ea-ae67-4f4be8c1847b", "version": "WzU1NSwxXQ==", "columns": [ { "indexes": null, "name": null, "columnHeaderType": "not-filtered", "id": "@timestamp", "searchable": null }, { "indexes": null, "name": null, "columnHeaderType": "not-filtered", "id": "message", "searchable": null }, { "indexes": null, "name": null, "columnHeaderType": "not-filtered", "id": "event.category", "searchable": null }, { "indexes": null, "name": null, "columnHeaderType": "not-filtered", "id": "event.action", "searchable": null }, { "indexes": null, "name": null, "columnHeaderType": "not-filtered", "id": "host.name", "searchable": null }, { "indexes": null, "name": null, "columnHeaderType": "not-filtered", "id": "source.ip", "searchable": null }, { "indexes": null, "name": null, "columnHeaderType": "not-filtered", "id": "destination.ip", "searchable": null }, { "indexes": null, "name": null, "columnHeaderType": "not-filtered", "id": "user.name", "searchable": null } ], "dataProviders": [], "description": "", "eventType": "all", "filters": [], "kqlMode": "filter", "timelineType": "default", "kqlQuery": { "filterQuery": { "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"@timestamp\"}}],\"minimum_should_match\":1}}", "kuery": { "expression": "@timestamp : * ", "kind": "kuery" } } }, "title": "x2", "sort": { "columnId": "@timestamp", "sortDirection": "desc" }, "created": 1596036895488, "createdBy": "angela", "updated": 1596491470411, "updatedBy": "angelachuang", "templateTimelineId": null, "templateTimelineVersion": null, "dateRange": { "start": "2020-04-10T14:10:58.373Z", "end": "2020-05-30T14:16:58.373Z" }, "savedQueryId": null, "eventNotes": [ { "noteId": "7d875ba0-d5d3-11ea-9899-ebec3d084fe0", "version": "WzU1NiwxXQ==", "eventId": "8KtMKnIBOS_moQ_K9fAe", "note": "hi Xavier", "timelineId": "67664480-d191-11ea-ae67-4f4be8c1847b", "created": 1596491490806, "createdBy": "angelachuang", "updated": 1596491490806, "updatedBy": "angelachuang" } ], "globalNotes": [], "pinnedEventIds": [ "K99zy3EBDTDlbwBfpf6x", "GKpFKnIBOS_moQ_Ke5AO", "8KtMKnIBOS_moQ_K9fAe" ] }

* timeline and template updates * uncomments out original timeline section in SIEM UI * removes original timeline IDs to avoid build conflict * add all actions screenshot * add all actions screenshot * corrections * adds filter explanation and legend

timeline and template updates

eab1028

benskelker requested review from XavierM, angorayc, narcher7 and jmikell821 August 3, 2020 12:15

benskelker added the v7.9.0 Features in the 7.9 Release label Aug 3, 2020

benskelker linked an issue Aug 3, 2020 that may be closed by this pull request

[DOCS] Timeline Updates in 7.9 #61

Closed

benskelker requested review from MikePaquette and dontcallmesherryli August 3, 2020 12:16

benskelker mentioned this pull request Aug 3, 2020

[Security docs] 7.9 doc updates (Ben's stuff) #44

Closed

31 tasks

Ben Skelker added 2 commits August 3, 2020 22:58

uncomments out original timeline section in SIEM UI

496333d

removes original timeline IDs to avoid build conflict

faffec8

angorayc reviewed Aug 4, 2020

View reviewed changes

angorayc approved these changes Aug 4, 2020

View reviewed changes

Ben Skelker added 4 commits August 4, 2020 14:09

add all actions screenshot

1149f58

add all actions screenshot

02e0bae

corrections

b8a7d8c

adds filter explanation and legend

75c3bbf

narcher7 approved these changes Aug 4, 2020

View reviewed changes

benskelker merged commit c0feb23 into elastic:master Aug 4, 2020

benskelker deleted the 7.9-timeline-ui branch August 4, 2020 16:49

benskelker mentioned this pull request Aug 4, 2020

[7.x] [Docs]Timeline and Template UI updates (#84) #94

Merged

benskelker mentioned this pull request Aug 4, 2020

[7.9] [Docs]Timeline and Template UI updates (#84) #95

Merged

XavierM approved these changes Aug 4, 2020

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Docs]Timeline and Template UI updates #84

[Docs]Timeline and Template UI updates #84

benskelker commented Aug 3, 2020 •

edited

Loading

angorayc Aug 4, 2020

angorayc Aug 4, 2020

angorayc Aug 4, 2020

[Docs]Timeline and Template UI updates #84

[Docs]Timeline and Template UI updates #84

Conversation

benskelker commented Aug 3, 2020 • edited Loading

angorayc Aug 4, 2020

Choose a reason for hiding this comment

angorayc Aug 4, 2020

Choose a reason for hiding this comment

angorayc Aug 4, 2020

Choose a reason for hiding this comment

benskelker commented Aug 3, 2020 •

edited

Loading