diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc index 6b0943db75..9c35e8b79f 100644 --- a/docs/detections/alerts-view-details.asciidoc +++ b/docs/detections/alerts-view-details.asciidoc 
@@ -124,10 +124,32 @@ image::images/visualizations-section-rp.png[Visualizations section of the Overvi Click **Visualizations** to display the following previews: -* **Session view preview**: Shows a preview of <> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. +* **Session viewer preview**: Shows a preview of <> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. * **Analyzer preview**: Shows a preview of the <>. The preview displays up to three levels of the analyzed event's ancestors and up to three levels of the event's descendants and children. The ellipses symbol (**`...`**) indicates the event has more ancestors and descendants to examine. Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline. +[discrete] +[[expanded-visualizations-view]] +=== Expanded visualizations view + +preview::[] + +.Requirements +[sidebar] +-- +To use the **Visualize** tab, you must turn on the `securitySolution:enableVisualizationsInFlyout` <>. +-- + +The **Visualize** tab allows you to maintain the context of the Alerts table, while providing a more detailed view of alerts that you're investigating in the event analyzer or Session View. To open the tab, click **Session viewer preview** or **Analyzer preview** from the right panel. + +[role="screenshot"] +image::images/visualize-tab-lp.png[Expanded view of visualization details, 80%] + +As you examine the alert's related processes, you can also preview the alerts and events which are associated with those processes. Then, if you want to learn more about a particular alert or event, you can click **Show full alert details** to open the full details flyout. + +[role="screenshot"] +image::images/visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer, 80%] + [discrete] [[insights-section]] == Insights 
diff --git a/docs/detections/images/visualize-tab-lp-alert-details.gif b/docs/detections/images/visualize-tab-lp-alert-details.gif new file mode 100644 index 0000000000..487f87c74a Binary files /dev/null and b/docs/detections/images/visualize-tab-lp-alert-details.gif differ diff --git a/docs/detections/images/visualize-tab-lp.png b/docs/detections/images/visualize-tab-lp.png new file mode 100644 index 0000000000..a65151a658 Binary files /dev/null and b/docs/detections/images/visualize-tab-lp.png differ diff --git a/docs/detections/visual-event-analyzer.asciidoc b/docs/detections/visual-event-analyzer.asciidoc index 4e422292e5..b3ca110815 100644 --- a/docs/detections/visual-event-analyzer.asciidoc +++ b/docs/detections/visual-event-analyzer.asciidoc @@ -29,7 +29,9 @@ Or + ** `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` -. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. Alternatively, open the alert details flyout, go to the Visualizations section, then click **Analyzer preview**. This opens the **Analyzer** tab in Timeline. +. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout. ++ +TIP: Turn on the `securitySolution:enableVisualizationsInFlyout` <> to access the event analyzer from the **Visualize** tab in the alert or event details flyout. + [role="screenshot"] diff --git a/docs/getting-started/advanced-setting.asciidoc b/docs/getting-started/advanced-setting.asciidoc index b1e10980c0..90bdf97b0e 100644 --- a/docs/getting-started/advanced-setting.asciidoc +++ b/docs/getting-started/advanced-setting.asciidoc 
@@ -113,6 +113,14 @@ The `securitySolution:enableAssetCriticality` setting determines whether asset c Including data from cold and frozen {ref}/data-tiers.html[data tiers] in <> queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default. +[discrete] +[[visualizations-in-flyout]] +== Access the event analyzer and Session View from the event or alert details flyout + +preview::[] + +The `securitySolution:enableVisualizationsInFlyout` setting allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout. This setting is turned off by default. + [discrete] == Change the default search interval and data refresh time diff --git a/docs/serverless/alerts/view-alert-details.mdx b/docs/serverless/alerts/view-alert-details.mdx index 1b735a6e65..843fa11af6 100644 --- a/docs/serverless/alerts/view-alert-details.mdx +++ b/docs/serverless/alerts/view-alert-details.mdx @@ -124,10 +124,28 @@ The Visualizations section is located on the **Overview** tab in the right panel Click **Visualizations** to display the following previews: -* **Session view preview**: Shows a preview of session view data. Click **Session viewer preview** to open the **Session View** tab in Timeline. +* **Session view preview**: Shows a preview of Session View data. Click **Session viewer preview** to open the **Session View** tab in Timeline. * **Analyzer preview**: Shows a preview of the visual analyzer graph. The preview displays up to three levels of the analyzed event's ancestors and up to three levels of the event's descendants and children. The ellipses symbol (**`...`**) indicates the event has more ancestors and descendants to examine. Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline. +
+ +### Expanded visualizations view + + + + +To use the **Visualize** tab, you must turn on the `securitySolution:enableVisualizationsInFlyout` advanced setting. + + +The **Visualize** tab allows you to maintain the context of the Alerts table, while providing a more detailed view of alerts that you're investigating in the event analyzer or Session View. To open the tab, click **Session view preview** or **Analyzer preview** from the right panel. + + + +As you examine the alert's related processes, you can also preview the alerts and events which are associated with those processes. Then, if you want to learn more about a particular alert or event, you can click **Show full alert details** to open the full details flyout. + +![Examine alert details from event analyzer](../images/view-alert-details/-detections-visualize-tab-lp-alert-details.gif) +
## Insights diff --git a/docs/serverless/alerts/visual-event-analyzer.mdx b/docs/serverless/alerts/visual-event-analyzer.mdx index 02a3b8d75b..e66f143144 100644 --- a/docs/serverless/alerts/visual-event-analyzer.mdx +++ b/docs/serverless/alerts/visual-event-analyzer.mdx @@ -39,7 +39,11 @@ To find events that can be visually analyzed: * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` -1. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. +1. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the Hosts, Alerts, and Timelines pages, as well as the alert details flyout. + + + Turn on the `securitySolution:enableVisualizationsInFlyout` advanced setting to access the event analyzer from the **Visualize** tab in the alert or event details flyout. + diff --git a/docs/serverless/images/view-alert-details/-detections-visualize-tab-lp-alert-details.gif b/docs/serverless/images/view-alert-details/-detections-visualize-tab-lp-alert-details.gif new file mode 100644 index 0000000000..487f87c74a Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-visualize-tab-lp-alert-details.gif differ diff --git a/docs/serverless/images/view-alert-details/-detections-visualize-tab-lp.png b/docs/serverless/images/view-alert-details/-detections-visualize-tab-lp.png new file mode 100644 index 0000000000..a65151a658 Binary files /dev/null and b/docs/serverless/images/view-alert-details/-detections-visualize-tab-lp.png differ diff --git a/docs/serverless/settings/advanced-settings.mdx b/docs/serverless/settings/advanced-settings.mdx index 0d044dcb8c..d47d943e52 100644 --- a/docs/serverless/settings/advanced-settings.mdx +++ b/docs/serverless/settings/advanced-settings.mdx 
@@ -134,6 +134,14 @@ The `securitySolution:enableAssetCriticality` setting determines whether asset c Including data from cold and frozen [data tiers](((ref))/data-tiers.html) in visual event analyzer queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default. +
+ +## Access the event analyzer and session view from the event or alert details flyout + + + +The `securitySolution:enableVisualizationsInFlyout` setting allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout. This setting is turned off by default. + ## Change the default search interval and data refresh time These settings determine the default time interval and refresh rate ((elastic-sec))
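Review bot: In the alerts-view-details.asciidoc hunk, the unchanged **Analyzer preview** bullet still says clicking it opens the **Event Analyzer** tab in Timeline (and the reworded **Session viewer preview** bullet says the same for the **Session View** tab), while the new "Expanded visualizations view" section says clicking those same previews opens the **Visualize** tab. Both cannot be true at once; the behaviour depends on `securitySolution:enableVisualizationsInFlyout`. Suggest qualifying the two bullets, e.g. "Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline, or the **Visualize** tab if the `securitySolution:enableVisualizationsInFlyout` setting is turned on."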
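Review bot: The view-alert-details.mdx hunk is inconsistent about the control's name: the bullet is labelled `**Session view preview**`, the same sentence says "Click **Session viewer preview**", and the new expanded-view paragraph says "click **Session view preview**", whereas the asciidoc counterpart in this patch standardizes on **Session viewer preview**. Pick one label and use it in both files. Separately, the visible MDX lines reference only `-detections-visualize-tab-lp-alert-details.gif`, while the patch also adds `docs/serverless/images/view-alert-details/-detections-visualize-tab-lp.png` and the asciidoc version embeds `visualize-tab-lp.png`; confirm the screenshot reference for the png was not dropped from the MDX.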
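Review bot: In the visual-event-analyzer.asciidoc hunk, the removed sentence ("Alternatively, open the alert details flyout, go to the Visualizations section, then click **Analyzer preview**. This opens the **Analyzer** tab in Timeline.") documented the path that applies when the setting is off, and the replacement only lists the pages where the analyzer is accessible plus a TIP for the setting-on path, so a reader with the default configuration no longer learns how to reach the analyzer from the flyout. Suggest keeping a short sentence for the default path before the TIP. The serverless visual-event-analyzer.mdx counterpart also drops the bold on **Hosts**, **Alerts**, and **Timelines** that the asciidoc version uses; align the formatting.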
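Review bot: The new heading in advanced-settings.mdx reads "Access the event analyzer and session view from the event or alert details flyout" with "session view" in lowercase, while the asciidoc heading in advanced-setting.asciidoc and the body text in both files use "Session View". Use the capitalized product name in the MDX heading as well.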