diff --git a/docs/en/siem/case-api-update-connector.asciidoc b/docs/en/siem/case-api-update-connector.asciidoc index 39513fa58..e782214e0 100644 --- a/docs/en/siem/case-api-update-connector.asciidoc +++ b/docs/en/siem/case-api-update-connector.asciidoc @@ -10,7 +10,7 @@ send cases to the external system. ==== Request URL -`PATCH //api/cases/configure` +`PATCH :/api/cases/configure` ==== Request body diff --git a/docs/en/siem/cases-api-add-comment.asciidoc b/docs/en/siem/cases-api-add-comment.asciidoc index 03477a034..a4802a3de 100644 --- a/docs/en/siem/cases-api-add-comment.asciidoc +++ b/docs/en/siem/cases-api-add-comment.asciidoc @@ -5,7 +5,7 @@ Adds a comment to an existing case. ==== Request URL -`POST //api/cases//comments` +`POST :/api/cases//comments` ===== URL parts diff --git a/docs/en/siem/cases-api-assign-connector.asciidoc b/docs/en/siem/cases-api-assign-connector.asciidoc index 5ceb5a24e..7901fd773 100644 --- a/docs/en/siem/cases-api-assign-connector.asciidoc +++ b/docs/en/siem/cases-api-assign-connector.asciidoc @@ -10,7 +10,7 @@ send cases to the external system. ==== Request URL -`POST //api/cases/configure` +`POST :/api/cases/configure` ==== Request body diff --git a/docs/en/siem/cases-api-associate-sn.asciidoc b/docs/en/siem/cases-api-associate-sn.asciidoc index c71fb2932..3be233faa 100644 --- a/docs/en/siem/cases-api-associate-sn.asciidoc +++ b/docs/en/siem/cases-api-associate-sn.asciidoc @@ -8,7 +8,7 @@ After sending a new or updated case to {sn}, you must associate the returned ==== Request URL -`POST //api/cases//_push` +`POST :/api/cases//_push` ===== URL parts diff --git a/docs/en/siem/cases-api-create.asciidoc b/docs/en/siem/cases-api-create.asciidoc index d714f4b15..04ce05810 100644 --- a/docs/en/siem/cases-api-create.asciidoc +++ b/docs/en/siem/cases-api-create.asciidoc @@ -5,7 +5,7 @@ Creates a new case. ==== Request URL -`POST //api/cases` +`POST :/api/cases` ==== Request body 
diff --git a/docs/en/siem/cases-api-delete-all-comments.asciidoc b/docs/en/siem/cases-api-delete-all-comments.asciidoc index 855e10a98..f174af702 100644 --- a/docs/en/siem/cases-api-delete-all-comments.asciidoc +++ b/docs/en/siem/cases-api-delete-all-comments.asciidoc @@ -5,7 +5,7 @@ Deletes all comments from the specified case. ==== Request URL -`DELETE //api/cases//comments` +`DELETE :/api/cases//comments` ===== URL parts diff --git a/docs/en/siem/cases-api-delete-case.asciidoc b/docs/en/siem/cases-api-delete-case.asciidoc index 0ef1da7ae..908cfcb02 100644 --- a/docs/en/siem/cases-api-delete-case.asciidoc +++ b/docs/en/siem/cases-api-delete-case.asciidoc @@ -5,7 +5,7 @@ Deletes the specified cases and all associated comments. ==== Request URL -`DELETE //api/cases?ids=["",""]` +`DELETE :/api/cases?ids=["",""]` ===== URL parts diff --git a/docs/en/siem/cases-api-delete-comment.asciidoc b/docs/en/siem/cases-api-delete-comment.asciidoc index 821fe78bc..7c63e7602 100644 --- a/docs/en/siem/cases-api-delete-comment.asciidoc +++ b/docs/en/siem/cases-api-delete-comment.asciidoc @@ -5,7 +5,7 @@ Deletes the specified comment. ==== Request URL -`DELETE //api/cases//comments/` +`DELETE :/api/cases//comments/` ===== URL parts diff --git a/docs/en/siem/cases-api-find-cases.asciidoc b/docs/en/siem/cases-api-find-cases.asciidoc index 8f525ce1f..623af89bb 100644 --- a/docs/en/siem/cases-api-find-cases.asciidoc +++ b/docs/en/siem/cases-api-find-cases.asciidoc @@ -10,7 +10,7 @@ parameters. ==== Request URL -`GET //api/cases/_find` +`GET :/api/cases/_find` ===== URL query parameters diff --git a/docs/en/siem/cases-api-find-connectors.asciidoc b/docs/en/siem/cases-api-find-connectors.asciidoc index 7ce9c085f..419560e89 100644 --- a/docs/en/siem/cases-api-find-connectors.asciidoc +++ b/docs/en/siem/cases-api-find-connectors.asciidoc @@ -8,7 +8,7 @@ see <>. ==== Request URL -`GET //api/cases/configure/connectors/_find` +`GET :/api/cases/configure/connectors/_find` ===== Example request 
diff --git a/docs/en/siem/cases-api-get-case-activity.asciidoc b/docs/en/siem/cases-api-get-case-activity.asciidoc index 386a8104d..fa6a28a49 100644 --- a/docs/en/siem/cases-api-get-case-activity.asciidoc +++ b/docs/en/siem/cases-api-get-case-activity.asciidoc @@ -5,7 +5,7 @@ Returns all user activity for the specified case. ==== Request URL -`GET //api/cases//user_actions` +`GET :/api/cases//user_actions` ===== URL parts diff --git a/docs/en/siem/cases-api-get-case-comments.asciidoc b/docs/en/siem/cases-api-get-case-comments.asciidoc index b4c9e9627..806160c79 100644 --- a/docs/en/siem/cases-api-get-case-comments.asciidoc +++ b/docs/en/siem/cases-api-get-case-comments.asciidoc @@ -5,7 +5,7 @@ Returns all comments for the specified case. ==== Request URL -`GET //api/cases//comments` +`GET :/api/cases//comments` ===== URL parts diff --git a/docs/en/siem/cases-api-get-case.asciidoc b/docs/en/siem/cases-api-get-case.asciidoc index 2fa4d88c9..f9644c34d 100644 --- a/docs/en/siem/cases-api-get-case.asciidoc +++ b/docs/en/siem/cases-api-get-case.asciidoc @@ -5,7 +5,7 @@ Returns the specified case. ==== Request URL -`GET //api/cases/` +`GET :/api/cases/` ===== URL parts diff --git a/docs/en/siem/cases-api-get-comment.asciidoc b/docs/en/siem/cases-api-get-comment.asciidoc index 320c00ada..ce6ff716e 100644 --- a/docs/en/siem/cases-api-get-comment.asciidoc +++ b/docs/en/siem/cases-api-get-comment.asciidoc @@ -5,7 +5,7 @@ Gets the specified comment. ==== Request URL -`GET //api/cases//comments/` +`GET :/api/cases//comments/` ===== URL parts diff --git a/docs/en/siem/cases-api-get-connector.asciidoc b/docs/en/siem/cases-api-get-connector.asciidoc index 986dd235a..5e5de0b39 100644 --- a/docs/en/siem/cases-api-get-connector.asciidoc +++ b/docs/en/siem/cases-api-get-connector.asciidoc @@ -7,7 +7,7 @@ NOTE: For more information on connectors, see <>. ==== Request URL -`GET //api/cases/configure` +`GET :/api/cases/configure` ===== Example request 
diff --git a/docs/en/siem/cases-api-get-reporters.asciidoc b/docs/en/siem/cases-api-get-reporters.asciidoc index bfea63e45..660580a07 100644 --- a/docs/en/siem/cases-api-get-reporters.asciidoc +++ b/docs/en/siem/cases-api-get-reporters.asciidoc @@ -5,7 +5,7 @@ Returns all case reporters (users who opened cases). ==== Request URL -`GET //api/cases/reporters` +`GET :/api/cases/reporters` ===== Example request diff --git a/docs/en/siem/cases-api-get-status.asciidoc b/docs/en/siem/cases-api-get-status.asciidoc index b64e4ee64..04193367b 100644 --- a/docs/en/siem/cases-api-get-status.asciidoc +++ b/docs/en/siem/cases-api-get-status.asciidoc @@ -5,7 +5,7 @@ Returns the number of open and closed cases. ==== Request URL -`GET //api/cases/status` +`GET :/api/cases/status` ===== Example request diff --git a/docs/en/siem/cases-api-get-tags.asciidoc b/docs/en/siem/cases-api-get-tags.asciidoc index 4d31652e5..8ba4d8ac7 100644 --- a/docs/en/siem/cases-api-get-tags.asciidoc +++ b/docs/en/siem/cases-api-get-tags.asciidoc @@ -5,7 +5,7 @@ Aggregates and returns all unique tags from all cases. ==== Request URL -`GET //api/cases/tags` +`GET :/api/cases/tags` ===== Example request diff --git a/docs/en/siem/cases-api-update-comment.asciidoc b/docs/en/siem/cases-api-update-comment.asciidoc index 53cf8a16c..0c7e5376e 100644 --- a/docs/en/siem/cases-api-update-comment.asciidoc +++ b/docs/en/siem/cases-api-update-comment.asciidoc @@ -5,7 +5,7 @@ Updates an existing comment. ==== Request URL -`PATCH //api/cases//comments` +`PATCH :/api/cases//comments` ===== URL parts diff --git a/docs/en/siem/cases-api-update.asciidoc b/docs/en/siem/cases-api-update.asciidoc index 39b0d0500..520a679f8 100644 --- a/docs/en/siem/cases-api-update.asciidoc +++ b/docs/en/siem/cases-api-update.asciidoc @@ -5,7 +5,7 @@ Updates existing cases. ==== Request URL -`PATCH //api/cases` +`PATCH :/api/cases` ==== Request body 
diff --git a/docs/en/siem/cases-api.asciidoc b/docs/en/siem/cases-api.asciidoc index 6f34dcd87..466bf899f 100644 --- a/docs/en/siem/cases-api.asciidoc +++ b/docs/en/siem/cases-api.asciidoc @@ -6,11 +6,11 @@ You can create, manage, configure, and send cases to external systems with these APIs: * Cases API: Used to open and manage security action items. The API endpoint is -`//api/cases`, where `` is the host name and +`:/api/cases`, where `` is the host name and `` is the port number of your Kibana instance. * Actions API: Used to send cases to external systems. The API endpoint -is `//api/actions`. <> +is `:/api/actions`. <> describes how to set up integrations with third-party systems, and <> describes how to push {siem-app} cases to third party systems (currently, ServiceNow). @@ -58,6 +58,6 @@ For example, the following call retrieves the first 20 cases: [source,sh] -------------------------------------------------- -curl -X GET "//api/cases" +curl -X GET ":/api/cases" -H 'kbn-xsrf: kibana' -u : -------------------------------------------------- \ No newline at end of file diff --git a/docs/en/siem/cases-kbn-actions-api.asciidoc b/docs/en/siem/cases-kbn-actions-api.asciidoc index ac0b6f4b5..2a848071f 100644 --- a/docs/en/siem/cases-kbn-actions-api.asciidoc +++ b/docs/en/siem/cases-kbn-actions-api.asciidoc @@ -31,7 +31,7 @@ Creates a {sn} connector, which can then be used to open {sn} incidents from ===== Request URL -`POST //api/action` +`POST :/api/action` ===== Request body @@ -175,7 +175,7 @@ Updates a {sn} connector. ===== Request URL -`PUT //api/action/` +`PUT :/api/action/` ===== URL parts @@ -318,7 +318,7 @@ NOTE: You can only send cases to external system after you have ===== Request URL -`POST //api/action//_execute` +`POST :/api/action//_execute` ===== URL parts diff --git a/docs/en/siem/cases-overview.asciidoc b/docs/en/siem/cases-overview.asciidoc index 1147564c4..d81ca8c8b 100644 --- a/docs/en/siem/cases-overview.asciidoc 
+++ b/docs/en/siem/cases-overview.asciidoc @@ -7,13 +7,16 @@ beta[] Cases are used to open and track security issues directly in the {siem-app}. They list the original reporter and all users who contribute to a case -(`participants`). Comments support markdown syntax, and allow linking to saved +(`participants`). Comments support Markdown syntax, and allow linking to saved <>. Additionally, you can send cases to external systems from within the {siem-app} (currently {sn}). <> describes how to set this up. You can create and manage cases via the UI or the <>. +NOTE: To send cases to {sn}, you need the +https://www.elastic.co/subscriptions[appropriate license]. + IMPORTANT: To make sure you can view and open cases, see <>. [role="screenshot"] @@ -29,7 +32,7 @@ Open a new case to keep track of security issues and share their details with co . Give the case a name, and add a description and any relevant tags. + TIP: In the `Description` area, you can use -https://www.markdownguide.org/cheat-sheet[markdown] syntax and insert a +https://www.markdownguide.org/cheat-sheet[Markdown] syntax and insert a timeline link (click the icon in the top right corner of the area). . When ready, create the case. diff --git a/docs/en/siem/cases-ui-integrations.asciidoc b/docs/en/siem/cases-ui-integrations.asciidoc index 01e904843..a78ce1307 100644 --- a/docs/en/siem/cases-ui-integrations.asciidoc +++ b/docs/en/siem/cases-ui-integrations.asciidoc @@ -8,6 +8,9 @@ a connector, which stores the information required to push cases to {sn} via After you have created a connector, you can set {siem-soln} cases to close automatically when they are sent to {sn}. +NOTE: To create a {sn} connector and send cases to {sn}, you need the +https://www.elastic.co/subscriptions[appropriate license]. + [float] === Create a new connector diff --git a/docs/en/siem/detection-engine-intro.asciidoc b/docs/en/siem/detection-engine-intro.asciidoc index 45a5086ca..73d0b3091 100644 
--- a/docs/en/siem/detection-engine-intro.asciidoc +++ b/docs/en/siem/detection-engine-intro.asciidoc @@ -12,6 +12,9 @@ for creating signals. Additionally, you can use the {kib} framework to send notifications via other systems, such as email and Slack, when signals are generated. +NOTE: To use {kib} Alerting for signal notifications, you need the +https://www.elastic.co/subscriptions[appropriate license]. + The {siem-app} comes with <> that search for suspicious activity on your network and hosts. For information on how to optimize the prebuilt rules, see <>. You can also @@ -93,9 +96,39 @@ To open and close signals, either: *Close/Open selected*. [float] -=== Send signals to the Timeline - -To investigate a signal in the Timeline, click the *View in timeline* icon. +[[signals-to-timelines]] +=== Investigate signals in Timeline + +To investigate a signal in Timeline, click the *Investigate in timeline* +icon. + +If the rule that generated the signal uses a timeline template, when you +investigate the signal in Timeline, the following dropzone query values are +replaced with their corresponding signal values: + +* `host.name` +* `host.hostname` +* `host.domain` +* `host.id` +* `host.ip` +* `client.ip` +* `destination.ip` +* `server.ip` +* `source.ip` +* `network.community_id` +* `user.name` +* `process.name` + +*Example* + +The timeline template used in the rule has this dropzone query: +`host.name: "Linux-LiverpoolFC"`. When signals generated by the rule are +investigated in Timeline, the `host.name` value is replaced with the signal's +`host.name` value. If the signal's `host.name` value is `Windows-ArsenalFC`, +the timeline dropzone query is `host.name: "Windows-ArsenalFC"`. + +NOTE: For information on how to add timeline templates to rules, see +<>. [float] [[detections-permissions]] diff --git a/docs/en/siem/machine-learning.asciidoc b/docs/en/siem/machine-learning.asciidoc index 3e1843e58..fb15c3834 100644 --- a/docs/en/siem/machine-learning.asciidoc 
+++ b/docs/en/siem/machine-learning.asciidoc @@ -2,16 +2,16 @@ [role="xpack"] == Anomaly Detection with Machine Learning -For *Free Trial*, *{ess-trial}[Cloud]* -and *https://www.elastic.co/subscriptions[Platinum License]* deployments, -{kibana-ref}/xpack-ml.html[Machine Learning] functionality is available -on the *Detections* page. You can view the details of detected anomalies -within the `Anomalies` table widget shown on the Hosts, Network and associated -Details pages, or even narrow to the specific date range of an anomaly from the -`Max Anomaly Score` details in the overview of the Host and IP Details pages. -Each of these interfaces also offer the ability to drag and drop details of the -anomaly to Timeline, such as the `Entity` itself, or any of the associated -`Influencers`. +{kibana-ref}/xpack-ml.html[{ml-cap}] functionality is available when +you have the *https://www.elastic.co/subscriptions[appropriate license]*, are +using a *{ess-trial}[cloud deployment]*, or are testing out a *Free Trial*. + +You can view the details of detected anomalies within the `Anomalies` table +widget shown on the Hosts, Network and associated Details pages, or even narrow +to the specific date range of an anomaly from the `Max Anomaly Score` details +in the overview of the Host and IP Details pages. Each of these interfaces also +offer the ability to drag and drop details of the anomaly to Timeline, such as +the `Entity` itself, or any of the associated `Influencers`. [role="screenshot"] image::ml-ui.png[] diff --git a/docs/en/siem/prebuilt-rules-reference.asciidoc b/docs/en/siem/prebuilt-rules-reference.asciidoc index 6b9da77c8..e437d99f8 100644 --- a/docs/en/siem/prebuilt-rules-reference.asciidoc +++ b/docs/en/siem/prebuilt-rules-reference.asciidoc 
@@ -6,10 +6,10 @@ beta[] This section lists all available prebuilt rules. -IMPORTANT: You can only run {ml} prebuilt rules when you have a -https://www.elastic.co/subscriptions[Platinum License] or you are using a -{ess-trial}[Cloud] deployment. All {ml} prebuilt rules are tagged with `ML`, -and their rule type is `machine_learning`. +IMPORTANT: To run {ml} prebuilt rules, you must have the +https://www.elastic.co/subscriptions[appropriate license] or use a +{ess-trial}[cloud deployment]. All machine learning prebuilt rules are tagged +with `ML`, and their rule type is `machine_learning`. [width="100%",options="header"] |============================================== diff --git a/docs/en/siem/rules-api-create.asciidoc b/docs/en/siem/rules-api-create.asciidoc index 3f25aa6dd..677a9aaaf 100644 --- a/docs/en/siem/rules-api-create.asciidoc +++ b/docs/en/siem/rules-api-create.asciidoc @@ -9,11 +9,10 @@ You can create two types of rules: a document matches the rule's query. * {ml-cap} rules, which create a signal when a {ml} job discovers an anomaly above the defined threshold (see <>). -IMPORTANT: You can only create {ml} jobs when you have a -https://www.elastic.co/subscriptions[Platinum License], are using a -{ess-trial}[Cloud] deployment, or are testing out a *Free Trial*. Additionally, -for the {ml} rule to function correctly, the associated {ml} job must be -running. +IMPORTANT: To create {ml} rules, you must have the +https://www.elastic.co/subscriptions[appropriate license] or use a +{ess-trial}[cloud deployment]. Additionally, for the {ml} rule to function +correctly, the associated {ml} job must be running. To retrieve {ml} job IDs, which are required to create {ml} jobs, call the {ref}/ml-get-job.html[{es} Get jobs API]. {ml-cap} jobs that contain `siem` in 
@@ -47,7 +46,7 @@ notifications: NOTE: For more information on PagerDuty fields, see https://v2.developer.pagerduty.com/v2/docs/send-an-event-events-api-v2[PagerDuty Send a v2 Event API]. To retrieve connector IDs, which are required to configure rule notifications, -call `GET //api/action/_find`. +call `GET :/api/action/_find`. For detailed information on {kib} actions and alerting, and additional API calls, see: diff --git a/docs/en/siem/rules-ui-create.asciidoc b/docs/en/siem/rules-ui-create.asciidoc index 603f82b0f..55ea15226 100644 --- a/docs/en/siem/rules-ui-create.asciidoc +++ b/docs/en/siem/rules-ui-create.asciidoc @@ -80,9 +80,9 @@ running, the rule will: are discovered. ** Issue an error stating the {ml} job was not running when the rule executed. -IMPORTANT: You can only create {ml} jobs when you have a -https://www.elastic.co/subscriptions[Platinum License], are using a -{ess-trial}[Cloud] deployment, or are testing out a *Free Trial*. +IMPORTANT: To create {ml} rules, you must have the +https://www.elastic.co/subscriptions[appropriate license] or use a +{ess-trial}[cloud deployment]. . Go to *SIEM* -> *Detections* -> *Manage signal detection rules*. . Click *Create new rule*. @@ -128,7 +128,10 @@ TIP: This example is based on the to the timeline (optional). + TIP: Before you create rules, create and save relevant -<> so they can be selected here. +<> so they can be selected here. When signals generated +by the rule are sent to the Timeline, +<> are replaced with their +corresponding signal field values. . Click *Continue*. + 
@@ -191,8 +194,12 @@ The {siem-app} performs deduplication. Duplicate signals discovered during the The *Rule actions* pane is displayed. [role="screenshot"] image::images/rule-actions.png[] -. Optionally, use {kib} Actions to set up notifications sent via other systems -when new signals are detected: +. Optionally, use {kib} Alerting to set up notifications sent via other systems +when new signals are detected. ++ +NOTE: To use {kib} Alerting for signal notifications, you need the +https://www.elastic.co/subscriptions[appropriate license]. + .. Set how often notifications are sent: * _On each rule execution_: Sends a notification every time new signals are
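Review bot: In docs/en/siem/cases-api.asciidoc (hunk @@ -58,6 +58,6 @@), the file still ends without a trailing newline ("\ No newline at end of file" follows the closing `--------------------------------------------------` delimiter). Since this hunk already rewrites the last lines of the file, add the newline here rather than leaving it for a later diff; it also keeps the asciidoc source block delimiter from being the literal last byte.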
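Review bot: In docs/en/siem/cases-ui-integrations.asciidoc (hunk @@ -8,6 +8,9 @@), this is the second copy of the same "you need the https://www.elastic.co/subscriptions[appropriate license]" NOTE in this patch; cases-overview.asciidoc adds one, and detection-engine-intro.asciidoc and rules-ui-create.asciidoc add two more with near-identical wording. Consider moving the sentence into a shared include or attribute so the four copies cannot drift apart the next time the licensing wording changes.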
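Review bot: In docs/en/siem/detection-engine-intro.asciidoc (hunk @@ -93,9 +96,39 @@), the heading "Send signals to the Timeline" is renamed to "Investigate signals in Timeline" and the new `[[signals-to-timelines]]` anchor is added; any page that cross-referenced the old heading text should be pointed at the new anchor in this same change so links do not break. The list of replaced dropzone fields would also read more completely if the paragraph stated what happens to template fields that are not in the list (for example, that they are kept as written in the template), since the "Linux-LiverpoolFC" / "Windows-ArsenalFC" example only covers `host.name`.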
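Review bot: In docs/en/siem/machine-learning.asciidoc (hunk @@ -2,16 +2,16 @@), "Each of these interfaces also offer the ability" should be "offers" (the subject is "Each"); the sentence is being reflowed here anyway, so fix it in this hunk. This file also keeps "or are testing out a *Free Trial*" in the licensing sentence while the rules-api-create.asciidoc and rules-ui-create.asciidoc hunks drop that clause from the equivalent IMPORTANT admonition; either the trial still applies to all three pages or it applies to none, so make the three sentences agree.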
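Review bot: In docs/en/siem/prebuilt-rules-reference.asciidoc (hunk @@ -6,10 +6,10 @@), the new line "All machine learning prebuilt rules are tagged" spells the term out while the first sentence of the same admonition uses the `{ml}` attribute ("To run {ml} prebuilt rules"); use `{ml}` in both places for consistency with the rest of the patch.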
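Review bot: In docs/en/siem/rules-api-create.asciidoc (hunk @@ -9,11 +9,10 @@), the IMPORTANT admonition now correctly says "To create {ml} rules", but the unchanged context line that follows still reads "To retrieve {ml} job IDs, which are required to create {ml} jobs"; job IDs are an input to the rule, so that line should say "required to create {ml} rules" and belongs in this hunk while the wording is being corrected.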