[Doc][SIEM]General corrections #1001
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @@ -93,9 +96,39 @@ To open and close signals, either: | |||
| *Close/Open selected*. | |||
|
|
|||
| [float] | |||
| [[signals-to-timelines]] | |||
| === Send signals to the Timeline | |||
There was a problem hiding this comment.
Can we use "Investigate signals in Timeline" rather than "Send". (Send implies that you might be moving it to the timeline, but it will actually stay in the signals table).
|
|
||
| *Example* | ||
|
|
||
| The timeline template used in the rule has this query: |
There was a problem hiding this comment.
replace "query" with "dropzone query". (I know it seems overly detailed, but to avoid confusion with Saved Queries or KQL queries, I think we should repeat "dropzone" each time.)
| `host.name: "Linux-LiverpoolFC"`. When signals generated by the rule are sent | ||
| to the Timeline, the `host.name` value is replaced with the signal's | ||
| `host.name` value. If the signal's `host.name` value is `Windows-ArsenalFC`, | ||
| the timeline query is `host.name: "Windows-ArsenalFC"`. |
| To investigate a signal in the Timeline, click the *Investigate in timeline* | ||
| icon. | ||
|
|
||
| If the rule that generated the signal uses a timeline template, when you send |
There was a problem hiding this comment.
change "when you send" to "when you investigate"
| icon. | ||
|
|
||
| If the rule that generated the signal uses a timeline template, when you send | ||
| the signal to the Timeline, the following dropzone query values are replaced |
There was a problem hiding this comment.
change "to the Timeline" to "in the Timeline"
benskelker
added a commit
to benskelker/stack-docs
that referenced
this pull request
Apr 22, 2020
* adds license requirements * adds timeline field subs * wording * typo * expands example * corrects api urls * finalises licensing text * fixes list formatting * corrections after review
benskelker
added a commit
to benskelker/stack-docs
that referenced
this pull request
Apr 22, 2020
* adds license requirements * adds timeline field subs * wording * typo * expands example * corrects api urls * finalises licensing text * fixes list formatting * corrections after review
benskelker
added a commit
that referenced
this pull request
Apr 22, 2020
benskelker
added a commit
that referenced
this pull request
Apr 22, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds licensing requirements and list of substituted timeline query field values.
Preview of timeline field value substitutions