[Doc][SIEM]General corrections #1001
Changes from 8 commits
0da1165
40f9bdd
b5a8833
9c22afc
fb234dd
c0cbac4
f771355
40dfa5a
28ecd18
@@ -12,6 +12,9 @@ for creating signals. Additionally, you can use the {kib} | |
framework to send notifications via other systems, such as email and Slack, | ||
when signals are generated. | ||
|
||
NOTE: To use {kib} Alerting for signal notifications, you need the | ||
https://www.elastic.co/subscriptions[appropriate license]. | ||
|
||
The {siem-app} comes with <<prebuilt-rules, prebuilt rules>> that search for | ||
suspicious activity on your network and hosts. For information on how to | ||
optimize the prebuilt rules, see <<tuning-detection-signals>>. You can also | ||
|
@@ -93,9 +96,39 @@ To open and close signals, either: | |
*Close/Open selected*. | ||
|
||
[float] | ||
[[signals-to-timelines]] | ||
=== Send signals to the Timeline | ||
|
||
To investigate a signal in the Timeline, click the *View in timeline* icon. | ||
To investigate a signal in the Timeline, click the *Investigate in timeline* | ||
icon. | ||
|
||
If the rule that generated the signal uses a timeline template, when you send | ||
change "when you send" to "when you investigate"
||
the signal to the Timeline, the following dropzone query values are replaced | ||
change "to the Timeline" to "in the Timeline"
||
with their corresponding signal values: | ||
|
||
* `host.name` | ||
* `host.hostname` | ||
* `host.domain` | ||
* `host.id` | ||
* `host.ip` | ||
* `client.ip` | ||
* `destination.ip` | ||
* `server.ip` | ||
* `source.ip` | ||
* `network.community_id` | ||
* `user.name` | ||
* `process.name` | ||
|
||
*Example* | ||
|
||
The timeline template used in the rule has this query: | ||
replace "query" with "dropzone query". (I know it seems overly detailed, but to avoid confusion with Saved Queries or KQL queries, I think we should repeat "dropzone" each time.)
||
`host.name: "Linux-LiverpoolFC"`. When signals generated by the rule are sent | ||
to the Timeline, the `host.name` value is replaced with the signal's | ||
`host.name` value. If the signal's `host.name` value is `Windows-ArsenalFC`, | ||
the timeline query is `host.name: "Windows-ArsenalFC"`. | ||
again "dropzone query"
||
|
||
NOTE: For information on how to add timeline templates to rules, see | ||
<<create-rule-ui>>. | ||
|
||
[float] | ||
[[detections-permissions]] | ||
|
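Review bot: the terminology in this hunk is inconsistent: the heading `=== Send signals to the Timeline` and the sentence `When signals generated by the rule are sent to the Timeline` still say "send/sent", while the icon label in the same hunk was changed to *Investigate in timeline*; align the heading and the example sentence with the new wording (for example `=== Investigate signals in the Timeline`). The hunk also writes both `the Timeline` and `the timeline query`; pick one capitalization for the feature name and use it throughout the section.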
Can we use "Investigate signals in Timeline" rather than "Send". (Send implies that you might be moving it to the timeline, but it will actually stay in the signals table).