You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/detections/visual-event-analyzer.asciidoc
+18-6Lines changed: 18 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,7 +2,7 @@
2
2
[role="xpack"]
3
3
== Visual event analyzer
4
4
5
-
{elastic-sec} allows any event detected by {elastic-endpoint} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Viewing events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations.
5
+
{elastic-sec} allows any event detected by {elastic-endpoint} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Examining events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations.
6
6
7
7
[float]
8
8
[[find-events-analyze]]
@@ -17,9 +17,9 @@ In KQL, this translates to any event with the `agent.type` set to either:
17
17
18
18
To find events that can be visually analyzed:
19
19
20
-
. First, view a list of events by doing one of the following:
20
+
. First, display a list of events by doing one of the following:
21
21
* Go to *Explore* -> *Hosts*, then select the *Events* tab. A list of all your hosts' events appears at the bottom of the page.
22
-
* Go to *Alerts*, then scroll down to view the Alerts table.
22
+
* Go to *Alerts*, then scroll down to the Alerts table.
23
23
. Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting *Enter*:
24
24
** `agent.type:"endpoint" and process.entity_id :*`
25
25
+
@@ -49,7 +49,7 @@ TIP: You can also analyze events from <<timelines-ui,Timelines>>.
49
49
50
50
Within the visual analyzer, each cube represents a process, such as an executable file or network event. Click and drag in the analyzer to explore the hierarchy of all process relationships.
51
51
52
-
To understand what fields were used to create the process, select the **Process Tree** to view the schema that created the graphical view. The fields included are:
52
+
To understand what fields were used to create the process, select the **Process Tree** to show the schema that created the graphical view. The fields included are:
53
53
54
54
* `SOURCE`: Can be either `endpoint` or `winlogbeat`
55
55
* `ID`: Event field that uniquely identifies a node
@@ -58,7 +58,7 @@ To understand what fields were used to create the process, select the **Process
58
58
[role="screenshot"]
59
59
image::images/process-schema.png[]
60
60
61
-
View the **Legend** to understand the state of each process node.
61
+
Click the **Legend** to show the state of each process node.
62
62
63
63
[role="screenshot"]
64
64
image::images/node-legend.png[]
@@ -96,6 +96,7 @@ To learn more about each related process, select the process in the left panel o
96
96
* The `process-pid`
97
97
* The user name and domain that ran the process
98
98
* Any other relevant process information
99
+
* Any associated alerts
99
100
100
101
[role="screenshot"]
101
102
image::images/process-details.png[]
@@ -109,9 +110,20 @@ Events are categorized based on the `event.category` value.
109
110
[role="screenshot"]
110
111
image::images/event-type.png[]
111
112
112
-
When you select an `event.category` pill, all the events within that category are listed in the left panel. To view more details about a specific event, select it from the list.
113
+
When you select an `event.category` pill, all the events within that category are listed in the left panel. To display more details about a specific event, select it from the list.
113
114
114
115
[role="screenshot"]
115
116
image::images/event-details.png[]
116
117
117
118
NOTE: In {stack} versions 7.10.0 and newer, there is no limit to the number of events that can be associated with a process. However, in {stack} versions 7.9.0 and earlier, each process is limited to only 100 events.
119
+
120
+
To examine alerts associated with the event, select the alert pill (*_x_ alert*). The left pane lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert's details.
121
+
122
+
In the example screenshot below, five alerts were generated by the analyzed event (`lsass.exe`). The left pane displays the associated alerts and basic information about each one.
123
+
124
+
preview::[]
125
+
126
+
NOTE: This is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. In addition, to display it in {elastic-security} you must add the `xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']` feature flag to the `kibana.yml` file.
![mergify[bot]](https://avatars.githubusercontent.com/in/10562?v=4&size=40){kind=avatar}
0 commit comments