diff --git a/docs/detections/images/analyze-event-button.png b/docs/detections/images/analyze-event-button.png new file mode 100644 index 0000000000..cd6f9f1795 Binary files /dev/null and b/docs/detections/images/analyze-event-button.png differ diff --git a/docs/detections/images/analyze-event-timeline.png b/docs/detections/images/analyze-event-timeline.png new file mode 100644 index 0000000000..ec8138699c Binary files /dev/null and b/docs/detections/images/analyze-event-timeline.png differ diff --git a/docs/detections/images/analyze-event-view.png b/docs/detections/images/analyze-event-view.png index 6828a58db3..cedad385fb 100644 Binary files a/docs/detections/images/analyze-event-view.png and b/docs/detections/images/analyze-event-view.png differ diff --git a/docs/detections/images/analyze-event.gif b/docs/detections/images/analyze-event.gif deleted file mode 100644 index 94edb59fb0..0000000000 Binary files a/docs/detections/images/analyze-event.gif and /dev/null differ diff --git a/docs/detections/images/analyzer_KQL_query.png b/docs/detections/images/analyzer_KQL_query.png new file mode 100644 index 0000000000..d2f2c4a20b Binary files /dev/null and b/docs/detections/images/analyzer_KQL_query.png differ diff --git a/docs/detections/images/event-details.png b/docs/detections/images/event-details.png index f8cc0dbf43..d474bb22e9 100644 Binary files a/docs/detections/images/event-details.png and b/docs/detections/images/event-details.png differ diff --git a/docs/detections/images/event-type.png b/docs/detections/images/event-type.png index a3f5c488e4..13abf34abc 100644 Binary files a/docs/detections/images/event-type.png and b/docs/detections/images/event-type.png differ diff --git a/docs/detections/images/full-screen-analyzer.png b/docs/detections/images/full-screen-analyzer.png index 971620195f..a8f78cb27e 100644 Binary files a/docs/detections/images/full-screen-analyzer.png and b/docs/detections/images/full-screen-analyzer.png differ 
diff --git a/docs/detections/images/graphical-view.png b/docs/detections/images/graphical-view.png index d99d895b38..61c67e9dff 100644 Binary files a/docs/detections/images/graphical-view.png and b/docs/detections/images/graphical-view.png differ diff --git a/docs/detections/images/kql-agent-type.png b/docs/detections/images/kql-agent-type.png index 6aa75ee288..2e5bec8530 100644 Binary files a/docs/detections/images/kql-agent-type.png and b/docs/detections/images/kql-agent-type.png differ diff --git a/docs/detections/images/node-legend.png b/docs/detections/images/node-legend.png index 673044477c..1e661673a2 100644 Binary files a/docs/detections/images/node-legend.png and b/docs/detections/images/node-legend.png differ diff --git a/docs/detections/images/process-details.png b/docs/detections/images/process-details.png index 4458667649..f3ff290ff1 100644 Binary files a/docs/detections/images/process-details.png and b/docs/detections/images/process-details.png differ diff --git a/docs/detections/images/process-list.png b/docs/detections/images/process-list.png index d2f5cf1283..e68f76e4a0 100644 Binary files a/docs/detections/images/process-list.png and b/docs/detections/images/process-list.png differ diff --git a/docs/detections/visual-event-analyzer.asciidoc b/docs/detections/visual-event-analyzer.asciidoc index c8c79bfb30..3685833513 100644 --- a/docs/detections/visual-event-analyzer.asciidoc +++ b/docs/detections/visual-event-analyzer.asciidoc 
@@ -2,38 +2,44 @@ [role="xpack"] == Visual event analyzer -Elastic Security allows any event detected by Elastic Endpoint to be analyzed using a process-based visual analyzer. This enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations. +{elastic-sec} allows any event detected by {elastic-endpoint} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Viewing events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations. [float] [[find-events-analyze]] === Find events to analyze -You can only visualize events triggered by hosts configured with the Elastic Endpoint Security Integration or any sysmon data from `winlogbeat`. +You can only visualize events triggered by hosts configured with the {endpoint-sec} integration or any `sysmon` data from `winlogbeat`. In KQL, this translates to any event with the `agent.type` set to either: * `endpoint` * `winlogbeat` with `event.module` set to `sysmon` -To access events that can be visually analyzed: +To find events that can be visually analyzed: -1. Select *Explore* -> *Hosts* -> *Events*. A list of all your hosts' events appears at the bottom of the Hosts page. - -2. Create a KQL query that filters all `endpoint` detected events by entering either `agent.type:"endpoint" and process.entity_id : *` or `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` into the KQL search bar, and then selecting **Update**. +. First, view a list of events by doing one of the following: +* Go to *Explore* -> *Hosts*, then select the *Events* tab. 
A list of all your hosts' events appears at the bottom of the page. +* Go to *Detect* -> *Alerts*, then scroll down to view the Alerts table. +. Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting *Enter*: +** `agent.type:"endpoint" and process.entity_id :*` ++ +Or ++ +** `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` + [role="screenshot"] -image::images/kql-agent-type.png[] +image::images/analyzer_KQL_query.png[] + +. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. -3. For the event that you want to analyze, click the **More actions** button and select **Analyze event**. The visual analyzer view appears. -+ [role="screenshot"] -image::images/analyze-event.gif[Shows analyze event option] -+ -NOTE: Events that cannot be analyzed will not have the **More actions** -> **Analyze event** option available. This might happen if the event has incompatible field mappings. -+ +image::images/analyze-event-button.png[Shows analyze event option] + +NOTE: Events that cannot be analyzed will not have the **Analyze event** option available. This might occur if the event has incompatible field mappings. + [role="screenshot"] -image::images/analyze-event-view.png[] -+ +image::images/analyze-event-timeline.png[] + TIP: You can also analyze events from <>. 
@@ -41,7 +47,7 @@ TIP: You can also analyze events from <>. [[visual-analyzer-ui]] === Visual event analyzer UI -Inside the visual analyzer, each cube represents a process (e.g. an executable file or network event). Click and drag in timeline view to see all process relationships. +Within the visual analyzer, each cube represents a process, such as an executable file or network event. Click and drag in the analyzer to see the hierarchy of all process relationships. To understand what fields were used to create the process, select the **Process Tree** to view the schema that created the graphical view. The fields included are: @@ -62,22 +68,22 @@ To expand the analyzer to a full screen, select the **Full Screen** icon above t [role="screenshot"] image::images/full-screen-analyzer.png[] -The left panel contains a list of all processes related to the event, starting with the event chain's first process. **Analyzed Events**, as in the event you selected to analyze from either the events list or your timeline, are highlighted by a light blue outline around the cube. +The left panel contains a list of all processes related to the event, starting with the event chain's first process. **Analyzed Events** -- the event you selected to analyze from the events list or Timeline -- are highlighted with a light blue outline around the cube. [role="screenshot"] image::images/process-list.png[] In the graphical view, you can: -- Zoom in and out of the graphical view using the slider to the right of the timeline +- Zoom in and out of the graphical view using the slider on the far right - Click and drag around the graphical view to more process relationships -- See the time passed between each process +- See child process events that spawned from the parent process +- See how much time passed between each process - See all events related to each process [role="screenshot"] image::images/graphical-view.png[] - [discrete] [[process-and-event-details]] === Process and event details 
@@ -98,14 +104,14 @@ When you first select a process, it appears in a loading state. If loading data See event details by selecting that event's URL at the top of the process details view or choosing one of the event pills in the graphical view. -Events are categorized based on their `event.category`. +Events are categorized based on the `event.category` value. [role="screenshot"] image::images/event-type.png[] -When you select an `event.category`, pill, all the events within that category are listed in the left panel. To view more details about a specific event, select it from the list. +When you select an `event.category` pill, all the events within that category are listed in the left panel. To view more details about a specific event, select it from the list. [role="screenshot"] image::images/event-details.png[] -NOTE: In {stack} version >= 7.10.0, there is no limit to the number of events that can be associated with a process. However, in {stack} minor versions < = 7.9.0, each process is limited to only 100 events. +NOTE: In {stack} versions 7.10.0 and newer, there is no limit to the number of events that can be associated with a process. However, in {stack} versions 7.9.0 and earlier, each process is limited to only 100 events.
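Review bot: `kql-agent-type.png` and `analyze-event-view.png` get new binary content in this patch, but their only references in `visual-event-analyzer.asciidoc` are removed in the same change (replaced by `analyzer_KQL_query.png` and `analyze-event-timeline.png`), so the updated images are orphaned unless another page includes them; either drop those two files from the change or keep the `image::` references. Also confirm that no other page still includes the deleted `analyze-event.gif`.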
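Review bot: the two KQL filters in the new step 2 are spaced differently (`process.entity_id :*` versus `process.entity_id : *`); both parse, but use one form. The step already says "either of the following queries", so the `+` / `Or` / `+` continuation between the two bullets is redundant and can go. "then selecting *Enter*" should be "then pressing *Enter*", since it is a key. Bold markup is mixed within the hunk (`*Explore*`, `*Events*` next to `**Analyze event**`); pick the single-asterisk form the rest of the step uses. The new `image::images/analyze-event-timeline.png[]` has no alt text while `analyze-event-button.png` does; add one.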
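Review bot: "each cube represents a process, such as an executable file or network event" carries over the old text's conflation of processes and events; a network event is not a process, and the later hunk on this page describes events as pills hanging off a process ("choosing one of the event pills in the graphical view"). Suggest: "each cube represents a process; the file, network and other events generated by that process appear as pills".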
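Review bot: the context line "Click and drag around the graphical view to more process relationships" is missing its verb ("to see more process relationships"); the adjacent bullets are being edited here, so fix it in the same change. The new bullet "See child process events that spawned from the parent process" reads better as "See the child processes spawned by the parent process". The removed blank line before `[discrete]` breaks the convention the rest of this file follows (a blank line between an `image::` macro and the next block attribute); keep it.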
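Review bot: the rewritten NOTE says "7.9.0 and earlier", which no longer covers the 7.9.1 to 7.9.3 patch releases that the original "minor versions < = 7.9.0" was trying, awkwardly, to include; say "versions earlier than 7.10.0" or "7.9.x and earlier" so the boundary matches the "7.10.0 and newer" clause in the same sentence.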