[Security] Attack Discovery scheduling and saved discoveries #2023
Conversation
🔍 Preview links for changed docs |
natasha-moore-elastic
added
Serverless
| @@ -54,7 +47,7 @@ Attack Discovery is designed for use with alerts based on data that complies wit | |||
| The selected fields can now be analyzed the next time you run Attack Discovery. | |||
| ::: | |||
|
|
|||
| ## Generate discoveries [attack-discovery-generate-discoveries] | |||
| ## Generate discoveries manually[attack-discovery-generate-discoveries] | |||
There was a problem hiding this comment.
Consider the following updates in this section; (sorry, GH won't let me comment on the specific lines because they are unchanged):
- Select an existing connector from the dropdown menu, or add a new one.
-
In the new design, the user must first click the gear icon next to the Generate button to access the connector dropdown. Note: This is different than the Connector filter (located next to the Status filter) on the main page.
-
The screenshot in this section may be updated to illustrate the updated "empty" state, for example:
There was a problem hiding this comment.
In the What information does each discovery include? section (sorry, GH won't let me comment on the unchanged line numbers), consider updating the following image:
:::{image} /solutions/images/security-attck-disc-example-disc.png
:alt: Attack Discovery detail view
:::
to the following (or a similar) refreshed screenshot, which includes the new status and sharing indicators:
|
|
||
| ### Change a discovery's status | ||
|
|
||
| You can set a discovery's status to indicate that it's under active investigation or that it's been resolved. To do this, click **Take action**, then select **Mark as acknowledged** or **Mark as closed**. |
There was a problem hiding this comment.
Attack discoveries have a new (introduced in 8.19.0 / 9.1.0) workflow status, illustrated by the screenshot below:
This workflow status (of the discovery itself), is separate from the alerts associated with the attack discovery.
Consider documenting the option for users to (optionally) update the workflow status of the alerts associated an attack discovery, as illustrated by the following screenshot, which appears when user click the Mark as open | acknowledged | closed Take action menu items:
The updated alerts associated with the attack discovery are illustrated by the screenshot below:
|
|
||
| * **Visibility**: Use this filter to, for example, show only shared discoveries. | ||
|
|
||
| * **Status**: Filter discoveries by their current status. |
There was a problem hiding this comment.
Consider creating a new Sharing Attack discoveries section to document this feature introduced in 8.19.0 / 9.1.0, which is illustrated by the screenshot below:
Consider speaking to the following nuances:
- Manually generated discoveries are initially
Not shared - Scheduled discoveries are (automatically)
Shared - Once shared, the visibility of shared discoveries cannot be changed, as illustrated by the screenshot below:
|
|
||
| To create a new schedule: | ||
|
|
||
| 1. Click the gear icon to open the settings menu, then select **Schedule**. |
There was a problem hiding this comment.
Just a note, this flow will be changed soon. Design team currently finalising mockups where "Schedule" tab will be opened by clicking on a separate button within the main page.
| @@ -54,7 +47,7 @@ Attack Discovery is designed for use with alerts based on data that complies wit | |||
| The selected fields can now be analyzed the next time you run Attack Discovery. | |||
| ::: | |||
|
|
|||
| ## Generate discoveries [attack-discovery-generate-discoveries] | |||
| ## Generate discoveries manually[attack-discovery-generate-discoveries] | |||
There was a problem hiding this comment.
We will need to add a Index privileges section describing minimum requirements for the user to be able to interact with the new attack discovery alerts.
Contributes to #1939 and #1941.
Documents the new Attack Discovery features: