[7.9] "What's changed" - Security update overview #58
Description
Description
We want to include documentation to help communicate some of the changes as a result of the combined security app in 7.9. We want to get ahead of questions like "where are my signals?" and help users better understand where new and old features now live in the unified app.
What's Changed
Terminology changes for 7.9:
Old → New
- Endpoint → Host
- Signal Detection Rules → Detection Rules
- Whitelist → Exception(s) / Exception List
- Elastic SIEM & Endpoint Security → Elastic Security
- Management → Administration
- Signals → Detection Alerts (See note below)
Detection Alerts: Alerts occurring within the Elastic Security from the Detection Engine / Detection RulesExternal Alerts: Alerts originating outside of Elastic SecurityKibana Alerts: Alerts native to Kibana not necessarily security-related
- Resolver → No name, will be referred to as an action: "Analyze Event"
- Sensor → Endpoint
Note: Some navigation changes happened due to renaming of Signals
- Top Nav naming:
- Alerts → Detections
- URL will be app/security/detections
- Under "Detection":
- Alert page title → Detection alerts
- Alert count → Trend
- Alert list → nothing (blank space)
- URL will be app/security/detections
- Under "Overview":
- Alert Count → Detection Alert Trend
- External Alert Count → External Alert Trend
- Inside Timeline Event filter drop down
- Alert Events → Detection Alerts
What's New
Administration Tab:
- New Administration tab is dedicated to managing Hosts that are running endpoint security. From this page you can view hosts, view and edit the advanced integration options,
Other stuff:
- Alert table customisations are now persistent, on both the Detections and Rule details pages ([SIEM][Timeline] Persist timeline to localStorage kibana#67156) cc @spong @cnasikas
- Exceptions and value lists
- Endpoint integration (policies and endpoint exceptions)
- Threshold rules
- Timeline templates
- IBM Resilient integration for Cases