You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/detections/visual-event-analyzer.asciidoc
+29-23Lines changed: 29 additions & 23 deletions
Original file line number
Diff line number
Diff line change
@@ -2,46 +2,52 @@
2
2
[role="xpack"]
3
3
== Visual event analyzer
4
4
5
-
Elastic Security allows any event detected by Elastic Endpoint to be analyzed using a process-based visual analyzer. This enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations.
5
+
{elastic-sec} allows any event detected by {elastic-endpoint} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Viewing events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations.
6
6
7
7
[float]
8
8
[[find-events-analyze]]
9
9
=== Find events to analyze
10
10
11
-
You can only visualize events triggered by hosts configured with the Elastic Endpoint Security Integration or any sysmon data from `winlogbeat`.
11
+
You can only visualize events triggered by hosts configured with the {endpoint-sec} integration or any `sysmon` data from `winlogbeat`.
12
12
13
13
In KQL, this translates to any event with the `agent.type` set to either:
14
14
15
15
* `endpoint`
16
16
* `winlogbeat` with `event.module` set to `sysmon`
17
17
18
-
To access events that can be visually analyzed:
18
+
To find events that can be visually analyzed:
19
19
20
-
1. Select *Explore* -> *Hosts* -> *Events*. A list of all your hosts' events appears at the bottom of the Hosts page.
21
-
22
-
2. Create a KQL query that filters all `endpoint` detected events by entering either `agent.type:"endpoint" and process.entity_id : *` or `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` into the KQL search bar, and then selecting **Update**.
20
+
. First, view a list of events by doing one of the following:
21
+
* Go to *Explore* -> *Hosts*, then select the *Events* tab. A list of all your hosts' events appears at the bottom of the page.
22
+
* Go to *Detect* -> *Alerts*, then scroll down to view the Alerts table.
23
+
. Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting *Enter*:
24
+
** `agent.type:"endpoint" and process.entity_id :*`
25
+
+
26
+
Or
27
+
+
28
+
** `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *`
23
29
+
24
30
[role="screenshot"]
25
-
image::images/kql-agent-type.png[]
31
+
image::images/analyzer_KQL_query.png[]
32
+
33
+
. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer.
26
34
27
-
3. For the event that you want to analyze, click the **More actions** button and select **Analyze event**. The visual analyzer view appears.
NOTE: Events that cannot be analyzed will not have the **More actions** -> **Analyze event** option available. This might happen if the event has incompatible field mappings.
NOTE: Events that cannot be analyzed will not have the **Analyze event** option available. This might occur if the event has incompatible field mappings.
39
+
34
40
[role="screenshot"]
35
-
image::images/analyze-event-view.png[]
36
-
+
41
+
image::images/analyze-event-timeline.png[]
42
+
37
43
TIP: You can also analyze events from <<timelines-ui,Timelines>>.
38
44
39
45
40
46
[discrete]
41
47
[[visual-analyzer-ui]]
42
48
=== Visual event analyzer UI
43
49
44
-
Inside the visual analyzer, each cube represents a process (e.g. an executable file or network event). Click and drag in timeline view to see all process relationships.
50
+
Within the visual analyzer, each cube represents a process, such as an executable file or network event. Click and drag in the analyzer to see the hierarchy of all process relationships.
45
51
46
52
To understand what fields were used to create the process, select the **Process Tree** to view the schema that created the graphical view. The fields included are:
47
53
@@ -62,22 +68,22 @@ To expand the analyzer to a full screen, select the **Full Screen** icon above t
62
68
[role="screenshot"]
63
69
image::images/full-screen-analyzer.png[]
64
70
65
-
The left panel contains a list of all processes related to the event, starting with the event chain's first process. **Analyzed Events**, as in the event you selected to analyze from either the events list or your timeline, are highlighted by a light blue outline around the cube.
71
+
The left panel contains a list of all processes related to the event, starting with the event chain's first process. **Analyzed Events** -- the event you selected to analyze from the events list or Timeline -- are highlighted with a light blue outline around the cube.
66
72
67
73
[role="screenshot"]
68
74
image::images/process-list.png[]
69
75
70
76
In the graphical view, you can:
71
77
72
-
- Zoom in and out of the graphical view using the slider to the right of the timeline
78
+
- Zoom in and out of the graphical view using the slider on the far right
73
79
- Click and drag around the graphical view to more process relationships
74
-
- See the time passed between each process
80
+
- See child process events that spawned from the parent process
81
+
- See how much time passed between each process
75
82
- See all events related to each process
76
83
77
84
[role="screenshot"]
78
85
image::images/graphical-view.png[]
79
86
80
-
81
87
[discrete]
82
88
[[process-and-event-details]]
83
89
=== Process and event details
@@ -98,14 +104,14 @@ When you first select a process, it appears in a loading state. If loading data
98
104
99
105
See event details by selecting that event's URL at the top of the process details view or choosing one of the event pills in the graphical view.
100
106
101
-
Events are categorized based on their `event.category`.
107
+
Events are categorized based on the `event.category` value.
102
108
103
109
[role="screenshot"]
104
110
image::images/event-type.png[]
105
111
106
-
When you select an `event.category`, pill, all the events within that category are listed in the left panel. To view more details about a specific event, select it from the list.
112
+
When you select an `event.category` pill, all the events within that category are listed in the left panel. To view more details about a specific event, select it from the list.
107
113
108
114
[role="screenshot"]
109
115
image::images/event-details.png[]
110
116
111
-
NOTE: In {stack} version >= 7.10.0, there is no limit to the number of events that can be associated with a process. However, in {stack} minor versions < = 7.9.0, each process is limited to only 100 events.
117
+
NOTE: In {stack} versions 7.10.0 and newer, there is no limit to the number of events that can be associated with a process. However, in {stack} versions 7.9.0 and earlier, each process is limited to only 100 events.
![mergify[bot]](https://avatars.githubusercontent.com/in/10562?v=4&size=40){kind=avatar}
0 commit comments