You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/detections/visual-event-analyzer.asciidoc
+40-16
Original file line number
Diff line number
Diff line change
@@ -8,13 +8,18 @@ Elastic Security allows any event detected by Elastic Endpoint to be analyzed us
8
8
[[find-events-analyze]]
9
9
=== Find events to analyze
10
10
11
-
You can only visualize events triggered by hosts configured with the Elastic Endpoint Security Integration. In KQL, this translates to any event with the `agent.type` set to `endpoint`.
11
+
You can only visualize events triggered by hosts configured with the Elastic Endpoint Security Integration or any sysmon data from `winlogbeat`.
12
+
13
+
In KQL, this translates to any event with the `agent.type` set to either:
14
+
15
+
* `endpoint`.
16
+
* `winlogbeat` with `event.module` set to `sysmon`.
12
17
13
18
To access events that can be visually analyzed:
14
19
15
20
1. In Elastic Security, select **Hosts** > **Events**. A list of all your host's events appears in the bottom panel of the host's view.
16
21
17
-
2. Create a KQL query that filters all `endpoint` detected events by entering `agent.type:endpoint and process.entity_id : *` into the KQL search bar, and then select **Update**.
22
+
2. Create a KQL query that filters all `endpoint` detected events by entering `agent.type:"endpoint" and process.entity_id : *` or `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` into the KQL search bar, and then select **Update**.
18
23
+
19
24
[role="screenshot"]
20
25
image::images/kql-agent-type.png[]
@@ -25,22 +30,40 @@ A list of all `endpoint` related events appears.
25
30
+
26
31
[role="screenshot"]
27
32
image::images/analyze-event.png[]
33
+
+
34
+
Any events that cannot be analyzed will contain the warning "This event cannot be analyzed since it has incompatible field mappings."
35
+
[role="screenshot"]
36
+
image::images/incompatible-field-mappings.png[]
28
37
29
38
The visual **Analyzer** view appears.
30
39
31
40
[role="screenshot"]
32
41
image::images/analyze-event-view.png[]
33
42
34
-
You can also analyze events from <<timelines-ui,Timelines>>
43
+
TIP: You can also analyze events from <<timelines-ui,Timelines>>.
35
44
36
45
37
46
[discrete]
38
47
[[visual-analyzer-ui]]
39
48
=== Visual event analyzer UI
40
49
41
-
Inside the visual analyzer, each cube represents a process (i.e. an executable file or network event). Click and drag in timeline view to see all process relationships.
50
+
Inside the visual analyzer, each cube represents a process (e.g. an executable file or network event). Click and drag in timeline view to see all process relationships.
51
+
52
+
To help understand what fields were used to create the process, select the **Process Tree** to view the schema that created the graphical view. The fields included are:
53
+
54
+
* `SOURCE`: Can be either `endpoint` or `winlogbeat`.
55
+
* `ID`: Event field that uniquely identifies a node.
56
+
* `EDGE`: Event field which indicates the relationship between two nodes.
57
+
58
+
[role="screenshot"]
59
+
image::images/process-schema.png[]
60
+
61
+
View the **Legend** to understand the state of each process node.
62
+
63
+
[role="screenshot"]
64
+
image::images/node-legend.png[]
42
65
43
-
To make the analyzer full screen, select the **Full Screen** icon above the left-panel.
66
+
To expand the analyzer to a full screen, select the **Full Screen** icon above the leftpanel.
To see more details about each related process, select the process either in the left panel or the graphical view. The information on the process appears in the left panel, which typically includes but isn't limited to:
91
+
To see more details about each related process, select the process either in the left panel or the graphical view. The left panel displays process details such as:
69
92
70
-
- The number of events associated with the process.
71
-
- The timestamp when the process was executed.
72
-
- The file path of the process within the host.
73
-
- The `process-pid`.
74
-
- The user name and domain that ran the process.
75
-
- Any other relevant process information.
93
+
* The number of events associated with the process.
94
+
* The timestamp when the process was executed.
95
+
* The file path of the process within the host.
96
+
* The `process-pid`.
97
+
* The user name and domain that ran the process.
98
+
* Any other relevant process information.
76
99
77
100
[role="screenshot"]
78
101
image::images/process-details.png[]
79
102
80
-
See event details by selecting the **# events** URL at the top of the process details view or choosing one of the event pills in the graphical view.
103
+
When you first select a process, it appears in a loading state. If loading data for a given process fails, click **Reload `{process-name}`** beneath the process to reload the data.
81
104
105
+
See event details by selecting that event's URL at the top of the process details view or choosing one of the event pills in the graphical view.
82
106
83
-
Events are categorized based on their `event.category`.
107
+
Events are categorized based on their `event.category`.
84
108
85
109
[role="screenshot"]
86
110
image::event-type.png[]
87
111
88
-
When selecting an `event.type`, a list of all those types of events appears in the left panel. If you want further details on the event, choose the event from the list. Event details appear in the left panel.
112
+
When you select an `event.category`, pill, all the events within that category are listed in the left panel. To view more details about a specific event, select it from the list.
89
113
90
114
[role="screenshot"]
91
115
image::event-details.png[]
92
116
93
-
In Elastic Security 7.10 and later, there is no limit to the number of events that can be associated with a process. However, in 7.9, each process is limited to only 100 events.
117
+
NOTE: In {stack} version >= 7.10.0, there is no limit to the number of events that can be associated with a process. However, in {stack} minor versions < = 7.9.0, each process is limited to only 100 events.
0 commit comments