fixed index cards

Author: kimsauce

docs/search/behavior-insights/index.md

@@ -4,6 +4,8 @@ title: Behavior Insights
 description: Gain behavioral insight of your environment using LogReduce operators.
 ---
 
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
 Behavior Insights encompasses three log search operators to accelerate insights, troubleshooting, and action plans using structured logs. About 23% of the daily log ingest volume pertains to JSON data and accounts for a growing share of total log volume. This growth is driven by modern applications and underlying cloud (AWS, GCP, Azure) and orchestrator logs. Behavior Insights helps answer the following questions for SecOps, DevOps, and business users:
 
 * What activity patterns are evident from structured logs? What patterns are trending?
@@ -17,20 +19,20 @@ In this section, we'll introduce the following concepts:
 <div className="box-wrapper" >
 <div className="box smallbox card">
   <div className="container">
-  <a href="/docs/search/behavior-insights/logexplain"><h4>LogExplain</h4></a>
-  <p>This operator finds the root cause of outliers in logs based on conditions you specify.</p>
+  <a href="/docs/search/behavior-insights/logcompare"><img src={useBaseUrl('img/icons/operations/queries.png')} alt="icon" width="35"/><h4>LogCompare</h4></a>
+  <p>Compare log data from different time periods to detect major changes or anomalies.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
-  <a href="/docs/search/behavior-insights/logexplain"><h4>LogReduce Keys</h4></a>
-  <p>Clusters JSON logs based on keys providing an at-a-glance summary of patterns in logs based on their schema while ignoring specific values.</p>
+  <a href="/docs/search/behavior-insights/logreduce"><img src={useBaseUrl('img/icons/operations/queries.png')} alt="icon" width="35"/><h4>LogReduce</h4></a>
+  <p>Assess activity patterns for things like a range of devices or traffic on a website.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
-  <a href="/docs/search/behavior-insights/logreduce/logreduce-values"><h4>LogReduce Values</h4></a>
-  <p>Clusters JSON logs using the values of keys.</p>
+  <a href="/docs/search/behavior-insights/logexplain"><img src={useBaseUrl('img/icons/operations/queries.png')} alt="icon" width="35"/><h4>LogExplain</h4></a>
+  <p>Find the root cause of outliers in logs based on conditions you specify.</p>
   </div>
 </div>
 </div>

docs/search/behavior-insights/logexplain.md

@@ -54,7 +54,7 @@ With the provided results you can:
 * Field values must be categorical.
 * [Built-in metadata fields](/docs/search/get-started-with-search/search-basics/built-in-metadata) are not supported.
 * Not supported with [Real Time alerts](../../alerts/scheduled-searches/create-real-time-alert.md).
-* [Time Compare](/docs/search/time-compare) and the [compare operator](/docs/search/search-query-language/search-operators/compare) are not supported against LogExplain results.
+* [Time Compare](/docs/search/time-compare) and the [`compare` operator](/docs/search/search-query-language/search-operators/compare) are not supported against LogExplain results.
 * Response fields `_explanation`, `_relevance`, `_test_coverage`,  and  `_control_coverage` are not supported with [Dashboard filters](/docs/dashboards/filter-template-variables).
 * If you reach the memory limit you can try to shorten the time range or the number of specified fields. When the memory limit is reached you will get partial results on a subset of your data.
 
@@ -132,11 +132,11 @@ Results show the relevance of each explanation:
 
 As a SecOps user, I want to detect compromised user credentials for Windows machines. 
 
-SecOps Insight: A hacked credential will display a remote login pattern (eventdata_logontype = 10) where a given user logs into more machines than they usually do, based on eventid = 4624 (login successful). I want to baseline 14 days of remote access activity and detect outliers in the most recent 24 hours.
+SecOps Insight: A hacked credential will display a remote login pattern (`eventdata_logontype=10`) where a given user logs into more machines than they usually do, based on `eventid=4624` (login successful). I want to baseline 14 days of remote access activity and detect outliers in the most recent 24 hours.
 
 #### Approach 1: Time Compare
 
-The time compare query attempts to enumerate all machine-to-user combinations over the past 24 hours and compares the average daily logins for each pair of machine and user. As `compare` only supports up to 8 sequential slices, the data has to be sliced into 2 day intervals with 7 epochs, to create 14 days of data.
+The time compare query attempts to enumerate all machine-to-user combinations over the past 24 hours and compares the average daily logins for each pair of machine and user. As `compare` only supports up to 8 sequential slices, the data has to be sliced into 2-day intervals with 7 epochs, to create 14 days of data.
 
 ```sql
 _sourceCategory=OS*Windows* eventid=4624 eventdata_logontype=10
@@ -162,4 +162,4 @@ _sourceCategory=OS*Windows* eventid=4624 eventdata_logontype=10
 
 In an example dataset, this requires you to examine just 4 results, versus 773 in the worst case for time compare. The machines were not reported as significant in the `logexplain` algorithm, as they appeared at relatively the same frequency in both the baseline and comparison logs. Subjectively, the 4 users identified by `logexplain` were among the 150 results in the `time compare` query, sorted by percent increase in activity, so we believe our accuracy was at least as good as `time compare` with fewer results for the user to examine.
 
-One important difference for `logexplain` is that it is able to detectusers who were very active 14 days ago but are no longer or less active recently. This is important as hackers may have left the network by the time Sec Ops chooses to run any of these queries. Time compare on the other hand, if sorted based on percent increase of activity, will force the user to examine all 773 user-machine combinations to get the full picture.
+One important difference for `logexplain` is that it is able to detect users who were very active 14 days ago but are no longer or less active recently. This is important as hackers may have left the network by the time SecOps chooses to run any of these queries. Time compare on the other hand, if sorted based on percent increase of activity, will force the user to examine all 773 user-machine combinations to get the full picture.

docs/search/behavior-insights/logreduce/index.md

@@ -38,14 +38,20 @@ In this section, we'll introduce the following concepts:
 </div>
 <div className="box smallbox card">
   <div className="container">
-  <a href="/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce/"><img src={useBaseUrl('img/icons/search.png')} alt="icon" width="35"/><h4>Detect Patterns with LogReduce</h4></a>
+  <a href="/docs/search/behavior-insights/logreduce/detect-patterns-with-logreduce"><img src={useBaseUrl('img/icons/search.png')} alt="icon" width="35"/><h4>Detect Patterns with LogReduce</h4></a>
   <p>Group messages with similar structures and patterns, providing insight into specific keywords or time range.</p>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
-  <a href="/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome/"><img src={useBaseUrl('img/icons/search.png')} alt="icon" width="35"/><h4>Influence the LogReduce Outcome</h4></a>
-  <p>Influence the algorithm by editing a signature to increase or decrease your results granularity.</p>
+  <a href="/docs/search/behavior-insights/logreduce/logreduce-keys"><img src={useBaseUrl('img/icons/operations/queries.png')} alt="icon" width="35"/><h4>LogReduce Keys</h4></a>
+  <p>Clusters JSON logs based on keys providing an at-a-glance summary of patterns in logs based on their schema while ignoring specific values.</p>
+  </div>
+</div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/search/behavior-insights/logreduce/logreduce-values"><img src={useBaseUrl('img/icons/operations/queries.png')} alt="icon" width="35"/><h4>LogReduce Values</h4></a>
+  <p>Clusters JSON logs using the values of keys.</p>
   </div>
 </div>
 <div className="box smallbox card">
@@ -54,4 +60,10 @@ In this section, we'll introduce the following concepts:
   <p>Displays a numerical score for a signature, predicting which signatures could be most meaningful.</p>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/search/behavior-insights/logreduce/influence-the-logreduce-outcome"><img src={useBaseUrl('img/icons/search.png')} alt="icon" width="35"/><h4>Influence the LogReduce Outcome</h4></a>
+  <p>Influence the algorithm by editing a signature to increase or decrease your results granularity.</p>
+  </div>
+</div>
 </div>

docs/search/behavior-insights/logreduce/logreduce-values.md

@@ -6,7 +6,7 @@ description: Group by the values of specific keys in JSON logs.
 
 
 
-The **LogReduce Values** operator allows you to quickly explore structured logs by known keys. Structured logs can be in JSON, CSV, key-value, or any structured format. Unlike the LogReduce Keys operator, you need to specify the keys you want to explore. The values of each specified key are parsed and aggregated for you to explore.
+The **LogReduce Values** operator allows you to quickly explore structured logs by known keys. Structured logs can be in JSON, CSV, key-value, or any structured format. Unlike the [LogReduce Keys operator](/docs/search/behavior-insights/logreduce/logreduce-keys), you need to specify the keys you want to explore. The values of each specified key are parsed and aggregated for you to explore.
 
 This operator does not automatically [parse](/docs/search/search-query-language/parse-operators) your logs. You need to parse the keys you want to explore prior to specifying them in the LogReduce Values operation.