solutions/security/investigate/visual-event-analyzer.md
+3 -3 (3 additions & 3 deletions)
@@ -82,7 +82,7 @@ Use the following icons to perform more actions:
82
82
83
83
*`SOURCE`: Indicates the data source—for example, `endpoint` or `winlogbeat`
84
84
*`ID`: Event field that uniquely identifies a node
85
-
*`EDGE`: Event field which indicates the relationship between two nodes
85
+
*`EDGE`: Event field that indicates the relationship between two nodes
86
86
87
87
* Click the **Legend** icon ({icon}`node`) to show the state of each process node.
88
88
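Review bot: The `which` to `that` change on the `EDGE` bullet is the right call for a restrictive clause and brings it in line with the sibling `ID` bullet ("Event field that uniquely identifies a node"). One thing to double-check in the source file rather than this rendered view: all three bullets appear here as `*` immediately followed by the backtick (for example `*`EDGE`:`) with no space after the asterisk; if that is how the markdown is written, the lines will not render as list items and each needs `* ` before the code span.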
@@ -91,7 +91,7 @@ Use the following icons to perform more actions:
91
91
* Use the date and time filter ({icon}`calendar`) to analyze the event within a specific time range. By default, the selected time range matches that of the table from which you opened the alert.
92
92
93
93
94
-
* Click the list icon ({icon}`editor_unordered_list`) to open the preview analyzer panel. This displays a list of all processes related to the event, starting with the event chain’s first process. **Analyzed Event**—the event you selected to analyze from the events list or Timeline—is highlighted with a light blue outline around the cube.
94
+
* Click the list icon ({icon}`editor_unordered_list`) to open the preview analyzer panel. This displays a list of all processes related to the event, starting with the event chain’s first process. The **Analyzed Event**—the event you selected to analyze from the events list or Timeline—is highlighted with a light blue outline around the cube.
@@ -128,7 +128,7 @@ When you select an `event.category` pill (for example, **_x_ file** or **_x_ reg
128
128
- There is no limit to the number of events that can be associated with a process.
129
129
::::
130
130
131
-
To examine alerts associated with the event, select the alert pill (**_x_ alert**). The preview analyzer panel lists the total number of associated alerts, and alerts are ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert’s details.
131
+
To examine alerts associated with the event, select the alert pill (**_x_ alert**). The preview analyzer panel lists the total number of associated alerts, ordered from oldest to newest. Each alert shows the type of event that produced it (`event.category`), the event timestamp (`@timestamp`), and rule that generated the alert (`kibana.alert.rule.name`). Click on the rule name to open the alert’s details.
132
132
133
133
In the example screenshot, the analyzed event (`sdclt.exe`) generated three alerts. The preview analyzer panel displays basic information about each one.
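Review bot: Dropping "and alerts are" makes "ordered from oldest to newest" attach grammatically to "the total number of associated alerts", which is not what is ordered. A small tweak keeps the fix and the meaning: "The preview analyzer panel lists the total number of associated alerts and shows them from oldest to newest." While touching this paragraph, "Click on the rule name" could become "Click the rule name" to match the phrasing used elsewhere in this file ("Click the list icon", "Click the **Legend** icon").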