Merge pull request #8850 from wazuh/enhancement/idr256-adjust-data-analysis

Add adjustments to Data analysis documentation

Author: ayodeko

CHANGELOG.md

@@ -57,6 +57,7 @@ All notable changes to this project will be documented in this file.
 - **Post-release**: Updated the instruction and images in Wazuh server API getting started documentation to reflect the new navigation path (**Server management** > **Dev Tools**). ([#8811](https://github.com/wazuh/wazuh-documentation/pull/8811))
 - **Post-release**: Updated the *Getting started with Wazuh - Architecture* documentation. ([#8819](https://github.com/wazuh/wazuh-documentation/pull/8819))
 - **Post-release**: Changed Suricata ruleset file permission in POC guide. ([#8821](https://github.com/wazuh/wazuh-documentation/pull/8821))
+- **Post-release**: Adjusted the Data analysis documentation. ([#8850](https://github.com/wazuh/wazuh-documentation/pull/8850))
 
 ### Fixed
 

source/images/manual/mitre/dashboard-tab2.png

@@ -68,7 +68,9 @@ Check out this example on how to create new decoders and rules. The following lo
 Modify default decoders
 -----------------------
 
-To modify a default decoder, you can rewrite its file in the ``/var/ossec/etc/decoders/`` directory on the Wazuh server, make the changes, and exclude the original decoder file from the loading list.
+Default decoders may not parse custom or non-standard log formats correctly, so modifying them ensures accurate analysis for your specific environment.
+
+To modify a default decoder, you can rewrite its file in the ``/var/ossec/etc/decoders/`` directory on the Wazuh server, make the changes, and exclude the original decoder file from the loading list. This approach avoids editing core files, preventing conflicts during Wazuh updates, and allows tailored log processing to extract specific fields or handle unique application logs effectively.
 
 For example, if you want to customize decoders in the ``/var/ossec/ruleset/decoders/0310-ssh_decoders.xml`` file, follow these steps:
 

source/images/manual/mitre/events-tab2.png

@@ -58,7 +58,7 @@ Suricata event log:
       "host": "suricata.com"
    }
 
-The JSON decoder extracts each field from the JSON log data for comparison against the rules, eliminating the need for a specific Suricata decoder.
+The JSON decoder extracts each field from the JSON log data for comparison against the rules, eliminating the need for a specific Suricata decoder. Ensure to convert the multiline JSON log above to single-line, just as seen from the output below.
 
 We can now run the ``/var/ossec/bin/wazuh-logtest`` tool on the Wazuh server to test the log sample and have insights into the current decoding.
 

source/images/manual/mitre/framework-tab.png

@@ -34,7 +34,7 @@ Below, we show the structure of the ruleset directory on the Wazuh server:
                    └─ rules/
 
 .. note::
-   
+
    You can find all the out-of-the-box rules and decoders inside the ``/var/ossec/ruleset/ directory``. All files within this directory are overwritten or modified during the Wazuh upgrade process. Therefore, we do not recommend editing or adding your custom files here. Instead, we recommend making custom changes in the ``/var/ossec/etc/`` directory. Here, you can add your own decoders and rules files or use the default ``/var/ossec/etc/decoders/local_decoder.xml`` and ``/var/ossec/etc/rules/local_rules.xml`` files.
 
 GitHub repository
@@ -50,7 +50,7 @@ In the repository, you will find:
 
 -  **Tools**
 
-   We provide useful tools such as the `wazuh-logtest </user-manual/reference/tools/wazuh-logtest>`__, which allows for testing rules and decoders before using them. This tool processes only log per line and is available in ``/var/ossec/bin/wazuh-logtest`` on the Wazuh server, along with various other binaries which help in managing the Wazuh server and agents. For more information you can take a look at `Wazuh tools </user-manual/reference/tools/index>`__ documentation.
+   We provide useful tools such as the :doc:`wazuh-logtest </user-manual/reference/tools/wazuh-logtest>`, which allows for testing rules and decoders before using them. This tool processes only one-liner (no line breaks) logs and is available in ``/var/ossec/bin/wazuh-logtest`` on the Wazuh server, along with various other binaries which help in managing the Wazuh server and agents. For more information you can take a look at :doc:`Wazuh tools </user-manual/reference/tools/index>` documentation.
 
 .. topic:: Content
 

source/images/manual/mitre/intelligence-tab.png

@@ -2,7 +2,7 @@
 
 .. meta::
    :description: The Wazuh integration with MITRE ATT&CK framework allows users to map alerts generated by Wazuh to specific tactics and techniques. Learn more in this section of the documentation.
-  
+
 MITRE ATT&CK framework
 ======================
 
@@ -47,6 +47,12 @@ Dashboard
 
 The **MITRE ATT&CK Dashboard** tab provides an overview of the current state of your infrastructure with respect to known adversarial Tactics, Techniques, and Procedures (TTPs) in the MITRE ATT&CK framework. The dashboard displays key indicators such as the total number of events, alerts, and a summary of the top 10 TTPs detected within your environment. These indicators can be used to assess the effectiveness of existing security controls and identify areas that may require further attention. Additionally, you can customize the dashboard to display specific metrics that are most relevant to your organization's security posture.
 
+.. thumbnail:: /images/manual/mitre/dashboard-tab2.png
+   :title: Dashboard tab
+   :alt: Dashboard tab
+   :align: center
+   :width: 80%
+
 .. thumbnail:: /images/manual/mitre/dashboard-tab.png
    :title: Dashboard tab
    :alt: Dashboard tab
@@ -60,6 +66,12 @@ The **MITRE ATT&CK Events** tab provides detailed information about each event t
 
 You can filter the events based on various criteria such as severity, event type, and detection method, and also sort them by different fields to locate relevant information quickly. Additionally, the tab provides access to additional details, such as the full event log message and any related alerts that may have been generated in response to the event.
 
+.. thumbnail:: /images/manual/mitre/events-tab2.png
+   :title: Events tab
+   :alt: Events tab
+   :align: center
+   :width: 80%
+
 .. thumbnail:: /images/manual/mitre/events-tab.png
    :title: Events tab
    :alt: Events tab
@@ -126,7 +138,7 @@ Windows 11
 
 Perform the following steps to configure the Wazuh agent to capture Sysmon logs and send them to the Wazuh server for analysis.
 
-#. Download `Sysmon <https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon>`__ and the configuration file `sysmonconfig.xml <https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml>`__.
+#. Download `Sysmon <https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon>`__ and the configuration file `sysmonconfig.xml <https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml>`__ in the same folder.
 #. Launch PowerShell with administrative privilege, and install Sysmon as follows:
 
    .. code-block:: powershell