Cell actions being added to more places in Security app (#3296)
* First draft

* Small edits

* Moar actions, edits

* Apply suggestions from Ben's review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Apply suggestions from Ben's review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Correct description for Add to timeline

* Update docs/getting-started/security-ui.asciidoc

* Update docs/getting-started/security-ui.asciidoc

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from Janeen's review

Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>

---------

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>
4 people authored May 22, 2023
1 parent db7fd90 commit 90ab9e4
Showing 9 changed files with 37 additions and 7 deletions.
2 changes: 1 addition & 1 deletion docs/dashboards/detection-response-dashboard.asciidoc
@@ -10,7 +10,7 @@ Interact with various dashboard elements:

* Use the date and time picker in the upper-right to specify a time range for displaying information on the dashboard.

* In sections that list alert counts, click a number to investigate those alerts in Timeline.
* In sections that list alert counts, click a number to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to open the alerts in Timeline.

* Click the name of a detection rule, case, host, or user to open its details page.

8 changes: 4 additions & 4 deletions docs/dashboards/entity-dashboard.asciidoc
@@ -51,9 +51,9 @@ Interact with the table to filter data, view more details, and take action:

* Select the *Host risk classification* menu to filter the chart by the selected classification.
* Click a host name link to go to the Host details page.
* Hover over a host name link to display inline actions: *Add to timeline investigation*, which adds the selected value to a new Timeline, and *Copy to Clipboard*, which copies the host name value for you to paste later.
* Hover over a host name link to display inline actions: *Add to timeline*, which adds the selected value to Timeline, and *Copy to Clipboard*, which copies the host name value for you to paste later.
* Click *View all* in the upper-right to display all host risk information on the Hosts page.
* Click the number link in the *Alerts* column to launch Timeline, which populates a query with the selected host name value.
* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated host name value.

[role="screenshot"]
image::images/launch-timeline.gif[Launch Timeline from Host Risk Scores table]
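Review bot: the animation kept as trailing context, `image::images/launch-timeline.gif[Launch Timeline from Host Risk Scores table]`, illustrates the behaviour the removed bullet described (clicking the alert count launching Timeline directly). With the new text sending the click to the Alerts page and moving Timeline behind the hover action, the recording and its caption should be re-captured to match the new flow, or the image reference should be dropped.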
@@ -73,9 +73,9 @@ Interact with the table to filter data, view more details, and take action:

* Select the *User risk classification* menu to filter the chart by the selected classification.
* Click a user name link to go to the User details page.
* Hover over a host name link to display inline actions: *Add to timeline investigation*, which adds the selected value to a new Timeline, and *Copy to Clipboard*, which copies the user name value for you to paste later.
* Hover over a host name link to display inline actions: *Add to timeline*, which adds the selected value to Timeline, and *Copy to Clipboard*, which copies the user name value for you to paste later.
* Click *View all* in the upper-right to display all user risk information on the Users page.
* Click the number link in the *Alerts* column to launch Timeline, which populates a query with the selected user name value.
* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline with a query that includes the associated user name value.

NOTE: The host risk and user risk score tables are not affected by the date and time range.

6 changes: 4 additions & 2 deletions docs/detections/alerts-ui-manage.asciidoc
@@ -17,16 +17,18 @@ The Alerts page offers various ways for you to organize and triage detection ale
[role="screenshot"]
image::images/view-alert-details.png[View details button, 200]

* View the rule that created an alert. Click a name in the *Rule* column to open the rule's details page.

* Filter for a specific rule in the KQL bar (for example, `kibana.alert.rule.name :"SSH (Secure Shell) from the Internet"`). KQL autocomplete is available for `.alerts-security.alerts-*` indices.

* Use the date and time filter to define a specific time range. By default, this filter is set to search the last 24 hours.

* Visualize and group alerts by specific fields in the visualization section. Use the buttons on the left to select a view type (*Summary*, *Trend*, *Counts*, or *Treemap*), and use the menus on the right to select the ECS fields used for grouping alerts. Refer to <<visualize-alerts>> for more on each view type.

* Hover over a value in the data grid to display available inline actions, such as *Filter In*, *Filter Out*, and *Add to timeline investigation*. Click the expand button to open a full context menu of options, including *Show top values*, *Copy to Clipboard*, and *View rule details*. The available options vary based on the type of data.
* Hover over a value to display available <<inline-actions, inline actions>>, such as *Filter In*, *Filter Out*, and *Add to timeline*. Click the expand icon for more options, including *Show top _x_* and *Copy to Clipboard*. The available options vary based on the type of data.
+
[role="screenshot"]
image::images/inline-actions-menu.gif[width=75%][height=75%][Animation of using the inline additional actions menu]
image::images/inline-actions-menu.png[Inline additional actions menu,55%]

* Filter alert results to include building block alerts or to only show alerts from indicator match rules by selecting the *Additional filters* drop-down. By default, <<building-block-rule, building block alerts>> are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts.
+
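Review bot: the replaced bullet drops *View rule details* from the list of context-menu options, and the new <<inline-actions, inline actions>> list it links to does not mention it either; if that option still appears in the data grid's expanded menu it is now undocumented, and if it was removed from the UI a line in the commit message saying so would help reviewers. The change from `[width=75%][height=75%]` to the positional `55%` attribute matches the form used on the other screenshots in this commit, so that part is fine.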
5 changes: 5 additions & 0 deletions docs/detections/alerts-view-details.asciidoc
@@ -23,6 +23,11 @@ NOTE: If you've configured the {kibana-ref}/settings.html#server-publicBaseUrl[`
[role="screenshot"]
image::images/alert-details-flyout.png[Alert details flyout, 90%]

Hover over fields on the *Overview* and *Table* tabs to display available <<inline-actions, inline actions>>.

[role="screenshot"]
image::images/alert-details-flyout-inline-actions.png[Alert details flyout, 75%]

[discrete]
[[alert-details-overview]]
=== Overview tab
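Review bot: the new screenshot's alt text `Alert details flyout` duplicates the alt text of the image just above it, `image::images/alert-details-flyout.png[Alert details flyout, 90%]`, although the new image shows the inline actions; give it a distinct description, for example `Inline actions in the alert details flyout`, so the two images are distinguishable to screen readers and in search.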
Binary file added docs/detections/images/inline-actions-menu.png
23 changes: 23 additions & 0 deletions docs/getting-started/security-ui.asciidoc
@@ -46,6 +46,29 @@ Other visualizations display an options menu (image:images/three-dot-icon.png[Th
[role="screenshot"]
image::images/viz-options-menu-open.png[Options menu opened,85%]

[float]
[[inline-actions]]
== Inline actions for fields and values

Throughout the {security-app}, you can hover over many data fields and values to display inline actions, which allow you to customize your view or investigate further based on that field or value.

[role="screenshot"]
image::images/inline-actions-menu.png[Inline additional actions menu,45%]

In some visualizations, these actions are available in the legend by clicking a value's options icon (image:images/three-dot-icon-vertical.png[Vertical three-dot icon,16,16]).

[role="screenshot"]
image::images/inline-actions-legend.png[Actions in a visualization legend,90%]

Inline actions include the following (some actions are unavailable in some contexts):

* *Filter In*: Add a filter that includes the selected value.
* *Filter Out*: Add a filter that excludes the selected value.
* *Add to timeline*: Add a filter to Timeline for the selected value.
* *Toggle column in table*: Add or remove the selected field as a column in the alerts or events table. (This action is only available on an alert's or event's details flyout.)
* *Show top _x_*: Display a pop-up window that shows the selected field's top events or detection alerts.
* *Copy to Clipboard*: Copy the selected field-value pair to paste elsewhere.

[float]
== {security-app} pages

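Review bot: the *Add to timeline* entry defines the action as "Add a filter to Timeline for the selected value", while the updated entity-dashboard bullets in this commit describe the same action as "adds the selected value to Timeline"; since this list is the definition those pages now link to through <<inline-actions>>, align the wording in one direction. The lead-in also says some actions are unavailable in some contexts, but only *Toggle column in table* names its context; either note where the others are missing or drop the parenthetical so the list is easier to apply.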
