[Docs][SIEM]Threat hunting ehancements (#1039) (#1055)

* threat hunting ehancements * fixes typo * minor edits * corrections
elastic · May 11, 2020 · 8f993b2 · 8f993b2
1 parent 3182b0e
commit 8f993b2
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 8 deletions.
diff --git a/docs/en/siem/images/siem-click-swipe.png b/docs/en/siem/images/siem-click-swipe.png
diff --git a/docs/en/siem/images/siem-field-highlight.png b/docs/en/siem/images/siem-field-highlight.png
diff --git a/docs/en/siem/siem-ui.asciidoc b/docs/en/siem/siem-ui.asciidoc
@@ -8,7 +8,32 @@ environment, and you can use the interactive UI to drill down into areas of
 interest.
 
 The *{kibana-ref}/kuery-query.html[{kib} Query Language (KQL)]* bar is available
-throughout the {siem-app} for searching and filtering.
+throughout the {siem-app} for searching and filtering. You can also select
+areas of interest in time-based histograms, which updates the timepicker.
+
+[role="screenshot"]
+image::images/siem-click-swipe.png[]
+
+TIP: All {siem-soln} histograms, graphs, and tables contain an **Inspect**
+button, so you can examine the {es} queries used to retrieve data throughout
+the app.
+
+Chart legends and many grid fields are interactive. Fields that can be dragged
+to <<timelines-ui, Timeline>> are indicated with two dotted vertical lines, and
+are highlighted when you hover over a grid's row:
+
+[role="screenshot"]
+image::images/siem-field-highlight.png[]
+
+When a popup menu appears while hovering over a field, you can perform these
+actions:
+
+* Filter for value: adds the field to the filter bar
+* Filter out value: adds the field with a `NOT` operator to the filter bar
+* Add to Timeline investigation: adds the field to Timeline
+* Show top <field name>: displays a histogram of the top field values
+* Copy to clipboard: copies the field and its value to your clipboard, using
+KQL syntax
 
 NOTE: The default index glob patterns defined for {siem-soln} events are
 `endgame-*`, `auditbeat-*`, `winlogbeat-*`, `filebeat-*`, `packetbeat-*`,
@@ -23,9 +48,6 @@ Management -> Advanced Settings -> `siem:defaultIndex`.
 The Overview page provides a high-level view of security events available
 for analysis, and can help surface problems with data ingestion.
 
-TIP: All histograms and graphs on the overview page contain an **Inspect** button so users may better understand that data surfaced through the {siem-app}.
-
-
 [discrete]
 [[search-overview]]
 ==== Search
@@ -214,13 +236,13 @@ image::images/cases-ui-home.png[]
 [[timelines-ui]]
 == Timelines
 
-Use timelines as your workspace for alert investigations or threat hunting.
+Use Timeline as your workspace for alert investigations or threat hunting.
 Data from multiple indices can be added to a timeline, which enables
 investigating complex threats, such as lateral movement of malware across hosts
 in your network.
 
-You can drag objects of interest into the Timeline Event Viewer to create
-exactly the query filter you need to get to the bottom of an alert. You can drag
+You can drag objects of interest into Timeline to create exactly the query
+filter you need to get to the bottom of an alert. You can drag
 items from table widgets within Hosts and Network pages, or even from within
 Timeline itself.
 
@@ -234,7 +256,7 @@ image::images/timeline-ui.png[]
 
 Add notes for your own use and to communicate your workflow and findings to
 others. You can share a timeline, or pass it off to another person or team. You
-can link to timelines from a ticketing system.
+can also link to timelines from Cases and external ticketing systems.
 
 
 [discrete]