diff --git a/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md b/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md index f305724877..774e42da20 100644 --- a/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md +++ b/docs/cse/get-started-with-cloud-siem/about-cse-insight-ui.md 
@@ -28,25 +28,15 @@ This screenshot shows the **Insights** page in list view.  Insights page -Here’s one row from the List view. The numbered definitions below correspond to the labels in the screenshot. - -Insight summary - -1. **Creation date and time**. When the insight was created. -1. **Detection time**. The time between when the first event happened (when the first record in the insight occurred) and when the insight was generated. (This differs from "dwell time", which is the time between when the first record and the last record occurred in an insight.) -1. **Age**. The elapsed time since the insight was created. -1. **Insight name**. The insight name, made up of the insight ID, and the MITRE stage or stages associated with the signals in the insight.  -1. **Related incidents**. Incidents that share common entities and other characteristics. -1. **Global Confidence**. If sufficient data is available, a [Global Confidence score](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the insight is shown.  -1. **Assignee**. The analyst assigned to the Incident. -1. The [MITRE ATT&CK](https://attack.mitre.org/) tactics and techniques exhibited by the insight. -1. **Severity**. The severity of the insight. The value is a function of the configured entity activity score threshold for insight generation. For more information, see [About insight severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process#about-insight-severity). -1. **Entity**. The entity associated with the insight. -1. **Signal Data**. This area has three bits of information: - * The count of signals that caused the insight to be created. - * The total count of signals on the insight entity during the detection window. - * How long it's been since the last signal fired associated with the insight fired. -1. The visualization plots the insight's signals over time (x-axis) by severity (y-axis). +* **Status**. 
The [status](/docs/cse/administration/manage-custom-insight-statuses/) of the insight. +* **ID**. The insight name, made up of the insight ID, and the MITRE stage or stages associated with the signals in the insight. +* **Created**. When the insight was created. +* **Assignee**. The analyst assigned to the Incident. +* **Age**. The elapsed time since the insight was created. +* **Entity**. The [entity](/docs/cse/records-signals-entities-insights/view-manage-entities/) associated with the insight. +* **Severity**. The severity of the insight. The value is a function of the configured entity activity score threshold for insight generation. For more information, see [About insight severity](/docs/cse/get-started-with-cloud-siem/insight-generation-process#about-insight-severity). +* **Global Confidence**. If sufficient data is available, a [Global Confidence score](/docs/cse/records-signals-entities-insights/global-intelligence-security-insights/) for the insight is shown. +* **Signals**. The total count of signals on the insight entity during the detection window. ### Board view diff --git a/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md b/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md index 342d988f8a..a34a4a9494 100644 --- a/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md +++ b/docs/cse/records-signals-entities-insights/global-intelligence-security-insights.md 
@@ -43,7 +43,7 @@ Watch this micro lesson to learn more about Global Intelligence for insights. ## What is a Global Confidence score? An insight’s Global Confidence score represents a level of confidence, predicted by Sumo Logic’s Global Intelligence machine learning model, that the insight is actionable. -Global confidence score example +Global confidence score example The score is generated based on the underlying pattern of signals in an insight. The model compares this pattern to previously observed patterns from insights that were closed with either a **False Positive** or **Resolved** resolution. The model does such comparisons broadly—across the global installed base of Cloud SIEM customers—so it can generate a Confidence score based on the patterns seen at one customer when encountered at another. In addition to leveraging the patterns discovered across the Cloud SIEM installed base, the model customizes scores for insights in your account based on your customized content, including tuned and custom rules. @@ -60,7 +60,7 @@ The only prerequisite for taking full advantage of Confidence scores is to make ## Using Global Confidence scores The Global Confidence score is a valuable data point to consider when prioritizing which insights to triage first. -An insight’s Confidence score is shown for each insight on the insights list page. You can sort the insight list by the Global Confidence score, as well as by Severity. +An insight’s Confidence score is shown for each insight on the insights list page. On the board page, you can sort the insight list by the Global Confidence score, as well as by Severity. -Global confidence screen image example +Global confidence screen image example diff --git a/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md b/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md index afa613ec5c..5d4af82743 100644 
--- a/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md +++ b/docs/cse/records-signals-entities-insights/tags-insights-signals-entities-rules.md @@ -39,15 +39,9 @@ summarizes this behavior. ## View tags -You can view tags on the pages that provide summary views of insights, signals, entities, and rules. You can also view the tags assigned to an item on the detailed page you see when you navigate to a particular insight, signal, entity, or rule.  +You can view tags on the details pages of insights, signals, entities, or rules.  -This is an overview of an insight from the insights page. Multiple schema key tags are attached to the insight. - -Insight list tags - -The screenshot below shows an entity to which a schema tag is attached. - -Entity list tags +Following is the details view of an insight showing multiple schema key tags attached to the insight:
Insight list tags ## Tag actions @@ -75,7 +69,7 @@ difference is where you do the tagging.  1. The UI for tagging is at the bottom of the **Details** pane. 2. To add a tag, follow the instructions in [Add a keyword tag](#apply-a-keyword-tag).
Tag an entity -### UI for tagging an Cloud SIEM-generated insight +### UI for tagging a Cloud SIEM-generated insight Note that in addition to tags that you manually assign to an insight, an insight will inherit any tags that were applied to the content that went into the insight—the entity and the rule(s) or custom insight definitions that created the included signals—will automatically be inherited (and aggregated) by the insight.  @@ -121,16 +115,4 @@ Note that in addition to tags that you manually assign to an insight, an insight 1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu, select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. 1. Click in the **Filters** area and select **Tags** from the **Fields** list.
Search rules by tag 1. Choose **contain** or **do not contain** from the **Operators** list.
Operators -1. Select a tag from either the **Schema Keys** or **Keyword Tags** list. If you select a tag from the **Schema Keys** list, you are prompted to select a value, and items that match are listed. If you select a tag from the **Keywords Tags** list, items that match are listed. Note that if an item has a Mitre-related tag, an icon appears next to it. Click the icon to view a Mitre page on the Tactic or Technique. - -### Filter a list view by clicking a tag - -On the insights, signals, rules, or entities page, you can click a tag to filter the list. For example, if you click the **Tactic: TA0005 - Defense Evasion** tag on an insight, like this: - -Filter list by tag - -the page will be filtered to show only insights that have that tag: - -Filtered list - -  +1. Select a tag from either the **Schema Keys** or **Keyword Tags** list. If you select a tag from the **Schema Keys** list, you are prompted to select a value, and items that match are listed. If you select a tag from the **Keywords Tags** list, items that match are listed. Note that if an item has a MITRE-related tag, an icon appears next to it. Click the icon to view a MITRE page on the Tactic or Technique. \ No newline at end of file diff --git a/static/img/cse/Confidence-Screenshot.png b/static/img/cse/Confidence-Screenshot.png index ce690a4dd5..624a72996f 100644 Binary files a/static/img/cse/Confidence-Screenshot.png and b/static/img/cse/Confidence-Screenshot.png differ diff --git a/static/img/cse/closeup.png b/static/img/cse/closeup.png index dd9df7da6a..095f3b1d90 100644 Binary files a/static/img/cse/closeup.png and b/static/img/cse/closeup.png differ diff --git a/static/img/cse/insight-list-tags.png b/static/img/cse/insight-list-tags.png index a9a574a117..e30723e917 100644 Binary files a/static/img/cse/insight-list-tags.png and b/static/img/cse/insight-list-tags.png differ 
diff --git a/static/img/cse/insights-page.png b/static/img/cse/insights-page.png index 4a34fc35a9..befcee0b33 100644 Binary files a/static/img/cse/insights-page.png and b/static/img/cse/insights-page.png differ
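Review bot: in the `about-cse-insight-ui.md` hunk (`@@ -28,25 +28,15 @@`), the new **Assignee** bullet still reads "The analyst assigned to the Incident", carried over verbatim from the removed numbered list; the object being assigned is the insight (incidents are a separate concept, as the removed **Related incidents** item shows), so suggest `* **Assignee**. The analyst assigned to the insight.` The hunk also drops the descriptions of **Detection time**, **Related incidents**, the MITRE tactics/techniques, the three-part **Signal Data** breakdown and the severity-over-time visualization without replacing them; if those elements are still visible in the list row they should remain documented (or be pointed to elsewhere), and if they were removed from the UI the commit message should say so.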
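Review bot: in the `global-intelligence-security-insights.md` hunk (`@@ -60,7 +60,7 @@`), the added sentence "On the board page, you can sort the insight list by the Global Confidence score" contradicts the sentence before it, which places the score on the insights list page, and the `about-cse-insight-ui.md` change in this same patch adds **Global Confidence** as a list-view column while the board view is a separate section (`### Board view`) of that file. Suggest either removing "On the board page," or naming precisely which view offers the sort. The same paragraph also alternates between "Confidence score" and "Global Confidence score"; one term throughout would be clearer.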
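Review bot: in the `tags-insights-signals-entities-rules.md` hunk (`@@ -39,15 +39,9 @@`), the new lead-in says "Following is the details view of an insight", but the image that follows keeps the alt text "Insight list tags" (from `insight-list-tags.png`, which this patch also replaces), so the alt text and file name now describe a list view while the prose describes a details view; update the alt text to match the new screenshot, for example "Insight details tags", and consider renaming the image file. The added line also ends with trailing whitespace after "rules."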
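Review bot: the article fix in the `@@ -75,7 +69,7 @@` hunk ("a Cloud SIEM-generated insight") is correct; while touching this heading, the unchanged paragraph directly below it doubles its predicate ("an insight will inherit any tags ... will automatically be inherited (and aggregated) by the insight") and would read better collapsed into one clause, for example "an insight automatically inherits (and aggregates) any tags applied to the content that went into it: the entity and the rule(s) or custom insight definitions that created the included signals."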
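Review bot: in the `@@ -121,16 +115,4 @@` hunk, the added line still names the same list both **Keyword Tags** and **Keywords Tags** within one sentence; since the line is already being edited for the MITRE capitalization, make the list name consistent too. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which should be added, and it deletes the "Filter a list view by clicking a tag" section; if click-to-filter is no longer available in the UI, a one-line pointer to the **Filters > Tags** procedure above as the remaining way to filter by tag would help readers who arrive via the old anchor.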