Elastic Security UI

The Elastic Security app is a highly interactive workspace designed for security analysts that provides a clear overview of events and alerts from your environment. You can use the interactive UI to drill down into areas of interest.

Search

Filter for alerts, events, processes, and other important security data by entering Kibana Query Language (KQL) queries in the search bar, which appears at the top of each page throughout the app. A date/time filter set to Today is enabled by default, but can be changed to any time range.

  • To refine your search results, select Add Filter (Add filter icon), then enter the field, operator (such as is not or is between), and value for your filter.
  • To save the current KQL query and any applied filters, select Saved query menu (Saved query menu icon), enter a name for the saved query, and select Save saved query.
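As an added illustration (not from the original page), the following KQL query expresses in the search bar the same kind of conditions the Add Filter controls build, an `is not` exclusion and an `is between` date range; the user name and time range are constructed sample values:

```kql
event.category : "authentication" and event.outcome : "failure"
  and not user.name : "svc-backup"
  and @timestamp >= "2023-05-01T00:00:00" and @timestamp < "2023-05-02T00:00:00"
```

KQL has no `between` keyword, so a range is written as two comparisons joined with `and`; the `not` prefix is the query form of the `is not` operator.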

Navigation menu

The navigation menu contains direct links and expandable groups, identified by the group icon (Group icon).

  • Click a top-level link to go directly to its landing page, which contains links and information for related pages.
  • Click a group’s icon (Group icon) to open its flyout menu, which displays links to related pages within that group. Click a link in the flyout to navigate to its landing page.

Click the Collapse side navigation icon (Side menu collapse icon) to collapse and expand the main navigation menu.

Elastic Security app pages

The Elastic Security app contains the following pages that enable analysts to view, analyze, and manage security data.

Dashboards

Expand this section to access the Overview, Detection & Response, Kubernetes, and Cloud Posture dashboards, which provide interactive visualizations that summarize specific data within your environment. Refer to Dashboards for more information.

Alerts

View and manage alerts to monitor activity within your network. Refer to Detections and alerts for more information.

Findings

Compare your Kubernetes infrastructure against a variety of security benchmarks. Refer to the Findings page to find out how to set this up.

Timelines

Investigate alerts and complex threats — such as lateral movement — in your network. Timelines are interactive and allow you to share your findings with other team members. Refer to Investigate events in Timeline to learn more.

Select the collapsible Timeline button at the bottom of the Elastic Security app to start an investigation.

Cases

Open and track security issues. Refer to Cases to learn more.

Explore

Expand this section to view the following pages:

  • Hosts: Examine key metrics for host-related security events using graphs, charts, and interactive data tables.
  • Network: Explore the interactive map to discover key network activity metrics and investigate network events further in Timeline.
  • Users: Access a comprehensive overview of user data to help you understand authentication and user behavior within your environment.

Get started

Quickly add security integrations that can ingest data and monitor your hosts.

Manage

Expand this section to access and manage additional security features:

  • Rules: Create and manage rules to monitor suspicious events.
  • Exception lists: View and manage all rule exceptions.
  • Endpoints: View and manage hosts running Endpoint and Cloud Security.
  • Policies: View and manage Endpoint and Cloud Security integration policies.
  • Trusted applications: View and manage trusted Windows, macOS, and Linux applications.
  • Event filters: View and manage event filters, which allow you to filter out endpoint events you don’t want stored in Elasticsearch.
  • Host isolation exceptions: View and manage host isolation exceptions, which specify IP addresses that can communicate with your hosts even when those hosts are blocked from your network.
  • Blocklist: View and manage the blocklist, which allows you to prevent specified applications from running on hosts, extending the list of processes that Endpoint and Cloud Security considers malicious.
  • CSP Benchmarks: View, enable, or disable benchmark rules.

Accessibility features

Accessibility features, such as keyboard focus and screen reader support, are built into the Elastic Security UI. These features offer additional ways to navigate the UI and interact with the application.

Interact with draggable elements

Use your keyboard to interact with draggable elements in the Elastic Security UI:

  • Press the Tab key to apply keyboard focus to an element within a table. Or, use your mouse to click on an element and apply keyboard focus to it.
  • Press Enter on an element with keyboard focus to display its menu and press Tab to apply focus sequentially to menu options. The f, o, a, t, c hotkeys are automatically enabled during this process and offer an alternative way to interact with menu options.
  • Press the spacebar once to begin dragging an element to a different location and press it a second time to drop it. Use the directional arrows to move the element around the UI.
  • If an event has an event renderer, press the Shift key and the down directional arrow to apply keyboard focus to the event renderer and Tab or Shift + Tab to navigate between fields. To return to the cells in the current row, press the up directional arrow. To move to the next row, press the down directional arrow.

Navigate the Elastic Security UI

Use your keyboard to navigate through rows, columns, and menu options in the Elastic Security UI:

  • Use the directional arrows to move keyboard focus right, left, up, and down in a table.
  • Press the Tab key to navigate through a table cell with multiple elements, such as buttons, field names, and menus. Pressing the Tab key will sequentially apply keyboard focus to each element in the table cell.
  • Use CTRL + Home to shift keyboard focus to the first cell in a row. Likewise, use CTRL + End to move keyboard focus to the last cell in the row.
  • Use the Page Up and Page Down keys to scroll through the page.