
[Request][Serverless][8.16] New notes experience #5441

Open
6 of 23 tasks
nastasha-solomon opened this issue Jun 13, 2024 · 3 comments
Labels
Effort: Large Issues that require significant planning, research, writing, and testing Feature: Timeline Priority: High Issues that are time-sensitive and/or are of high customer importance Team: Threat Hunting Formerly Data Visibility v8.16.0

Comments


nastasha-solomon commented Jun 13, 2024

Description

In 8.16, you no longer need to create a Timeline just to add notes to alerts or events. Now, you can add notes to alerts and events from outside of Timeline (e.g., from the Alerts table or the Events tab on the Hosts or Users pages) and attach those alert/event notes to Timeline if you so wish.

In addition to the expanded functionality, the Notes tab UI was modified, a new page for managing all notes has been introduced, and an advanced setting that lets users specify a maximum number of notes that can be added to an event or alert (securitySolution:maxUnassociatedNotes) was created.

Updated Notes Timeline tab

You can still add notes to Timeline from the Timeline tab. The tab's UI contains the following:

  • Details about the user who created the Timeline (shown in the Created by field) and users who added notes to the Timeline (shown in the Participants field)

  • The Timeline description (shown in the text box at the top of the Notes tab)

  • All notes added to the Timeline

  • An option for saving the Timeline if you're adding a note to an unsaved Timeline

Notes management page

In ESS, the Notes page is located at Manage -> Investigations -> Notes. In Serverless, it's under ???. On the Notes page, users can do the following:

  • Search for keywords and phrases in existing notes
  • Filter by users who created notes
  • Filter by notes association type to find notes that were added to alerts/events only, Timelines only, or alerts and Timelines

Advanced setting for limiting notes added to alerts/events

The securitySolution:maxUnassociatedNotes advanced setting lets users specify a maximum number of notes that can be added to an event or alert. The default value is 1000. Users can add 1000 notes to 1k alerts (1 note per alert) or 1000 notes to a single alert.

Additional details feature/functionality

What can you add notes to?

  • Alerts and events
  • Timeline

How do you add notes?

  • Alerts and events: Two ways -

    • Can add notes from the Alerts table or event tables on the Explore pages (Hosts and Users). To do this, use the notes button (not sure if there will be an option to bulk-add notes)
      NOTE: A notifications icon (a red dot) appears on the Notes button when an alert or event has one or more notes.

    • Details flyout: Expand the flyout and directly add a note from the Notes tab or click the add icon in the Notes card in the flyout header (for alerts only)

  • Timeline: Two ways -

    • Attach an alert’s notes to Timeline (Timeline must be saved)
    • Add notes directly to Timeline (these are only associated with the Timeline, not any alerts/events being investigated in Timeline)

How do you manage notes?

  • Use the Notes management page to do the following:
    • View all notes that were created (including those that were only added to Timelines?)
    • Delete individual or multiple notes
    • Export notes (verify this)
    • Examine alerts that have notes (verify this)
  • Use the Notes tab in the alert and event flyouts to do the following:
    • Add, delete, and view notes
    • View who added notes to the alert or event (names will appear in the Participants section on the right side)
      • Created by section shows who created the Timeline (name is logged in the section when someone saves the Timeline)

What should you be aware of?

  • Before you can add a note to an alert or event that you're investigating in an unsaved Timeline, you must first save the Timeline. You can do this from the Timeline tab by opting to save the Timeline before adding a new note. Alternatively, you can save the Timeline the typical way.
  • Adding a note to an alert or event and attaching it to a saved Timeline automatically pins the event in Timeline. To unpin the alert or event, you must delete the note associated with the Timeline.
  • TBD

Doc plan

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

8.16

Serverless release

November 4, 2024

Feature differences

N/A

API docs impact

N/A (Not updating 8.16 API docs anymore)

Prerequisites, privileges, feature flags

None

@nastasha-solomon nastasha-solomon added Team: Threat Hunting Formerly Data Visibility Feature: Timeline Priority: Medium Issues that have relevance, but aren't urgent Effort: Large Issues that require significant planning, research, writing, and testing v8.15.0 labels Jun 13, 2024
@nastasha-solomon nastasha-solomon self-assigned this Jun 13, 2024
@nastasha-solomon nastasha-solomon changed the title [Request] Enhancement to notes [Request] New notes experience Jun 13, 2024
@nastasha-solomon (Contributor, Author) commented:

Moving to a future sprint since this feature will be behind a feature flag in 8.15 and Serverless.

@nastasha-solomon nastasha-solomon added Priority: High Issues that are time-sensitive and/or are of high customer importance and removed Priority: Medium Issues that have relevance, but aren't urgent labels Sep 25, 2024
@nastasha-solomon nastasha-solomon changed the title [Request] New notes experience [Request][Serverless][8.16] New notes experience Oct 7, 2024
@nastasha-solomon (Contributor, Author) commented:

Notes from meeting with @PhilippeOberti this week:

  • The description for the notes advanced setting will be revised. It might need to point to the note feature docs, so I might need to add a stub link to main/8.16 to allow the link to resolve properly.
  • Users might be presented with a warning or error message when they reach the max limit for the number of alerts that they can add to a document (event or timeline). While the instruction would be to delete irrelevant/outdated notes, there might also be a reference to the note feature docs.

The copy reviews and doc work (setting up the stub link) for both items must be completed by or before BC3.

@nastasha-solomon (Contributor, Author) commented:

Core docs are being added in #6006. To keep the PR reviews on track, I'll file a separate PR to refresh impacted screenshots that are not Note-specific.
cc: @PhilippeOberti
