Kibana: [SIEM] Page Enrichments with Histograms, Tabs & Updated KPIs

Created on 1 Aug 2019 · 12 Comments · Source: elastic/kibana

This issue is meant to capture the work involved in enriching the existing SIEM pages with histograms. To avoid further increasing page height and potentially improve user navigability and performance, the addition of the new histograms should follow implementation of EUI tabs for page sub-navigation. Additionally, as some of these new histograms will result in redundant visualizations, the existing page KPIs will need to be updated following the addition of each page's histograms. In addition to updating the KPI contents and layout accordingly, we can consider enhancing the data by also including percentage difference over the previous time range.

Hosts Page

Hosts Page Figma Wireframes
Hosts Page Figma Prototype

Host Details Page

Network Page

IP Details Page

  • ~[ ] Implement tabbed sub-navigation~
  • [ ] Add domains histogram
  • [ ] Add users histogram
  • [ ] Add transport layer security histogram
  • [ ] Add anomalies histogram
  • [ ] Update page KPIs
SIEM design

All 12 comments

Pinging @elastic/secops

Here are screenshots of the wireframes we looked at in today's SIEM sync. If there are any comments or questions, please feel free to drop here or as a comment in the Figma links above.

All Hosts Tab:
HOSTS - All Hosts Tab

Authentications Tab:
HOSTS - Authentications Tab

Uncommon Processes Tab:
HOSTS - Uncommon Processes Tab

Anomalies Tab:
HOSTS - Anomalies Tab

Events Tab:
HOSTS - Events Tab

A small comment on the new KPIs: When I open the Figma prototype on the mac laptop screen, the second level of tabs is just below the fold:

Screenshot 2019-08-08 at 12 37 33

Since we've said before that we want the tabs to be visible, we might want to reduce a bit the KPIs in height so that the tab headers fit comfortably on the page?

@tsg @MichaelMarcialis
I think we can remove the word 'frequency' from the histogram headers (Event count, Anomaly count, Authentication count, Host count).

Don't think we need the word 'top' in any of the drop-downs either.

Screenshot 2019-10-07 at 12 03 26

@MichaelMarcialis Love the new tabbed sub-navigation. Is this a feature which could one day become usable in normal dashboards for Kibana users?

@tsg @MichaelMarcialis
I think we can remove the word 'frequency' from the histogram headers (Event count, Anomaly count, Authentication count, Host count).

Don't think we need the word 'top' in any of the drop-downs either.

@benskelker: Sounds good on the header text updates. I'll update the wireframes to reflect that.

Regarding the word "top" prefixing some of the stack options, the original intent was that we would only show the top 5 users/sources/destinations/etc. in the stacked bar chart, with a 6th stack reserved for "All others". The idea there was to prevent having too many colors/stacks and instead focus on only the most numerous.

In implementation however (with the host events histogram), it looks like we are not limiting the number of stacks/colors in the chart, and are instead showing them all. If that's how we plan to proceed with these histograms, I agree with you that we should remove the "top" prefix text. However, if we want to limit the number of colors/stacks as my wireframes suggest, it would make sense to keep the text. I'm not sure if we discussed which way would be best to proceed. @tsg, do you have any opinions on the matter?
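The "top 5 plus a sixth 'All others' stack" behaviour discussed above, as an added example that is not Kibana's own code. It ranks stacks by their total over the whole time range so the kept set (and its colors) stays the same in every bucket; the row shape x/g/y (time bucket, stack key, count) is an assumption for this example.

```typescript
// Added example, not Kibana's own code: collapse a stacked histogram to the
// top-N stacks over the whole time range plus one "All others" stack, as the
// wireframes describe (top 5 + a sixth "All others"). Field names x/g/y
// (time bucket, stack key, count) are an assumption for this example.
interface HistogramRow {
  x: number; // time bucket (epoch ms)
  g: string; // stack key, e.g. user name or source IP
  y: number; // count in that bucket for that stack
}

const ALL_OTHERS = 'All others';

// Rank stacks by their total over the whole range so the same N stacks are
// kept in every bucket (ranking per bucket would make colors jump around).
function topStacks(rows: HistogramRow[], n: number): string[] {
  const totals = new Map<string, number>();
  for (const r of rows) totals.set(r.g, (totals.get(r.g) ?? 0) + r.y);
  return Array.from(totals.entries())
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0])) // ties: by name
    .slice(0, n)
    .map(([g]) => g);
}

// Fold every stack outside the top N into ALL_OTHERS, summing per bucket.
// Input rows are not mutated; the result is sorted by time bucket.
function collapseToTopN(rows: HistogramRow[], n = 5): HistogramRow[] {
  const keep = new Set(topStacks(rows, n));
  const merged = new Map<string, HistogramRow>();
  for (const r of rows) {
    const g = keep.has(r.g) ? r.g : ALL_OTHERS;
    const key = `${r.x}|${g}`;
    const cur = merged.get(key);
    if (cur) cur.y += r.y;
    else merged.set(key, { x: r.x, g, y: r.y });
  }
  return Array.from(merged.values()).sort((a, b) => a.x - b.x);
}

// Constructed sample: authentication counts per user in two time buckets.
// Seven users, so with n = 5 two of them (erin, grace) land in "All others".
const SAMPLE: HistogramRow[] = [
  { x: 1000, g: 'alice', y: 40 }, { x: 1000, g: 'bob', y: 30 },
  { x: 1000, g: 'carol', y: 20 }, { x: 1000, g: 'dave', y: 10 },
  { x: 1000, g: 'erin', y: 8 }, { x: 1000, g: 'frank', y: 3 },
  { x: 1000, g: 'grace', y: 1 },
  { x: 2000, g: 'alice', y: 35 }, { x: 2000, g: 'frank', y: 9 },
  { x: 2000, g: 'grace', y: 2 },
];

console.log(collapseToTopN(SAMPLE));
```

Note that frank stays a named stack even though he is small in the first bucket, because his total across the range outranks erin's.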

@MichaelMarcialis Love the new tabbed sub-navigation. Is this a feature which could one day become usable in normal dashboards for Kibana users?

@willemdh: Thanks so much for the kind feedback! Any and all feedback is most welcome.

Regarding your question, it looks like there is an open issue for using pagination or tabs in a dashboard. I'm sure if you inquire about the status of it on the issue, someone from the Kibana app team can give you an update on its progress.

If that issue isn't what you were looking for though, please do feel free to open a new feature request.

@MichaelMarcialis
Thanks - let's decide on the drop-down text after the implementation is finalised.

Just wondering, would displaying the least common Authentication and Event counts also be useful for SIEM (especially if we only display the top 5 and all others are aggregated)?

Just wondering, would displaying the least common Authentication and Event counts also be useful for SIEM (especially if we only display the top 5 and all others are aggregated)?

@benskelker: I agree there's value in showing something like the least common authentications, though I'm not sure if a histogram is the best way to convey that information (as its presence will be minimal by definition, yielding a not-so-interesting shape to the data). It's also tricky because it's subjective depending on what field the user is defining as "uncommon." For example, is it the number of login successes? Login failures? Both? I wonder if filtering and manipulating the table data would be more successful in that regard.

@randomuserid: Do you have any thoughts on this?

@MichaelMarcialis @cwurm @tsg could you check if we do need any more histograms to add?

Awesome to see most of the checkboxes done :). Generally speaking, I think we'll want to go deep and add more visualizations that you can access via the drop-down in the mockups. That would make things a bit more customizable, which is a common request.

But I'd say that for now, we've managed to get pretty good coverage and the pages look really good, so I'm fine with closing this ticket.

@MichaelMarcialis @cwurm @tsg could you check if we do need any more histograms to add?

Hey, @patrykkopycinski. You and @angorayc have done a great job knocking these out! Regarding your question above, here are some comments and questions:

  • For all the histograms that you all have added, do we plan to continue iterating on them to include allowing users to select the stack dimension via the dropdown interface indicated in the wireframes?
  • On the hosts page, do we still want to do a histogram for the All hosts tab? Or has that been cut?
  • On the network page, top talkers has since been replaced with source/destination IPs and source/destination countries. Do we wish to have histograms for any or all of those? I'm happy to mock those up if need be.
  • The IP details tabbed navigation task has been struck-through. Was it decided that we wouldn't be introducing tabbed navigation into that page at all?

    • If we do plan to add tabbed navigation to the IP details page, do we want to include histograms for source/destination IPs, source/destination countries, users, HTTP requests, transport layer security and anomalies?

  • There was also the notion of enhancing the existing KPIs for each page, which would include metrics for percentage change from the previous time interval, removal of redundant visualizations (with the addition of the new histograms), and some layout changes. Things have changed a fair bit since this issue was opened, so it probably requires that I take another pass at determining the best KPIs to include and mocking them up for each page. Do we want to spin this off as a separate issue?