You can use the left and right arrows to move the window of time behind the current range of dates or ahead of the current range of dates. When you use these arrows, the start and end dates appear in the date range field. You can then select each one to set an absolute, relative, or current date and time. For absolute and relative changes, choose **Update** to apply the changes.
<imgsrc="{{site.url}}{{site.baseurl}}/images/Security/date-pick.png"alt="Altering date range"width="55%">
As an alternative, you can select an option in the **Commonly used** section (see the preceding image of the calendar dropdown list) to conveniently set a window of time. Options include date ranges such as **Today**, **Yesterday**, **this week**, and **week to date**.
When one of the commonly used windows of time is selected, you can choose **Show dates** in the date range field to populate the range of dates. Following that, you can select either the start date or end date to specify an absolute, relative, or current date and time setting. For absolute and relative changes, choose **Update** to apply the changes.
The **Findings** list displays all findings according to the time of the finding, the finding ID, the rule name that generated the finding, the detector that captured the finding, and other details, as shown in the following image.
<imgsrc="{{site.url}}{{site.baseurl}}/images/Security/finding-list.png"alt="A list of all findings"width="85%">
* The diagonal arrow provides a way to open the [**Finding details**](#finding-details) pane, which describes the finding according to parameters defined when creating the detector and includes the document that generated the finding.
* The bell icon allows you to open the **Create detector alert trigger** pane, where you can quickly set up an alert for the specific finding and modify rules and their conditions as required.
For information about setting up alerts, see [Step 4. Set up alerts]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-4-set-up-alerts) in the detector creation documentation.
Each finding in the list also includes a **Finding ID**. In addition to using the diagonal arrow in **Actions**, you can select the ID to open the **Finding details** pane. An example of **Finding details** is shown in the following image.
The **Finding details** pane contains specific information about the finding, including the document that generated the finding. To investigate the series of events that led to the finding or followed the finding, you can select **View surrounding documents** to open the document in the **Discover** panel and view other documents preceding or following it.
1. Open **Finding details** by selecting the **Finding ID** in the **Findings** list.
1. In the **Documents** section, select **View surrounding documents**. If an index pattern already exists for the document, the **Discover** panel opens and displays the document. If an index pattern does not exist, the **Create index pattern to view documents** window opens and prompts you to create an index pattern, as shown in the following image.
<imgsrc="{{site.url}}{{site.baseurl}}/images/Security/findings2.png"alt="popup window prompting users to create an index pattern"width="60%">
1. In the **Create index pattern to view documents** window, the index pattern name is automatically populated. Enter the appropriate time field from the log index used to determine the timing for log events. For information on mapping log fields to detector fields, see [Step 2. Create field mappings]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-2-create-field-mappings). Choose **Create index pattern**. The **Create index pattern to view documents** confirmation window opens.
1. Select **View surrounding documents** in the confirmation window. The **Discover** panel opens, as shown in the following image.
<imgsrc="{{site.url}}{{site.baseurl}}/images/Security/findings4.png"alt="Discover panel with surrounding documents"width="85%">
The **Discover** panel displays the document that generated the finding with a highlighted background. Other documents that came either before or after the event are also displayed.
For details about working with **Discover** in OpenSearch Dashboards, see [Exploring data]({{site.url}}{{site.baseurl}}/dashboards/discover/index-discover/).
Correlations between findings are generated by the correlation engine, which is an experimental feature released in OpenSearch 2.7. Therefore, we do not recommend using the feature in a production environment at this time. For updates on the progress of the correlation engine, see [Security Analytics Correlation Engine](https://github.com/opensearch-project/security-analytics/issues/369) on GitHub. To share ideas and provide feedback, join the [Security Analytics forum](https://forum.opensearch.org/c/plugins/security-analytics/73).
{: .warning }
To see how the finding is correlated with other findings, select the **Correlations** tab. Correlations are relationships between findings that express a particular threat scenario involving multiple log types. Information in the **Correlated findings** table shows the time at which a correlated finding was generated, a finding's ID, the log type used to generate the finding, its threat severity, and the correlation score---a measure of its proximity to the reference finding---as shown in the following image.
<imgsrc="{{site.url}}{{site.baseurl}}/images/Security/corr-details-findings.png"alt="A table of correlated findings with respect to the reference finding"width="60%">
You can select **View correlations graph** to visualize correlations between the findings. For more information about using the correlation graph, see [Working with the correlation graph]({{site.url}}{{site.baseurl}}/security-analytics/usage/correlation-graph/).