Add documentation for log type updates in Security Analytics - pt. 2 (#3083)

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#3018-sec-analytics-2.6-II

Signed-off-by: cwillum <cwmmoore@amazon.com>

---------

Signed-off-by: cwillum <cwmmoore@amazon.com>
This commit is contained in:
Chris Moore 2023-02-28 10:13:59 -08:00 committed by GitHub
parent 5e4fd228f9
commit b49f5fcd76
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 44 additions and 15 deletions


@ -32,6 +32,8 @@ You can define a new detector by naming the detector, selecting a data source an
* Use the **Log type**, **Rule severity**, and **Source** dropdown lists to filter the rules you want to select from. * Use the **Log type**, **Rule severity**, and **Source** dropdown lists to filter the rules you want to select from.
* Use the **Search** bar to search for specific rules. * Use the **Search** bar to search for specific rules.
When selecting **Network events**, **CloudTrail logs**, or **S3 access logs** as the log type, a detector dashboard is automatically created. The dashboard offers visualizations for the detector and can provide security-related insight into log source data. For more information about visualizations, see [Building data visualizations]({{site.url}}{{site.baseurl}}/dashboards/visualize/viz-index/).
To quickly select one or more known rules and dismiss others, first deselect all rules by moving the **Rule name** toggle to the left, then search for your target rule names and select each individually by moving its toggle to the right. To quickly select one or more known rules and dismiss others, first deselect all rules by moving the **Rule name** toggle to the left, then search for your target rule names and select each individually by moving its toggle to the right.
{: .tip } {: .tip }
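Review bot: The new paragraph about automatically created detector dashboards lands between the rule-filtering bullets and the `{: .tip }` block that continues the same rule-selection guidance ("To quickly select one or more known rules..."), so the tip now reads as if it belongs to the dashboard sentence. Suggest moving the dashboard paragraph after the tip, or ahead of the bullet list, so the rule-selection instructions stay contiguous. The sentence should also tell readers where the generated dashboard appears (or link to it), since "a detector dashboard is automatically created" gives them no way to find it; the only link offered is the generic visualization guide.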


@ -7,42 +7,69 @@ nav_order: 35
# Working with findings # Working with findings
The Findings window includes features for viewing and working with findings. The two main features are: The **Findings** window includes features for viewing and working with findings. The two main features are:
* The bar graph with findings information arranged by count, date, and log type or rule severity. * The bar graph with findings information arranged by count, date, and log type or rule severity.
* The Findings list arranged by time, finding ID, rule name, and other details. * The **Findings** list arranged by time, finding ID, rule name, and other details.
You can select the **Refresh** button at any time to refresh information on the Findings page. You can choose **Refresh** at any time to refresh information on the **Findings** page.
## The Findings graph ## The Findings graph
The findings graph can display findings by log type or rule severity. Use the **Group by** dropdown list to specify either log type or rule severity. The findings graph can display findings by log type or rule severity. Use the **Group by** dropdown list to specify either log type or rule severity.
To specify the date range you would like the graph to display, first select the calendar dropdown list. The date selector window opens. To specify the date range you would like the graph to display, first select the calendar dropdown list. The date selector window opens.
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/find-date-pick.png" alt="Date selector for findings graph" width="55%">
<img src="{{site.url}}{{site.baseurl}}/images/Security/find-date-pick.png" alt="Date selector for findings graph" width="55%">
You can use the **Quick select** settings to specify an exact window of time. You can use the **Quick select** settings to specify an exact window of time.
* Select either **Last** or **Next** in the first dropdown list to set the window of time behind the current setting or ahead of the current setting. * Select either **Last** or **Next** in the first dropdown list to set the window of time behind the current setting or ahead of the current setting.
* Select a number in the second dropdown list to define a value for the range. * Select a number in the second dropdown list to define a value for the range.
* Select a unit of time in the third dropdown list. Available options are seconds, minutes, hours, days, weeks, months, and years. * Select a unit of time in the third dropdown list. Available options are seconds, minutes, hours, days, weeks, months, and years.
Select the **Apply** button to apply the range of dates to the graph. Information on the graph changes accordingly. Choose **Apply** to apply the range of dates to the graph. Information on the graph changes accordingly, as shown in the following image.
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/quickset.png" alt="Quick select settings example" width="40%">
<br>You can use the left and right arrows to move the window of time behind the current range of dates or ahead of the current range of dates. When you use these arrows, the start date and end date appear in the date range field. You can then select each one to set an absolute, relative, or current date and time. For absolute and relative changes, select the **Update** button to apply the changes. <img src="{{site.url}}{{site.baseurl}}/images/Security/quickset.png" alt="Quick select settings example" width="40%">
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/date-pick.png" alt="Altering date range" width="55%">
You can use the left and right arrows to move the window of time behind the current range of dates or ahead of the current range of dates. When you use these arrows, the start and end dates appear in the date range field. You can then select each one to set an absolute, relative, or current date and time. For absolute and relative changes, choose **Update** to apply the changes.
<img src="{{site.url}}{{site.baseurl}}/images/Security/date-pick.png" alt="Altering date range" width="55%">
As an alternative, you can select an option in the **Commonly used** section (see the preceding image of the calendar dropdown list) to conveniently set a window of time. Options include date ranges such as **Today**, **Yesterday**, **this week**, and **week to date**. As an alternative, you can select an option in the **Commonly used** section (see the preceding image of the calendar dropdown list) to conveniently set a window of time. Options include date ranges such as **Today**, **Yesterday**, **this week**, and **week to date**.
When one of the commonly used windows of time is selected, you can select the **Show dates** label in the date range field to populate the range of dates. Following that, you can select either the start date or end date to specify by an absolute, relative, or current date and time setting. For absolute and relative changes, select the **Update** button to apply the changes. When one of the commonly used windows of time is selected, you can choose **Show dates** in the date range field to populate the range of dates. Following that, you can select either the start date or end date to specify an absolute, relative, or current date and time setting. For absolute and relative changes, choose **Update** to apply the changes.
As one more alternative, you can select an option from the **Recently used date ranges** section to go back to a previous setting. As one more alternative, you can select an option from the **Recently used date ranges** section to go back to a previous setting.
## The Findings list ## The Findings list
The Findings list displays all findings according to time of the finding, the finding ID, the rule name that generated the finding, the detector that captured the finding, and other details. The **Findings** list displays all findings according to the time of the finding, the finding ID, the rule name that generated the finding, the detector that captured the finding, and other details, as shown in the following image.
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/finding-list.png" alt="A list of all findings" width="85%">
<img src="{{site.url}}{{site.baseurl}}/images/Security/finding-list.png" alt="A list of all findings" width="85%">
Use the **Rule severity** dropdown list to filter the list of findings by severity. Use the **log type** dropdown list to filter the list by log type. Use the **Rule severity** dropdown list to filter the list of findings by severity. Use the **log type** dropdown list to filter the list by log type.
Each finding in the list includes a finding ID. You can select the ID to open the Finding details pane, which describes the finding by parameters defined when creating the detector.
The Actions column includes two options for each finding: The **Actions** column includes two options for each finding:
* The diagonal arrow provides another way to open the Findings detail pane. * The diagonal arrow provides a way to open the **Finding details** pane, which describes the finding by parameters defined when creating the detector and includes the document that generated the finding.
* The bell icon allows you to open the Create detector alert trigger pane, where you can quickly set up an alert for the specific finding and modify rules and their conditions as required. * The bell icon allows you to open the **Create detector alert trigger** pane, where you can quickly set up an alert for the specific finding and modify rules and their conditions as required.
For details on setting up an alert, see [Set up alerts]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-3-set-up-alerts) in detector creation documentation. For details on setting up an alert, see [Set up alerts]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-3-set-up-alerts) in detector creation documentation.
Each finding in the list also includes a **Finding ID**. In addition to using the diagonal arrow in **Actions**, you can select the ID to open the **Finding details** pane. An example of **Finding details** is shown in the following image.
<img src="{{site.url}}{{site.baseurl}}/images/Security/findings1.png" alt="Finding details pane" width="60%">
### Viewing surrounding documents
The **Finding details** pane contains specific information about the finding, including the document that generated the finding. To investigate the series of events that led to the finding or followed the finding, you can select **View surrounding documents** to open the document in the **Discover** panel and view other documents preceding or following it.
1. Open **Finding details** by selecting the **Finding ID** in the **Findings** list.
1. In the **Documents** section, select **View surrounding documents**. If an index pattern already exists for the document, the **Discover** panel opens and displays the document. If an index pattern does not exist, the **Create index pattern to view documents** window opens and prompts you to create an index pattern, as shown in the following image.
<img src="{{site.url}}{{site.baseurl}}/images/Security/findings2.png" alt="popup window prompting users to create an index pattern" width="60%">
1. In the **Create index pattern to view documents** window, the index pattern name is automatically populated. Enter the appropriate time field from the log index used to determine the timing for log events. For information on mapping log fields to detector fields, see [Step 2. Create field mappings]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#step-2-create-field-mappings). Choose **Create index pattern**. The **Create index pattern to view documents** confirmation window opens.
1. Select **View surrounding documents** in the confirmation window. The **Discover** panel opens, as shown in the following image.
<img src="{{site.url}}{{site.baseurl}}/images/Security/findings4.png" alt="Discover panel with surrounding documents" width="85%">
The **Discover** panel displays the document that generated the finding with a highlighted background. Other documents that came either before or after the event are also displayed.
For details about working with **Discover** in OpenSearch Dashboards, see [Exploring data]({{site.url}}{{site.baseurl}}/dashboards/discover/index-discover/).
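Review bot: The `<img>` for findings2.png in the "Viewing surrounding documents" procedure is not indented, so in kramdown it terminates the numbered list after step 2 and the following `1.` items render as a new list that restarts at 1; indent the image (and its blank lines) under the step it illustrates so steps 3 and 4 keep their numbers. Two smaller points: the filter sentence still reads "Use the **log type** dropdown list" in lowercase while "**Rule severity**" and the detector page's "**Log type**" are capitalized, so the UI label should be "**Log type**" here as well; and the phrase "includes the document that generated the finding" now appears in the diagonal-arrow bullet, the Finding ID paragraph and the opening of the surrounding-documents section, so one of the three can be dropped. The step-3 wording "Enter the appropriate time field from the log index used to determine the timing for log events" would read more clearly as "Enter the time field from the log index that determines the timing of log events".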
