
[Internal]: Document the Endpoint and Detection Dashboard #3663

@raqueltabuyo

Description

Background
A new Endpoint and Detection dashboard has been added in 9.2, similar to the Detection rule monitoring dashboard. This dashboard is part of the custom dashboards experience and not part of the Security views.
To ensure users understand its purpose, layout, and how to use it effectively, we need a dedicated documentation page for it.

Documentation requirements

  • Create a new page under the Dashboards section in the Elastic Security documentation. Similar structure and placement as the Detection rule monitoring dashboard documentation.
  • Clearly indicate that this dashboard is part of custom dashboards, not Security views.
  • Describe the dashboard purpose, key visualizations, and metrics available.
  • Include guidance on:
    • How to access the dashboard.
    • Filtering and interaction options.
    • Typical use cases for analysts and administrators. Examples:
      • Top 10 most infected endpoints: As a security analyst, I can identify endpoints with the highest number of detections or alerts over time to prioritize remediation. I can quickly take action on the endpoints with a high number of alerts.
      • Top 10 most impacted users per endpoint: As a security analyst, I want to detect potentially compromised users by correlating multiple detections or alerts tied to the same user identity on the same endpoint.
      • As a Security Lead/Administrator, I want to view the distribution of endpoints by OS or severity level to understand environment coverage.
      • As a Detection Engineer, I can evaluate which rules are generating the most frequent detections and identify candidates for tuning or correlation.
      • As a Security Analyst, I can quickly pivot from dashboard insights (Detections, Preventions, Ransomware, Severity levels, OS type, MITRE techniques, etc.) into the relevant alert details to begin investigations.

Resources

EPIC: https://github.com/elastic/security-team/issues/13426
Below is an example of the dashboard:

[Image: example of the Endpoint and Detection dashboard]

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

Identical

What release is this request related to?

N/A

Serverless release

9.2

Collaboration model

The documentation team

Point of contact

Main contact: @raqueltabuyo

Stakeholders: @ferullo @pzl @dasansol92

Metadata

Labels

Team:Experience (Issues owned by the Experience Docs Team)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests