Explore Security data in Discover
Discover provides a Security-specific experience for exploring alert and event data. When the Security profile is active, Discover adds color-coded row indicators, security-focused default columns, and a contextual overview tab in the document flyout that surfaces key alert and event context.
For general Discover concepts and features, refer to Discover.
How the Security profile activates depends on your deployment type:
- The Security profile activates automatically when you open Discover from your Elastic Security Serverless project.
- The Security profile activates when you open Discover from the Elastic Security solution view.
With the Security profile active, Discover adds the following features to help you triage and investigate alerts and events.
Color-coded indicators appear on the left side of each row in the data table, helping you distinguish between alerts and events at a glance:
- Alerts: Yellow indicator
- Events: Gray indicator
When you use a data view that includes security alerts data, such as the default Elastic Security data view, Discover displays pre-configured columns optimized for alert triage.
When you expand a document in Discover, the document flyout includes an Alert Overview or Event Overview tab depending on the document type. This tab surfaces key information to help you quickly understand the document and decide on next steps.
The overview tab includes the following sections:
- About: An ECS-based description of the event category, helping you understand the type of activity the document represents.
- Description: The detection rule description. Appears for alert documents.
- Reason: The reason the alert was generated. Appears for alert documents.
- Explore in Alerts or Explore in Timeline: For alerts, links directly to the alert in the Elastic Security app Alerts page. For events, opens the event in Timeline for further investigation.
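The alert-versus-event distinction and the overview fields described above can be reproduced offline, for example when triaging documents exported from Discover. The following Python script is an added example and is not Kibana's own code: it classifies a document as an alert or an event, picks the matching row indicator color, and extracts the same context the overview tab shows. It relies on the documented Elastic alert schema fields `event.kind: signal`, `kibana.alert.reason` and `kibana.alert.rule.description`; the ECS category descriptions, the sample documents, and the classification logic itself are constructed for this example and only approximate what Discover does internally.

```python
"""Classify Discover documents as alerts or events and extract overview context.

Added example; not Kibana code. Handles both nested ({"kibana": {"alert": ...}})
and flattened ({"kibana.alert.reason": ...}) document shapes, as exported docs
may use either.
"""
from typing import Any

# Plain-English descriptions for a subset of ECS event.category values
# (constructed for this example; extend as needed).
ECS_CATEGORY_DESCRIPTIONS = {
    "authentication": "A login or other authentication attempt",
    "process": "Process activity such as a start, stop, or parent/child relationship",
    "network": "Network traffic or a connection between hosts",
    "file": "Activity on a file, such as creation, modification, or deletion",
    "malware": "Detection of malicious software or behavior",
}


def get_field(doc: dict, path: str) -> Any:
    """Resolve a dotted field path against a flattened or nested document."""
    if path in doc:  # flattened form: {"event.kind": "signal"}
        return doc[path]
    current: Any = doc
    for part in path.split("."):  # nested form: {"event": {"kind": "signal"}}
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def is_alert(doc: dict) -> bool:
    """Elastic Security alerts carry event.kind: signal and kibana.alert.* fields."""
    return get_field(doc, "event.kind") == "signal" or get_field(doc, "kibana.alert.reason") is not None


def overview(doc: dict) -> dict:
    """Build the same context the Alert Overview / Event Overview tab surfaces."""
    categories = get_field(doc, "event.category") or []
    if isinstance(categories, str):  # event.category may be a string or a list
        categories = [categories]
    about = "; ".join(
        ECS_CATEGORY_DESCRIPTIONS.get(c, f"Unrecognized ECS category '{c}'") for c in categories
    ) or "No event.category set"

    alert = is_alert(doc)
    result = {
        "type": "alert" if alert else "event",
        "indicator": "yellow" if alert else "gray",  # row indicator color in Discover
        "about": about,
    }
    if alert:
        # Description and Reason sections appear only for alert documents.
        result["description"] = get_field(doc, "kibana.alert.rule.description")
        result["reason"] = get_field(doc, "kibana.alert.reason")
        result["next_step"] = "Explore in Alerts"
    else:
        result["next_step"] = "Explore in Timeline"
    return result


# Constructed sample documents (not real data).
SAMPLE_ALERT = {
    "event": {"kind": "signal", "category": ["process"]},
    "kibana": {"alert": {
        "reason": "process event by user alice on host ws01 created high alert Example Rule.",
        "rule": {"name": "Example Rule", "description": "Constructed rule description for the example."},
    }},
}
SAMPLE_EVENT = {"event.kind": "event", "event.category": "authentication", "user.name": "bob"}

if __name__ == "__main__":
    for doc in (SAMPLE_ALERT, SAMPLE_EVENT):
        print(overview(doc))
```

Running the script prints one overview dictionary per sample document: the alert gets the yellow indicator plus its rule description and reason, while the plain authentication event gets the gray indicator and a Timeline next step.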