diff --git a/docs/assistant/security-assistant.asciidoc b/docs/assistant/security-assistant.asciidoc index 78e6eaeaf3..08d276dd7f 100644 --- a/docs/assistant/security-assistant.asciidoc +++ b/docs/assistant/security-assistant.asciidoc @@ -130,7 +130,7 @@ Quick prompt availability varies based on context — for example, the **Alert s ** *Add note to timeline* (image:images/icon-add-note.png[Add note icon,16,16]): Add the selected text to your currently active Timeline as a note. ** *Add to existing case* (image:images/icon-add-to-case.png[Add to case icon,19,16]): Add a comment to an existing case using the selected text. ** *Copy to clipboard* (image:images/icon-copy.png[Copy to clipboard icon,17,18]): Copy the text to clipboard to paste elsewhere. Also helpful for resubmitting a previous prompt. -** *Add to timeline* (image:images/icon-add-to-timeline.png[Copy to clipboard icon,17,18]): Add a filter or query to Timeline using the text. This button appears for particular queries in AI Assistant's responses. +** *Add to timeline* (image:images/icon-add-to-timeline.png[Add to timeline icon,17,18]): Add a filter or query to Timeline using the text. This button appears for particular queries in AI Assistant's responses. + TIP: Be sure to specify which language you'd like AI Assistant to use when writing a query. For example: "Can you generate an Event Query Language query to find four failed logins followed by a successful login?" ** *Clear chat* (image:images/icon-clear-red.png[Red X icon,16,16]): Delete the conversation history and start a new chat. diff --git a/docs/attack-discovery/attack-discovery.asciidoc b/docs/attack-discovery/attack-discovery.asciidoc new file mode 100644 index 0000000000..627ffec344 --- /dev/null +++ b/docs/attack-discovery/attack-discovery.asciidoc @@ -0,0 +1,69 @@ +[[attack-discovery]] +[chapter] += Attack discovery + +:frontmatter-description: Accelerate threat identification by triaging alerts with a large language model. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [overview] +:frontmatter-tags-user-goals: [get-started] + +beta::[] + +NOTE: This feature is available starting with {elastic-sec} version 8.14.0. + +Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This makes the most of each security analyst's time, helps fight alert fatigue, and can reduce your mean time to respond. + +NOTE: Attack discovery currently only analyzes alerts from the past 24 hours. + +This page describes: + +* <>. +* <>. +* <>. + +[[attack-discovery-generate-discoveries]] +[discrete] +== Generate discoveries + +To use Attack discovery: + +. Click the **Attack discovery** page from {elastic-sec}'s navigation menu. +. When you open the page for the first time, you'll need to select an LLM connector before you can analyze alerts. Select an existing connector from the dropdown menu, or add a new one. ++ +NOTE: Attack discovery uses the same LLM connectors as <>. If you've already configured one, you can use it here without further configuration. In general, models with larger context windows are more effective for Attack discovery. ++ +image::images/select-model-empty-state.png[] ++ +. Once you've selected a connector, click **Generate** to start the analysis. + +It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. + +IMPORTANT: Attack discovery uses the same data anonymization settings as <>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. + +Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack discovery process again with the most current alerts. + +[[attack-discovery-what-info]] +[discrete] +== What information does each discovery include? + +Each discovery includes the following information describing the potential threat, generated by the connected LLM: + +. A descriptive title and a summary of the potential threat. +. The number of associated alerts and which parts of the https://attack.mitre.org/[MITRE ATT&CK matrix] they correspond to. +. The implicated entities (users and hosts), and what suspicious activity was observed for each. + +image::images/attack-discovery-full-card.png[Attack discovery detail view] + +[[attack-discovery-workflows]] +[discrete] +== Incorporate discoveries with other workflows + +There are several ways you can incorporate discoveries into your {elastic-sec} workflows: + +* Click an entity's name to open the user or host details flyout and view more details that may be relevant to your investigation. +* Hover over an entity's name to either add the entity to Timeline (image:images/icon-add-to-timeline.png[Add to timeline icon,17,18]) or copy its field name and value to the clipboard (image:images/icon-copy.png[Copy to clipboard icon,17,18]). +* Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a <>. This makes it easy to share the information with your team and other stakeholders. +* Click **Investigate in timeline** to explore the discovery in <>. +* Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow-up questions about the discovery or associated alerts. + +image::images/add-discovery-to-assistant.gif[Attack discovery view in AI Assistant] diff --git a/docs/attack-discovery/images/add-discovery-to-assistant.gif b/docs/attack-discovery/images/add-discovery-to-assistant.gif new file mode 100644 index 0000000000..11057cadb1 Binary files /dev/null and b/docs/attack-discovery/images/add-discovery-to-assistant.gif differ diff --git a/docs/attack-discovery/images/attack-discovery-full-card.png b/docs/attack-discovery/images/attack-discovery-full-card.png new file mode 100644 index 0000000000..81b9c1de69 Binary files /dev/null and b/docs/attack-discovery/images/attack-discovery-full-card.png differ diff --git a/docs/attack-discovery/images/icon-add-to-timeline.png b/docs/attack-discovery/images/icon-add-to-timeline.png new file mode 100644 index 0000000000..c01802253c Binary files /dev/null and b/docs/attack-discovery/images/icon-add-to-timeline.png differ diff --git a/docs/attack-discovery/images/icon-copy.png b/docs/attack-discovery/images/icon-copy.png new file mode 100644 index 0000000000..e0a53121d9 Binary files /dev/null and b/docs/attack-discovery/images/icon-copy.png differ diff --git a/docs/attack-discovery/images/select-model-empty-state.png b/docs/attack-discovery/images/select-model-empty-state.png new file mode 100644 index 0000000000..78608bbd21 Binary files /dev/null and b/docs/attack-discovery/images/select-model-empty-state.png differ diff --git a/docs/dashboards/images/data-qual-dash.png b/docs/dashboards/images/data-qual-dash.png index ae64e2c729..08c82a7b0e 100644 Binary files a/docs/dashboards/images/data-qual-dash.png and b/docs/dashboards/images/data-qual-dash.png differ diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 65cff813fa..d64655893d 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -20,6 +20,8 @@ include::getting-started/security-ui.asciidoc[] include::assistant/security-assistant.asciidoc[] +include::attack-discovery/attack-discovery.asciidoc[] + include::dashboards/dashboards-overview.asciidoc[] include::getting-started/explore-intro.asciidoc[]