From 44c56022e67f87a0075e87e6a491de3d2bb46f30 Mon Sep 17 00:00:00 2001
From: Benjamin Ironside Goldstein
<91905639+benironside@users.noreply.github.com>
Date: Mon, 10 Jun 2024 17:27:08 -0400
Subject: [PATCH 1/2] Adds a video demo to the AD docs (#5362)
* Adds a video to the AD doc
* Adds fix for 5631
(cherry picked from commit ea8158c07b9d3aeb29fc71938a8ae438f70ebdae)
# Conflicts:
# docs/serverless/attack-discovery/attack-discovery.mdx
---
.../attack-discovery.asciidoc | 20 ++++-
.../attack-discovery/attack-discovery.mdx | 76 +++++++++++++++++++
2 files changed, 93 insertions(+), 3 deletions(-)
create mode 100644 docs/serverless/attack-discovery/attack-discovery.mdx
diff --git a/docs/attack-discovery/attack-discovery.asciidoc b/docs/attack-discovery/attack-discovery.asciidoc
index c8a8ce2177..0be333f939 100644
--- a/docs/attack-discovery/attack-discovery.asciidoc
+++ b/docs/attack-discovery/attack-discovery.asciidoc
@@ -9,10 +9,24 @@
preview::["This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features."]
-NOTE: This feature is available starting with {elastic-sec} version 8.14.0.
-
Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.
+For a demo, refer to the following video.
+=======
+++++
+
+
+
+++++
+=======
+
This page describes:
* <>
@@ -38,7 +52,7 @@ image::images/select-model-empty-state.png[]
+
. Once you've selected a connector, click **Generate** to start the analysis.
-It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery only analyzes alerts from the past 24 hours.
+It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery is in technical preview and will only analyze opened and acknowleged alerts from the past 24 hours.
IMPORTANT: Attack discovery uses the same data anonymization settings as <>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.
diff --git a/docs/serverless/attack-discovery/attack-discovery.mdx b/docs/serverless/attack-discovery/attack-discovery.mdx
new file mode 100644
index 0000000000..339ff577a6
--- /dev/null
+++ b/docs/serverless/attack-discovery/attack-discovery.mdx
@@ -0,0 +1,76 @@
+---
+id: attackDiscovery
+slug: /serverless/security/attack-discovery
+title: Attack discovery
+description: Accelerate threat identification by triaging alerts with a large language model.
+tags: [ 'serverless', 'security', 'overview', 'LLM', 'artificial intelligence' ]
+status: in review
+---
+
+
+
+
+This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features.
+
+
+Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.
+
+For a demo, refer to the following video.
+
+
+This page describes:
+
+- How to start generating discoveries
+- What information each discovery includes
+- How you can interact with discoveries to enhance ((elastic-sec)) workflows
+
+
+
+## Generate discoveries
+
+When you access Attack discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack discovery uses the same LLM connectors as Elastic AI Assistant. To get started:
+
+1. Click the **Attack discovery** page from ((elastic-sec))'s navigation menu.
+
+2. Select an existing connector from the dropdown menu, or add a new one.
+
+
+While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3 Sonnet and Claude 3 Opus. In general, models with larger context windows are more effective for Attack discovery.
+
+
+
+
+3. Once you've selected a connector, click **Generate** to start the analysis.
+
+It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery is in technical preview and will only analyze opened and acknowleged alerts from the past 24 hours.
+
+
+
+Attack discovery uses the same data anonymization settings as Elastic AI Assistant. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.
+
+
+Once the analysis is complete, any threats it identifies appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack discovery process again with the most current alerts.
+
+
+## What information does each discovery include?
+
+Each discovery includes the following information describing the potential threat, generated by the connected LLM:
+
+- A descriptive title and a summary of the potential threat.
+- The number of associated alerts and which parts of the [MITRE ATT&CK matrix](https://attack.mitre.org/) they correspond to.
+- The implicated entities (users and hosts), and what suspicious activity was observed for each.
+
+
+
+
+## Incorporate discoveries with other workflows
+
+There are several ways you can incorporate discoveries into your ((elastic-sec)) workflows:
+
+- Click an entity's name to open the user or host details flyout and view more details that may be relevant to your investigation.
+- Hover over an entity's name to either add the entity to Timeline () or copy its field name and value to the clipboard ().
+- Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a case. This makes it easy to share the information with your team and other stakeholders.
+- Click **Investigate in timeline** to explore the discovery in Timeline.
+- Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow up questions about the discovery or associated alerts.
+
+
From 976422f14957f7df4d5c26ec7f5370887dc049ef Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 10 Jun 2024 21:28:40 +0000
Subject: [PATCH 2/2] Delete docs/serverless directory and its contents
---
.../attack-discovery/attack-discovery.mdx | 76 -------------------
1 file changed, 76 deletions(-)
delete mode 100644 docs/serverless/attack-discovery/attack-discovery.mdx
diff --git a/docs/serverless/attack-discovery/attack-discovery.mdx b/docs/serverless/attack-discovery/attack-discovery.mdx
deleted file mode 100644
index 339ff577a6..0000000000
--- a/docs/serverless/attack-discovery/attack-discovery.mdx
+++ /dev/null
@@ -1,76 +0,0 @@
----
-id: attackDiscovery
-slug: /serverless/security/attack-discovery
-title: Attack discovery
-description: Accelerate threat identification by triaging alerts with a large language model.
-tags: [ 'serverless', 'security', 'overview', 'LLM', 'artificial intelligence' ]
-status: in review
----
-
-
-
-
-This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features.
-
-
-Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.
-
-For a demo, refer to the following video.
-
-
-This page describes:
-
-- How to start generating discoveries
-- What information each discovery includes
-- How you can interact with discoveries to enhance ((elastic-sec)) workflows
-
-
-
-## Generate discoveries
-
-When you access Attack discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack discovery uses the same LLM connectors as Elastic AI Assistant. To get started:
-
-1. Click the **Attack discovery** page from ((elastic-sec))'s navigation menu.
-
-2. Select an existing connector from the dropdown menu, or add a new one.
-
-
-While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3 Sonnet and Claude 3 Opus. In general, models with larger context windows are more effective for Attack discovery.
-
-
-
-
-3. Once you've selected a connector, click **Generate** to start the analysis.
-
-It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery is in technical preview and will only analyze opened and acknowleged alerts from the past 24 hours.
-
-
-
-Attack discovery uses the same data anonymization settings as Elastic AI Assistant. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.
-
-
-Once the analysis is complete, any threats it identifies appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack discovery process again with the most current alerts.
-
-
-## What information does each discovery include?
-
-Each discovery includes the following information describing the potential threat, generated by the connected LLM:
-
-- A descriptive title and a summary of the potential threat.
-- The number of associated alerts and which parts of the [MITRE ATT&CK matrix](https://attack.mitre.org/) they correspond to.
-- The implicated entities (users and hosts), and what suspicious activity was observed for each.
-
-
-
-
-## Incorporate discoveries with other workflows
-
-There are several ways you can incorporate discoveries into your ((elastic-sec)) workflows:
-
-- Click an entity's name to open the user or host details flyout and view more details that may be relevant to your investigation.
-- Hover over an entity's name to either add the entity to Timeline () or copy its field name and value to the clipboard ().
-- Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a case. This makes it easy to share the information with your team and other stakeholders.
-- Click **Investigate in timeline** to explore the discovery in Timeline.
-- Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow up questions about the discovery or associated alerts.
-
-