diff --git a/docs/assistant/ai-alert-triage.asciidoc b/docs/AI-for-security/ai-alert-triage.asciidoc similarity index 100% rename from docs/assistant/ai-alert-triage.asciidoc rename to docs/AI-for-security/ai-alert-triage.asciidoc diff --git a/docs/assistant/ai-esql-queries.asciidoc b/docs/AI-for-security/ai-esql-queries.asciidoc similarity index 100% rename from docs/assistant/ai-esql-queries.asciidoc rename to docs/AI-for-security/ai-esql-queries.asciidoc diff --git a/docs/AI-for-security/ai-for-security.asciidoc b/docs/AI-for-security/ai-for-security.asciidoc new file mode 100644 index 0000000000..0a08f8d4da --- /dev/null +++ b/docs/AI-for-security/ai-for-security.asciidoc @@ -0,0 +1,24 @@ +[[ai-for-security]] += AI for security + +:frontmatter-description: Learn to use AI capabilities in {elastic-sec}. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [overview] +:frontmatter-tags-user-goals: [get-started] + +You can use {elastic-sec}'s built-in AI tools to speed up your work and augment your team's capabilities. The pages in this section describe <>, which answers questions and enhances your workflows throughout {elastic-sec}, and <>, which speeds up the triage process by finding patterns and identifying attacks spanning multiple alerts. + +include::security-assistant.asciidoc[leveloffset=+1] +include::attack-discovery.asciidoc[leveloffset=+1] + +include::llm-connector-guides.asciidoc[leveloffset=+1] +include::azure-openai-setup.asciidoc[leveloffset=+2] +include::connect-to-bedrock.asciidoc[leveloffset=+2] +include::connect-to-openai.asciidoc[leveloffset=+2] + +include::ai-use-cases.asciidoc[leveloffset=+1] +include::ai-alert-triage.asciidoc[leveloffset=+2] +include::use-attack-discovery-ai-assistant-incident-reporting.asciidoc[leveloffset=+2] +include::ai-esql-queries.asciidoc[leveloffset=+2] + +include::llm-performance-matrix.asciidoc[leveloffset=+1] 
diff --git a/docs/AI-for-security/ai-use-cases.asciidoc b/docs/AI-for-security/ai-use-cases.asciidoc new file mode 100644 index 0000000000..5d73139ead --- /dev/null +++ b/docs/AI-for-security/ai-use-cases.asciidoc @@ -0,0 +1,10 @@ +[[assistant-use-cases]] += Use cases + +The guides in this section describe use cases for AI Assistant and Attack discovery. Refer to them for examples of each tool's individual capabilities and of what they can do together. + +* <> +* <> +* <> + +For general information, refer to <> or <>. \ No newline at end of file diff --git a/docs/attack-discovery/attack-discovery.asciidoc b/docs/AI-for-security/attack-discovery.asciidoc similarity index 100% rename from docs/attack-discovery/attack-discovery.asciidoc rename to docs/AI-for-security/attack-discovery.asciidoc diff --git a/docs/assistant/azure-openai-setup.asciidoc b/docs/AI-for-security/azure-openai-setup.asciidoc similarity index 100% rename from docs/assistant/azure-openai-setup.asciidoc rename to docs/AI-for-security/azure-openai-setup.asciidoc diff --git a/docs/assistant/connect-to-bedrock.asciidoc b/docs/AI-for-security/connect-to-bedrock.asciidoc similarity index 100% rename from docs/assistant/connect-to-bedrock.asciidoc rename to docs/AI-for-security/connect-to-bedrock.asciidoc diff --git a/docs/assistant/connect-to-openai.asciidoc b/docs/AI-for-security/connect-to-openai.asciidoc similarity index 100% rename from docs/assistant/connect-to-openai.asciidoc rename to docs/AI-for-security/connect-to-openai.asciidoc diff --git a/docs/assistant/images/add-alert-context.gif b/docs/AI-for-security/images/add-alert-context.gif similarity index 100% rename from docs/assistant/images/add-alert-context.gif rename to docs/AI-for-security/images/add-alert-context.gif 
diff --git a/docs/attack-discovery/images/add-discovery-to-assistant.gif b/docs/AI-for-security/images/add-discovery-to-assistant.gif similarity index 100% rename from docs/attack-discovery/images/add-discovery-to-assistant.gif rename to docs/AI-for-security/images/add-discovery-to-assistant.gif diff --git a/docs/assistant/images/ai-assistant-button.png b/docs/AI-for-security/images/ai-assistant-button.png similarity index 100% rename from docs/assistant/images/ai-assistant-button.png rename to docs/AI-for-security/images/ai-assistant-button.png diff --git a/docs/assistant/images/ai-triage-add-to-case.png b/docs/AI-for-security/images/ai-triage-add-to-case.png similarity index 100% rename from docs/assistant/images/ai-triage-add-to-case.png rename to docs/AI-for-security/images/ai-triage-add-to-case.png diff --git a/docs/assistant/images/assistant-anonymization-menu.png b/docs/AI-for-security/images/assistant-anonymization-menu.png similarity index 100% rename from docs/assistant/images/assistant-anonymization-menu.png rename to docs/AI-for-security/images/assistant-anonymization-menu.png diff --git a/docs/assistant/images/assistant-basic-view.png b/docs/AI-for-security/images/assistant-basic-view.png similarity index 100% rename from docs/assistant/images/assistant-basic-view.png rename to docs/AI-for-security/images/assistant-basic-view.png diff --git a/docs/assistant/images/assistant-settings-menu.png b/docs/AI-for-security/images/assistant-settings-menu.png similarity index 100% rename from docs/assistant/images/assistant-settings-menu.png rename to docs/AI-for-security/images/assistant-settings-menu.png diff --git a/docs/assistant/images/assistant.gif b/docs/AI-for-security/images/assistant.gif similarity index 100% rename from docs/assistant/images/assistant.gif rename to docs/AI-for-security/images/assistant.gif 
diff --git a/docs/attack-discovery/images/attack-discovery-full-card.png b/docs/AI-for-security/images/attack-discovery-full-card.png similarity index 100% rename from docs/attack-discovery/images/attack-discovery-full-card.png rename to docs/AI-for-security/images/attack-discovery-full-card.png diff --git a/docs/assistant/images/attck-disc-11-alerts-disc.png b/docs/AI-for-security/images/attck-disc-11-alerts-disc.png similarity index 100% rename from docs/assistant/images/attck-disc-11-alerts-disc.png rename to docs/AI-for-security/images/attck-disc-11-alerts-disc.png diff --git a/docs/assistant/images/attck-disc-esql-query-gen-example.png b/docs/AI-for-security/images/attck-disc-esql-query-gen-example.png similarity index 100% rename from docs/assistant/images/attck-disc-esql-query-gen-example.png rename to docs/AI-for-security/images/attck-disc-esql-query-gen-example.png diff --git a/docs/assistant/images/icon-add-note.png b/docs/AI-for-security/images/icon-add-note.png similarity index 100% rename from docs/assistant/images/icon-add-note.png rename to docs/AI-for-security/images/icon-add-note.png diff --git a/docs/assistant/images/icon-add-to-case.png b/docs/AI-for-security/images/icon-add-to-case.png similarity index 100% rename from docs/assistant/images/icon-add-to-case.png rename to docs/AI-for-security/images/icon-add-to-case.png diff --git a/docs/assistant/images/icon-add-to-timeline.png b/docs/AI-for-security/images/icon-add-to-timeline.png similarity index 100% rename from docs/assistant/images/icon-add-to-timeline.png rename to docs/AI-for-security/images/icon-add-to-timeline.png diff --git a/docs/assistant/images/icon-clear-red.png b/docs/AI-for-security/images/icon-clear-red.png similarity index 100% rename from docs/assistant/images/icon-clear-red.png rename to docs/AI-for-security/images/icon-clear-red.png 
diff --git a/docs/assistant/images/icon-copy.png b/docs/AI-for-security/images/icon-copy.png similarity index 100% rename from docs/assistant/images/icon-copy.png rename to docs/AI-for-security/images/icon-copy.png diff --git a/docs/assistant/images/icon-settings.png b/docs/AI-for-security/images/icon-settings.png similarity index 100% rename from docs/assistant/images/icon-settings.png rename to docs/AI-for-security/images/icon-settings.png diff --git a/docs/assistant/images/icon-system-prompt.png b/docs/AI-for-security/images/icon-system-prompt.png similarity index 100% rename from docs/assistant/images/icon-system-prompt.png rename to docs/AI-for-security/images/icon-system-prompt.png diff --git a/docs/assistant/images/knowledge-base-settings.png b/docs/AI-for-security/images/knowledge-base-settings.png similarity index 100% rename from docs/assistant/images/knowledge-base-settings.png rename to docs/AI-for-security/images/knowledge-base-settings.png diff --git a/docs/assistant/images/quick-prompts.png b/docs/AI-for-security/images/quick-prompts.png similarity index 100% rename from docs/assistant/images/quick-prompts.png rename to docs/AI-for-security/images/quick-prompts.png diff --git a/docs/attack-discovery/images/select-model-empty-state.png b/docs/AI-for-security/images/select-model-empty-state.png similarity index 100% rename from docs/attack-discovery/images/select-model-empty-state.png rename to docs/AI-for-security/images/select-model-empty-state.png diff --git a/docs/assistant/images/system-prompt.gif b/docs/AI-for-security/images/system-prompt.gif similarity index 100% rename from docs/assistant/images/system-prompt.gif rename to docs/AI-for-security/images/system-prompt.gif diff --git a/docs/assistant/llm-connector-guides.asciidoc b/docs/AI-for-security/llm-connector-guides.asciidoc similarity index 100% rename from docs/assistant/llm-connector-guides.asciidoc rename to docs/AI-for-security/llm-connector-guides.asciidoc 
diff --git a/docs/assistant/llm-performance-matrix.asciidoc b/docs/AI-for-security/llm-performance-matrix.asciidoc similarity index 100% rename from docs/assistant/llm-performance-matrix.asciidoc rename to docs/AI-for-security/llm-performance-matrix.asciidoc diff --git a/docs/assistant/security-assistant.asciidoc b/docs/AI-for-security/security-assistant.asciidoc similarity index 96% rename from docs/assistant/security-assistant.asciidoc rename to docs/AI-for-security/security-assistant.asciidoc index a5aaf2c4d7..503b0b837c 100644 --- a/docs/assistant/security-assistant.asciidoc +++ b/docs/AI-for-security/security-assistant.asciidoc @@ -189,14 +189,3 @@ In addition to practical advice, AI Assistant can offer conceptual advice, tips, * “I need to monitor for unusual file creation patterns that could indicate ransomware activity. How would I construct this query using EQL?” -include::assistant-use-cases.asciidoc[leveloffset=+1] -include::ai-alert-triage.asciidoc[leveloffset=+2] -include::use-attack-discovery-ai-assistant-incident-reporting.asciidoc[leveloffset=+2] -include::ai-esql-queries.asciidoc[leveloffset=+2] - -include::llm-connector-guides.asciidoc[leveloffset=+1] -include::azure-openai-setup.asciidoc[leveloffset=+2] -include::connect-to-openai.asciidoc[leveloffset=+2] -include::connect-to-bedrock.asciidoc[leveloffset=+2] - -include::llm-performance-matrix.asciidoc[leveloffset=+1] diff --git a/docs/assistant/use-attack-discovery-ai-assistant-incident-reporting.asciidoc b/docs/AI-for-security/use-attack-discovery-ai-assistant-incident-reporting.asciidoc similarity index 100% rename from docs/assistant/use-attack-discovery-ai-assistant-incident-reporting.asciidoc rename to docs/AI-for-security/use-attack-discovery-ai-assistant-incident-reporting.asciidoc diff --git a/docs/assistant/assistant-use-cases.asciidoc b/docs/assistant/assistant-use-cases.asciidoc deleted file mode 100644 index 5a92f80197..0000000000 
--- a/docs/assistant/assistant-use-cases.asciidoc +++ /dev/null @@ -1,10 +0,0 @@ -[[assistant-use-cases]] -= AI Assistant use cases - -Elastic AI Assistant's flexibility means you can use it for many different purposes. These topics describe some of the possible uses for AI Assistant within {elastic-sec}: - -* <> -* <> -* <> - -For general information about AI Assistant, refer to <>. \ No newline at end of file diff --git a/docs/attack-discovery/images/icon-add-to-timeline.png b/docs/attack-discovery/images/icon-add-to-timeline.png deleted file mode 100644 index c01802253c..0000000000 Binary files a/docs/attack-discovery/images/icon-add-to-timeline.png and /dev/null differ diff --git a/docs/attack-discovery/images/icon-copy.png b/docs/attack-discovery/images/icon-copy.png deleted file mode 100644 index e0a53121d9..0000000000 Binary files a/docs/attack-discovery/images/icon-copy.png and /dev/null differ diff --git a/docs/index.asciidoc b/docs/index.asciidoc index d64655893d..6791f36c90 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -18,9 +18,7 @@ include::getting-started/index.asciidoc[] include::getting-started/security-ui.asciidoc[] -include::assistant/security-assistant.asciidoc[] - -include::attack-discovery/attack-discovery.asciidoc[] +include::AI-for-security/ai-for-security.asciidoc[] include::dashboards/dashboards-overview.asciidoc[] diff --git a/docs/serverless/assistant/ai-assistant-alert-triage.mdx b/docs/serverless/assistant/ai-assistant-alert-triage.mdx index 3170433936..6251add6f9 100644 --- a/docs/serverless/assistant/ai-assistant-alert-triage.mdx +++ b/docs/serverless/assistant/ai-assistant-alert-triage.mdx 
@@ -34,6 +34,6 @@ Elastic AI Assistant can streamline the documentation and report generation proc * “Generate a summary of this incident/alert and include diagrams of events.” * “Provide more details on the mitigation strategies used.” -After you review the report, click **Add to existing case** at the top of AI Assistant's response. This allows you to save a record of the report and make it available to your team. n +After you review the report, click **Add to existing case** at the top of AI Assistant's response. This allows you to save a record of the report and make it available to your team. \ No newline at end of file diff --git a/docs/serverless/assistant/ai-assistant-esql-queries.mdx b/docs/serverless/assistant/ai-assistant-esql-queries.mdx index 95c7f95277..5fec9ca59f 100644 --- a/docs/serverless/assistant/ai-assistant-esql-queries.mdx +++ b/docs/serverless/assistant/ai-assistant-esql-queries.mdx @@ -8,7 +8,7 @@ status: in review Elastic AI Assistant can help you learn about and leverage the Elasticsearch Query Language (((esql))). -With AI Assistant's enabled, AI Assistant benefits from specialized training data that enables it to answer questions related to ((esql)) at an expert level. +With AI Assistant's enabled, AI Assistant benefits from specialized training data that enables it to answer questions related to ((esql)) at an expert level. AI Assistant can help with ((esql)) in many ways, including: diff --git a/docs/serverless/assistant/llm-connector-guides.mdx b/docs/serverless/assistant/llm-connector-guides.mdx index 17063204de..fcdedd575a 100644 --- a/docs/serverless/assistant/llm-connector-guides.mdx +++ b/docs/serverless/assistant/llm-connector-guides.mdx @@ -13,4 +13,5 @@ Setup guides are available for the following LLM providers: * * * -* \ No newline at end of file +* + 
diff --git a/docs/serverless/assistant/usecase-attack-disc-ai-assistant-incident-reporting.mdx b/docs/serverless/assistant/usecase-attack-disc-ai-assistant-incident-reporting.mdx index 29f4aecaae..b9104ee812 100644 --- a/docs/serverless/assistant/usecase-attack-disc-ai-assistant-incident-reporting.mdx +++ b/docs/serverless/assistant/usecase-attack-disc-ai-assistant-incident-reporting.mdx @@ -20,7 +20,7 @@ In this guide, you'll learn how to: ## Use Attack discovery to identify threats Attack discovery can detect a wide range of threats by finding relationships among alerts that may indicate a coordinated attack. This enables you to comprehend how threats move through and affect your systems. Attack discovery generates a detailed summary of each potential threat, which can serve as the basis for further analysis. Learn how to . - + In the example above, Attack discovery found connections between eleven alerts, and used them to identify and describe an attack chain. @@ -33,9 +33,10 @@ From a discovery on the Attack discovery page, click **View in AI Assistant** to AI Assistant can quickly compile essential data and provide suggestions to help you generate an incident report and plan an effective response. You can ask it to provide relevant data or answer questions, such as “How can I remediate this threat?” or “What ((esql)) query would isolate actions taken by this user?” - -The image above shows an ((esql)) query generated by AI Assistant in response to a user prompt. Learn more about . + + +The image above shows an ((esql)) query generated by AI Assistant in response to a user prompt. Learn more about . At any point in a conversation with AI Assistant, you can add data, narrative summaries, and other information from its responses to ((elastic-sec))'s case management system to generate incident reports. 
@@ -53,5 +54,5 @@ AI Assistant can translate its findings into other human languages, helping to e After AI Assistant provides information in one language, you can ask it to translate its responses. For example, if it provides remediation steps for an incident, you can instruct it to “Translate these remediation steps into Japanese.” You can then add the translated output to a case. This can help team members receive the same information and insights regardless of their primary language. -NOTE: In our internal testing, AI Assistant translations preserved the accuracy of the original content. However, all LLMs can make mistakes, so use caution. +In our internal testing, AI Assistant translations preserved the accuracy of the original content. However, all LLMs can make mistakes, so use caution. diff --git a/docs/serverless/endpoint-response-actions/response-actions.mdx b/docs/serverless/endpoint-response-actions/response-actions.mdx index cae21136ac..0229a22c5e 100644 --- a/docs/serverless/endpoint-response-actions/response-actions.mdx +++ b/docs/serverless/endpoint-response-actions/response-actions.mdx @@ -106,10 +106,17 @@ Required role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations ana Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` +
### `get-file` Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. + +Files retrieved from third-party-protected hosts require a different password. Refer to the following: + +- SentinelOne response actions + + You must include the following parameter to specify the file's location on the host: * `--path` : The file's full path (including the file name). diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.mdx b/docs/serverless/endpoint-response-actions/third-party-actions.mdx index b12d4d04b5..f2874aece6 100644 --- a/docs/serverless/endpoint-response-actions/third-party-actions.mdx +++ b/docs/serverless/endpoint-response-actions/third-party-actions.mdx @@ -13,6 +13,12 @@ tags: ["serverless","security","defend","reference","manage"] You can direct SentinelOne to perform response actions on protected hosts without leaving the ((elastic-sec)) UI. Prior configuration is required to connect ((elastic-sec)) with SentinelOne. + + +Third-party response actions require the Endpoint Protection Complete , and each response action type has its own user role privilege requirements. Refer to for more information. + + + The following response actions and related features are supported for SentinelOne-protected hosts: - **Isolate and release a host** using any of these methods: @@ -21,4 +27,9 @@ The following response actions and related features are supported for SentinelOn Refer to the instructions on isolating and releasing hosts for more details. +- **Retrieve a file from a host** with the `get-file` response action. + + For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file. + + - **View past response action activity** in the response actions history log.
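Review bot: In the new `docs/AI-for-security/ai-for-security.asciidoc`, the connector guide includes are ordered `azure-openai-setup`, `connect-to-bedrock`, `connect-to-openai`, while the block removed from `security-assistant.asciidoc` had `connect-to-openai` before `connect-to-bedrock`; if the reordering is not intentional, keep the original order so the rendered navigation does not change as a side effect of the move. Also confirm that the cross-reference targets in the intro paragraph (shown here as bare `<>`) survived the move.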
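Review bot: The new `docs/AI-for-security/ai-use-cases.asciidoc` is committed without a trailing newline (`\ No newline at end of file`); add one so it matches the other new AsciiDoc sources. Reusing the `[[assistant-use-cases]]` anchor from the deleted `assistant-use-cases.asciidoc` keeps existing links working, but the heading changed from "AI Assistant use cases" to "Use cases", so any text that refers to the old title should be updated as well.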
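Review bot: The hunk in `docs/serverless/assistant/ai-assistant-alert-triage.mdx` correctly removes the stray trailing `n` after "available to your team.", but the replacement line is marked `\ No newline at end of file`; restore the final newline so the fix does not trade one artifact for another.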
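Review bot: In `docs/serverless/assistant/ai-assistant-esql-queries.mdx` the removed and added lines read identically in this view ("With AI Assistant's enabled, AI Assistant benefits from specialized training data..."), so the change is presumably whitespace only. While touching this line, complete the phrase "With AI Assistant's enabled", which is missing the noun after the possessive, and consider "it benefits from" to avoid repeating "AI Assistant" twice in one sentence.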
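Review bot: The last hunk in `usecase-attack-disc-ai-assistant-incident-reporting.mdx` drops the `NOTE:` prefix from "In our internal testing, AI Assistant translations preserved the accuracy of the original content. However, all LLMs can make mistakes, so use caution." If that sentence is not being wrapped in an MDX callout component (none is visible in this diff), it now renders as plain body text and the caution about LLM errors loses its admonition styling; confirm the callout markup is present.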
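Review bot: The `get-file` bullet added to `docs/serverless/endpoint-response-actions/third-party-actions.mdx` gives the archive password `Elastic@123` but, unlike the `get-file` section in `response-actions.mdx` ("Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment."), it does not say why the archive is password-protected or that it should only be opened in a safe environment; add that sentence or a link back to the `get-file` section so the SentinelOne guidance carries the same handling caveat. Separately, the new tier note reads "require the Endpoint Protection Complete , and each response action type" (space before the comma) and "Refer to for more information." with no target; if these are MDX link components elided by the diff view, ignore, otherwise fill them in.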