Skip to content

Commit

Permalink
various minor updates (#5263) (#5267)
Browse files Browse the repository at this point in the history
(cherry picked from commit 64d7414)

Co-authored-by: Benjamin Ironside Goldstein <[email protected]>
  • Loading branch information
mergify[bot] and benironside authored May 29, 2024
1 parent dd23ce6 commit 5f8e2b0
Show file tree
Hide file tree
Showing 3 changed files with 13 additions and 11 deletions.
24 changes: 13 additions & 11 deletions docs/attack-discovery/attack-discovery.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -7,36 +7,38 @@
:frontmatter-tags-content-type: [overview]
:frontmatter-tags-user-goals: [get-started]

beta::[]
preview::["This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features."]

NOTE: This feature is available starting with {elastic-sec} version 8.14.0.

Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This makes the most of each security analyst's time, helps fight alert fatigue, and can reduce your mean time to respond.

NOTE: Attack discovery currently only analyzes alerts from the past 24 hours.
Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.

This page describes:

* <<attack-discovery-generate-discoveries, How to generate discoveries>>.
* <<attack-discovery-what-info, What information each discovery includes>>.
* <<attack-discovery-workflows, How you can interact with discoveries to enhance {elastic-sec} workflows>>.
* <<attack-discovery-generate-discoveries, How to generate discoveries>>
* <<attack-discovery-what-info, What information each discovery includes>>
* <<attack-discovery-workflows, How you can interact with discoveries to enhance {elastic-sec} workflows>>

[[attack-discovery-generate-discoveries]]
[discrete]
== Generate discoveries

To use Attack discovery:
When you access Attack discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack discovery uses the same LLM connectors as <<security-assistant>>. To get started:

. Click the **Attack discovery** page from {elastic-sec}'s navigation menu.
. When you open the page for the first time, you'll need to select an LLM connector before you can analyze alerts. Select an existing connector from the dropdown menu, or add a new one.
. Select an existing connector from the dropdown menu, or add a new one.
+
NOTE: Attack discovery uses the same LLM connectors as <<security-assistant, Elastic AI Assistant>>. If you've already configured one, you can use it here without further configuration. In general, models with larger context windows are more effective for Attack discovery.
.Recommended models
[sidebar]
--
While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3 Sonnet and Claude 3 Opus. In general, models with larger context windows are more effective for Attack discovery.
--
+
image::images/select-model-empty-state.png[]
+
. Once you've selected a connector, click **Generate** to start the analysis.

It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected.
It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery only analyzes alerts from the past 24 hours.

IMPORTANT: Attack discovery uses the same data anonymization settings as <<security-assistant, Elastic AI Assistant>>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.

Expand Down
Binary file modified docs/attack-discovery/images/add-discovery-to-assistant.gif
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file modified docs/attack-discovery/images/attack-discovery-full-card.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit 5f8e2b0

Please sign in to comment.