Skip to content

Commit

Permalink
Merge branch 'main' into issue-6038-alerts-bugs
Browse files Browse the repository at this point in the history
  • Loading branch information
nastasha-solomon authored Dec 5, 2024
2 parents 04dad4f + bb61132 commit 7652062
Show file tree
Hide file tree
Showing 3 changed files with 62 additions and 98 deletions.
15 changes: 8 additions & 7 deletions docs/AI-for-security/llm-performance-matrix.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,14 @@

This table describes the performance of various large language models (LLMs) for different use cases in {elastic-sec}, based on our internal testing. To learn more about these use cases, refer to <<attack-discovery, Attack discovery>> or <<security-assistant, AI Assistant>>.

[cols="1,1,1,1,1,1,1,1", options="header"]
[cols="1,1,1,1,1,1,1,1,1,1", options="header"]
|===
| *Feature* | *Model* | | | | | |
| | *Claude 3: Opus* | *Claude 3.5: Sonnet* | *Claude 3: Haiku* | *GPT-4o* | *GPT-4 Turbo* | **Gemini 1.5 Pro ** | **Gemini 1.5 Flash**
| *Assistant - General* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent
| *Assistant - {esql} generation*| Great | Great | Poor | Excellent | Poor | Good | Poor
| *Assistant - Alert questions* | Excellent | Excellent | Excellent | Excellent | Poor | Excellent | Good
| *Attack discovery* | Excellent | Excellent | Poor | Poor | Good | Great | Poor
| *Feature* | *Model* | | | | | | | |
| | *Claude 3: Opus*| *Claude 3.5: Sonnet v2* | *Claude 3.5: Sonnet* | *Claude 3.5: Haiku*| *Claude 3: Haiku* | *GPT-4o* | *GPT-4o-mini* | **Gemini 1.5 Pro 002** | **Gemini 1.5 Flash 002**
| *Assistant - General* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent
| *Assistant - {esql} generation*| Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Poor
| *Assistant - Alert questions* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Good
| *Assistant - Knowledge retrieval* | Good | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Excellent
| *Attack Discovery* | Great | Great | Excellent | Poor | Poor | Great | Poor | Excellent | Poor
|===

56 changes: 10 additions & 46 deletions docs/serverless/AI-for-security/llm-performance-matrix.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -6,51 +6,15 @@

This table describes the performance of various large language models (LLMs) for different use cases in {elastic-sec}, based on our internal testing. To learn more about these use cases, refer to <<attack-discovery,Attack Discovery>> or <<security-ai-assistant,AI Assistant>>.

|===
| **Feature**| **Model**| | | | | |

|
| **Claude 3: Opus**
| **Claude 3.5: Sonnet**
| **Claude 3: Haiku**
| **GPT-4o**
| **GPT-4 Turbo**
| **Gemini 1.5 Pro**
| **Gemini 1.5 Flash**

| **Assistant: general**
| Excellent
| Excellent
| Excellent
| Excellent
| Excellent
| Excellent
| Excellent

| **Assistant: {esql} generation**
| Great
| Great
| Poor
| Excellent
| Poor
| Good
| Poor

| **Assistant: alert questions**
| Excellent
| Excellent
| Excellent
| Excellent
| Poor
| Excellent
| Good

| **Attack discovery**
| Excellent
| Excellent
| Poor
| Poor
| Good
| Great
| Poor
[cols="1,1,1,1,1,1,1,1,1,1", options="header"]
|===
| *Feature* | *Model* | | | | | | | |
| | *Claude 3: Opus*| *Claude 3.5: Sonnet v2* | *Claude 3.5: Sonnet* | *Claude 3.5: Haiku*| *Claude 3: Haiku* | *GPT-4o* | *GPT-4o-mini* | **Gemini 1.5 Pro 002** | **Gemini 1.5 Flash 002**
| *Assistant - General* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent
| *Assistant - {esql} generation*| Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Poor
| *Assistant - Alert questions* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Good
| *Assistant - Knowledge retrieval* | Good | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Excellent
| *Attack Discovery* | Great | Great | Excellent | Poor | Poor | Great | Poor | Excellent | Poor
|===

89 changes: 44 additions & 45 deletions docs/serverless/rules/rules-ui-create.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -26,43 +26,6 @@ To create a new detection rule, follow these steps:
At any step, you can <<preview-rules,preview the rule>> before saving it to see what kind of results you can expect.
====

[discrete]
[[create-ml-rule]]
== Create a machine learning rule

[IMPORTANT]
====
To create or edit {ml} rules, you need an appropriate user role. Additionally, the selected {ml} job must be running for the rule to function correctly.
====

. Go to **Rules** → **Detection rules (SIEM)** → **Create new rule**. The **Create new rule** page displays.
. To create a rule based on a {ml} anomaly threshold, select **Machine Learning**,
then select:
+
.. The required {ml} jobs.
+
[NOTE]
====
If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule.
====
.. The anomaly score threshold above which alerts are created.
. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <<security-alert-suppression,Suppress detection alerts>> for more information.
+
[NOTE]
====
Because {ml} rules generate alerts from anomalies, which don't contain source event fields, you can only use anomaly fields when configuring alert suppression.
====
+
////
/* The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too. */
////
. (Optional) Add **Related integrations** to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
+
.. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org/[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
. Click **Continue** to <<rule-ui-basic-params,configure basic rule settings>>.

[discrete]
[[create-custom-rule]]
== Create a custom query rule
Expand All @@ -89,7 +52,7 @@ copies.
+
[role="screenshot"]
image::images/rules-ui-create/-detections-rule-query-example.png[Rule query example]
.. You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
.. You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
+
When you use a saved query, the **Load saved query "_query name_" dynamically on each rule execution** check box appears:
+
Expand All @@ -112,6 +75,43 @@ in these steps or sub-steps, apply the change to the other rule types, too. */
.. Enter the version of the integration you want to associate with the rule, using https://semver.org/[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
. Click **Continue** to <<rule-ui-basic-params,configure basic rule settings>>.

[discrete]
[[create-ml-rule]]
== Create a machine learning rule

[IMPORTANT]
====
To create or edit {ml} rules, you need an appropriate user role. Additionally, the selected {ml} job must be running for the rule to function correctly.
====

. Go to **Rules** → **Detection rules (SIEM)** → **Create new rule**. The **Create new rule** page displays.
. To create a rule based on a {ml} anomaly threshold, select **Machine Learning**,
then select:
+
.. The required {ml} jobs.
+
[NOTE]
====
If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule.
====
.. The anomaly score threshold above which alerts are created.
. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <<security-alert-suppression,Suppress detection alerts>> for more information.
+
[NOTE]
====
Because {ml} rules generate alerts from anomalies, which don't contain source event fields, you can only use anomaly fields when configuring alert suppression.
====
+
////
/* The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too. */
////
. (Optional) Add **Related integrations** to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
+
.. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org/[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
. Click **Continue** to <<rule-ui-basic-params,configure basic rule settings>>.

[discrete]
[[create-threshold-rule]]
== Create a threshold rule
Expand All @@ -125,7 +125,7 @@ alerts.
+
[NOTE]
====
You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
====
.. Use the **Group by** and **Threshold** fields to determine which source event field is used as a threshold and the threshold's value.
.. Use the **Count** field to limit alerts by cardinality of a certain field.
Expand Down Expand Up @@ -245,7 +245,7 @@ wildcard expression: `*:*`.
+
[NOTE]
====
You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
====
.. **Indicator index patterns**: The indicator index patterns containing field values for which you want to generate alerts. This field is automatically populated with indices specified in the `securitySolution:defaultThreatIndex` advanced setting. For more information, see <<update-threat-intel-indices,Update default Elastic Security threat intelligence indices>>.
+
Expand Down Expand Up @@ -280,8 +280,7 @@ image::images/rules-ui-create/-detections-indicator-rule-example.png[Indicator m
+
[TIP]
====
Before you create rules, create <<security-timelines-ui,Timeline templates>> so
they can be selected here. When alerts generated by the rule are investigated in the Timeline, Timeline query values are replaced with their corresponding alert field values.
Before you create rules, create <<security-timeline-templates-ui,Timeline templates>> so you can select them under **Timeline template** at the end of the **Define rule** section. When alerts generated by the rule are investigated in the Timeline, Timeline query values are replaced with their corresponding alert field values.
====
. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <<security-alert-suppression,Suppress detection alerts>> for more information.
+
Expand Down Expand Up @@ -340,7 +339,7 @@ alerts.
+
[NOTE]
====
You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
====
.. Use the **Fields** menu to select a field to check for new terms. You can also select up to three fields to detect a combination of new terms (for example, a `host.ip` and `host.id` that have never been observed together before).
+
Expand Down Expand Up @@ -660,7 +659,7 @@ run exactly at its scheduled time.
. Click **Continue**. The **Rule actions** pane is displayed.
. Do either of the following:
+
** Continue onto <<security-rules-create,setting up alert notifications>> and <<rule-response-action,Response Actions>> (optional).
** Continue onto <<rule-notifications,setting up alert notifications>> and <<rule-response-action,Response Actions>> (optional).
** Create the rule (with or without activation).

[discrete]
Expand All @@ -680,7 +679,7 @@ To use actions for alert notifications, you need the appropriate user role. For
====
Each action type requires a connector. Connectors store the
information required to send the notification from the external system. You can
configure connectors while creating the rule or in **Project settings** → **Management** → **{connectors-ui}**. For more
configure connectors while creating the rule or in **Project settings** → **Stack Management** → **{connectors-ui}**. For more
information, see {kibana-ref}/action-types.html[Action and connector types].
Some connectors that perform actions require less configuration. For example, you do not need to set the action frequency or variables for the {kibana-ref}/cases-action-type.html[Cases connector].
Expand Down

0 comments on commit 7652062

Please sign in to comment.