diff --git a/docs/AI-for-security/llm-performance-matrix.asciidoc b/docs/AI-for-security/llm-performance-matrix.asciidoc index 9cf6998a87..c8f9e845c3 100644 --- a/docs/AI-for-security/llm-performance-matrix.asciidoc +++ b/docs/AI-for-security/llm-performance-matrix.asciidoc 
@@ -3,13 +3,14 @@ This table describes the performance of various large language models (LLMs) for different use cases in {elastic-sec}, based on our internal testing. To learn more about these use cases, refer to <> or <>. -[cols="1,1,1,1,1,1,1,1", options="header"] +[cols="1,1,1,1,1,1,1,1,1,1", options="header"] |=== -| *Feature* | *Model* | | | | | | -| | *Claude 3: Opus* | *Claude 3.5: Sonnet* | *Claude 3: Haiku* | *GPT-4o* | *GPT-4 Turbo* | **Gemini 1.5 Pro ** | **Gemini 1.5 Flash** -| *Assistant - General* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent -| *Assistant - {esql} generation*| Great | Great | Poor | Excellent | Poor | Good | Poor -| *Assistant - Alert questions* | Excellent | Excellent | Excellent | Excellent | Poor | Excellent | Good -| *Attack discovery* | Excellent | Excellent | Poor | Poor | Good | Great | Poor +| *Feature* | *Model* | | | | | | | | +| | *Claude 3: Opus*| *Claude 3.5: Sonnet v2* | *Claude 3.5: Sonnet* | *Claude 3.5: Haiku*| *Claude 3: Haiku* | *GPT-4o* | *GPT-4o-mini* | **Gemini 1.5 Pro 002** | **Gemini 1.5 Flash 002** +| *Assistant - General* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent +| *Assistant - {esql} generation*| Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Poor +| *Assistant - Alert questions* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Good +| *Assistant - Knowledge retrieval* | Good | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Excellent +| *Attack Discovery* | Great | Great | Excellent | Poor | Poor | Great | Poor | Excellent | Poor |=== \ No newline at end of file diff --git a/docs/serverless/AI-for-security/llm-performance-matrix.asciidoc b/docs/serverless/AI-for-security/llm-performance-matrix.asciidoc index 3dafe9f8c1..193ea061ef 100644 
--- a/docs/serverless/AI-for-security/llm-performance-matrix.asciidoc +++ b/docs/serverless/AI-for-security/llm-performance-matrix.asciidoc @@ -6,51 +6,15 @@ This table describes the performance of various large language models (LLMs) for different use cases in {elastic-sec}, based on our internal testing. To learn more about these use cases, refer to <> or <>. -|=== -| **Feature**| **Model**| | | | | | - -| -| **Claude 3: Opus** -| **Claude 3.5: Sonnet** -| **Claude 3: Haiku** -| **GPT-4o** -| **GPT-4 Turbo** -| **Gemini 1.5 Pro** -| **Gemini 1.5 Flash** - -| **Assistant: general** -| Excellent -| Excellent -| Excellent -| Excellent -| Excellent -| Excellent -| Excellent -| **Assistant: {esql} generation** -| Great -| Great -| Poor -| Excellent -| Poor -| Good -| Poor - -| **Assistant: alert questions** -| Excellent -| Excellent -| Excellent -| Excellent -| Poor -| Excellent -| Good - -| **Attack discovery** -| Excellent -| Excellent -| Poor -| Poor -| Good -| Great -| Poor +[cols="1,1,1,1,1,1,1,1,1,1", options="header"] +|=== +| *Feature* | *Model* | | | | | | | | +| | *Claude 3: Opus*| *Claude 3.5: Sonnet v2* | *Claude 3.5: Sonnet* | *Claude 3.5: Haiku*| *Claude 3: Haiku* | *GPT-4o* | *GPT-4o-mini* | **Gemini 1.5 Pro 002** | **Gemini 1.5 Flash 002** +| *Assistant - General* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent +| *Assistant - {esql} generation*| Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Poor +| *Assistant - Alert questions* | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Good +| *Assistant - Knowledge retrieval* | Good | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent | Excellent +| *Attack Discovery* | Great | Great | Excellent | Poor | Poor | Great | Poor | Excellent | Poor |=== + \ No newline at end of file 
diff --git a/docs/serverless/rules/rules-ui-create.asciidoc b/docs/serverless/rules/rules-ui-create.asciidoc index a1391fa086..beb1cc8e9f 100644 --- a/docs/serverless/rules/rules-ui-create.asciidoc +++ b/docs/serverless/rules/rules-ui-create.asciidoc 
@@ -26,43 +26,6 @@ To create a new detection rule, follow these steps: At any step, you can <> before saving it to see what kind of results you can expect. ==== -[discrete] -[[create-ml-rule]] -== Create a machine learning rule - -[IMPORTANT] -==== -To create or edit {ml} rules, you need an appropriate user role. Additionally, the selected {ml} job must be running for the rule to function correctly. -==== - -. Go to **Rules** → **Detection rules (SIEM)** → **Create new rule**. The **Create new rule** page displays. -. To create a rule based on a {ml} anomaly threshold, select **Machine Learning**, -then select: -+ -.. The required {ml} jobs. -+ -[NOTE] -==== -If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule. -==== -.. The anomaly score threshold above which alerts are created. -. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. -+ -[NOTE] -==== -Because {ml} rules generate alerts from anomalies, which don't contain source event fields, you can only use anomaly fields when configuring alert suppression. -==== -+ -//// -/* The following steps are repeated across multiple rule types. If you change anything -in these steps or sub-steps, apply the change to the other rule types, too. */ -//// -. (Optional) Add **Related integrations** to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <> when viewing the rule. -+ -.. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster. -.. Enter the version of the integration you want to associate with the rule, using https://semver.org/[semantic versioning]. For version ranges, you must use tilde or caret syntax. 
For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. -. Click **Continue** to <>. - [discrete] [[create-custom-rule]] == Create a custom query rule @@ -89,7 +52,7 @@ copies. + [role="screenshot"] image::images/rules-ui-create/-detections-rule-query-example.png[Rule query example] -.. You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions. +.. You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions. + When you use a saved query, the **Load saved query "_query name_" dynamically on each rule execution** check box appears: + 
@@ -112,6 +75,43 @@ in these steps or sub-steps, apply the change to the other rule types, too. */ .. Enter the version of the integration you want to associate with the rule, using https://semver.org/[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. . Click **Continue** to <>. +[discrete] +[[create-ml-rule]] +== Create a machine learning rule + +[IMPORTANT] +==== +To create or edit {ml} rules, you need an appropriate user role. Additionally, the selected {ml} job must be running for the rule to function correctly. +==== + +. Go to **Rules** → **Detection rules (SIEM)** → **Create new rule**. The **Create new rule** page displays. +. To create a rule based on a {ml} anomaly threshold, select **Machine Learning**, +then select: ++ +.. The required {ml} jobs. ++ +[NOTE] +==== +If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule. +==== +.. The anomaly score threshold above which alerts are created. +. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ +[NOTE] +==== +Because {ml} rules generate alerts from anomalies, which don't contain source event fields, you can only use anomaly fields when configuring alert suppression. +==== ++ +//// +/* The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. */ +//// +. (Optional) Add **Related integrations** to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <> when viewing the rule. ++ +.. 
Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster. +.. Enter the version of the integration you want to associate with the rule, using https://semver.org/[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. +. Click **Continue** to <>. + [discrete] [[create-threshold-rule]] == Create a threshold rule @@ -125,7 +125,7 @@ alerts. + [NOTE] ==== -You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions. +You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions. ==== .. Use the **Group by** and **Threshold** fields to determine which source event field is used as a threshold and the threshold's value. .. Use the **Count** field to limit alerts by cardinality of a certain field. @@ -245,7 +245,7 @@ wildcard expression: `*:*`. + [NOTE] ==== -You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions. +You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions. ==== .. **Indicator index patterns**: The indicator index patterns containing field values for which you want to generate alerts. This field is automatically populated with indices specified in the `securitySolution:defaultThreatIndex` advanced setting. For more information, see <>. + 
@@ -280,8 +280,7 @@ image::images/rules-ui-create/-detections-indicator-rule-example.png[Indicator m + [TIP] ==== -Before you create rules, create <> so -they can be selected here. When alerts generated by the rule are investigated in the Timeline, Timeline query values are replaced with their corresponding alert field values. +Before you create rules, create <> so you can select them under **Timeline template** at the end of the **Define rule** section. When alerts generated by the rule are investigated in the Timeline, Timeline query values are replaced with their corresponding alert field values. ==== . (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. + @@ -340,7 +339,7 @@ alerts. + [NOTE] ==== -You can use saved queries (image:images/icons/filterInCircle.svg[Filter]) and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions. +You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions. ==== .. Use the **Fields** menu to select a field to check for new terms. You can also select up to three fields to detect a combination of new terms (for example, a `host.ip` and `host.id` that have never been observed together before). + @@ -660,7 +659,7 @@ run exactly at its scheduled time. . Click **Continue**. The **Rule actions** pane is displayed. . Do either of the following: + -** Continue onto <> and <> (optional). +** Continue onto <> and <> (optional). ** Create the rule (with or without activation). [discrete] 
@@ -680,7 +679,7 @@ To use actions for alert notifications, you need the appropriate user role. For ==== Each action type requires a connector. Connectors store the information required to send the notification from the external system. You can -configure connectors while creating the rule or in **Project settings** → **Management** → **{connectors-ui}**. For more +configure connectors while creating the rule or in **Project settings** → **Stack Management** → **{connectors-ui}**. For more information, see {kibana-ref}/action-types.html[Action and connector types]. Some connectors that perform actions require less configuration. For example, you do not need to set the action frequency or variables for the {kibana-ref}/cases-action-type.html[Cases connector].
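Review bot: the model-name row of the new table (hunk at -3,13 in docs/AI-for-security/llm-performance-matrix.asciidoc) mixes single-asterisk bold (`*Claude 3: Opus*`) with double-asterisk bold (`**Gemini 1.5 Pro 002**`) and drops the space before `|` after `*Claude 3: Opus*` and `*Claude 3.5: Haiku*`; use `*...*` and ` | ` uniformly so every cell is delimited the same way. Note also that `options="header"` only styles the first row (`*Feature* | *Model* | ...`, which is otherwise empty), so the row that actually names the models renders as a body row; consider putting the model names in the header row. The cell count (10) matches the updated `cols="1,1,1,1,1,1,1,1,1,1"` in every row, so the table structure itself is sound.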
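Review bot: the added empty `+` line immediately before `\ No newline at end of file` at the end of docs/serverless/AI-for-security/llm-performance-matrix.asciidoc (hunk at -6,51) is a whitespace-only final line with no terminating newline; drop it and end the file with a newline after `|===`. Since both pages now carry a byte-identical table, consider moving it to a shared include so the two copies cannot drift the next time a model is added or re-rated.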
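Review bot: the `== Create a machine learning rule` block removed in the hunk at -26,43 and re-added in the hunk at -112,6 is moved text, not a content change; please state the reason for reordering the rule types in the PR description and confirm no surrounding text assumes the old order. Reviewing with `git diff --color-moved` makes it easy to confirm the two blocks are identical, including the `////` comment reminding editors that the Related integrations steps are duplicated across rule types.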
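Review bot: the four hunks (-89,7, -125,7, -245,7 and -340,7) that drop `image:images/icons/filterInCircle.svg[Filter]` from the saved-query sentence are consistent with one another; check whether `images/icons/filterInCircle.svg` is still referenced elsewhere in the docs tree and remove the asset if this was its last use, so the build does not carry an orphaned icon.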
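Review bot: in the hunk at -660,7 the removed and added `** Continue onto <> and <> (optional).` lines read identically here because the cross-reference targets inside `<>` did not survive; confirm that the anchor ids in the new targets exist and that the build resolves both links.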
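Review bot: the hunk at -680,7 changes the navigation path in a serverless page (docs/serverless/rules/rules-ui-create.asciidoc) from **Project settings** → **Management** to **Project settings** → **Stack Management**; "Stack Management" is the self-managed/ESS menu label, while the pre-change "Management" matches the serverless convention used by the rest of this page. Please verify against the current serverless UI before landing this, and if the label really did change, apply it to the other serverless pages that document the same path.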