[8.11] Adds new page about triaging alerts with AI Assistant (backport …

…#4359) (#4565) * Adds new page about triaging alerts with AI Assistant (#4359) * Adds new page about triaging alerts with AI Assistant * troubleshoots ToC * troubleshoots build error * updates section title * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: Nastasha Solomon <[email protected]> * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: Nastasha Solomon <[email protected]> * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: Nastasha Solomon <[email protected]> * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: Nastasha Solomon <[email protected]> * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: Nastasha Solomon <[email protected]> * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: Nastasha Solomon <[email protected]> * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: Nastasha Solomon <[email protected]> * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: Nastasha Solomon <[email protected]> * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: Nastasha Solomon <[email protected]> * Incorporates rest of Nastasha's feedback * save work * updates triage page with RAG for alerts info * fixes anchor tag * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: natasha-moore-elastic <[email protected]> * Update docs/assistant/ai-alert-triage.asciidoc Co-authored-by: natasha-moore-elastic <[email protected]> * Update docs/assistant/ai-alert-triage.asciidoc * Update docs/assistant/ai-alert-triage.asciidoc --------- Co-authored-by: Nastasha Solomon <[email protected]> Co-authored-by: natasha-moore-elastic <[email protected]> (cherry picked from commit b930aa6) * removes part from 8.11 that doesn't apply until 8.12 * fix merge conflict --------- Co-authored-by: Benjamin Ironside Goldstein <[email protected]> Co-authored-by: Benjamin Ironside Goldstein <[email protected]>
elastic · Jan 9, 2024 · 8b1d65a · 8b1d65a
1 parent 49831d3
commit 8b1d65a
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 1 deletion.
diff --git a/docs/assistant/ai-alert-triage.asciidoc b/docs/assistant/ai-alert-triage.asciidoc
@@ -0,0 +1,36 @@
+[[assistant-triage]]
+= Triage alerts with Elastic AI Assistant
+Elastic AI Assistant can help you enhance and streamline your alert triage workflows by assessing multiple recent alerts in your environment, and helping you interpret an alert and its context. 
+
+When you view an alert in {elastic-sec}, details such as related documents, hosts, and users appear alongside a synopsis of the events that triggered the alert. This data provides a starting point for understanding a potential threat. AI Assistant can answer questions about this data and offer insights and actionable recommendations to remediate the issue.
+
+[[ai-assistant-triage-alerts-instructions]]
+[discrete]
+== Use AI Assistant to triage an alert
+Once you have chosen an alert to investigate:
+
+. Click its **View details** button from the Alerts table.
+. In the alert details flyout, click **Chat** to launch the AI assistant. Data related to the selected alert is automatically added to the prompt. 
+. Click **Alert (from summary)** to view which alert fields will be shared with AI Assistant.
++
+NOTE: For more information about selecting which fields to send, and to learn about anonymizing your data, refer to <<security-assistant, AI Assistant>>.
++
+. (Optional) Click a quick prompt to use it as a starting point for your query, for example **Alert summarization**. Improve the quality of AI Assistant's response by customizing the prompt and adding detail. 
++
+Once you’ve submitted your query, AI Assistant will process the information and provide a detailed response. Depending on your prompt and the alert data that you included, its response can include a thorough analysis of the alert that highlights key elements such as the nature of the potential threat, potential impact, and suggested response actions.
++
+. (Optional) Ask AI Assistant follow-up questions, provide additional information for further analysis, and request clarification. The response is not a static report.
+
+[discrete]
+[[ai-triage-reportgen]]
+== Generate triage reports
+Elastic AI Assistant can streamline the documentation and report generation process by providing clear records of security incidents, their scope and impact, and your remediation efforts. You can use AI Assistant to create summaries or reports for stakeholders that include key event details, findings, and diagrams. Once the AI Assistant has finished analyzing one or more alerts, you can generate reports by using prompts such as:
+
+* “Generate a detailed report about this incident including timeline, impact analysis, and response actions. Also, include a diagram of events.”
+* “Generate a summary of this incident/alert and include diagrams of events.”
+* “Provide more details on the mitigation strategies used.”
+
+After you review the report, click **Add to existing case** at the top of AI Assistant's response. This allows you to save a record of the report and make it available to your team.
+
+[role="screenshot"]
+image::images/ai-triage-add-to-case.png[An AI Assistant dialogue with the add to existing case button highlighted]
diff --git a/docs/assistant/images/ai-triage-add-to-case.png b/docs/assistant/images/ai-triage-add-to-case.png
diff --git a/docs/assistant/security-assistant.asciidoc b/docs/assistant/security-assistant.asciidoc
@@ -1,5 +1,4 @@
 [[security-assistant]]
-[chapter]
 = AI Assistant
 
 :frontmatter-description: The Elastic AI Assistant is a generative AI open-code chat assistant.
@@ -191,3 +190,6 @@ In addition to practical advice, AI Assistant can offer conceptual advice, tips,
 
 * “How do I set up a {ml} job in {elastic-sec} to detect anomalies in network traffic volume over time?”
 * “I need to monitor for unusual file creation patterns that could indicate ransomware activity. How would I construct this query using EQL?”
+
+
+include::ai-alert-triage.asciidoc[leveloffset=+1]