You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
You’ll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as [AI Assistant](/solutions/security/ai/ai-assistant.md). To get started:
60
53
@@ -106,3 +99,67 @@ There are several ways you can incorporate discoveries into your {{elastic-sec}}
You can define recurring schedules (for example, daily or weekly) to automatically generate attack discoveries without needing manual runs. For example, you can generate discoveries every 24 hours and send a Slack notification to your SecOps channel if discoveries are found. Notifications are sent using configured [connectors](/deploy-manage/manage-connectors.md), such as Slack or email, and you can customize the notification content to tailor alert context to your needs.
111
+
112
+
Scheduled discoveries are shared by default with all users in a {{kib}} space.
113
+
114
+
:::{note}
115
+
You can still generate discoveries manually at any time, regardless of an active schedule.
116
+
:::
117
+
118
+
To create a new schedule:
119
+
120
+
1. Click the gear icon to open the settings menu, then select **Schedule**.
121
+
2. Select **Create new schedule**.
122
+
3. Enter a name for the new schedule.
123
+
4. Select the LLM connector to use for generating discoveries, or add a new one.
124
+
5. Use the KQL query bar, time filter, and alerts slider to customize the set of alerts that will be analyzed.
125
+
6. Define the schedule's frequency (for example, every 24 hours).
126
+
7. Optionally, select the [connectors](/deploy-manage/manage-connectors.md) to use for receiving notifications, and define their actions.
127
+
8. Click **Create & enable schedule**.
128
+
129
+
After creating new schedules, you can view their status, modify them or delete them from the **Schedule** tab in the settings menu.
130
+
131
+
:::{tip}
132
+
Scheduled discoveries are shown with a **Scheduled Attack discovery** icon ({icon}`calendar`). Click the icon to view the schedule that created it.
133
+
:::
134
+
135
+
## View saved discoveries
136
+
137
+
```yaml {applies_to}
138
+
stack: ga 9.1
139
+
serverless: ga
140
+
```
141
+
142
+
Attack discoveries are automatically saved each time you generate them. Once saved, discoveries remain available for later review, reporting, and tracking over time. This allows you to revisit discoveries to monitor trends, maintain audit trails, and support investigations as your environment evolves.
143
+
144
+
### Change a discovery's status
145
+
146
+
You can set a discovery's status to indicate that it's under active investigation or that it's been resolved. To do this, click **Take action**, then select **Mark as acknowledged** or **Mark as closed**.
147
+
148
+
### Take bulk actions
149
+
150
+
You can take bulk actions on multiple discoveries, such as bulk-changing their status or adding them to a case. To do this, select the checkboxes next to each discovery, then click **Selected *x* Attack discoveries** and choose the action you want to take.
151
+
152
+
### Search and filter saved discoveries
153
+
154
+
You can search and filter saved discoveries to help locate relevant findings.
155
+
156
+
* Use the search box to perform full-text searches across your generated discoveries.
157
+
158
+
* **Visibility**: Use this filter to, for example, show only shared discoveries.
159
+
160
+
* **Status**: Filter discoveries by their current status.
161
+
162
+
* **Connector**: Filter discoveries by connector name. Connectors that are deleted after discoveries have been generated are shown with a **Deleted** tag.
163
+
164
+
* Time filter: Adjust the time filter to view discoveries generated within a specific timeframe.
0 commit comments