You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):
17
-
18
-
$$$attack-discovery-generate-discoveries$$$
19
-
20
-
$$$attack-discovery-what-info$$$
21
-
22
-
$$$attack-discovery-workflows$$$
23
-
24
9
::::{warning}
25
10
This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features.
26
11
::::
27
12
28
-
29
13
Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst’s time, fight alert fatigue, and reduce your mean time to respond.
When you access Attack Discovery for the first time, you’ll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as [*AI Assistant*](/solutions/security/ai/ai-assistant.md). To get started:
37
+
When you access Attack Discovery for the first time, you’ll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as [AI Assistant](/solutions/security/ai/ai-assistant.md). To get started:
66
38
67
39
1. Click the **Attack Discovery** page from {{elastic-sec}}'s navigation menu.
68
40
2. Select an existing connector from the dropdown menu, or add a new one.
69
41
70
-
::::{admonition} Recommended models
71
-
While Attack Discovery is compatible with many different models, refer to the [Large language model performance matrix](/solutions/security/ai/large-language-model-performance-matrix.md) to see which models perform best.
42
+
:::{admonition} Recommended models
43
+
While Attack Discovery is compatible with many different models, refer to the [Large language model performance matrix](/solutions/security/ai/large-language-model-performance-matrix.md) to see which models perform best.
3. Once you’ve selected a connector, click **Generate** to start the analysis.
81
53
82
54
It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected.
83
55
84
56
::::{important}
85
-
By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon (![Settings icon](../../../images/security-icon-settings.png"")) next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error.
57
+
By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon (![Settings icon](../../../images/security-icon-settings.png"title= 70%")) next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error.
86
58
::::
87
59
88
60
@@ -116,7 +88,7 @@ Each discovery includes the following information describing the potential threa
116
88
There are several ways you can incorporate discoveries into your {{elastic-sec}} workflows:
117
89
118
90
* Click an entity’s name to open the user or host details flyout and view more details that may be relevant to your investigation.
119
-
* Hover over an entity’s name to either add the entity to Timeline (![Add to timeline icon](../../../images/security-icon-add-to-timeline.png"")) or copy its field name and value to the clipboard (![Copy to clipboard icon](../../../images/security-icon-copy.png"")).
91
+
* Hover over an entity’s name to either add the entity to Timeline (![Add to timeline icon](../../../images/security-icon-add-to-timeline.png"title= 70%")) or copy its field name and value to the clipboard (![Copy to clipboard icon](../../../images/security-icon-copy.png"title= 70%")).
120
92
* Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a [case](/solutions/security/investigate/cases.md). This makes it easy to share the information with your team and other stakeholders.
121
93
* Click **Investigate in timeline** to explore the discovery in [Timeline](/solutions/security/investigate/timeline.md).
122
94
* Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow-up questions about the discovery or associated alerts.
0 commit comments