solutions/security/ai/ai-assistant.md
Lines changed: 20 additions & 11 deletions
@@ -75,7 +75,7 @@ You can also chat with AI Assistant from several particular pages in {{elastic-s
75
75
*[Data Quality dashboard](/solutions/security/dashboards/data-quality-dashboard.md): Select the **Incompatible fields** tab, then click **Chat**. (This is only available for fields marked red, indicating they’re incompatible).
76
76
77
77
::::{note}
78
-
Each user’s chat history (up to the 99 most recent conversations) and custom Quick Prompts are automatically saved, so you can leave {{elastic-sec}} and return to a conversation later. Chat history appears to the left of the AI Assistant chat window, and on the **Conversations** tab of the **AI Assistant settings** menu. To access the settings menu, use the global search field to search for "AI Assistant for Security".
78
+
Each user’s chat history (up to the 99 most recent conversations) and custom Quick Prompts are automatically saved, so you can leave {{elastic-sec}} and return to a conversation later. Chat history appears to the left of the AI Assistant chat window, and on the **Conversations** tab of the **AI Assistant settings** menu. To access the settings menu, use the global search field to search for "AI Assistant for Security" or open the menu in the upper-right of the AI Assistant chat window.
79
79
::::
80
80
81
81
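Review bot: The added clause at new line 78 says "open the menu in the upper-right of the AI Assistant chat window" without naming the control, while the new text at line 120 of the same file calls it the "more (three dots) button". Use the same name in both places so readers can tell it is one control, for example "or click the more (three dots) button in the upper-right of the AI Assistant chat window".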
@@ -87,16 +87,16 @@ Use these features to adjust and act on your conversations with AI Assistant:
87
87
* (Optional) Select a *System Prompt* at the beginning of a conversation by using the **Select Prompt** menu. System Prompts provide context to the model, informing its response. To create a System Prompt, open the System Prompts dropdown menu and click **+ Add new System Prompt…**.
88
88
* (Optional) Select a *Quick Prompt* at the bottom of the chat window to get help writing a prompt for a specific purpose, such as summarizing an alert or converting a query from a legacy SIEM to {{elastic-sec}}.
:alt: The Security AI settings menu's System Prompts tab
99
+
:::
100
100
101
101
* Quick Prompt availability varies based on context—for example, the **Alert summarization** Quick Prompt appears when you open AI Assistant while viewing an alert. To customize existing Quick Prompts and create new ones, click **Add Quick Prompt**.
102
102
* In an active conversation, you can use the inline actions that appear on messages to incorporate AI Assistant’s responses into your workflows:
@@ -117,11 +117,20 @@ AI Assistant can remember particular information you tell it to remember. For ex
117
117
118
118
## Configure AI Assistant [configure-ai-assistant]
119
119
120
-
The **Security AI settings** page allows you to configure AI Assistant. To access it, use the global search field to search for "AI Assistant for Security".
120
+
To adjust AI Assistant's settings from the chat window, click the more (three dots) button in the upper-right.
The first three options (**AI Assistant settings**, **Knowledge Base**, and **Anonymization**) open the corresponding tabs of the **Security AI settings** page. The **Chat options** affect display-only user settings: whether to show or hide anonymized values, and whether to include citations. When citations are enabled, AI Assistant will refer you to information sources including data you've shared with it, information you've added to the knowledge base, and content from Elastic's Security Labs and product documentation.
128
+
129
+
The **Security AI settings** page provides a range of configuration options for AI Assistant. To access it directly, use the global search field to search for "AI Assistant for Security".
121
130
122
131
It has the following tabs:
123
132
124
-
***Conversations:** When you open AI Assistant from certain pages, such as ***Alerts**, it defaults to the relevant conversation type. For each conversation type, choose the default System Prompt, the default connector, and the default model (if applicable). The **Streaming** setting controls whether AI Assistant’s responses appear word-by-word (streamed), or as a complete block of text. Streaming is currently only available for OpenAI models.
133
+
***Conversations:** When you open AI Assistant from certain pages, such as **Alerts**, it defaults to the relevant conversation type. For each conversation type, choose the default System Prompt, the default connector, and the default model (if applicable). The **Streaming** setting controls whether AI Assistant’s responses appear word-by-word (streamed), or as a complete block of text. Streaming is currently only available for OpenAI models.
125
134
***Connectors:** Manage all LLM connectors.
126
135
***System Prompts:** Edit existing System Prompts or create new ones. To create a new System Prompt, type a unique name in the **Name** field, then press **enter**. Under **Prompt**, enter or update the System Prompt’s text. Under **Contexts**, select where the System Prompt should appear.
127
136
***Quick Prompts:** Modify existing Quick Prompts or create new ones. To create a new Quick Prompt, type a unique name in the **Name** field, then press **enter**. Under **Prompt**, enter or update the Quick Prompt’s text.
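Review bot: The new **Chat options** sentence describes showing or hiding anonymized values as "display-only", but it does not say what that means for the data sent to the LLM. Since this toggle sits next to the **Anonymization** entry in the same menu, add a clause stating that it only changes how values are rendered in the chat window and does not change which fields are allowed or anonymized. Separately, the instruction to search for "AI Assistant for Security" now appears both here and in the note at line 78; consider linking from one to the other instead of repeating it.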
@@ -137,7 +146,7 @@ To modify Anonymization settings, you need the **Elastic AI Assistant: All** pri
137
146
::::
138
147
139
148
140
-
The **Anonymization** tab of the Security AI settings menu allows you to define default data anonymization behavior for events you send to AI Assistant. Fields with **Allowed*** toggled on are included in events provided to AI Assistant. ***Allowed*** fields with ***Anonymized** set to **Yes** are included, but with their values obfuscated.
149
+
The **Anonymization** tab of the Security AI settings menu allows you to define default data anonymization behavior for events you send to AI Assistant. Fields with **Allowed** toggled on are included in events provided to AI Assistant. **Allowed** fields with **Anonymized** set to **Yes** are included, but with their values obfuscated.
141
150
142
151
::::{note}
143
152
You can access anonymization settings directly from the **Attack Discovery** page by clicking the settings () button next to the model selection dropdown menu.
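Review bot: The corrected sentence at new line 149 covers fields with **Allowed** on and fields with **Anonymized** set to **Yes**, but it never states what happens to fields with **Allowed** off. Because this paragraph is what readers rely on to decide what leaves the cluster, say explicitly whether such fields are withheld from the events provided to AI Assistant. The markup fix itself (`**Allowed***` to `**Allowed**`, `***Anonymized**` to `**Anonymized**`) looks right.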
By default, Attack Discovery analyzes up to 100 alerts from the last 24 hours, but you can expand this up to 500 alerts, and customize which alerts it analyzes using the settings menu. To open it, click the gear icon () next to the **Generate** button.
From the settings menu, you can filter which alerts get processed by Attack Discovery using KQL queries, the time and date selector, and the **Number of alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error. Under **Alert summary** you can view a summary of the selected alerts grouped by various fields, and under **Alerts preview** you can see more details about the selected alerts.
48
+
49
+
:::{admonition} How to add non-ecs fields to Attack Discovery
50
+
Attack Discovery is designed for use with alerts based on data that complies with ECS, and by default only analyses ECS-compliant fields. However you can enable Attack Discovery to review additional fields by following these steps:
51
+
52
+
* Select an alert with some of the non-ECS fields you want to analyze, and go to it's details flyout. From here, use the **Chat** button to open AI Assistant.
53
+
* At the bottom of the chat window, the alert's information appears. Click **Edit** to open the anonymization window to this alert's fields.
54
+
* Search for and select the non-ECS fields you want Attack Discovery to analyze. Set them to **Allowed**.
55
+
56
+
The selected fields can now be analyzed the next you run Attack Discovery.
When you access Attack Discovery for the first time, you’ll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as [AI Assistant](/solutions/security/ai/ai-assistant.md). To get started:
61
+
You’ll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as [AI Assistant](/solutions/security/ai/ai-assistant.md). To get started:
41
62
42
63
1. Click the **Attack Discovery** page from {{elastic-sec}}'s navigation menu.
43
64
2. Select an existing connector from the dropdown menu, or add a new one.
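Review bot: The new admonition has several wording slips: "go to it's details flyout" should be "its", "the next you run Attack Discovery" is missing "time", the title uses "non-ecs" while the body uses "non-ECS", and "analyses" sits beside "analyze" in the same paragraph. The three bullets are sequential steps, so a numbered list would match the "To get started" list below. Since step 3 sets additional fields to **Allowed**, it would also help to point to the anonymization guidance here, because those fields will then be included in what is sent to the connected LLM.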
@@ -54,26 +75,13 @@ When you access Attack Discovery for the first time, you’ll need to select an
54
75
55
76
3. Once you’ve selected a connector, click **Generate** to start the analysis.
56
77
57
-
It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected.
58
-
59
-
::::{important}
60
-
By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon () next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error.
It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one’s title to expand or collapse it. Click **Generate** at any time to start the Attack Discovery process again with the selected alerts.
68
79
69
80
::::{important}
70
81
Attack Discovery uses the same data anonymization settings as [Elastic AI Assistant](/solutions/security/ai/ai-assistant.md). To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.
71
82
::::
72
83
73
84
74
-
Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one’s title to expand or collapse it. Click **Generate** at any time to start the Attack Discovery process again with the most current alerts.
75
-
76
-
77
85
## What information does each discovery include? [attack-discovery-what-info]
78
86
79
87
Each discovery includes the following information describing the potential threat, generated by the connected LLM:
solutions/security/ai/connect-to-amazon-bedrock.md
Lines changed: 8 additions & 6 deletions
@@ -13,7 +13,7 @@ applies_to:
13
13
This page provides step-by-step instructions for setting up an Amazon Bedrock connector for the first time. This connector type enables you to leverage large language models (LLMs) within {{kib}}. You’ll first need to configure AWS, then configure the connector in {{kib}}.
14
14
15
15
::::{note}
16
-
Only Amazon Bedrock’s `Anthropic` models are supported: `Claude` and `Claude instant`.
16
+
All models in Amazon Bedrock's `Claude` model group are supported.
17
17
::::
18
18
19
19
@@ -99,7 +99,7 @@ Make sure the supported Amazon Bedrock LLMs are enabled:
99
99
1. Search the AWS console for Amazon Bedrock.
100
100
2. From the Amazon Bedrock page, click **Get started**.
101
101
3. Select **Model access** from the left navigation menu, then click **Manage model access**.
102
-
4. Check the boxes for **Claude** and/or **Claude Instant**, depending which model or models you plan to use.
102
+
4. Check the box for the model or models you plan to use.
103
103
5. Click **Save changes**.
104
104
105
105
The following video demonstrates these steps (click to watch).
@@ -115,11 +115,13 @@ Finally, configure the connector in {{kib}}:
115
115
2. Find the **Connectors** page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Then click **Create Connector**, and select **Amazon Bedrock**.
116
116
3. Name your connector.
117
117
4. (Optional) Configure the Amazon Bedrock connector to use a different AWS region where Anthropic models are supported by editing the **URL** field, for example by changing `us-east-1` to `eu-central-1`.
118
-
5. (Optional) Add one of the following strings if you want to use a model other than the default:
118
+
5. (Optional) Add one of the following strings if you want to use a model other than the default. Note that these URLs should have a prefix of `us.` or `eu.`, depending on your region, for example `us.anthropic.claude-3-5-sonnet-20240620-v1:0`.
119
119
120
-
* For Haiku: `anthropic.claude-3-haiku-20240307-v1:0`
121
-
* For Sonnet: `anthropic.claude-3-sonnet-20240229-v1:0`
122
-
* For Opus: `anthropic.claude-3-opus-20240229-v1:0`
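Review bot: In the new step 5, "these URLs should have a prefix of `us.` or `eu.`" calls the values URLs, but the example `us.anthropic.claude-3-5-sonnet-20240620-v1:0` is a model identifier string, and step 4 already uses the **URL** field for the region. Reword to "these model IDs" (or "these strings") so readers do not edit the wrong field. It would also help to state which connector field the string goes into, and to tie the `us.`/`eu.` prefix to the region chosen in step 4 so the two settings are kept consistent.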