[UI copy]: Review and refine content for redesigned Attack Discovery flow in Detections section

[0lha0liinyk]

Description

🔴🔴 More details added in the recent comment 🔴🔴

As part of the Detections redesign, we’re relocating Attack Discovery under the new Detections section. The goal is to align it with Alerts, Saved Views, and other related workflows to create a more unified and intuitive experience.

The updated Attack Discovery experience will consist of two tabs:

1. Attacks tab
   This is the primary view we want to emphasize. It will show:

• Scheduled discoveries – attack discoveries triggered automatically on a defined cadence
• Manually run discoveries that were promoted to the shared list
  Users will also be able to set up new schedules directly from this tab.

2. [TBD] tab (currently called "Playground" in the mockups)
   This tab is intended as a space where users can:

• Manually run one-time attack discoveries
• Review their own generated results
• Choose whether to add them to the shared Attacks list (i.e., promote them)

We’d like your input on what to call this tab — we’re currently avoiding terms like "Private / Shared" and "Playground". Some alternatives like “Drafts”, “Test”, or “Explore” are being considered, but we’d appreciate help landing on the most intuitive and consistent term from a copy perspective.

Content needs:

• Review and refine all user-facing content on this page (headlines, empty states, buttons, labels, etc.)
• Ensure language clearly differentiates between scheduled vs. manually generated discoveries without relying on “private/shared” language
• Improve empty states and first-time use messages across both tabs
• Ensure tone and terminology align with Elastic’s copy guidelines

Future note:
The design also includes charts that will display discovery-related metrics (e.g., volume over time, manual vs. scheduled ratio). These will be finalized later, and copy help for those may come in a follow-up ticket.

Related links / assets

Figma link: https://www.figma.com/design/RvimInFsHI5a0QGUs2VXna/GenAI-in-Alerts---%E2%80%A8Alerts-and-AI-Attack-Discovery-Navigation--9344?node-id=2139-106665&t=UigqFs081hxl4yV0-1 (work in progress)

Which product area does this mainly concern?

Security UI

Collaborators

PM: Paul Ewing
Designer: Olha Oliinyk

[benironside]

Completed first round of feedback and followed up with Olha.

[0lha0liinyk]

Enhancing the Detections experience

Stage: Design, implementation starting soon
Assets: Figma file
As part of the newly approved Detections section architecture, work is focused on finalizing designs for the Overview dashboard, Attack Discovery, and improvements to the Alerts experience. The goal is to make detections easier to navigate, more actionable, and better aligned with analyst workflows.
Designing the Detections Overview dashboard
The Overview dashboard acts as a central entry point highlighting what matters most. Insights from recent user feedback sessions guided refinements of widgets to surface the highest-impact signals: detected attacks, critical alerts, unassigned alerts, total alerts by severity, operations and response trends, alert and attack volume over time, and a treemap of triggered rules.
The AI priorities section now follows a unified structure for each investigate first suggestion: label → detection type → entity/target → supporting context → reason for priority → suggested action.
Widgets are designed to guide analysts toward urgent items while maintaining visibility into the overall security posture. Each widget includes hyperlinks that provide direct access to the underlying data for deeper investigation.
Redesigning the Attack Discovery experience
The Attack Discovery page supports two discovery types, split into two tabs:
Scheduled discoveries – automatically recurring on a set cadence
Manual discoveries – initiated by the user, initially visible only to the creator, with the option to promote results to the team’s list (Attacks tab)

The redesigned pages introduce clearer empty states to support users at different stages:
First-time use for both Attacks and Manual runs tabs, with headlines and descriptions explaining scheduled vs. manual scans
“No attacks detected” messages after the first run
Prompts to set up schedules when none exist
Clear messaging when filters return no results, with a Clear filters option
The Attack flyout includes an AI-generated summary and an attack chain, mirroring the structure used in the Alert flyout for consistency.
Refining Alerts and shared UX patterns
Filters on the Alerts page are simplified, placing assignees inline with status, severity, host, and username
Alerts can also be grouped by attacks in addition to existing grouping options
The Take action menu, used across alerts and attacks, includes sections and icons for clearer action discovery

Moving toward a unified triage workflow
Together, these updates help address the current challenge of users navigating two parallel workflows — Alerts and Attack Discovery. The direction going forward is to simplify triage by reducing context switching and consolidating both views into a single, customizable overview page. This approach will provide a more focused experience and allow users to close a group of associated alerts at once when resolving an attack.

All texts in the Figma file require review and approval.