diff --git a/solutions/images/security-ease-alert-flyout.png b/solutions/images/security-ease-alert-flyout.png new file mode 100644 index 0000000000..b6e54e083a Binary files /dev/null and b/solutions/images/security-ease-alert-flyout.png differ diff --git a/solutions/images/security-ease-alerts-summary.png b/solutions/images/security-ease-alerts-summary.png new file mode 100644 index 0000000000..698de6b779 Binary files /dev/null and b/solutions/images/security-ease-alerts-summary.png differ diff --git a/solutions/images/security-ease-cases.png b/solutions/images/security-ease-cases.png new file mode 100644 index 0000000000..50f204156b Binary files /dev/null and b/solutions/images/security-ease-cases.png differ diff --git a/solutions/images/security-ease-create-ease-project.png b/solutions/images/security-ease-create-ease-project.png new file mode 100644 index 0000000000..06105d520e Binary files /dev/null and b/solutions/images/security-ease-create-ease-project.png differ diff --git a/solutions/images/security-ease-integrations.png b/solutions/images/security-ease-integrations.png new file mode 100644 index 0000000000..22beba1562 Binary files /dev/null and b/solutions/images/security-ease-integrations.png differ diff --git a/solutions/images/security-ease-value-report.png b/solutions/images/security-ease-value-report.png new file mode 100644 index 0000000000..a6657f9f31 Binary files /dev/null and b/solutions/images/security-ease-value-report.png differ diff --git a/solutions/security/ai/ease/ease-alerts.md b/solutions/security/ai/ease/ease-alerts.md new file mode 100644 index 0000000000..8ed179cc46 --- /dev/null +++ b/solutions/security/ai/ease/ease-alerts.md 
@@ -0,0 +1,36 @@ +--- +navigation_title: Triage alerts +applies_to: + serverless: + security: preview +--- + +# Triage alerts in EASE + +Once you've ingested your alerts to Elastic AI SOC Engine (EASE), you can view, track, and analyze them from the **Alert summary** page. + +:::{image} /solutions/images/security-ease-alerts-summary.png +:alt: The Alert summary page of an EASE project +::: + +## View alert details + +An alert's details flyout shows its basic information, highlighted fields, and any associated attack discoveries. It also enables you to generate an AI summary of the alert, or collaborate with AI Assistant to continue your investigation. + +To open the alert details flyout, select the **Expand** button ({icon}`expand`) from the alert's row in the alerts table. + +:::{image} /solutions/images/security-ease-alert-flyout.png +:alt: The Alert summary page of an EASE project +::: + +You can take several actions from the alert details flyout: + +- **Generate insights**: To generate an AI description of the alert with recommended actions, click **Generate insights**. (The connector used here is the default LLM for your project. To update it, navigate to the **Advanced settings** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), and update the **Default AI Connector**.) + + :::{note} + The recommended actions are informed by any relevant custom knowledge you may have added to the AI Assistant's [knowledge base](/solutions/security/ai/ai-assistant-knowledge-base.md). For example, if you have specified a particular teammate is responsible for a particular type of alert of part of your infrastructure, it would recommend contacting that person. + ::: + +- **Ask AI Assistant**: To start a conversation with [AI Assistant](/solutions/security/ai/ai-assistant.md), select one of the suggested prompts or click **Ask AI Assistant**. 
+- **Add to case**: To add an alert to a new or existing case, scroll to the bottom and click **Take action**, then **Add to existing case** or **Add to new case**. +- **Apply alert tags**: To add tags to an alert, scroll to the bottom of its flyout and click **Take action**, then **Apply alert tags**. (To create new tags, navigate to the **Advanced settings** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), and update the **Alert tagging options**.) \ No newline at end of file diff --git a/solutions/security/ai/ease/ease-intro.md b/solutions/security/ai/ease/ease-intro.md new file mode 100644 index 0000000000..d13516f666 --- /dev/null +++ b/solutions/security/ai/ease/ease-intro.md 
@@ -0,0 +1,58 @@ +--- +navigation_title: Elastic AI SOC Engine +applies_to: + serverless: + security: preview +--- +# Elastic AI SOC Engine with {{sec-serverless}} + +Elastic AI Security Operations Center (SOC) Engine (EASE) is an {{sec-serverless}} project type that provides AI-powered tools and case management to augment third-party SIEM and EDR/XDR platforms. This page describes how to create an {{sec-serverless}} EASE project, how to ingest your data, and how to use its key features. + +## Create an EASE project + +To create an EASE project: + +1. [Create](/solutions/security/get-started/create-security-project.md) an {{sec-serverless}} project, and on the **Confirm your project settings** page, select **Elastic AI SOC Engine**. + + :::{image} /solutions/images/security-ease-create-ease-project.png + :alt: The Confirm your project settings page + ::: + +2. Click **Create serverless project**, and wait for your project to be provisioned. When it's ready, open it. + + +## Ingest your SOC data + +To ingest your SOC data: + +1. Go to the **Configurations** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). + + :::{image} /solutions/images/security-ease-integrations.png + :alt: The integrations page of an EASE project + ::: + +2. From the **Integrations** tab, select any [integration](integration-docs://reference/index.md) you want to ingest data from to view deployment instructions and more information. + +## Select a model + +EASE uses LLM connectors to enable its AI features such as Attack Discovery and AI Assistant. The Elastic Managed LLM is enabled by default. You can also [create custom connectors](/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md). Keep in mind that different models [perform differently](/solutions/security/ai/large-language-model-performance-matrix.md) on different tasks. 
+ + +## Features + +EASE provides a set of capabilities designed to help make the most of each security analyst’s time, fight alert fatigue, and reduce your mean time to respond. Once your data is ingested, you can start using the following features: + +- **[Attack Discovery](/solutions/security/ai/attack-discovery.md)**: Helps you analyze alerts in your environment and identify threats. Each discovery represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. + + :::{image} /solutions/images/security-attck-disc-example-disc.png + :alt: Attack Discovery detail view + ::: + +- **[AI Assistant](/solutions/security/ai/ai-assistant.md)**: An LLM-powered virtual assistant specialized for digital security; it helps with data analysis, alert investigation, incident response, and {{esql}} query generation. You can add custom background knowledge and data to its [knowledge base](/solutions/security/ai/ai-assistant-knowledge-base.md) and use natural language to ask for its assistance with your SOC operations. + +- **[Cases](/solutions/security/investigate/cases.md)**: Helps you track and share related information about security issues. Track key investigation details and collect alerts in a central location. + + :::{image} /solutions/images/security-ease-cases.png + :alt: The Cases page in an EASE project + ::: + diff --git a/solutions/security/ai/ease/ease-value-report.md b/solutions/security/ai/ease/ease-value-report.md new file mode 100644 index 0000000000..3c27a04654 --- /dev/null +++ b/solutions/security/ai/ease/ease-value-report.md 
@@ -0,0 +1,20 @@ +--- +navigation_title: Value report +applies_to: + serverless: + security: preview +--- + +# EASE Value Report + +The **Value report** page estimates your savings from using Elastic AI SOC Engine (EASE) for alert triage, in terms of **Analyst time saved** and **Cost Savings**. The message at the top of the page explains how those numbers were determined, and how many alerts were **Escalated** and **Filtered** by AI. + +You can interact with the page in the following ways: + +- **Update the time range:** Use the time selector in the upper right corner to select the time range for which to show value metrics. +- **Export report:** Select **Export report** in the upper right corner to download a sharable PDF of the value report. + + +:::{image} /solutions/images/security-ease-value-report.png +:alt: The Value Report in an EASE project +::: diff --git a/solutions/security/get-started/create-security-project.md b/solutions/security/get-started/create-security-project.md index 8a12054aab..8c7f044b55 100644 --- a/solutions/security/get-started/create-security-project.md +++ b/solutions/security/get-started/create-security-project.md @@ -8,10 +8,9 @@ products: - id: cloud-serverless --- -# Create a Security project [security-create-project] - -A serverless project allows you to run {{elastic-sec}} in an autoscaled and fully managed environment, where you don’t have to manage the underlying {{es}} cluster and {{kib}} instances. +# Create an {{sec-serverless}} project [security-create-project] +An {{sec-serverless}} project enables you to run {{elastic-sec}} in an autoscaled and fully managed environment, where you don’t have to manage the underlying {{es}} cluster and {{kib}} instances. ## Create project [security-create-project-create-project] 
@@ -20,15 +19,9 @@ Use your {{ecloud}} account to create a fully managed {{sec-serverless}} project 1. Navigate to [cloud.elastic.co](https://cloud.elastic.co/). 2. Log in to your {{ecloud}} account and select **Create project** from the **Serverless projects** panel. 3. Select **Next** from the **Security** panel. -4. Edit your project settings (click **Edit settings** to access all settings). - - * **Name**: A unique name for your project. - * **Cloud provider**: The cloud platform where you’ll deploy your project. We currently support Amazon Web Services (AWS). - * **Region**: The cloud platform’s [region](../../../deploy-manage/deploy/elastic-cloud/regions.md) where your project will live. - - You can also check [the pricing details](https://www.elastic.co/pricing/serverless-security) to see how you consume {{sec-serverless}}. - -5. Select **Create project**. It takes a few minutes before your project gets created. -6. Once the project is ready, select **Continue** to open the **Get started** page (you might need to log in to {{ecloud}} again). +4. Name your project and select your feature tier. For more information about tiers, refer to [pricing](https://www.elastic.co/pricing/serverless-security). +5. Select a cloud provider and region. +6. Select **Create project**. It takes a few minutes to create your project. +7. Once the project is ready, select **Continue** to open the **Get started** page (you might need to log in to {{ecloud}} again). From here, you can learn more about {{elastic-sec}} features and start setting up your workspace. diff --git a/solutions/toc.yml b/solutions/toc.yml index 563fd382d5..4f7f424fd5 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml 
@@ -491,6 +491,10 @@ toc: - file: security/esql-for-security/esql-threat-hunting-tutorial.md - file: security/ai.md children: + - file: security/ai/ease/ease-intro.md + children: + - file: security/ai/ease/ease-alerts.md + - file: security/ai/ease/ease-value-report.md - file: security/ai/ai-assistant.md children: - file: security/ai/ai-assistant-knowledge-base.md
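Review bot: In the ease-alerts.md hunk, the alt text on the second image is a copy of the first one: `:alt: The Alert summary page of an EASE project` is used both for `security-ease-alerts-summary.png` and for `security-ease-alert-flyout.png`, so the flyout screenshot is mislabelled for screen-reader users; change the second to something like `:alt: The alert details flyout in an EASE project`. Two smaller points in the same hunk: the note under **Generate insights** reads "a particular type of alert of part of your infrastructure", which should be "or part of your infrastructure", and the file ends with `\ No newline at end of file`, so add a trailing newline. Since that note also states that the default LLM connector is what **Generate insights** uses, it would help readers to say plainly that the alert's content is sent to that connector, so that administrators know to check the **Default AI Connector** setting before analysts start using the feature.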
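Review bot: In the ease-intro.md hunk, the **Attack Discovery** bullet references `/solutions/images/security-attck-disc-example-disc.png`, which is not one of the six `security-ease-*.png` binaries this patch adds; please confirm that file already exists at that path, otherwise the build will have a broken image. Also, step 1 of "Create an EASE project" tells the reader to select **Elastic AI SOC Engine** on the **Confirm your project settings** page, but the rewritten steps in create-security-project.md in this same patch no longer mention a page by that name (they now say "Name your project and select your feature tier" and "Select a cloud provider and region"), so the two procedures should be aligned on where the project type is chosen. A style nit: the frontmatter closing `---` is followed directly by `# Elastic AI SOC Engine with {{sec-serverless}}` with no blank line, unlike the other two new pages.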
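Review bot: In the ease-value-report.md hunk, the two metric names are capitalised inconsistently ("**Analyst time saved**" versus "**Cost Savings**"); match whichever form the UI actually shows. "sharable PDF" is better spelled "shareable PDF", and there are two blank lines between the bullet list and the `:::{image}` block where the rest of the page uses one.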
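Review bot: In the first create-security-project.md hunk, the replacement lines put the paragraph `+An {{sec-serverless}} project enables you to run ...` directly under the new `# Create an {{sec-serverless}} project [security-create-project]` heading with no blank line between them, whereas the removed text had one; restore the blank line so the heading and paragraph render as separate blocks.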
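Review bot: In the second create-security-project.md hunk, the removed step 4 carried two facts that the new steps 4 and 5 drop: the link to the regions reference (`[region](../../../deploy-manage/deploy/elastic-cloud/regions.md)`) and the statement "We currently support Amazon Web Services (AWS)". If the provider restriction still applies, the new "Select a cloud provider and region." line should say so, and the regions link is worth keeping in either case so readers can check which regions are available before creating the project.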