AD updates for 8.16 (#6114)

* AD updates for 8.16

* Updates serverless docs

* Minor tweak for charles' feedback

* Fix icon image refs

* fixes outdated refs to AD page

* fixes timeline ref

* Apply suggestions from code review

Incorporates Nastasha's review

Co-authored-by: Nastasha Solomon <[email protected]>

---------

Co-authored-by: Nastasha Solomon <[email protected]>
(cherry picked from commit 88103ce)

# Conflicts:
#	docs/AI-for-security/attack-discovery.asciidoc
#	docs/serverless/AI-for-security/ai-assistant-alert-triage.asciidoc
#	docs/serverless/AI-for-security/ai-for-security-landing-pg.asciidoc
#	docs/serverless/AI-for-security/attack-discovery.asciidoc
#	docs/serverless/AI-for-security/connect-to-byo-llm.asciidoc
#	docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png
#	docs/serverless/AI-for-security/llm-connector-guides.asciidoc
#	docs/serverless/AI-for-security/llm-performance-matrix.asciidoc
#	docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc

Author: benironside

docs/AI-for-security/attack-discovery.asciidoc

@@ -1,6 +1,6 @@
 [[attack-discovery]]
 [chapter]
-= Attack discovery
+= Attack Discovery
 
 :frontmatter-description: Accelerate threat identification by triaging alerts with a large language model.
 :frontmatter-tags-products: [security]
@@ -9,7 +9,7 @@
 
 preview::["This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features."]
 
-Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.
+Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.
 
 For a demo, refer to the following video.
 =======
@@ -33,34 +33,49 @@ This page describes:
 * <<attack-discovery-what-info, What information each discovery includes>>
 * <<attack-discovery-workflows, How you can interact with discoveries to enhance {elastic-sec} workflows>>
 
+[discrete]
+[[attack-discovery-rbac]]
+== Role-based access control (RBAC) for Attack Discovery
+
+The `Attack Discovery: All` privilege allows you to use Attack Discovery.
+
+image::images/attck-disc-rbac.png[Attack Discovery's RBAC settings,60%]
+
 [[attack-discovery-generate-discoveries]]
 [discrete]
 == Generate discoveries
 
-When you access Attack discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack discovery uses the same LLM connectors as <<security-assistant>>. To get started:
+When you access Attack Discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as <<security-assistant>>. To get started:
 
-. Click the **Attack discovery** page from {elastic-sec}'s navigation menu.
+. Click the **Attack Discovery** page from {elastic-sec}'s navigation menu.
 . Select an existing connector from the dropdown menu, or add a new one.
 +
 .Recommended models
 [sidebar]
 --
+<<<<<<< HEAD
 While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3 Sonnet and Claude 3 Opus. In general, models with larger context windows are more effective for Attack discovery.
 --
 +
 image::images/select-model-empty-state.png[]
+=======
+While Attack Discovery is compatible with many different models, refer to the <<llm-performance-matrix, Large language model performance matrix>> to see which models perform best.
+--
++
+image::images/attck-disc-select-model-empty.png[]
+>>>>>>> 88103ce2 (AD updates for 8.16 (#6114))
 +
 . Once you've selected a connector, click **Generate** to start the analysis.
 
 It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. 
 
-IMPORTANT: Attack discovery is in technical preview and will only analyze opened and acknowleged alerts from the past 24 hours. By default it only analyzes up to 20 alerts within this timeframe, but you can expand this up to 100 by going to **AI Assistant → Settings (image:images/icon-settings.png[Settings icon,17,17]) → Knowledge Base** and updating the **Alerts** setting.
+IMPORTANT: By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon (image:images/icon-settings.png[Settings icon,17,17]) next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error.
 
-image::images/knowledge-base-assistant-settings-kb-tab.png["AI Assistant's settings menu open to the Knowledge Base tab",75%]
+image::images/attck-disc-alerts-number-menu.png["Attack Discovery's settings menu",75%]
 
-IMPORTANT: Attack discovery uses the same data anonymization settings as <<security-assistant, Elastic AI Assistant>>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.
+IMPORTANT: Attack Discovery uses the same data anonymization settings as <<security-assistant, Elastic AI Assistant>>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.
 
-Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack discovery process again with the most current alerts.
+Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack Discovery process again with the most current alerts.
 
 [[attack-discovery-what-info]]
 [discrete]
@@ -72,7 +87,7 @@ Each discovery includes the following information describing the potential threa
 . The number of associated alerts and which parts of the https://attack.mitre.org/[MITRE ATT&CK matrix] they correspond to.
 . The implicated entities (users and hosts), and what suspicious activity was observed for each.
 
-image::images/attack-discovery-full-card.png[Attack discovery detail view]
+image::images/attck-disc-example-disc.png[Attack Discovery detail view]
 
 [[attack-discovery-workflows]]
 [discrete]
@@ -86,4 +101,4 @@ There are several ways you can incorporate discoveries into your {elastic-sec} w
 * Click **Investigate in timeline** to explore the discovery in <<timelines-ui, Timeline>>.
 * Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow-up questions about the discovery or associated alerts. 
 
-image::images/add-discovery-to-assistant.gif[Attack discovery view in AI Assistant]
+image::images/add-discovery-to-assistant.gif[Attack Discovery view in AI Assistant]

docs/AI-for-security/images/add-discovery-to-assistant.gif

@@ -9,26 +9,10 @@ To enable AI Assistant to answer questions about alerts, you need to provide ale
 [[ai-assistant-triage-alerts-knowledge-base]]
 [discrete]
 == Use AI Assistant to triage multiple alerts
-Enable the <<ai-assistant-knowledge-base, Knowledge Base>> **Alerts** setting to send AI Assistant data for up to 500 alerts as context for each of your prompts. With this setting enabled, you can ask AI Assistant questions such as "How many alerts are present in my environment?", "What are my most urgent alerts?", "Which alerts should I triage first?", "Do any of the alerts in my environment indicate data exfiltration from a Windows machine?", and more. 
+Enable the <<ai-assistant-knowledge-base, Knowledge Base>> **Alerts** setting to send AI Assistant data for up to 500 alerts as context for each of your prompts. Use the slider on the Security AI settings' **Knowledge Base** tab to select the number of alerts to send to AI Assistant.
 
 For more information, refer to <<ai-assistant-knowledge-base, Knowledge Base>>.
 
-For a demo of AI Assistant's alert triage capabilities, refer to the following video.
-=======
-++++
-<script type="text/javascript" async src="https://play.vidyard.com/embed/v4.js"></script>
-<img
-  style="width: 100%; margin: auto; display: block;"
-  class="vidyard-player-embed"
-  src="https://play.vidyard.com/v2dQtzmm6SoTFYc7dJzq7m.jpg"
-  data-uuid="v2dQtzmm6SoTFYc7dJzq7m"
-  data-v="4"
-  data-type="inline"
-/>
-</br>
-++++
-=======
-
 [[ai-assistant-triage-alerts-instructions]]
 [discrete]
 == Use AI Assistant to triage a specific alert

docs/AI-for-security/images/attck-disc-11-alerts-disc.png

@@ -0,0 +1,52 @@
+[[security-triage-alerts-with-elastic-ai-assistant]]
+= Triage alerts
+
+// :description: Elastic AI Assistant can help you enhance and streamline your alert triage workflows.
+// :keywords: security, overview, get-started
+
+Elastic AI Assistant can help you enhance and streamline your alert triage workflows by assessing multiple recent alerts in your environment, and helping you interpret an alert and its context. 
+
+When you view an alert in {elastic-sec}, details such as related documents, hosts, and users appear alongside a synopsis of the events that triggered the alert. This data provides a starting point for understanding a potential threat. AI Assistant can answer questions about this data and offer insights and actionable recommendations to remediate the issue.
+
+To enable AI Assistant to answer questions about alerts, you need to provide alert data as context for your prompts. You can either provide multiple alerts using the <<ai-assistant-knowledge-base, Knowledge Base>> feature, or provide individual alerts directly.
+
+[[ai-assistant-triage-alerts-knowledge-base]]
+[discrete]
+== Use AI Assistant to triage multiple alerts
+Enable the <<ai-assistant-knowledge-base, Knowledge Base>> **Alerts** setting to send AI Assistant data for up to 500 alerts as context for each of your prompts. Use the slider on the Security AI settings' **Knowledge Base** tab to select the number of alerts to send to AI Assistant.
+
+For more information, refer to <<ai-assistant-knowledge-base, Knowledge Base>>.
+
+
+[discrete]
+[[use-ai-assistant-to-triage-an-alert]]
+== Use AI Assistant to triage a specific alert
+
+Once you have chosen an alert to investigate:
+
+. Click its **View details** button from the Alerts table.
+. In the alert details flyout, click **Chat** to launch the AI assistant. Data related to the selected alert is automatically added to the prompt. 
+. Click **Alert (from summary)** to view which alert fields will be shared with AI Assistant.
++
+NOTE: For more information about selecting which fields to send, and to learn about anonymizing your data, refer to <<security-ai-assistant, AI Assistant>>.
++
+. (Optional) Click a quick prompt to use it as a starting point for your query, for example **Alert summarization**. Improve the quality of AI Assistant's response by customizing the prompt and adding detail. 
++
+Once you've submitted your query, AI Assistant will process the information and provide a detailed response. Depending on your prompt and the alert data that you included, its response can include a thorough analysis of the alert that highlights key elements such as the nature of the potential threat, potential impact, and suggested response actions.
++
+. (Optional) Ask AI Assistant follow-up questions, provide additional information for further analysis, and request clarification. The response is not a static report.
+
+[discrete]
+[[generate-triage-reports]]
+== Generate triage reports
+
+Elastic AI Assistant can streamline the documentation and report generation process by providing clear records of security incidents, their scope and impact, and your remediation efforts. You can use AI Assistant to create summaries or reports for stakeholders that include key event details, findings, and diagrams. Once the AI Assistant has finished analyzing one or more alerts, you can generate reports by using prompts such as:
+
+* “Generate a detailed report about this incident, including timeline, impact analysis, and response actions. Also, include a diagram of events.”
+* “Generate a summary of this incident/alert and include diagrams of events.”
+* “Provide more details on the mitigation strategies used.”
+
+After you review the report, click **Add to existing case** at the top of AI Assistant's response. This allows you to save a record of the report and make it available to your team.
+
+[role="screenshot"]
+image::images/ai-assistant-alert-triage/ai-triage-add-to-case.png[An AI Assistant dialogue with the add to existing case button highlighted]

docs/AI-for-security/images/attck-disc-alerts-number-menu.png

@@ -0,0 +1,7 @@
+[[security-ai-for-security]]
+= AI for security
+
+// :description: Learn about Elastic's native AI security tools.
+// :keywords: serverless, security, overview, LLM, artificial intelligence
+
+You can use {elastic-sec}’s built-in AI tools to speed up your work and augment your team’s capabilities. The pages in this section describe <<security-ai-assistant>>, which answers questions and enhances your workflows throughout Elastic Security, and <<attack-discovery>>, which speeds up the triage process by finding patterns and identifying attacks spanning multiple alerts.