You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/AI-for-security/attack-discovery.asciidoc
+11-5Lines changed: 11 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,6 +9,12 @@
9
9
10
10
preview::["This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features."]
11
11
12
+
.Requirements
13
+
[sidebar]
14
+
--
15
+
To use Attack Discovery, you need the **Attack Discovery: All** {kibana-ref}/kibana-role-management.html#adding_kibana_privileges[{kib} privilege].
16
+
--
17
+
12
18
Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.
13
19
14
20
For a demo, refer to the following video.
@@ -45,18 +51,18 @@ When you access Attack discovery for the first time, you'll need to select an LL
45
51
.Recommended models
46
52
[sidebar]
47
53
--
48
-
While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3.5 Sonnet. In general, models with larger context windows are more effective for Attack discovery.
54
+
While Attack discovery is compatible with many different models, refer to the <<llm-performance-matrix, Large language model performance matrix>> to see which models perform best.
. Once you've selected a connector, click **Generate** to start the analysis.
54
60
55
61
It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected.
56
62
57
-
IMPORTANT: Attack discovery is in technical preview and will only analyze opened and acknowleged alerts from the past 24 hours. By default it only analyzes up to 20 alerts within this timeframe, but you can expand this up to 100 by going to **AI Assistant → Settings (image:images/icon-settings.png[Settings icon,17,17]) → Knowledge Base** and updating the **Alerts** setting.
63
+
IMPORTANT: y default it analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon (image:images/icon-settings.png[Settings icon,17,17]) next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error.
58
64
59
-
image::images/knowledge-base-settings.png["AI Assistant's settings menu open to the Knowledge Base tab",75%]
IMPORTANT: Attack discovery uses the same data anonymization settings as <<security-assistant, Elastic AI Assistant>>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.
62
68
@@ -72,7 +78,7 @@ Each discovery includes the following information describing the potential threa
72
78
. The number of associated alerts and which parts of the https://attack.mitre.org/[MITRE ATT&CK matrix] they correspond to.
73
79
. The implicated entities (users and hosts), and what suspicious activity was observed for each.
Copy file name to clipboardExpand all lines: docs/serverless/AI-for-security/attack-discovery.mdx
+6-2Lines changed: 6 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,6 +12,10 @@ status: in review
12
12
This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features.
13
13
</DocCallOut>
14
14
15
+
<DocCallOuttitle="Requirements">
16
+
To use Attack Discovery, you need the **Attack Discovery: All** privilege.
17
+
</DocCallOut>
18
+
15
19
Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.
16
20
17
21
For a demo, refer to the following video.
@@ -34,7 +38,7 @@ When you access Attack discovery for the first time, you'll need to select an LL
34
38
2. Select an existing connector from the dropdown menu, or add a new one.
35
39
36
40
<DocCallOuttitle="Recommended models">
37
-
While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3.5 Sonnet. In general, models with larger context windows are more effective for Attack discovery.
41
+
While Attack discovery is compatible with many different models, refer to the <DocLinkslug="/serverless/security/llm-performance-matrix"> Large language model performance matrix </DocLink> to see which models perform best.
0 commit comments