Documents Attack Discovery (#342)

* first draft

* troubleshoots docnav

* updates Docnav

* incorporates Dhru's feedback

* minor edits

* line edit

* Removes unnecessary link

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>

* incorporates Janeen's review

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* incorporates Nastasha's feedback

* removes unnecessary link

* Incorporates Joe's review

* Adds note to AI Assistant page

* fixes note

* minor updates

* moves period

* adds missing "to"

* Incorporates Janeen's feedback

---------

Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

Author: 3 people

docs/assistant/ai-assistant.mdx

@@ -77,7 +77,7 @@ You can also chat with AI Assistant from several particular pages in ((elastic-s
 * <DocLink id="serverlessSecurityTimelinesUi">Timeline</DocLink>: Select the **Security Assistant** tab.
 
 <DocCallOut title="Note">
-Each user's chat history and custom quick prompts are automatically saved, so you can leave ((elastic-sec)) and return to pick up a conversation later.
+Each user's chat history and custom quick prompts are automatically saved, so you can leave ((elastic-sec)) and return to pick up a conversation later. Chat history is saved in the `.kibana-elastic-ai-assistant-conversations` data stream. 
 </DocCallOut>
 
 <div id="interact-with-assistant"></div>

docs/attack-discovery/attack-discovery.mdx

@@ -0,0 +1,72 @@
+---
+id: attackDiscovery
+slug: /serverless/security/attack-discovery
+title: Attack discovery
+description: Accelerate threat identification by triaging alerts with a large language model.
+tags: [ 'serverless', 'security', 'overview', 'LLM', 'artificial intelligence' ]
+status: in review
+---
+
+<DocBadge template="beta" />
+
+Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This makes the most of each security analyst's time, helps fight alert fatigue, and can reduce your mean time to respond.
+
+<DocCallOut title="Note">
+Attack discovery currently only analyzes alerts from the past 24 hours.
+</DocCallOut>
+
+This page describes:
+
+- <DocLink id="attackDiscovery" section="generate-discoveries">How to start generating discoveries</DocLink>
+- <DocLink id="attackDiscovery" section="discovery-info">What information each discovery includes</DocLink>
+- <DocLink id="attackDiscovery" section="workflows">How you can interact with discoveries to enhance ((elastic-sec)) workflows</DocLink>.
+
+
+<div id="generate-discoveries"></div>
+## Generate discoveries
+
+To use Attack discovery:
+
+1. Click the **Attack discovery** page from ((elastic-sec))'s navigation menu.
+
+2. When you open the page for the first time, you'll need to select an LLM connector before you can analyze alerts. Select an existing connector from the dropdown menu, or add a new one. 
+
+<DocCallOut title="Note">
+Attack discovery uses the same LLM connectors as <DocLink id="serverlessSecurityAIAssistant">Elastic AI Assistant</DocLink>. If you've already configured one, you can use it here without further configuration. In general, models with larger context windows are more effective for Attack discovery.
+</DocCallOut>
+
+![Attack discovery empty state](../images/attack-discovery/select-model-empty-state.png)
+
+3. Once you've selected a connector, click **Generate** to start the analysis. 
+
+It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected.
+
+<DocCallOut title="Important">
+Attack discovery uses the same data anonymization settings as <DocLink id="serverlessSecurityAIAssistant">Elastic AI Assistant</DocLink>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. 
+</DocCallOut>
+
+Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack discovery process again with the most current alerts.
+
+<div id="discovery-info"></div>
+## What information does each discovery include?
+
+Each discovery includes the following information describing the potential threat, generated by the connected LLM:
+
+- A descriptive title and a summary of the potential threat.
+- The number of associated alerts and which parts of the [MITRE ATT&CK matrix](https://attack.mitre.org/) they correspond to.
+- The implicated entities (users and hosts), and what suspicious activity was observed for each.
+
+![Attack discovery detail view](../images/attack-discovery/attack-discovery-full-card.png)
+
+<div id="workflows"></div>
+## Incorporate discoveries with other workflows
+
+There are several ways you can incorporate discoveries into your ((elastic-sec)) workflows:
+
+- Click an entity's name to open the user or host details flyout and view more details that may be relevant to your investigation.
+- Hover over an entity's name to either add the entity to Timeline (<DocIcon type="timeline" title="Timeline" />) or copy its field name and value to the clipboard (<DocIcon type="copyClipboard" title="Copy to clipboard"/>). 
+- Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a case. This makes it easy to share the information with your team and other stakeholders.
+- Click **Investigate in timeline** to explore the discovery in Timeline.
+- Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow up questions about the discovery or associated alerts. 
+
+![Attack discovery view in AI Assistant](../images/attack-discovery/add-discovery-to-assistant.gif)

docs/images/attack-discovery/add-discovery-to-assistant.gif

@@ -19,6 +19,9 @@
       "pageId": "serverlessSecurityEsUiOverview", 
       "classic-sources": [ "enSecurityEsUiOverview" ]
     },
+    {
+      "pageId": "attackDiscovery"
+    },    
     {
       "label": "Elastic AI Assistant",
       "pageId": "serverlessSecurityAIAssistant",