[Request] Document Attack Discovery #5026

@dhru42

Description

What: We're introducing AI Insights

Background:
After the successful introduction of the Elastic AI Assistant, it became clear that there are additional opportunities to surface Generative AI in other areas of Elastic Security.

The primary use case of the AI Assistant today is alert triage, which still tends to be the most challenging part of a security analyst's role. Over time, we've found that LLMs are phenomenal at identifying attack progressions in alert data, and can correlate and identify related entities and sequences. They are also great at attributing attack progressions to threat actors.

While users can ask the Assistant to find these progressions today, it is not an optimal workflow. We should provide users with a dedicated UI to identify these progressions and action them accordingly.

We have the opportunity to turn this (a list of 60 alerts):

[image omitted]

Into this: 2 actionable insights, based on what was found in the alerts:

[image omitted]
[image omitted]

Ultimately, this vision helps:

- Significantly reduce the MTTR for an analyst or team
- Reduce the complexity of correlating alerts and spotting progressions, even across several different data sources
- Dramatically reduce the time it takes to document findings, as the model does this for the user as part of the UI

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

8.14

Serverless release

tbd

Feature differences

TBD

API docs impact

We should create a new sub-page called AI Insights where we can highlight the true value of this functionality.

Prerequisites, privileges, feature flags

TBD
