diff --git a/docs/AI-for-security/images/ai-triage-add-to-case.png b/docs/AI-for-security/images/ai-triage-add-to-case.png index 29d0f91333..06aa13ca6a 100644 Binary files a/docs/AI-for-security/images/ai-triage-add-to-case.png and b/docs/AI-for-security/images/ai-triage-add-to-case.png differ diff --git a/docs/AI-for-security/images/attck-disc-11-alerts-disc.png b/docs/AI-for-security/images/attck-disc-11-alerts-disc.png index 0f2bf87bac..e6319da2b4 100644 Binary files a/docs/AI-for-security/images/attck-disc-11-alerts-disc.png and b/docs/AI-for-security/images/attck-disc-11-alerts-disc.png differ diff --git a/docs/AI-for-security/images/attck-disc-esql-query-gen-example.png b/docs/AI-for-security/images/attck-disc-esql-query-gen-example.png index 3ec015ced4..2db023e780 100644 Binary files a/docs/AI-for-security/images/attck-disc-esql-query-gen-example.png and b/docs/AI-for-security/images/attck-disc-esql-query-gen-example.png differ diff --git a/docs/AI-for-security/images/attck-disc-remediate-sodinokibi.gif b/docs/AI-for-security/images/attck-disc-remediate-sodinokibi.gif deleted file mode 100644 index f4fd2c9ed1..0000000000 Binary files a/docs/AI-for-security/images/attck-disc-remediate-sodinokibi.gif and /dev/null differ diff --git a/docs/AI-for-security/images/attck-disc-remediate-threat.gif b/docs/AI-for-security/images/attck-disc-remediate-threat.gif new file mode 100644 index 0000000000..e31f84235e Binary files /dev/null and b/docs/AI-for-security/images/attck-disc-remediate-threat.gif differ diff --git a/docs/AI-for-security/images/attck-disc-translate-japanese.png b/docs/AI-for-security/images/attck-disc-translate-japanese.png index 190efbb09e..320b3fd1a5 100644 Binary files a/docs/AI-for-security/images/attck-disc-translate-japanese.png and b/docs/AI-for-security/images/attck-disc-translate-japanese.png differ 
diff --git a/docs/AI-for-security/usecase-alert-triage.asciidoc b/docs/AI-for-security/usecase-alert-triage.asciidoc index 1e779bb95e..2554fcdeeb 100644 --- a/docs/AI-for-security/usecase-alert-triage.asciidoc +++ b/docs/AI-for-security/usecase-alert-triage.asciidoc 
@@ -4,14 +4,14 @@ Elastic AI Assistant can help you enhance and streamline your alert triage workf When you view an alert in {elastic-sec}, details such as related documents, hosts, and users appear alongside a synopsis of the events that triggered the alert. This data provides a starting point for understanding a potential threat. AI Assistant can answer questions about this data and offer insights and actionable recommendations to remediate the issue. -To enable AI Assistant to answer questions about alerts, you need to provide alert data as context for your prompts. You can either provide multiple alerts using the <> feature, or provide individual alerts directly. +To enable AI Assistant to answer questions about alerts, you need to provide alert data as context for your prompts. You can either provide multiple alerts using the <> feature, or provide individual alerts directly. [[ai-assistant-triage-alerts-knowledge-base]] [discrete] == Use AI Assistant to triage multiple alerts -Enable the <> **Alerts** setting to send AI Assistant data for up to 100 alerts as context for each of your prompts. With this setting enabled, you can ask AI Assistant questions such as "How many alerts are present in my environment?", "What are my most urgent alerts?", "Which alerts should I triage first?", "Do any of the alerts in my environment indicate data exfiltration from a Windows machine?", and more. +Enable the <> **Alerts** setting to send AI Assistant data for up to 500 alerts as context for each of your prompts. With this setting enabled, you can ask AI Assistant questions such as "How many alerts are present in my environment?", "What are my most urgent alerts?", "Which alerts should I triage first?", "Do any of the alerts in my environment indicate data exfiltration from a Windows machine?", and more. -For more information, refer to <>. +For more information, refer to <>. For a demo of AI Assistant's alert triage capabilities, refer to the following video. ======= 
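Review bot: Raising the context limit from 100 to 500 alerts in the "triage multiple alerts" paragraph means up to five times as much alert data leaves the cluster for the configured LLM connector per prompt, yet this section has no pointer to field selection or anonymization, unlike the per-alert procedure below it, which carries the NOTE "to learn about anonymizing your data, refer to <>". Suggest adding the same reference here so a reader enabling the **Alerts** setting sees how to limit and anonymize what is shared, and confirm that 500 is the enforced limit in this release rather than a connector- or model-dependent maximum, since the serverless copy of this page makes the same 500 claim.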
@@ -42,7 +42,7 @@ NOTE: For more information about selecting which fields to send, and to learn ab + . (Optional) Click a quick prompt to use it as a starting point for your query, for example **Alert summarization**. Improve the quality of AI Assistant's response by customizing the prompt and adding detail. + -Once you’ve submitted your query, AI Assistant will process the information and provide a detailed response. Depending on your prompt and the alert data that you included, its response can include a thorough analysis of the alert that highlights key elements such as the nature of the potential threat, potential impact, and suggested response actions. +Once you've submitted your query, AI Assistant will process the information and provide a detailed response. Depending on your prompt and the alert data that you included, its response can include a thorough analysis of the alert that highlights key elements such as the nature of the potential threat, potential impact, and suggested response actions. + . (Optional) Ask AI Assistant follow-up questions, provide additional information for further analysis, and request clarification. The response is not a static report. diff --git a/docs/AI-for-security/usecase-attack-discovery-ai-assistant-incident-reporting.asciidoc b/docs/AI-for-security/usecase-attack-discovery-ai-assistant-incident-reporting.asciidoc index 427f7a03cf..b708456d60 100644 --- a/docs/AI-for-security/usecase-attack-discovery-ai-assistant-incident-reporting.asciidoc +++ b/docs/AI-for-security/usecase-attack-discovery-ai-assistant-incident-reporting.asciidoc 
@@ -23,7 +23,7 @@ Attack discovery can detect a wide range of threats by finding relationships amo image::images/attck-disc-11-alerts-disc.png[An Attack discovery card showing an attack with 11 related alerts,90%] -In the example above, Attack discovery found connections between nine alerts, and used them to identify and describe an attack chain. +In the example above, Attack discovery found connections between thirteen alerts, and used them to identify and describe an attack chain. After Attack discovery outlines your threat landscape, use Elastic AI Assistant to quickly analyze a threat in detail. @@ -33,7 +33,7 @@ After Attack discovery outlines your threat landscape, use Elastic AI Assistant From a discovery on the Attack discovery page, click **View in AI Assistant** to start a chat that includes the discovery as context. -image::images/attck-disc-remediate-sodinokibi.gif[A dialogue with AI Assistant that has the attack discovery as context,90%] +image::images/attck-disc-remediate-threat.gif[A dialogue with AI Assistant that has the attack discovery as context,90%] AI Assistant can quickly compile essential data and provide suggestions to help you generate an incident report and plan an effective response. You can ask it to provide relevant data or answer questions, such as “How can I remediate this threat?” or “What {esql} query would isolate actions taken by this user?” diff --git a/docs/AI-for-security/usecase-esql-queries.asciidoc b/docs/AI-for-security/usecase-esql-queries.asciidoc index 0a8776ae54..537168c260 100644 --- a/docs/AI-for-security/usecase-esql-queries.asciidoc +++ b/docs/AI-for-security/usecase-esql-queries.asciidoc 
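Review bot: The first hunk changes the body text from "nine alerts" to "thirteen alerts", but the image it describes is still `attck-disc-11-alerts-disc.png` with the alt text "An Attack discovery card showing an attack with 11 related alerts", so the page now gives two different alert counts for the same screenshot. Either the alt text (and ideally the filename) should be updated to match the new binary in this same commit, or the sentence should use the count that the updated image actually shows. The second hunk, renaming the GIF to `attck-disc-remediate-threat.gif`, matches the binary add and delete in this patch.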
@@ -6,11 +6,7 @@ :frontmatter-tags-content-type: [guide] :frontmatter-tags-user-goals: [get-started] -Elastic AI Assistant can help you learn about and leverage the Elasticsearch Query Language ({esql}). - -With AI Assistant's <> enabled, AI Assistant benefits from specialized training data that enables it to answer questions related to {esql} at an expert level. - -AI Assistant can help with {esql} in many ways, including: +Elastic AI Assistant can help you learn about and leverage the Elasticsearch Query Language ({esql}) in many ways, including: * **Education and training**: AI Assistant can serve as a powerful {esql} learning tool. Ask it for examples, explanations of complex queries, and best practices. * **Writing new queries**: Prompt AI Assistant to provide a query that accomplishes a particular task, and it will generate a query matching your description. For example: "Write a query to identify documents with `curl.exe` usage and calculate the sum of `destination.bytes`" or "What query would return all user logins to [a host] in the last six hours?" diff --git a/docs/serverless/AI-for-security/ai-assistant-alert-triage.asciidoc b/docs/serverless/AI-for-security/ai-assistant-alert-triage.asciidoc index 4a94c2baf2..a650a822a3 100644 --- a/docs/serverless/AI-for-security/ai-assistant-alert-triage.asciidoc +++ b/docs/serverless/AI-for-security/ai-assistant-alert-triage.asciidoc 
@@ -4,22 +4,52 @@ // :description: Elastic AI Assistant can help you enhance and streamline your alert triage workflows. // :keywords: security, overview, get-started -preview:[] +Elastic AI Assistant can help you enhance and streamline your alert triage workflows by assessing multiple recent alerts in your environment, and helping you interpret an alert and its context. -Elastic AI Assistant can help you enhance and streamline your alert triage workflows. +When you view an alert in {elastic-sec}, details such as related documents, hosts, and users appear alongside a synopsis of the events that triggered the alert. This data provides a starting point for understanding a potential threat. AI Assistant can answer questions about this data and offer insights and actionable recommendations to remediate the issue. -AI Assistant can help you interpret an alert and understand its context. When you view an alert in {elastic-sec}, details such as related documents, hosts, and users appear alongside a synopsis of the events that triggered the alert. This data provides a starting point for understanding a potential threat. AI Assistant can answer questions about this data and offer insights and actionable recommendations to remediate the issue. +To enable AI Assistant to answer questions about alerts, you need to provide alert data as context for your prompts. You can either provide multiple alerts using the <> feature, or provide individual alerts directly. + +[[ai-assistant-triage-alerts-knowledge-base]] +[discrete] +== Use AI Assistant to triage multiple alerts +Enable the <> **Alerts** setting to send AI Assistant data for up to 500 alerts as context for each of your prompts. With this setting enabled, you can ask AI Assistant questions such as "How many alerts are present in my environment?", "What are my most urgent alerts?", "Which alerts should I triage first?", "Do any of the alerts in my environment indicate data exfiltration from a Windows machine?", and more. 
+ +For more information, refer to <>. + +For a demo of AI Assistant's alert triage capabilities, refer to the following video. +======= +++++ + + +
+++++ +======= [discrete] [[use-ai-assistant-to-triage-an-alert]] -== Use AI Assistant to triage an alert - -. Choose an alert to investigate, then click the **View details** button from the Alerts table. -. On the details flyout, click **Chat** to launch AI Assistant. Data related to the selected alert is automatically added to the prompt. -. Click **Alert (from summary)** to view which alert fields will be shared with AI Assistant. (For more information about selecting which fields to send, and to learn about anonymizing your data, refer to <>.) -. (Optional) Click a quick prompt to use it as a starting point for your query, for example, **Alert summarization**. Customize the prompt and add detail to improve AI Assistant's response. -Once you’ve submitted your query, the AI Assistant will process the information and provide a detailed response. Depending on your prompt and which alert data you included, its response can include a thorough analysis of the alert that highlights key elements such as the nature of the potential threat, potential impact, and suggested response actions. -. (Optional) Ask follow-up questions, provide additional information for further analysis, and request clarification. The response is not a static report. +== Use AI Assistant to triage a specific alert + +Once you have chosen an alert to investigate: + +. Click its **View details** button from the Alerts table. +. In the alert details flyout, click **Chat** to launch the AI assistant. Data related to the selected alert is automatically added to the prompt. +. Click **Alert (from summary)** to view which alert fields will be shared with AI Assistant. ++ +NOTE: For more information about selecting which fields to send, and to learn about anonymizing your data, refer to <>. ++ +. (Optional) Click a quick prompt to use it as a starting point for your query, for example **Alert summarization**. Improve the quality of AI Assistant's response by customizing the prompt and adding detail. 
++ +Once you've submitted your query, AI Assistant will process the information and provide a detailed response. Depending on your prompt and the alert data that you included, its response can include a thorough analysis of the alert that highlights key elements such as the nature of the potential threat, potential impact, and suggested response actions. ++ +. (Optional) Ask AI Assistant follow-up questions, provide additional information for further analysis, and request clarification. The response is not a static report. [discrete] [[generate-triage-reports]] diff --git a/docs/serverless/AI-for-security/ai-assistant-esql-queries.asciidoc b/docs/serverless/AI-for-security/ai-assistant-esql-queries.asciidoc index 1c4d2982bf..d586f5719c 100644 --- a/docs/serverless/AI-for-security/ai-assistant-esql-queries.asciidoc +++ b/docs/serverless/AI-for-security/ai-assistant-esql-queries.asciidoc 
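Review bot: Dropping `preview:[]` at the top of the serverless alert-triage page silently removes the technical-preview label from the feature; if this is a deliberate GA change it should be called out in the PR description, otherwise the line should stay. Two smaller points in the same hunk: step 2 reads "click **Chat** to launch the AI assistant" while every other occurrence on the page uses "AI Assistant" (capitalised product name), and the new "Use AI Assistant to triage multiple alerts" section promises a video ("refer to the following video") inside `=======` / `++++` passthrough markers whose embedded content is empty here, so check that the embed survived the copy from the non-serverless page.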
@@ -4,11 +4,7 @@ // :description: AI Assistant has specialized {esql} capabilities. // :keywords: security, overview, get-started -Elastic AI Assistant can help you learn about and leverage the Elasticsearch Query Language ({esql}). - -With AI Assistant's <> enabled, AI Assistant benefits from specialized training data that enables it to answer questions related to {esql} at an expert level. - -AI Assistant can help with {esql} in many ways, including: +Elastic AI Assistant can help you learn about and leverage the Elasticsearch Query Language ({esql}) in many ways, including: * **Education and training**: AI Assistant can serve as a powerful {esql} learning tool. Ask it for examples, explanations of complex queries, and best practices. * **Writing new queries**: Prompt AI Assistant to provide a query that accomplishes a particular task, and it will generate a query matching your description. For example: "Write a query to identify documents with `curl.exe` usage and calculate the sum of `destination.bytes`" or "What query would return all user logins to [a host] in the last six hours?" diff --git a/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png b/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png index 0f2bf87bac..e6319da2b4 100644 Binary files a/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png and b/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png differ diff --git a/docs/serverless/AI-for-security/images/attck-disc-remediate-sodinokibi.gif b/docs/serverless/AI-for-security/images/attck-disc-remediate-sodinokibi.gif deleted file mode 100644 index f4fd2c9ed1..0000000000 Binary files a/docs/serverless/AI-for-security/images/attck-disc-remediate-sodinokibi.gif and /dev/null differ 
diff --git a/docs/serverless/AI-for-security/images/attck-disc-remediate-threat.gif b/docs/serverless/AI-for-security/images/attck-disc-remediate-threat.gif new file mode 100644 index 0000000000..e31f84235e Binary files /dev/null and b/docs/serverless/AI-for-security/images/attck-disc-remediate-threat.gif differ diff --git a/docs/serverless/AI-for-security/images/attck-disc-translate-japanese.png b/docs/serverless/AI-for-security/images/attck-disc-translate-japanese.png index 190efbb09e..320b3fd1a5 100644 Binary files a/docs/serverless/AI-for-security/images/attck-disc-translate-japanese.png and b/docs/serverless/AI-for-security/images/attck-disc-translate-japanese.png differ diff --git a/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc b/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc index baf09b362a..57c6d262d1 100644 --- a/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc +++ b/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc @@ -1,8 +1,10 @@ [[security-ai-usecase-incident-reporting]] = Identify, investigate, and document threats -// :description: Use Attack discovery and AI Assistant to manage threats. -// :keywords: security, overview, get-started +:frontmatter-description: Elastic AI Assistant can help you write ES|QL queries. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [guide] +:frontmatter-tags-user-goals: [get-started] Together, <> and <> can help you identify and mitigate threats, investigate incidents, and generate incident reports in various languages so you can monitor and protect your environment. 
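Review bot: The new frontmatter on `usecase-attack-disc-ai-assistant-incident-reporting.asciidoc` sets `:frontmatter-description: Elastic AI Assistant can help you write ES|QL queries.`, which describes the ES|QL use-case page, not this one; the page title is "Identify, investigate, and document threats" and the removed comment `// :description: Use Attack discovery and AI Assistant to manage threats.` is the accurate summary. Suggest carrying that wording into the new `:frontmatter-description:` attribute, since the description is what search results and index pages will display.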
@@ -22,7 +24,7 @@ Attack discovery can detect a wide range of threats by finding relationships amo [role="screenshot"] image::images/attck-disc-11-alerts-disc.png[An Attack discovery card showing an attack with 11 related alerts] -In the example above, Attack discovery found connections between nine alerts, and used them to identify and describe an attack chain. +In the example above, Attack discovery found connections between thirteen alerts, and used them to identify and describe an attack chain. After Attack discovery outlines your threat landscape, use Elastic AI Assistant to quickly analyze a threat in detail. @@ -33,7 +35,7 @@ After Attack discovery outlines your threat landscape, use Elastic AI Assistant From a discovery on the Attack discovery page, click **View in AI Assistant** to start a chat that includes the discovery as context. [role="screenshot"] -image::images/attck-disc-remediate-sodinokibi.gif[A dialogue with AI Assistant that has the attack discovery as context] +image::images/attck-disc-remediate-threat.gif[A dialogue with AI Assistant that has the attack discovery as context,90%] AI Assistant can quickly compile essential data and provide suggestions to help you generate an incident report and plan an effective response. You can ask it to provide relevant data or answer questions, such as “How can I remediate this threat?” or “What {esql} query would isolate actions taken by this user?” 
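Review bot: Same mismatch as in the non-serverless copy: the text now says "thirteen alerts" while the image reference on the preceding line remains `attck-disc-11-alerts-disc.png[An Attack discovery card showing an attack with 11 related alerts]`. Update the alt text to the count shown in the replaced screenshot so the two copies of this page stay consistent with each other and with the image.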
@@ -48,7 +50,7 @@ At any point in a conversation with AI Assistant, you can add data, narrative su [[use-case-incident-reporting-create-a-case-using-ai-assistant]] == Generate reports -From the AI Assistant dialog window, click **Add to case** (image:images/icons/addDataApp.svg[Add data]) next to a message to add the information in that message to a <>. Cases help centralize relevant details in one place for easy sharing with stakeholders. +From the AI Assistant dialog window, click **Add to case** (image:images/icons/addDataApp.svg[Add data,19,16]) next to a message to add the information in that message to a <>. Cases help centralize relevant details in one place for easy sharing with stakeholders. If you add a message that contains a discovery to a case, AI Assistant automatically adds the attack summary and all associated alerts to the case. You can also add AI Assistant messages that contain remediation steps and relevant data to the case. @@ -57,7 +59,7 @@ If you add a message that contains a discovery to a case, AI Assistant automatic == Translate incident information to a different human language using AI Assistant [role="screenshot"] -image::images/attck-disc-translate-japanese.png[An AI Assistant dialogue in which the assistant translates from English to Japanese] +image::images/attck-disc-translate-japanese.png[An AI Assistant dialogue in which the assistant translates from English to Japanese,90%] AI Assistant can translate its findings into other human languages, helping to enable collaboration among global security teams, and making it easier to operate within multilingual organizations. 
diff --git a/docs/serverless/images/ai-assistant-alert-triage/ai-triage-add-to-case.png b/docs/serverless/images/ai-assistant-alert-triage/ai-triage-add-to-case.png index 29d0f91333..06aa13ca6a 100644 Binary files a/docs/serverless/images/ai-assistant-alert-triage/ai-triage-add-to-case.png and b/docs/serverless/images/ai-assistant-alert-triage/ai-triage-add-to-case.png differ