diff --git a/docs/AI-for-security/attack-discovery.asciidoc b/docs/AI-for-security/attack-discovery.asciidoc index 01bceba437..4b2c109d17 100644 --- a/docs/AI-for-security/attack-discovery.asciidoc +++ b/docs/AI-for-security/attack-discovery.asciidoc @@ -1,6 +1,6 @@ [[attack-discovery]] [chapter] -= Attack discovery += Attack Discovery :frontmatter-description: Accelerate threat identification by triaging alerts with a large language model. :frontmatter-tags-products: [security] @@ -9,7 +9,7 @@ preview::["This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features."] -Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond. +Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond. For a demo, refer to the following video. ======= @@ -33,34 +33,42 @@ This page describes: * <> * <> +[discrete] +[[attack-discovery-rbac]] +== Role-based access control (RBAC) for Attack Discovery + +The `Attack Discovery: All` privilege allows you to use Attack Discovery. + +image::images/attck-disc-rbac.png[Attack Discovery's RBAC settings,60%] + [[attack-discovery-generate-discoveries]] [discrete] == Generate discoveries -When you access Attack discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack discovery uses the same LLM connectors as <>. To get started: +When you access Attack Discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as <>. To get started: -. Click the **Attack discovery** page from {elastic-sec}'s navigation menu. +. Click the **Attack Discovery** page from {elastic-sec}'s navigation menu. . Select an existing connector from the dropdown menu, or add a new one. + .Recommended models [sidebar] -- -While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3.5 Sonnet. In general, models with larger context windows are more effective for Attack discovery. +While Attack Discovery is compatible with many different models, refer to the <> to see which models perform best. -- + -image::images/attck-disc-select-model-empty-state.png[] +image::images/attck-disc-select-model-empty.png[] + . Once you've selected a connector, click **Generate** to start the analysis. It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. -IMPORTANT: Attack discovery is in technical preview and will only analyze opened and acknowleged alerts from the past 24 hours. By default it only analyzes up to 20 alerts within this timeframe, but you can expand this up to 100 by going to **AI Assistant → Settings (image:images/icon-settings.png[Settings icon,17,17]) → Knowledge Base** and updating the **Alerts** setting. +IMPORTANT: By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon (image:images/icon-settings.png[Settings icon,17,17]) next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error. -image::images/knowledge-base-assistant-settings-kb-tab.png["AI Assistant's settings menu open to the Knowledge Base tab",75%] +image::images/attck-disc-alerts-number-menu.png["Attack Discovery's settings menu",75%] -IMPORTANT: Attack discovery uses the same data anonymization settings as <>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. +IMPORTANT: Attack Discovery uses the same data anonymization settings as <>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. -Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack discovery process again with the most current alerts. +Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack Discovery process again with the most current alerts. [[attack-discovery-what-info]] [discrete] @@ -72,7 +80,7 @@ Each discovery includes the following information describing the potential threa . The number of associated alerts and which parts of the https://attack.mitre.org/[MITRE ATT&CK matrix] they correspond to. . The implicated entities (users and hosts), and what suspicious activity was observed for each. -image::images/attack-discovery-full-card.png[Attack discovery detail view] +image::images/attck-disc-example-disc.png[Attack Discovery detail view] [[attack-discovery-workflows]] [discrete] @@ -86,4 +94,4 @@ There are several ways you can incorporate discoveries into your {elastic-sec} w * Click **Investigate in timeline** to explore the discovery in <>. * Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow-up questions about the discovery or associated alerts. -image::images/add-discovery-to-assistant.gif[Attack discovery view in AI Assistant] +image::images/add-discovery-to-assistant.gif[Attack Discovery view in AI Assistant] diff --git a/docs/AI-for-security/images/add-discovery-to-assistant.gif b/docs/AI-for-security/images/add-discovery-to-assistant.gif index d2d969d60e..e532c7ecc0 100644 Binary files a/docs/AI-for-security/images/add-discovery-to-assistant.gif and b/docs/AI-for-security/images/add-discovery-to-assistant.gif differ diff --git a/docs/AI-for-security/images/attck-disc-11-alerts-disc.png b/docs/AI-for-security/images/attck-disc-11-alerts-disc.png index e6319da2b4..f36bf0424a 100644 Binary files a/docs/AI-for-security/images/attck-disc-11-alerts-disc.png and b/docs/AI-for-security/images/attck-disc-11-alerts-disc.png differ diff --git a/docs/AI-for-security/images/attck-disc-alerts-number-menu.png b/docs/AI-for-security/images/attck-disc-alerts-number-menu.png new file mode 100644 index 0000000000..bcbb57ccce Binary files /dev/null and b/docs/AI-for-security/images/attck-disc-alerts-number-menu.png differ diff --git a/docs/AI-for-security/images/attck-disc-example-disc.png b/docs/AI-for-security/images/attck-disc-example-disc.png new file mode 100644 index 0000000000..f36bf0424a Binary files /dev/null and b/docs/AI-for-security/images/attck-disc-example-disc.png differ diff --git a/docs/AI-for-security/images/attck-disc-rbac.png b/docs/AI-for-security/images/attck-disc-rbac.png new file mode 100644 index 0000000000..36a3c27e42 Binary files /dev/null and b/docs/AI-for-security/images/attck-disc-rbac.png differ diff --git a/docs/AI-for-security/images/attck-disc-select-model-empty.png b/docs/AI-for-security/images/attck-disc-select-model-empty.png new file mode 100644 index 0000000000..b1eb9488f1 Binary files /dev/null and b/docs/AI-for-security/images/attck-disc-select-model-empty.png differ diff --git a/docs/AI-for-security/usecase-alert-triage.asciidoc b/docs/AI-for-security/usecase-alert-triage.asciidoc index 2554fcdeeb..a5842ce260 100644 --- a/docs/AI-for-security/usecase-alert-triage.asciidoc +++ b/docs/AI-for-security/usecase-alert-triage.asciidoc @@ -9,26 +9,10 @@ To enable AI Assistant to answer questions about alerts, you need to provide ale [[ai-assistant-triage-alerts-knowledge-base]] [discrete] == Use AI Assistant to triage multiple alerts -Enable the <> **Alerts** setting to send AI Assistant data for up to 500 alerts as context for each of your prompts. With this setting enabled, you can ask AI Assistant questions such as "How many alerts are present in my environment?", "What are my most urgent alerts?", "Which alerts should I triage first?", "Do any of the alerts in my environment indicate data exfiltration from a Windows machine?", and more. +Enable the <> **Alerts** setting to send AI Assistant data for up to 500 alerts as context for each of your prompts. Use the slider on the Security AI settings' **Knowledge Base** tab to select the number of alerts to send to AI Assistant. For more information, refer to <>. -For a demo of AI Assistant's alert triage capabilities, refer to the following video. -======= -++++ - - -
-++++ -======= - [[ai-assistant-triage-alerts-instructions]] [discrete] == Use AI Assistant to triage a specific alert diff --git a/docs/serverless/AI-for-security/ai-assistant-alert-triage.asciidoc b/docs/serverless/AI-for-security/ai-assistant-alert-triage.asciidoc index a650a822a3..9864d590a0 100644 --- a/docs/serverless/AI-for-security/ai-assistant-alert-triage.asciidoc +++ b/docs/serverless/AI-for-security/ai-assistant-alert-triage.asciidoc @@ -13,25 +13,10 @@ To enable AI Assistant to answer questions about alerts, you need to provide ale [[ai-assistant-triage-alerts-knowledge-base]] [discrete] == Use AI Assistant to triage multiple alerts -Enable the <> **Alerts** setting to send AI Assistant data for up to 500 alerts as context for each of your prompts. With this setting enabled, you can ask AI Assistant questions such as "How many alerts are present in my environment?", "What are my most urgent alerts?", "Which alerts should I triage first?", "Do any of the alerts in my environment indicate data exfiltration from a Windows machine?", and more. +Enable the <> **Alerts** setting to send AI Assistant data for up to 500 alerts as context for each of your prompts. Use the slider on the Security AI settings' **Knowledge Base** tab to select the number of alerts to send to AI Assistant. For more information, refer to <>. -For a demo of AI Assistant's alert triage capabilities, refer to the following video. -======= -++++ - - -
-++++ -======= [discrete] [[use-ai-assistant-to-triage-an-alert]] diff --git a/docs/serverless/AI-for-security/ai-for-security-landing-pg.asciidoc b/docs/serverless/AI-for-security/ai-for-security-landing-pg.asciidoc index f15deda925..877c1271c8 100644 --- a/docs/serverless/AI-for-security/ai-for-security-landing-pg.asciidoc +++ b/docs/serverless/AI-for-security/ai-for-security-landing-pg.asciidoc @@ -4,4 +4,4 @@ // :description: Learn about Elastic's native AI security tools. // :keywords: serverless, security, overview, LLM, artificial intelligence -You can use {elastic-sec}’s built-in AI tools to speed up your work and augment your team’s capabilities. The pages in this section describe <>, which answers questions and enhances your workflows throughout Elastic Security, and <>, which speeds up the triage process by finding patterns and identifying attacks spanning multiple alerts. +You can use {elastic-sec}’s built-in AI tools to speed up your work and augment your team’s capabilities. The pages in this section describe <>, which answers questions and enhances your workflows throughout Elastic Security, and <>, which speeds up the triage process by finding patterns and identifying attacks spanning multiple alerts. diff --git a/docs/serverless/AI-for-security/attack-discovery.asciidoc b/docs/serverless/AI-for-security/attack-discovery.asciidoc index fcfd0cf904..1b3d0e0d4b 100644 --- a/docs/serverless/AI-for-security/attack-discovery.asciidoc +++ b/docs/serverless/AI-for-security/attack-discovery.asciidoc @@ -1,23 +1,20 @@ -[[security-attack-discovery]] -= Attack discovery +[[attack-discovery]] +[chapter] += Attack Discovery -// :description: Accelerate threat identification by triaging alerts with a large language model. -// :keywords: serverless, security, overview, LLM, artificial intelligence +:frontmatter-description: Accelerate threat identification by triaging alerts with a large language model. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [overview] +:frontmatter-tags-user-goals: [get-started] -preview:[] +preview::["This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features."] -.Technical preview -[IMPORTANT] -==== -This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features. -==== - -Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond. +Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond. For a demo, refer to the following video. - +======= ++++ - + +
++++ +======= This page describes: -* <> -* <> -* <> +* <> +* <> +* <> + +[discrete] +[[attack-discovery-rbac]] +== Role-based access control (RBAC) for Attack Discovery + +The `Attack Discovery: All` privilege allows you to use Attack Discovery. + +image::images/attck-disc-rbac.png[Attack Discovery's RBAC settings,60%] +[[attack-discovery-generate-discoveries]] [discrete] -[[generate-discoveries]] == Generate discoveries -When you access Attack discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack discovery uses the same LLM connectors as <>. To get started: +When you access Attack Discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as <>. To get started: -. Click the **Attack discovery** page from {elastic-sec}'s navigation menu. +. Click the **Attack Discovery** page from {elastic-sec}'s navigation menu. . Select an existing connector from the dropdown menu, or add a new one. + .Recommended models -[NOTE] -==== -While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3.5 Sonnet. In general, models with larger context windows are more effective for Attack discovery. -==== +[sidebar] +-- +While Attack Discovery is compatible with many different models, refer to the <> to see which models perform best. +-- + -[role="screenshot"] -image::images/attack-discovery/attck-disc-select-model-empty-state.png[Attack discovery empty state] +image::images/attck-disc-select-model-empty.png[] + . Once you've selected a connector, click **Generate** to start the analysis. -It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. +It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. -[IMPORTANT] -==== -Attack discovery is in technical preview and will only analyze opened and acknowleged alerts from the past 24 hours. By default it analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon image:images/icons/gear.svg[Settings icon] next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error. -==== +IMPORTANT: By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon (image:images/icons/gear.svg[Settings icon,17,17]) next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error. -[role="screenshot"] -image::images/attack-discovery/attck-disc-alerts-number-menu.png[AI Assistant knowledge base menu] +image::images/attck-disc-alerts-number-menu.png["Attack Discovery's settings menu",75%] -[IMPORTANT] -==== -Attack discovery uses the same data anonymization settings as <>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. -==== +IMPORTANT: Attack Discovery uses the same data anonymization settings as <>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. -Once the analysis is complete, any threats it identifies appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack discovery process again with the most current alerts. +Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack Discovery process again with the most current alerts. +[[attack-discovery-what-info]] [discrete] -[[discovery-info]] == What information does each discovery include? Each discovery includes the following information describing the potential threat, generated by the connected LLM: -* A descriptive title and a summary of the potential threat. -* The number of associated alerts and which parts of the https://attack.mitre.org/[MITRE ATT&CK matrix] they correspond to. -* The implicated entities (users and hosts), and what suspicious activity was observed for each. +. A descriptive title and a summary of the potential threat. +. The number of associated alerts and which parts of the https://attack.mitre.org/[MITRE ATT&CK matrix] they correspond to. +. The implicated entities (users and hosts), and what suspicious activity was observed for each. -[role="screenshot"] -image::images/attack-discovery/attack-discovery-full-card.png[Attack discovery detail view] +image::images/attck-disc-example-disc.png[Attack Discovery detail view] +[[attack-discovery-workflows]] [discrete] -[[workflows]] == Incorporate discoveries with other workflows There are several ways you can incorporate discoveries into your {elastic-sec} workflows: * Click an entity's name to open the user or host details flyout and view more details that may be relevant to your investigation. -* Hover over an entity's name to either add the entity to Timeline (image:images/icons/timeline.svg[Timeline]) or copy its field name and value to the clipboard (image:images/icons/copyClipboard.svg[Copy to clipboard]). -* Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a case. This makes it easy to share the information with your team and other stakeholders. -* Click **Investigate in timeline** to explore the discovery in Timeline. -* Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow up questions about the discovery or associated alerts. +* Hover over an entity's name to either add the entity to Timeline (image:images/icons/timelineWithArrow.svg[Add to timeline icon,17,18]) or copy its field name and value to the clipboard (image:images/icons/copyClipboard.svg[Copy to clipboard icon,17,18]). +* Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a <>. This makes it easy to share the information with your team and other stakeholders. +* Click **Investigate in timeline** to explore the discovery in <>. +* Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow-up questions about the discovery or associated alerts. -[role="screenshot"] -image::images/attack-discovery/add-discovery-to-conversation.gif[Attack discovery view in AI Assistant] +image::images/add-discovery-to-assistant.gif[Attack Discovery view in AI Assistant] diff --git a/docs/serverless/AI-for-security/connect-to-byo-llm.asciidoc b/docs/serverless/AI-for-security/connect-to-byo-llm.asciidoc index 1a774d2c76..2164ddd100 100644 --- a/docs/serverless/AI-for-security/connect-to-byo-llm.asciidoc +++ b/docs/serverless/AI-for-security/connect-to-byo-llm.asciidoc @@ -219,5 +219,5 @@ Setup is now complete. You can use the model you've loaded in LM Studio to power [NOTE] ==== -While local models work well for <>, we recommend you use one of <> for interacting with <>. As local models become more performant over time, this is likely to change. +While local models work well for <>, we recommend you use one of <> for interacting with <>. As local models become more performant over time, this is likely to change. ==== diff --git a/docs/serverless/AI-for-security/images/add-discovery-to-assistant.gif b/docs/serverless/AI-for-security/images/add-discovery-to-assistant.gif new file mode 100644 index 0000000000..e532c7ecc0 Binary files /dev/null and b/docs/serverless/AI-for-security/images/add-discovery-to-assistant.gif differ diff --git a/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png b/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png index e6319da2b4..f36bf0424a 100644 Binary files a/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png and b/docs/serverless/AI-for-security/images/attck-disc-11-alerts-disc.png differ diff --git a/docs/serverless/AI-for-security/images/attck-disc-example-disc.png b/docs/serverless/AI-for-security/images/attck-disc-example-disc.png new file mode 100644 index 0000000000..f36bf0424a Binary files /dev/null and b/docs/serverless/AI-for-security/images/attck-disc-example-disc.png differ diff --git a/docs/serverless/AI-for-security/images/attck-disc-rbac.png b/docs/serverless/AI-for-security/images/attck-disc-rbac.png new file mode 100644 index 0000000000..36a3c27e42 Binary files /dev/null and b/docs/serverless/AI-for-security/images/attck-disc-rbac.png differ diff --git a/docs/serverless/AI-for-security/images/attck-disc-select-model-empty.png b/docs/serverless/AI-for-security/images/attck-disc-select-model-empty.png new file mode 100644 index 0000000000..b1eb9488f1 Binary files /dev/null and b/docs/serverless/AI-for-security/images/attck-disc-select-model-empty.png differ diff --git a/docs/serverless/AI-for-security/llm-connector-guides.asciidoc b/docs/serverless/AI-for-security/llm-connector-guides.asciidoc index 56c981acbb..b77480d407 100644 --- a/docs/serverless/AI-for-security/llm-connector-guides.asciidoc +++ b/docs/serverless/AI-for-security/llm-connector-guides.asciidoc @@ -4,7 +4,7 @@ // :description: Set up LLM connectors to enable AI features in {elastic-sec} // :keywords: security, overview, get-started -This section contains instructions for setting up connectors for LLMs so you can use <> and <>. +This section contains instructions for setting up connectors for LLMs so you can use <> and <>. Setup guides are available for the following LLM providers: diff --git a/docs/serverless/AI-for-security/llm-performance-matrix.asciidoc b/docs/serverless/AI-for-security/llm-performance-matrix.asciidoc index 7a6b86ca45..3dafe9f8c1 100644 --- a/docs/serverless/AI-for-security/llm-performance-matrix.asciidoc +++ b/docs/serverless/AI-for-security/llm-performance-matrix.asciidoc @@ -4,7 +4,7 @@ // :description: Learn how different models perform on different tasks in {elastic-sec}. // :keywords: security, overview, get-started -This table describes the performance of various large language models (LLMs) for different use cases in {elastic-sec}, based on our internal testing. To learn more about these use cases, refer to <> or <>. +This table describes the performance of various large language models (LLMs) for different use cases in {elastic-sec}, based on our internal testing. To learn more about these use cases, refer to <> or <>. |=== | **Feature**| **Model**| | | | | | diff --git a/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc b/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc index 57c6d262d1..c8adfd44b3 100644 --- a/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc +++ b/docs/serverless/AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc @@ -6,7 +6,7 @@ :frontmatter-tags-content-type: [guide] :frontmatter-tags-user-goals: [get-started] -Together, <> and <> can help you identify and mitigate threats, investigate incidents, and generate incident reports in various languages so you can monitor and protect your environment. +Together, <> and <> can help you identify and mitigate threats, investigate incidents, and generate incident reports in various languages so you can monitor and protect your environment. In this guide, you'll learn how to: @@ -19,7 +19,7 @@ In this guide, you'll learn how to: [[use-case-incident-reporting-use-attack-discovery-to-identify-threats]] == Use Attack discovery to identify threats -Attack discovery can detect a wide range of threats by finding relationships among alerts that may indicate a coordinated attack. This enables you to comprehend how threats move through and affect your systems. Attack discovery generates a detailed summary of each potential threat, which can serve as the basis for further analysis. Learn how to <>. +Attack Discovery can detect a wide range of threats by finding relationships among alerts that may indicate a coordinated attack. This enables you to comprehend how threats move through and affect your systems. Attack Discovery generates a detailed summary of each potential threat, which can serve as the basis for further analysis. Learn how to <>. [role="screenshot"] image::images/attck-disc-11-alerts-disc.png[An Attack discovery card showing an attack with 11 related alerts]