Description
What
Document new Attack Discovery Scheduling and Notification feature
New Capabilities
- Schedule Attack Discoveries - Users can now define recurring schedules for automatic Attack Discovery generation (e.g., daily, weekly).
- Action-based Notifications - If discoveries are found, notifications can be sent via configured actions (e.g., Slack, email, webhook).
- Configurable Notification Context - Users can customize what context is included in the notification.
- Manual Generation Still Supported - Users can still manually generate discoveries regardless of whether a schedule is active.
Why
This update removes the dependency on manual interaction, enabling more automated, proactive security monitoring through scheduled Attack Discovery and real-time alerting when suspicious activity is found.
Notes
- Reference the new "Scheduling" tab or section in the Attack Discovery UI.
- Clarify how users can configure action connectors (e.g., link to the Actions and Connectors docs).
- Mention that users can define the notification content to tailor alert context to their needs.
- Provide one or two sample use cases (e.g., "Run every 24 hours, alert the SecOps Slack channel if discoveries are found").
Resources
Epic: https://github.com/elastic/security-team/issues/10142
PR: https://github.com/elastic/security-team/issues/12006
Figma: link
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
n/a
What release is this request related to?
8.19 and 9.1
Serverless release
n/a
Collaboration model
The documentation team
Point of contact.
Stakeholders: @jamesspi