diff --git a/images/security-attack-discovery-more-popover.png b/images/security-attack-discovery-more-popover.png new file mode 100644 index 0000000000..6e1b2b5658 Binary files /dev/null and b/images/security-attack-discovery-more-popover.png differ diff --git a/images/security-attack-discovery-settings.png b/images/security-attack-discovery-settings.png new file mode 100644 index 0000000000..2598eeb935 Binary files /dev/null and b/images/security-attack-discovery-settings.png differ diff --git a/solutions/security/ai/ai-assistant.md b/solutions/security/ai/ai-assistant.md index 2cc5e16b09..0fdcfcf31b 100644 --- a/solutions/security/ai/ai-assistant.md +++ b/solutions/security/ai/ai-assistant.md @@ -10,7 +10,7 @@ applies_to: # AI Assistant -The Elastic AI Assistant utilizes generative AI to bolster your cybersecurity operations team. It allows users to interact with {{elastic-sec}} for tasks such as alert investigation, incident response, and query generation or conversion using natural language and much more. +The Elastic AI Assistant utilizes generative AI to bolster your cybersecurity operations team. It allows users to interact with {{elastic-sec}} for tasks such as alert investigation, incident response, and query generation or conversation using natural language and much more. :::{image} /solutions/images/security-assistant-basic-view.png :alt: Image of AI Assistant chat window @@ -75,7 +75,7 @@ You can also chat with AI Assistant from several particular pages in {{elastic-s * [Data Quality dashboard](/solutions/security/dashboards/data-quality-dashboard.md): Select the **Incompatible fields** tab, then click **Chat**. (This is only available for fields marked red, indicating they’re incompatible). ::::{note} -Each user’s chat history (up to the 99 most recent conversations) and custom Quick Prompts are automatically saved, so you can leave {{elastic-sec}} and return to a conversation later. Chat history appears to the left of the AI Assistant chat window, and on the **Conversations** tab of the **AI Assistant settings** menu. To access the settings menu, use the global search field to search for "AI Assistant for Security". +Each user’s chat history (up to the 99 most recent conversations) and custom Quick Prompts are automatically saved, so you can leave {{elastic-sec}} and return to a conversation later. Chat history appears to the left of the AI Assistant chat window, and on the **Conversations** tab of the **AI Assistant settings** menu. To access the settings menu, use the global search field to search for "AI Assistant for Security" or open the menu in the upper-right of the AI Assistant chat window. :::: @@ -87,16 +87,16 @@ Use these features to adjust and act on your conversations with AI Assistant: * (Optional) Select a *System Prompt* at the beginning of a conversation by using the **Select Prompt** menu. System Prompts provide context to the model, informing its response. To create a System Prompt, open the System Prompts dropdown menu and click **+ Add new System Prompt…​**. * (Optional) Select a *Quick Prompt* at the bottom of the chat window to get help writing a prompt for a specific purpose, such as summarizing an alert or converting a query from a legacy SIEM to {{elastic-sec}}. - :::{image} /solutions/images/security-quick-prompts.png - :alt: Quick Prompts highlighted below a conversation - :screenshot: - ::: + :::{image} ../../images/security-quick-prompts.png + :alt: Quick Prompts highlighted below a conversation + :screenshot: + ::: * System Prompts and Quick Prompts can also be configured from the corresponding tabs on the **Security AI settings** page. - :::{image} /solutions/images/security-assistant-settings-system-prompts.png - :alt: The Security AI settings menu's System Prompts tab - ::: + :::{image} ../../images/security-assistant-settings-system-prompts.png + :alt: The Security AI settings menu's System Prompts tab + ::: * Quick Prompt availability varies based on context—for example, the **Alert summarization** Quick Prompt appears when you open AI Assistant while viewing an alert. To customize existing Quick Prompts and create new ones, click **Add Quick Prompt**. * In an active conversation, you can use the inline actions that appear on messages to incorporate AI Assistant’s responses into your workflows: @@ -117,7 +117,16 @@ AI Assistant can remember particular information you tell it to remember. For ex ## Configure AI Assistant [configure-ai-assistant] -The **Security AI settings** page allows you to configure AI Assistant. To access it, use the global search field to search for "AI Assistant for Security". +To adjust AI Assistant's settings from the chat window, click the **More** (three dots) button in the upper-right. + +::::{image} ../../../images/security-attack-discovery-more-popover.png +:alt: AI Assistant's more options popover +:screenshot: +:::: + +The first three options (**AI Assistant settings**, **Knowledge Base**, and **Anonymization**) open the corresponding tabs of the **Security AI settings** page. The **Chat options** affect display-only user settings: whether to show or hide anonymized values, and whether to include citations. When citations are enabled, AI Assistant will refer you to information sources including data you've shared with it, information you've added to the knowledge base, and content from Elastic's Security Labs and product documentation. + +The **Security AI settings** page provides a range of configuration options for AI Assistant. To access it directly, use the global search field to search for "AI Assistant for Security". It has the following tabs: diff --git a/solutions/security/ai/attack-discovery.md b/solutions/security/ai/attack-discovery.md index 7857dc341a..763885fd73 100644 --- a/solutions/security/ai/attack-discovery.md +++ b/solutions/security/ai/attack-discovery.md @@ -31,13 +31,34 @@ This page describes: ## Role-based access control (RBAC) for Attack Discovery [attack-discovery-rbac] -The `Attack Discovery: All` privilege allows you to use Attack Discovery. +You need the `Attack Discovery: All` privilege to use Attack Discovery. ![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png) +## Set up Attack Discovery + +By default, Attack Discovery analyzes up to 100 alerts from the last 24 hours, but you can customize how many and which alerts it analyzes using the settings menu. To open it, click the gear icon next to the **Generate** button. + +::::{image} ../../../images/security-attack-discovery-settings.png +:alt: Attack Discovery's settings menu +:width: 500px +:::: + +You can select which alerts Attack Discovery will process by filtering based on a KQL query, the time and date selector, and the **Number of alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error. Under **Alert summary** you can view a summary of the selected alerts grouped by various fields, and under **Alerts preview** you can see more details about the selected alerts. + +:::{admonition} How to add non-ECS fields to Attack Discovery +Attack Discovery is designed for use with alerts based on data that complies with ECS, and by default only analyses ECS-compliant fields. However, you can enable Attack Discovery to review additional fields by following these steps: + +1. Select an alert with some of the non-ECS fields you want to analyze, and go to its details flyout. From here, use the **Chat** button to open AI Assistant. +2. At the bottom of the chat window, the alert's information appears. Click **Edit** to open the anonymization window to this alert's fields. +3. Search for and select the non-ECS fields you want Attack Discovery to analyze. Set them to **Allowed**. + +The selected fields can now be analyzed the next time you run Attack Discovery. +::: + ## Generate discoveries [attack-discovery-generate-discoveries] -When you access Attack Discovery for the first time, you’ll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as [AI Assistant](/solutions/security/ai/ai-assistant.md). To get started: +You’ll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as [AI Assistant](/solutions/security/ai/ai-assistant.md). To get started: 1. Click the **Attack Discovery** page from {{elastic-sec}}'s navigation menu. 2. Select an existing connector from the dropdown menu, or add a new one. @@ -54,26 +75,13 @@ When you access Attack Discovery for the first time, you’ll need to select an 3. Once you’ve selected a connector, click **Generate** to start the analysis. -It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. - -::::{important} -By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon (![Settings icon](/solutions/images/security-icon-settings.png "title =20x20")) next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error. -:::: - - -:::{image} /solutions/images/security-attck-disc-alerts-number-menu.png -:alt: Attack Discovery's settings menu -:width: 600px -::: +It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one’s title to expand or collapse it. Click **Generate** at any time to start the Attack Discovery process again with the selected alerts. ::::{important} Attack Discovery uses the same data anonymization settings as [Elastic AI Assistant](/solutions/security/ai/ai-assistant.md). To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. :::: -Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one’s title to expand or collapse it. Click **Generate** at any time to start the Attack Discovery process again with the most current alerts. - - ## What information does each discovery include? [attack-discovery-what-info] Each discovery includes the following information describing the potential threat, generated by the connected LLM: diff --git a/solutions/security/ai/connect-to-amazon-bedrock.md b/solutions/security/ai/connect-to-amazon-bedrock.md index 74fc05a309..a9d0fb6f27 100644 --- a/solutions/security/ai/connect-to-amazon-bedrock.md +++ b/solutions/security/ai/connect-to-amazon-bedrock.md @@ -13,7 +13,7 @@ applies_to: This page provides step-by-step instructions for setting up an Amazon Bedrock connector for the first time. This connector type enables you to leverage large language models (LLMs) within {{kib}}. You’ll first need to configure AWS, then configure the connector in {{kib}}. ::::{note} -Only Amazon Bedrock’s `Anthropic` models are supported: `Claude` and `Claude instant`. +All models in Amazon Bedrock's `Claude` model group are supported. :::: @@ -99,7 +99,7 @@ Make sure the supported Amazon Bedrock LLMs are enabled: 1. Search the AWS console for Amazon Bedrock. 2. From the Amazon Bedrock page, click **Get started**. 3. Select **Model access** from the left navigation menu, then click **Manage model access**. -4. Check the boxes for **Claude** and/or **Claude Instant**, depending which model or models you plan to use. +4. Check the box for the model or models you plan to use. 5. Click **Save changes**. The following video demonstrates these steps (click to watch). @@ -115,11 +115,13 @@ Finally, configure the connector in {{kib}}: 2. Find the **Connectors** page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). Then click **Create Connector**, and select **Amazon Bedrock**. 3. Name your connector. 4. (Optional) Configure the Amazon Bedrock connector to use a different AWS region where Anthropic models are supported by editing the **URL** field, for example by changing `us-east-1` to `eu-central-1`. -5. (Optional) Add one of the following strings if you want to use a model other than the default: +5. (Optional) Add one of the following strings if you want to use a model other than the default. Note that these URLs should have a prefix of `us.` or `eu.`, depending on your region, for example `us.anthropic.claude-3-5-sonnet-20240620-v1:0` or `eu.anthropic.claude-3-5-sonnet-20240620-v1:0`. - * For Haiku: `anthropic.claude-3-haiku-20240307-v1:0` - * For Sonnet: `anthropic.claude-3-sonnet-20240229-v1:0` - * For Opus: `anthropic.claude-3-opus-20240229-v1:0` + * Sonnet 3.5: `us.anthropic.claude-3-5-sonnet-20240620-v1:0` or `eu.anthropic.claude-3-5-sonnet-20240620-v1:0` + * Sonnet 3.5 v2: `us.anthropic.claude-3-5-sonnet-20241022-v2:0` or `eu.anthropic.claude-3-5-sonnet-20241022-v2:0` + * Sonnet 3.7: `us.anthropic.claude-3-7-sonnet-20250219-v1:0` or `eu.anthropic.claude-3-7-sonnet-20250219-v1:0` + * Haiku 3.5: `us.anthropic.claude-3-5-haiku-20241022-v1:0` or `eu.anthropic.claude-3-5-haiku-20241022-v1:0` + * Opus: `us.anthropic.claude-3-opus-20240229-v1:0` or `eu.anthropic.claude-3-opus-20240229-v1:0` 6. Enter the **Access Key** and **Secret** that you generated earlier, then click **Save**. diff --git a/solutions/security/ai/identify-investigate-document-threats.md b/solutions/security/ai/identify-investigate-document-threats.md index 495609c732..3494016f58 100644 --- a/solutions/security/ai/identify-investigate-document-threats.md +++ b/solutions/security/ai/identify-investigate-document-threats.md @@ -22,7 +22,12 @@ In this guide, you’ll learn how to: ## Use Attack discovery to identify threats [use-case-incident-reporting-use-attack-discovery-to-identify-threats] -Attack discovery can detect a wide range of threats by finding relationships among alerts that may indicate a coordinated attack. This enables you to comprehend how threats move through and affect your systems. Attack discovery generates a detailed summary of each potential threat, which can serve as the basis for further analysis. Learn how to [get started with Attack discovery](/solutions/security/ai/attack-discovery.md). +Attack discovery can detect a wide range of threats by finding relationships among alerts that may indicate a coordinated attack. This enables you to comprehend how threats move through and affect your systems. Attack discovery generates a detailed summary of each potential threat and can highlight avenues for further investigation. Learn how to [get started with Attack discovery](/solutions/security/ai/attack-discovery.md). + +:::{important} +To ensure that Attack Discovery analyzes related alerts together (and can therefore identify their connections), pay attention to the [alert filtering](/solutions/security/ai/attack-discovery.md) settings. This allows you to target Attack Discovery at specific groups of alerts, such as those related to a particular host, user, date and time, incident, or customer. + +::: :::{image} /solutions/images/security-attck-disc-11-alerts-disc.png :alt: An Attack discovery card showing an attack with 11 related alerts diff --git a/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md b/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md index 09afd73260..8181581563 100644 --- a/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md +++ b/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md @@ -8,17 +8,34 @@ applies_to: security: all --- -# Set up connectors for large language models (LLM) +# Enable large language model (LLM) access -This section contains instructions for setting up connectors for LLMs so you can use [Elastic AI Assistant](/solutions/security/ai/ai-assistant.md) and [Attack discovery](/solutions/security/ai/attack-discovery.md). +{{elastic-sec}} uses large language models (LLMs) for some of its advanced analytics features. To enable these features, you can connect to Elastic LLM, a third-party LLM provider, or a custom local LLM. -Setup guides are available for the following LLM providers: +:::{important} +Different LLMs have varying performance when used to power different features and use-cases. For more information about how various models perform on different tasks in {{elastic-sec}}, refer to the [Large language model performance matrix](/solutions/security/ai/large-language-model-performance-matrix.md). +::: + + +## Connect to Elastic LLM + +Elastic LLM is enabled by default for any user with the necessary Elastic license or subscription. To use it: + +1. Navigate to a feature that uses an LLM, such as AI Assistant. +2. Use the model selection menu to select the Elastic LLM*. + +## Connect to a third-party LLM + +Follow these guides to connect to one or more third-party LLM providers: * [Azure OpenAI](/solutions/security/ai/connect-to-azure-openai.md) * [Amazon Bedrock](/solutions/security/ai/connect-to-amazon-bedrock.md) * [OpenAI](/solutions/security/ai/connect-to-openai.md) * [Google Vertex](/solutions/security/ai/connect-to-google-vertex.md) -* [LM Studio (custom local LLM)](/solutions/security/ai/connect-to-own-local-llm.md) + +## Connect to a custom local LLM + +You can [connect to LM Studio](/solutions/security/ai/connect-to-own-local-llm.md) to use a custom LLM deployed and managed by you. diff --git a/solutions/security/ai/use-cases.md b/solutions/security/ai/use-cases.md index 9cd3b28232..be26704959 100644 --- a/solutions/security/ai/use-cases.md +++ b/solutions/security/ai/use-cases.md @@ -8,9 +8,9 @@ applies_to: security: all --- -# Use cases +# Example AI workflows -The guides in this section describe use cases for AI Assistant and Attack discovery. Refer to them for examples of each tool’s individual capabilities and of what they can do together. +The guides in this section describe example workflows for AI Assistant and Attack discovery. Refer to them for examples of each tool’s individual capabilities and how they can work together. * [Triage alerts](/solutions/security/ai/triage-alerts.md) * [Identify, investigate, and document threats](/solutions/security/ai/identify-investigate-document-threats.md)