Skip to content

[Security] Attack Discovery scheduling and saved discoveries #2023

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file modified solutions/images/security-attack-discovery-settings.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
77 changes: 67 additions & 10 deletions solutions/security/ai/attack-discovery.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@ mapped_pages:
- https://www.elastic.co/guide/en/security/current/attack-discovery.html
- https://www.elastic.co/guide/en/serverless/current/attack-discovery.html
applies_to:
stack: preview
stack: ga
serverless:
security: preview
security: ga
products:
- id: security
- id: cloud-serverless
Expand All @@ -20,13 +20,6 @@ For a demo, refer to the following video (click to view).
[![Attack Discovery video](https://play.vidyard.com/eT92arEbpRddmSM4JeyzdX.jpg)](https://videos.elastic.co/watch/eT92arEbpRddmSM4JeyzdX?)


This page describes:

* [How to generate discoveries](/solutions/security/ai/attack-discovery.md#attack-discovery-generate-discoveries)
* [What information each discovery includes](/solutions/security/ai/attack-discovery.md#attack-discovery-what-info)
* [How you can interact with discoveries to enhance {{elastic-sec}} workflows](/solutions/security/ai/attack-discovery.md#attack-discovery-workflows)


## Role-based access control (RBAC) for Attack Discovery [attack-discovery-rbac]

You need the `Attack Discovery: All` privilege to use Attack Discovery.
Expand Down Expand Up @@ -54,7 +47,7 @@ Attack Discovery is designed for use with alerts based on data that complies wit
The selected fields can now be analyzed the next time you run Attack Discovery.
:::

## Generate discoveries [attack-discovery-generate-discoveries]
## Generate discoveries manually[attack-discovery-generate-discoveries]

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider the following updates in this section; (sorry, GH won't let me comment on the specific lines because they are unchanged):

  1. Select an existing connector from the dropdown menu, or add a new one.
  • In the new design, the user must first click the gear icon next to the Generate button to access the connector dropdown. Note: This is different than the Connector filter (located next to the Status filter) on the main page.

  • The screenshot in this section may be updated to illustrate the updated "empty" state, for example:

attack_discovery_empty_state

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the What information does each discovery include? section (sorry, GH won't let me comment on the unchanged line numbers), consider updating the following image:

:::{image} /solutions/images/security-attck-disc-example-disc.png
:alt: Attack Discovery detail view
:::

to the following (or a similar) refreshed screenshot, which includes the new status and sharing indicators:

latest_example

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will need to add a Index privileges section describing minimum requirements for the user to be able to interact with the new attack discovery alerts.


You’ll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as [AI Assistant](/solutions/security/ai/ai-assistant.md). To get started:

Expand Down Expand Up @@ -106,3 +99,67 @@ There are several ways you can incorporate discoveries into your {{elastic-sec}}
:::{image} /solutions/images/security-add-discovery-to-assistant.gif
:alt: Attack Discovery view in AI Assistant
:::

## Schedule discoveries

```yaml {applies_to}
stack: ga 9.1
serverless: ga
```

You can define recurring schedules (for example, daily or weekly) to automatically generate attack discoveries without needing manual runs. For example, you can generate discoveries every 24 hours and send a Slack notification to your SecOps channel if discoveries are found. Notifications are sent using configured [connectors](/deploy-manage/manage-connectors.md), such as Slack or email, and you can customize the notification content to tailor alert context to your needs.

Scheduled discoveries are shared by default with all users in a {{kib}} space.

:::{note}
You can still generate discoveries manually at any time, regardless of an active schedule.
:::

To create a new schedule:

1. Click the gear icon to open the settings menu, then select **Schedule**.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a note, this flow will be changed soon. Design team currently finalising mockups where "Schedule" tab will be opened by clicking on a separate button within the main page.

2. Select **Create new schedule**.
3. Enter a name for the new schedule.
4. Select the LLM connector to use for generating discoveries, or add a new one.
5. Use the KQL query bar, time filter, and alerts slider to customize the set of alerts that will be analyzed.
6. Define the schedule's frequency (for example, every 24 hours).
7. Optionally, select the [connectors](/deploy-manage/manage-connectors.md) to use for receiving notifications, and define their actions.
8. Click **Create & enable schedule**.

After creating new schedules, you can view their status, modify them or delete them from the **Schedule** tab in the settings menu.

:::{tip}
Scheduled discoveries are shown with a **Scheduled Attack discovery** icon ({icon}`calendar`). Click the icon to view the schedule that created it.
:::

## View saved discoveries

```yaml {applies_to}
stack: ga 9.1
serverless: ga
```

Attack discoveries are automatically saved each time you generate them. Once saved, discoveries remain available for later review, reporting, and tracking over time. This allows you to revisit discoveries to monitor trends, maintain audit trails, and support investigations as your environment evolves.

### Change a discovery's status

You can set a discovery's status to indicate that it's under active investigation or that it's been resolved. To do this, click **Take action**, then select **Mark as acknowledged** or **Mark as closed**.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Attack discoveries have a new (introduced in 8.19.0 / 9.1.0) workflow status, illustrated by the screenshot below:

workflow_status

This workflow status (of the discovery itself), is separate from the alerts associated with the attack discovery.

Consider documenting the option for users to (optionally) update the workflow status of the alerts associated an attack discovery, as illustrated by the following screenshot, which appears when user click the Mark as open | acknowledged | closed Take action menu items:

update_alerts

The updated alerts associated with the attack discovery are illustrated by the screenshot below:

updated_alerts


### Take bulk actions

You can take bulk actions on multiple discoveries, such as bulk-changing their status or adding them to a case. To do this, select the checkboxes next to each discovery, then click **Selected *x* Attack discoveries** and choose the action you want to take.

### Search and filter saved discoveries

You can search and filter saved discoveries to help locate relevant findings.

* Use the search box to perform full-text searches across your generated discoveries.

* **Visibility**: Use this filter to, for example, show only shared discoveries.

* **Status**: Filter discoveries by their current status.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider creating a new Sharing Attack discoveries section to document this feature introduced in 8.19.0 / 9.1.0, which is illustrated by the screenshot below:

sharing_status

Consider speaking to the following nuances:

  • Manually generated discoveries are initially Not shared
  • Scheduled discoveries are (automatically) Shared
  • Once shared, the visibility of shared discoveries cannot be changed, as illustrated by the screenshot below:

shared_cannot_be_changed


* **Connector**: Filter discoveries by connector name. Connectors that are deleted after discoveries have been generated are shown with a **Deleted** tag.

* Time filter: Adjust the time filter to view discoveries generated within a specific timeframe.

Loading