Adds new page about triaging alerts with AI Assistant #4359
Merged
32 commits (all by benironside):

ef7ef87 Adds new page about triaging alerts with AI Assistant
407a27d Merge branch 'main' into 4358-Alert-triage-page
0fd7625 Merge branch 'main' into 4358-Alert-triage-page
084a1cf Merge branch 'main' into 4358-Alert-triage-page
cf97a32 troubleshoots ToC
c5ba5e6 Merge branch '4358-Alert-triage-page' of https://github.com/elastic/s…
d694f96 troubleshoots build error
db015b2 updates section title
e14e938 Update docs/assistant/ai-alert-triage.asciidoc
62a6db5 Update docs/assistant/ai-alert-triage.asciidoc
b8ae6d1 Update docs/assistant/ai-alert-triage.asciidoc
97de8bf Update docs/assistant/ai-alert-triage.asciidoc
bf618c3 Update docs/assistant/ai-alert-triage.asciidoc
b787953 Update docs/assistant/ai-alert-triage.asciidoc
e4c4d86 Update docs/assistant/ai-alert-triage.asciidoc
25eb2d3 Update docs/assistant/ai-alert-triage.asciidoc
98eb02f Update docs/assistant/ai-alert-triage.asciidoc
7818049 Merge branch 'main' into 4358-Alert-triage-page
40b2488 Incorporates rest of Nastasha's feedback
5816d21 Merge branch '4358-Alert-triage-page' of https://github.com/elastic/s…
bf3986c Merge branch 'main' into 4358-Alert-triage-page
2208378 save work
7380eec updates triage page with RAG for alerts info
84089f6 fixes anchor tag
6851f03 Update docs/assistant/ai-alert-triage.asciidoc
d18e34b Update docs/assistant/ai-alert-triage.asciidoc
35f1ccb Merge branch 'main' into 4358-Alert-triage-page
afee6bd Merge branch 'main' into 4358-Alert-triage-page
407df3a Update docs/assistant/ai-alert-triage.asciidoc
1c3c93a Update docs/assistant/ai-alert-triage.asciidoc
7dbf3e4 Merge branch 'main' into 4358-Alert-triage-page
92db498 Merge branch 'main' into 4358-Alert-triage-page

docs/assistant/ai-alert-triage.asciidoc (new file)
@@ -0,0 +1,45 @@ | ||
[[assistant-triage]] | ||
= Triage alerts with Elastic AI Assistant | ||
Elastic AI Assistant can help you enhance and streamline your alert triage workflows by assessing multiple recent alerts in your environment, and helping you interpret an alert and its context. | ||
|
||
When you view an alert in {elastic-sec}, details such as related documents, hosts, and users appear alongside a synopsis of the events that triggered the alert. This data provides a starting point for understanding a potential threat. AI Assistant can answer questions about this data and offer insights and actionable recommendations to remediate the issue. | ||
|
||
To enable AI Assistant to answer questions about alerts, you need to provide alert data as context for your prompts. You can either provide multiple alerts using the <<configure-ai-assistant, knowledge base>> feature, or provide individual alerts directly. | ||
|
||
|
||
[[ai-assistant-triage-alerts-knowledge-base]] | ||
[discrete] | ||
|
||
== Use AI Assistant to triage multiple alerts | ||
Enable the <<configure-ai-assistant, knowledge base>> **Alerts** setting to send AI Assistant data for up to 100 alerts as context for each of your prompts. With this setting enabled, you can ask AI Assistant questions such as "How many alerts are present in my environment?", "What are my most urgent alerts?", "Which alerts should I triage first?", "Do any of the alerts in my environment indicate data exfiltration from a Windows machine?", and more. | ||
|
||
For more information, refer to <<configure-ai-assistant, knowledge base>>. | ||
|
||
|
||
[[ai-assistant-triage-alerts-instructions]] | ||
[discrete] | ||
== Use AI Assistant to triage a specific alert | ||
Once you have chosen an alert to investigate: | ||
|
||
. Click its **View details** button from the Alerts table. | ||
. In the alert details flyout, click **Chat** to launch the AI assistant. Data related to the selected alert is automatically added to the prompt. | ||
. Click **Alert (from summary)** to view which alert fields will be shared with AI Assistant. | ||
+ | ||
NOTE: For more information about selecting which fields to send, and to learn about anonymizing your data, refer to <<security-assistant, AI Assistant>>. | ||
+ | ||
. (Optional) Click a quick prompt to use it as a starting point for your query, for example **Alert summarization**. Improve the quality of AI Assistant's response by customizing the prompt and adding detail. | ||
+ | ||
Once you’ve submitted your query, AI Assistant will process the information and provide a detailed response. Depending on your prompt and the alert data that you included, its response can include a thorough analysis of the alert that highlights key elements such as the nature of the potential threat, potential impact, and suggested response actions. | ||
+ | ||
. (Optional) Ask AI Assistant follow-up questions, provide additional information for further analysis, and request clarification. The response is not a static report. | ||
|
||
|
||
[discrete] | ||
[[ai-triage-reportgen]] | ||
== Generate triage reports | ||
Elastic AI Assistant can streamline the documentation and report generation process by providing clear records of security incidents, their scope and impact, and your remediation efforts. You can use AI Assistant to create summaries or reports for stakeholders that include key event details, findings, and diagrams. Once the AI Assistant has finished analyzing one or more alerts, you can generate reports by using prompts such as: | ||
|
||
* “Generate a detailed report about this incident including timeline, impact analysis, and response actions. Also, include a diagram of events.” | ||
* “Generate a summary of this incident/alert and include diagrams of events.” | ||
* “Provide more details on the mitigation strategies used.” | ||
|
||
After you review the report, click **Add to existing case** at the top of AI Assistant's response. This allows you to save a record of the report and make it available to your team. | ||
|
||
[role="screenshot"] | ||
image::images/ai-triage-add-to-case.png[An AI Assistant dialogue with the add to existing case button highlighted] |
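Review bot: the "Use AI Assistant to triage multiple alerts" section states that enabling the knowledge base **Alerts** setting sends data for up to 100 alerts as context with every prompt, but, unlike the single-alert procedure, it never says which alert fields are included or that the field-selection and anonymization controls apply, so a reader who flips that setting cannot tell from this page what alert data is shared with the assistant on each prompt. Suggest repeating the NOTE from step 3 of the single-alert procedure directly after that paragraph ("For more information about selecting which fields to send, and to learn about anonymizing your data, refer to <<security-assistant, AI Assistant>>.") so both paths carry the same data-sharing caveat. Minor: the last step's closing sentence "The response is not a static report." reads as an afterthought; fold it into the step, for example "The response is a conversation, not a static report: ask follow-up questions, provide additional information for further analysis, and request clarification."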
Review comment:
nit: is it possible for the knowledge base links to jump to a KB-specific anchor? (I'm wondering if it's a quirk of the docs preview)

Reply:
Yes 100%. I am planning to do this but I have to merge the updates to the AI Assistant page before I can link to that section.