elastic · benironside · Apr 3, 2025 · Apr 3, 2025 · Apr 3, 2025
@@ -6,7 +6,7 @@
 :frontmatter-tags-content-type: [overview]
 :frontmatter-tags-user-goals: [get-started]
 
-The Elastic AI Assistant utilizes generative AI to bolster your cybersecurity operations team. It allows users to interact with {elastic-sec} for tasks such as alert investigation, incident response, and query generation or conversion using natural language and much more.
+The Elastic AI Assistant utilizes generative AI to bolster your cybersecurity operations team. It allows users to interact with {elastic-sec} for tasks such as alert investigation, incident response, and query generation or conversation using natural language and much more.
 
 [role="screenshot"]
 image::images/assistant-basic-view.png[Image of AI Assistant chat window,90%]
@@ -101,9 +101,13 @@ TIP: AI Assistant can remember particular information you tell it to remember. F
 [discrete]
 [[configure-ai-assistant]]
 == Configure AI Assistant
-The *Security AI settings* page allows you to configure AI Assistant. To access it, use the global search field to search for "AI Assistant for Security".
+To adjust AI Assistant's settings from the chat window, click the **More** (three dots) button in the upper-right. 
 
-It has the following tabs:
+image::images/security-attack-discovery-more-popover.png[The Security AI settings popover,90%]
+
+The first three options (**AI Assistant settings**, **Knowledge Base**, and **Anonymization**) open the corresponding tabs of the **Security AI settings** page. The **Chat options** affect display-only user settings: whether to show or hide anonymized values, and whether to include citations. When citations are enabled, AI Assistant will refer you to information sources including data you've shared with it, information you've added to the knowledge base, and content from Elastic's Security Labs and product documentation.
+
+The **Security AI settings** page provides a range of configuration options for AI Assistant. To access it directly, use the global search field to search for "AI Assistant for Security". It has the following tabs:
 
 * **Conversations:** When you open AI Assistant from certain pages, such as **Alerts**, it defaults to the relevant conversation type. For each conversation type, choose the default System Prompt, the default connector, and the default model (if applicable). The **Streaming** setting controls whether AI Assistant's responses appear word-by-word (streamed), or as a complete block of text. Streaming is currently only available for OpenAI models.
 * **Connectors:** Manage all LLM connectors.
@@ -144,7 +148,7 @@ The **Knowledge base** tab of the **Security AI settings** page allows you to en
 [discrete]
 [[ai-assistant-queries]]
 [[rag-for-esql]]
-### Get the most from your queries
+=== Get the most from your queries
 
 Elastic AI Assistant allows you to take full advantage of the {elastic-sec} platform to improve your security operations. It can help you write an {esql} query for a particular use case, or answer general questions about how to use the platform. Its ability to assist you depends on the specificity and detail of your questions. The more context and detail you provide, the more tailored and useful its responses will be. 
 

@@ -37,15 +37,37 @@ This page describes:
 [[attack-discovery-rbac]]
 == Role-based access control (RBAC) for Attack Discovery
 
-The `Attack Discovery: All` privilege allows you to use Attack Discovery.
+You need the `Attack Discovery: All` privilege to use Attack Discovery.
 
 image::images/attck-disc-rbac.png[Attack Discovery's RBAC settings,60%]
 
+[discrete]
+== Set up Attack Discovery
+
+By default, Attack Discovery analyzes up to 100 alerts from the last 24 hours, but you can customize how many and which alerts it analyzes using the settings menu. To open it, click the gear icon next to the **Generate** button.
+
+image::images/security-attack-discovery-settings.png[Attack Discovery's settings menu,60%]
+
+You can select which alerts Attack Discovery will process by filtering based on a KQL query, the time and date selector, and the **Number of alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error. Under **Alert summary** you can view a summary of the selected alerts grouped by various fields, and under **Alerts preview** you can see more details about the selected alerts.
+
+[NOTE]
+====
+*How to add non-ECS fields to Attack Discovery*
+
+Attack Discovery is designed for use with alerts based on data that complies with ECS, and by default only analyses ECS-compliant fields. However, you can enable Attack Discovery to review additional fields by following these steps:
+
+1. Select an alert with some of the non-ECS fields you want to analyze, and go to its details flyout. From here, use the **Chat** button to open AI Assistant.
+2. At the bottom of the chat window, the alert's information appears. Click **Edit** to open the anonymization window to this alert's fields.
+3.  Search for and select the non-ECS fields you want Attack Discovery to analyze. Set them to **Allowed**. 
+
+The selected fields can now be analyzed the next time you run Attack Discovery.
+====
+
 [[attack-discovery-generate-discoveries]]
 [discrete]
 == Generate discoveries
 
-When you access Attack Discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as <<security-assistant>>. To get started:
+You'll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as <<security-assistant>>. To get started:
 
 . Click the **Attack Discovery** page from {elastic-sec}'s navigation menu.
 . Select an existing connector from the dropdown menu, or add a new one.
@@ -60,16 +82,10 @@ image::images/attck-disc-select-model-empty.png[]
 +
 . Once you've selected a connector, click **Generate** to start the analysis.
 
-It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. 
-
-IMPORTANT: By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon (image:images/icon-settings.png[Settings icon,17,17]) next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error.
-
-image::images/attck-disc-alerts-number-menu.png["Attack Discovery's settings menu",75%]
+It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one’s title to expand or collapse it. Click **Generate** at any time to start the Attack Discovery process again with the selected alerts.
 
 IMPORTANT: Attack Discovery uses the same data anonymization settings as <<security-assistant, Elastic AI Assistant>>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.
 
-Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack Discovery process again with the most current alerts.
-
 [[attack-discovery-what-info]]
 [discrete]
 == What information does each discovery include?

@@ -1,12 +1,29 @@
 [[llm-connector-guides]]
-= Set up connectors for large language models (LLM)
+= Enable large language model (LLM) access
 
-This section contains instructions for setting up connectors for LLMs so you can use <<security-assistant, Elastic AI Assistant>> and <<attack-discovery, Attack discovery>>. 
+{elastic-sec} uses large language models (LLMs) for some of its advanced analytics features. To enable these features, you can connect to Elastic LLM, a third-party LLM provider, or a custom local LLM. 
 
-Setup guides are available for the following LLM providers:
+IMPORTANT: Different LLMs have varying performance when used to power different features and use-cases. For more information about how various models perform on different tasks in {elastic-sec}, refer to the <<llm-performance-matrix>>.
+
+[discrete]
+== Connect to Elastic LLM 
+
+Elastic LLM is enabled by default for any user with the necessary {stack} subscription. To use it:
+
+1. Navigate to a feature that uses an LLM, such as AI Assistant.
+2. Use the model selection menu to select the Elastic LLM*.
+
+[discrete]
+== Connect to a third-party LLM
+
+Follow these guides to connect to one or more third-party LLM providers:
 
 * <<assistant-connect-to-azure-openai, Azure OpenAI>>
 * <<assistant-connect-to-bedrock, Amazon Bedrock>>
 * <<assistant-connect-to-openai, OpenAI>>
 * <<connect-to-vertex, Google Vertex>>
-* <<connect-to-byo-llm, LM Studio (custom local LLM)>>
+
+[discrete]
+== Connect to a custom local LLM
+
+You can <<connect-to-byo-llm, connect to LM studio>> to use a custom LLM deployed and managed by you.
@@ -19,7 +19,9 @@ In this guide, you'll learn how to:
 [discrete]
 [[use-case-incident-reporting-use-attack-discovery-to-identify-threats]]
 == Use Attack discovery to identify threats
-Attack discovery can detect a wide range of threats by finding relationships among alerts that may indicate a coordinated attack. This enables you to comprehend how threats move through and affect your systems. Attack discovery generates a detailed summary of each potential threat, which can serve as the basis for further analysis. Learn how to <<attack-discovery,get started with Attack discovery>>.
+Attack discovery can detect a wide range of threats by finding relationships among alerts that may indicate a coordinated attack. This enables you to comprehend how threats move through and affect your systems. Attack discovery generates a detailed summary of each potential threat and can highlight avenues for further investigation. Learn how to <<attack-discovery,get started with Attack discovery>>.
+
+IMPORTANT: To ensure that Attack Discovery analyzes related alerts together (and can therefore identify their connections), pay attention to the <<attack-discovery, Attack Discovery alert filtering>> settings. This allows you to target Attack Discovery at specific groups of alerts, such as those related to a particular host, user, date and time, incident, or customer.
 
 image::images/attck-disc-11-alerts-disc.png[An Attack discovery card showing an attack with 11 related alerts,90%]
 

@@ -1,7 +1,7 @@
 [[assistant-use-cases]]
-= Use cases
+= Example AI workflows
 
-The guides in this section describe use cases for AI Assistant and Attack discovery. Refer to them for examples of each tool's individual capabilities and of what they can do together.
+The guides in this section describe example workflows for AI Assistant and Attack discovery. Refer to them for examples of each tool's individual capabilities and how they can work together.
 
 * <<assistant-triage>>
 * <<attack-discovery-ai-assistant-incident-reporting>>