Loading

Attack Discovery

Elastic Stack Technical Preview Serverless Security Technical Preview

Warning

This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features.

Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst’s time, fight alert fatigue, and reduce your mean time to respond.

For a demo, refer to the following video (click to view).

Attack Discovery video

This page describes:

You need the Attack Discovery: All privilege to use Attack Discovery.

attack-discovery-rbac

By default, Attack Discovery analyzes up to 100 alerts from the last 24 hours, but you can customize how many and which alerts it analyzes using the settings menu. To open it, click the gear icon next to the Generate button.

Attack Discovery's settings menu

You can select which alerts Attack Discovery will process by filtering based on a KQL query, the time and date selector, and the Number of alerts slider. Note that sending more alerts than your chosen LLM can handle may result in an error. Under Alert summary you can view a summary of the selected alerts grouped by various fields, and under Alerts preview you can see more details about the selected alerts.

How to add non-ECS fields to Attack Discovery

Attack Discovery is designed for use with alerts based on data that complies with ECS, and by default only analyses ECS-compliant fields. However, you can enable Attack Discovery to review additional fields by following these steps:

  1. Select an alert with some of the non-ECS fields you want to analyze, and go to its details flyout. From here, use the Chat button to open AI Assistant.
  2. At the bottom of the chat window, the alert's information appears. Click Edit to open the anonymization window to this alert's fields.
  3. Search for and select the non-ECS fields you want Attack Discovery to analyze. Set them to Allowed.

The selected fields can now be analyzed the next time you run Attack Discovery.

You’ll need to select an LLM connector before you can analyze alerts. Attack Discovery uses the same LLM connectors as AI Assistant. To get started:

  1. Click the Attack Discovery page from Elastic Security's navigation menu.

  2. Select an existing connector from the dropdown menu, or add a new one.

    Recommended models

    While Attack Discovery is compatible with many different models, refer to the Large language model performance matrix to see which models perform best.

    attck disc select model empty

  3. Once you’ve selected a connector, click Generate to start the analysis.

It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one’s title to expand or collapse it. Click Generate at any time to start the Attack Discovery process again with the selected alerts.

Important

Attack Discovery uses the same data anonymization settings as Elastic AI Assistant. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.

Each discovery includes the following information describing the potential threat, generated by the connected LLM:

  1. A descriptive title and a summary of the potential threat.
  2. The number of associated alerts and which parts of the MITRE ATT&CK matrix they correspond to.
  3. The implicated entities (users and hosts), and what suspicious activity was observed for each.
Attack Discovery detail view

There are several ways you can incorporate discoveries into your Elastic Security workflows:

  • Click an entity’s name to open the entity details flyout and view more details that may be relevant to your investigation.
  • Hover over an entity’s name to either add the entity to Timeline (Add to timeline icon) or copy its field name and value to the clipboard (Copy to clipboard icon).
  • Click Take action, then select Add to new case or Add to existing case to add a discovery to a case. This makes it easy to share the information with your team and other stakeholders.
  • Click Investigate in timeline to explore the discovery in Timeline.
  • Click View in AI Assistant to attach the discovery to a conversation with AI Assistant. You can then ask follow-up questions about the discovery or associated alerts.
Attack Discovery view in AI Assistant