elastic · shashank-elastic · Dec 7, 2023 · Dec 7, 2023 · Dec 7, 2023 · Dec 7, 2023
@@ -0,0 +1,35 @@
+name: Delete serverless directory in backports
+
+on:
+  pull_request:
+    branches:
+      - '7.*'
+      - '8.*'
+
+jobs:
+  check-and-delete-serverless:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Check for existence of docs/serverless directory
+      id: check_serverless
+      run: |
+        if [ -d "docs/serverless" ]; then
+          echo "SERVERLESS_EXISTS=true" >> $GITHUB_ENV
+        else
+          echo "SERVERLESS_EXISTS=false" >> $GITHUB_ENV
+        fi
+    - name: Delete docs/serverless directory if it exists
+      if: env.SERVERLESS_EXISTS == 'true'
+      run: |
+        rm -rf docs/serverless
+        git config pull.rebase true
+        git config --global user.name 'github-actions[bot]'
+        git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+        git add .
+        git commit -m "Delete docs/serverless directory and its contents"
+        git pull origin ${{ github.head_ref }}
+        git push origin HEAD:${{ github.head_ref }}
@@ -1,9 +1,9 @@
 [[behavioral-detection-use-cases]]
 = Behavioral detection use cases
 
-Behavioral detection identifies potential internal and external threats based on user and host activity. It employs a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. 
+Behavioral detection identifies potential internal and external threats based on user and host activity. It uses a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. 
 
-{elastic-sec} builds the behavioral detection feature  on its foundational SIEM detection capabilities, leveraging {ml} algorithms to enable proactive threat detection and hunting.
+The behavioral detection feature is built on {elastic-sec}'s foundational SIEM detection capabilities, leveraging {ml} algorithms to enable proactive threat detection and hunting.
 
 [float]
 [[ml-integrations]]
@@ -14,7 +14,7 @@ Behavioral detection integrations provide a convenient way to enable behavioral
 .Requirements
 [sidebar]
 --
-* Elastic integrations require a https://www.elastic.co/pricing[Platinum subscription] or higher.
+* Behavioral detection integrations require a https://www.elastic.co/pricing[Platinum subscription] or higher.
 * To learn more about the requirements for using {ml} jobs, refer to <<ml-requirements, Machine learning job and rule requirements>>.
 --
 

@@ -22,10 +22,6 @@ If you have the `machine_learning_admin` role, you can use the *ML job settings*
 [role="screenshot"]
 image::images/ml-ui.png[ML job settings UI on the Alerts page]
 
-TIP: To add a custom job to the *ML job settings* interface, add `Security` to
-the job's `Groups` field (*{kib}* -> *{ml-cap}* -> *Create/Edit job* -> *Job
-details*).
-
 [float]
 [[manage-ml-rules]]
 === Manage {ml} detection rules

@@ -43,7 +43,7 @@ image::images/preview-risky-entities.png[Preview of risky entities]
 If you're installing the risk scoring engine for the first time:
 
 . Go to **Manage** -> **Entity Risk Score**.
-. Turn the **Entity risk scoring** toggle on.
+. Turn the **Entity risk score** toggle on.
 
 [role="screenshot"]
 image::images/turn-on-risk-engine.png[Turn on entity risk scoring]
@@ -69,7 +69,7 @@ image::images/risk-engine-upgrade-prompt.png[Prompt to upgrade to the latest ris
 [role="screenshot"]
 image::images/risk-score-start-update.png[Start the risk engine upgrade]
 . On the confirmation message, click **Yes, update now**. The old transform is removed and the latest risk engine is installed.
-. When the installation is complete, confirm that the **Entity risk scoring** toggle is on.
+. When the installation is complete, confirm that the **Entity risk score** toggle is on.
 +
 [role="screenshot"]
 image::images/turn-on-risk-engine.png[Turn on entity risk scoring]

@@ -0,0 +1,61 @@
+[[assistant-triage]]
+= Triage alerts with Elastic AI Assistant
+Elastic AI Assistant can help you enhance and streamline your alert triage workflows by assessing multiple recent alerts in your environment, and helping you interpret an alert and its context. 
+
+When you view an alert in {elastic-sec}, details such as related documents, hosts, and users appear alongside a synopsis of the events that triggered the alert. This data provides a starting point for understanding a potential threat. AI Assistant can answer questions about this data and offer insights and actionable recommendations to remediate the issue.
+
+To enable AI Assistant to answer questions about alerts, you need to provide alert data as context for your prompts. You can either provide multiple alerts using the <<ai-assistant-knowledge-base, knowledge base>> feature, or provide individual alerts directly.
+
+[[ai-assistant-triage-alerts-knowledge-base]]
+[discrete]
+== Use AI Assistant to triage multiple alerts
+Enable the <<configure-ai-assistant, knowledge base>> **Alerts** setting to send AI Assistant data for up to 100 alerts as context for each of your prompts. With this setting enabled, you can ask AI Assistant questions such as "How many alerts are present in my environment?", "What are my most urgent alerts?", "Which alerts should I triage first?", "Do any of the alerts in my environment indicate data exfiltration from a Windows machine?", and more. 
+
+For more information, refer to <<ai-assistant-knowledge-base, knowledge base>>.
+
+For a demo of AI Assistant's alert triage capabilities, refer to the following video.
+=======
+++++
+<script type="text/javascript" async src="https://play.vidyard.com/embed/v4.js"></script>
+<img
+  style="width: 100%; margin: auto; display: block;"
+  class="vidyard-player-embed"
+  src="https://play.vidyard.com/v2dQtzmm6SoTFYc7dJzq7m.jpg"
+  data-uuid="v2dQtzmm6SoTFYc7dJzq7m"
+  data-v="4"
+  data-type="inline"
+/>
+</br>
+++++
+=======
+
+[[ai-assistant-triage-alerts-instructions]]
+[discrete]
+== Use AI Assistant to triage a specific alert
+Once you have chosen an alert to investigate:
+
+. Click its **View details** button from the Alerts table.
+. In the alert details flyout, click **Chat** to launch the AI assistant. Data related to the selected alert is automatically added to the prompt. 
+. Click **Alert (from summary)** to view which alert fields will be shared with AI Assistant.
++
+NOTE: For more information about selecting which fields to send, and to learn about anonymizing your data, refer to <<security-assistant, AI Assistant>>.
++
+. (Optional) Click a quick prompt to use it as a starting point for your query, for example **Alert summarization**. Improve the quality of AI Assistant's response by customizing the prompt and adding detail. 
++
+Once you’ve submitted your query, AI Assistant will process the information and provide a detailed response. Depending on your prompt and the alert data that you included, its response can include a thorough analysis of the alert that highlights key elements such as the nature of the potential threat, potential impact, and suggested response actions.
++
+. (Optional) Ask AI Assistant follow-up questions, provide additional information for further analysis, and request clarification. The response is not a static report.
+
+[discrete]
+[[ai-triage-reportgen]]
+== Generate triage reports
+Elastic AI Assistant can streamline the documentation and report generation process by providing clear records of security incidents, their scope and impact, and your remediation efforts. You can use AI Assistant to create summaries or reports for stakeholders that include key event details, findings, and diagrams. Once the AI Assistant has finished analyzing one or more alerts, you can generate reports by using prompts such as:
+
+* “Generate a detailed report about this incident including timeline, impact analysis, and response actions. Also, include a diagram of events.”
+* “Generate a summary of this incident/alert and include diagrams of events.”
+* “Provide more details on the mitigation strategies used.”
+
+After you review the report, click **Add to existing case** at the top of AI Assistant's response. This allows you to save a record of the report and make it available to your team.
+
+[role="screenshot"]
+image::images/ai-triage-add-to-case.png[An AI Assistant dialogue with the add to existing case button highlighted]
@@ -1,5 +1,4 @@
 [[security-assistant]]
-[chapter]
 = AI Assistant
 
 :frontmatter-description: The Elastic AI Assistant is a generative AI open-code chat assistant.
@@ -41,7 +40,7 @@ For example, refer to OpenAI's documentation on https://platform.openai.com/docs
 [[data-information]]
 == Your data and AI Assistant
 
-Elastic does not store or examine prompts or results used by AI Assistant, or use this data for model training. This includes anything you send the model, such as alert or event data, detection rule configurations, queries, and prompts. However, any data you provide to AI Assistant will be processed by the third-party provider you chose when setting up the OpenAI connector as part of the assistant setup.
+Elastic does not store or examine prompts or results used by AI Assistant, or use this data for model training. This includes anything you send the model, such as alert or event data, detection rule configurations, queries, and prompts. However, any data you provide to AI Assistant will be processed by the third-party large language model (LLM) provider you connected to as part of AI Assistant setup.
 
 Elastic does not control third-party tools, and assumes no responsibility or liability for their content, operation, or use, nor for any loss or damage that may arise from your using such tools. Please exercise caution when using AI tools with personal, sensitive, or confidential information. Any data you submit may be used by the provider for AI training or other purposes. There is no guarantee that the provider will keep any information you provide secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use.
 
@@ -100,7 +99,7 @@ This opens the *Welcome* chat interface, where you can ask general questions abo
 You can also chat with AI Assistant from several particular pages in {elastic-sec} where you can easily send context-specific data and prompts to AI Assistant.
 
 * <<view-alert-details, Alert details>> or Event details flyout: Click *Chat* while viewing the details of an alert or event.
-* <<rules-ui-management, Rules page>>: Select one or more rules, then click the magic wand icon (🪄✨) at the top of the page next to the *Rules* title.
+* <<rules-ui-management, Rules page>>: Select one or more rules, then click the **Chat** button at the top right of the page.
 * <<data-quality-dash, Data Quality dashboard>>: Select the *Incompatible fields* tab, then click *Chat*. (This is only available for fields marked red, indicating they're incompatible).
 * <<timelines-ui, Timeline>>: Select the *Security Assistant* tab.
 
@@ -144,40 +143,70 @@ The *Settings* menu (image:images/icon-settings.png[Settings icon,17,17]) allows
 [role="screenshot"]
 image::images/assistant-settings-menu.png[AI Assistant's settings menu, open to the Conversations tab]
 
-The *Settings* menu has four tabs:
+The *Settings* menu has the following tabs:
 
 * **Conversations:** When you open AI Assistant from certain pages, such as Timeline or Alerts, it defaults to the relevant conversation type. Choose the default system prompt for each conversation type, the connector, and model (if applicable).
 * **Quick Prompts:** Modify existing quick prompts or create new ones. To create a new quick prompt, type a unique name in the *Name* field, then press *enter*. Under *Prompt*, enter or update the quick prompt's text. Under *Contexts*, select where the quick prompt should appear.
 * **System Prompts:** Edit existing system prompts or create new ones. To create a new system prompt, type a unique name in the *Name* field, then press *enter*. Under *Prompt*, enter or update the system prompt's text. Under *Contexts*, select where the system prompt should appear.
 +
 NOTE: To delete a custom prompt, open the *Name* drop-down menu, hover over the prompt you want to delete, and click the *X* that appears. You cannot delete the default prompts.
 
-* **Anonymization:** When you provide an event to AI Assistant as context, you can select fields to include as plaintext, to obfuscate, and to not send. The **Anonymization** tab allows you to define default data anonymization behavior. You can update these settings for individual events when you include them in the chat.
-+
+* **Anonymization:** Select fields to include as plaintext, to obfuscate, and to not send when you provide events to AI Assistant as context. <<ai-assistant-anonymization, Learn more>>.
+
+* **Knowledge base:** Provide additional context to AI Assistant so it can answer questions about {esql} and alerts in your environment. <<ai-assistant-knowledge-base, Learn more>>.
+
+[discrete]
+[[ai-assistant-anonymization]]
+=== Anonymization
+
+The **Anonymization** tab of the AI Assistant settings menu allows you to define default data anonymization behavior for events you send to AI Assistant. You can update these settings for individual events when you include them in the chat.
+
 [role="screenshot"]
 image::images/assistant-anonymization-menu.png[AI Assistant's settings menu, open to the Anonymization tab]
-+
+
 The fields on this list are among those most likely to provide relevant context to AI Assistant. Fields with *Allowed* toggled on are included. *Allowed* fields with *Anonymized* set to *Yes* are included, but with their values obfuscated.
-+
+
 [role="screenshot"]
 image::images/add-alert-context.gif[A video that shows an alert being added as context to an AI Assistant chat message]
-+
+
 When you include a particular event as context, you can use a similar interface to adjust anonymization behavior. Be sure the anonymization behavior meets your specifications before sending a message with the event attached.
-+
+
 The *Show anonymized* toggle controls whether you see the obfuscated or plaintext versions of the fields you sent to AI Assistant. It doesn't control what gets obfuscated — that's determined by the anonymization settings. It also doesn't affect how event fields appear _before_ being sent to AI Assistant. Instead, it controls how fields that were already sent and obfuscated appear to you.
 
-* **Knowledge base:** Use retrieval-augmented generation to provide specialized knowledge of the Elastic Search Query Language ({esql}) to AI Assistant. For example, with the knowledge base active, you can ask AI Assistant to help you write an {esql} query for a particular use case, or ask it to answer general questions about {esql} syntax and usage. Without the knowledge base enabled, AI Assistant will not be able to answer questions about {esql}.
-+
-beta::[]
-+
-To enable the knowledge base:
-+
+
+[discrete]
+[[ai-assistant-knowledge-base]]
+=== Knowledge base
+beta::["Do not use {esql} on production environments. This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features."]
+
+The **Knowledge base** tab of the AI Assistant settings menu allows you to enable AI Assistant to answer questions about the Elastic Search Query Language ({esql}), and about alerts in your environment.
+
+[discrete]
+[[rag-for-esql]]
+==== Knowledge base for {esql}
+When this feature is enabled, AI Assistant can help you write an {esql} query for a particular use case, or answer general questions about {esql} syntax and usage. To enable AI Assistant to answer questions about {esql}:
+
 . Enable the Elastic Learned Sparse EncodeR (ELSER). This model provides additional context to the third-party LLM. To learn more, refer to {ml-docs}/ml-nlp-elser.html#download-deploy-elser[Configure ELSER].
 . Initialize the knowledge base by clicking *Initialize*.
 . Turn on the *Knowledge Base* option.
-. Click *Save*. The knowledge base is now active.
+. Click *Save*. The knowledge base is now active. A quick prompt for {esql} queries becomes available, which provides a good starting point for your {esql} conversations and questions. 
+
+NOTE: To update AI Assistant so that it uses the most current {esql} documentation to answer your questions, click **Delete** next to **Knowledge Base**, and toggle the **Knowledge Base** slider off and then on. 
+
+[discrete]
+[[rag-for-alerts]]
+==== Knowledge base for alerts
+When this feature is enabled, AI Assistant will receive multiple alerts as context for each of your prompts. It will receive alerts from the last 24 hours that have a status of `open` or `acknowledged`, ordered first by risk score, then by recency. Building block alerts are excluded. This enables it to answer questions about multiple alerts in your environment, rather than just the individual alerts you choose to include as context. 
+
+To enable RAG for alerts:
+
+. Turn on the **Alerts** setting.
+. Use the slider to select the number of alerts to send to AI Assistant. 
 +
-When the knowledge base is active, a quick prompt for {esql} queries becomes available. It provides a good starting point for your {esql} conversations and questions.
+[role="screenshot"]
+image::images/knowledge-base-settings.png["AI Assistant's settings menu open to the Knowledge Base tab",75%]
+
+NOTE: Including a large number of alerts may cause your request to exceed the maximum token length of your third-party generative AI provider. If this happens, try selecting a lower number of alerts to send.
 
 [discrete]
 [[ai-assistant-queries]]
@@ -191,3 +220,6 @@ In addition to practical advice, AI Assistant can offer conceptual advice, tips,
 
 * “How do I set up a {ml} job in {elastic-sec} to detect anomalies in network traffic volume over time?”
 * “I need to monitor for unusual file creation patterns that could indicate ransomware activity. How would I construct this query using EQL?”
+
+
+include::ai-alert-triage.asciidoc[leveloffset=+1]
@@ -183,6 +183,9 @@ image::images/cases-files.png[A list of files attached to a case]
 
 You can set file types and sizes by configuring your {kibana-ref}/cases-settings.html[{kib} case settings].
 
+To download or delete the file, or copy the file hash to your clipboard, open the **Actions** menu (**…**).
+The available hash functions are MD5, SHA-1, and SHA-256.
+
 When you add a file, a comment is added to the case activity log.
 To view an image, click its name in the activity or file list.
 

@@ -92,14 +92,14 @@ When you add an indicator to Timeline, a new Timeline opens with an auto-generat
 
 The following image shows a file hash indictor being investigated in Timeline. The indicator field-value pair is:
 
-`threat.indicator.file.hash.sha256 : c207213257a63589b1e1bd2f459b47becd000c1af8ea7983dd9541aff145c3ba`
+`threat.indicator.file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a`
 
 [role="screenshot"]
 image::images/indicator-in-timeline.png[Shows the results of an indicator being investigated in Timeline]
 
 The auto-generated query contains the indicator field-value pair (mentioned previously) and the auto-mapped source event field-value pair, which is:
 
-`file.hash.sha256 : c207213257a63589b1e1bd2f459b47becd000c1af8ea7983dd9541aff145c3ba`
+`file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a`
 
 The query results show an alert with a matching `file.hash.sha256` field value, which may indicate suspicious or malicious activity in the environment.