
Attack Discovery

Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst’s time, fight alert fatigue, and reduce your mean time to respond.

For a demo, refer to the following video (click to view).

Attack Discovery video

To use Attack Discovery, your role needs specific privileges.

Ensure your role has:

  • All Kibana privileges for the Security > Attack discovery Kibana feature and at least Read privileges for the Security > Rules Kibana feature.

  • The appropriate index privileges, based on what you want to do with Attack Discovery alerts:

| Action | Indices | Elasticsearch privileges |
| --- | --- | --- |
| Read Attack Discovery alerts | .alerts-security.attack.discovery.alerts-<space-id>, .internal.alerts-security.attack.discovery.alerts-<space-id>, .adhoc.alerts-security.attack.discovery.alerts-<space-id>, .internal.adhoc.alerts-security.attack.discovery.alerts-<space-id> | read and view_index_metadata |
| Read and modify Attack Discovery alerts. This includes: generating discovery alerts manually, generating discovery alerts using schedules, sharing manually created alerts with other users, and updating a discovery's status | .alerts-security.attack.discovery.alerts-<space-id>, .internal.alerts-security.attack.discovery.alerts-<space-id>, .adhoc.alerts-security.attack.discovery.alerts-<space-id>, .internal.adhoc.alerts-security.attack.discovery.alerts-<space-id> | read, view_index_metadata, write, and maintenance |

Ensure your role has:

  • All Kibana privileges for the Security > Attack discovery Kibana feature and at least Read privileges for the Security > Rules, Alerts, and Exceptions Kibana feature.

  • The appropriate index privileges, based on what you want to do with Attack Discovery alerts:

| Action | Indices | Elasticsearch privileges |
| --- | --- | --- |
| Read Attack Discovery alerts | .alerts-security.attack.discovery.alerts-<space-id>, .internal.alerts-security.attack.discovery.alerts-<space-id>, .adhoc.alerts-security.attack.discovery.alerts-<space-id>, .internal.adhoc.alerts-security.attack.discovery.alerts-<space-id> | read and view_index_metadata |
| Read and modify Attack Discovery alerts. This includes: generating discovery alerts manually, generating discovery alerts using schedules, sharing manually created alerts with other users, and updating a discovery's status | .alerts-security.attack.discovery.alerts-<space-id>, .internal.alerts-security.attack.discovery.alerts-<space-id>, .adhoc.alerts-security.attack.discovery.alerts-<space-id>, .internal.adhoc.alerts-security.attack.discovery.alerts-<space-id> | read, view_index_metadata, write, and maintenance |

Ensure your role has All Kibana privileges for the Security > Attack discovery Kibana feature.

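As an added example (not code from the Elastic documentation), the following Python helper turns the index privileges table above into a least-privilege Elasticsearch role body for one Kibana space and checks an existing role document for gaps before you hand it to an analyst. It assumes the role-document shape used by the Elasticsearch create-role API (`indices` entries with `names` and `privileges`), uses `fnmatch` as an approximation of Elasticsearch's wildcard index-pattern matching, and treats the `all` index privilege as covering every named privilege. The Kibana feature privileges listed above are assigned separately and are not modeled here; the sample analyst role is constructed for the example.

```python
import fnmatch
import json

# Index patterns from the Attack Discovery privileges table; the <space-id>
# placeholder is substituted per Kibana space.
ATTACK_DISCOVERY_INDEX_TEMPLATES = (
    ".alerts-security.attack.discovery.alerts-{space}",
    ".internal.alerts-security.attack.discovery.alerts-{space}",
    ".adhoc.alerts-security.attack.discovery.alerts-{space}",
    ".internal.adhoc.alerts-security.attack.discovery.alerts-{space}",
)

# Privilege sets from the table: read-only vs. read-and-modify.
READ_PRIVILEGES = frozenset({"read", "view_index_metadata"})
MODIFY_PRIVILEGES = READ_PRIVILEGES | {"write", "maintenance"}


def attack_discovery_indices(space_id):
    """Concrete index names for one Kibana space."""
    return [t.format(space=space_id) for t in ATTACK_DISCOVERY_INDEX_TEMPLATES]


def required_privileges(modify):
    return MODIFY_PRIVILEGES if modify else READ_PRIVILEGES


def build_role_body(space_id, modify):
    """Request body for PUT /_security/role/<name> (Elasticsearch create-role
    API, assumed shape) granting only what Attack Discovery needs in one space."""
    return {
        "indices": [
            {
                "names": attack_discovery_indices(space_id),
                "privileges": sorted(required_privileges(modify)),
            }
        ]
    }


def granted_privileges(role_body, index_name):
    """Union of privileges a role grants on index_name. fnmatch approximates
    Elasticsearch wildcard matching (assumption; good enough for '*' patterns)."""
    granted = set()
    for entry in role_body.get("indices", []):
        patterns = entry.get("names", [])
        if any(fnmatch.fnmatchcase(index_name, p) for p in patterns):
            granted.update(entry.get("privileges", []))
    return granted


def missing_privileges(role_body, space_id, modify):
    """Map index -> sorted privileges the role lacks; empty when the role suffices."""
    missing = {}
    for index_name in attack_discovery_indices(space_id):
        granted = granted_privileges(role_body, index_name)
        if "all" in granted:  # 'all' implies every index privilege
            continue
        lacking = required_privileges(modify) - granted
        if lacking:
            missing[index_name] = sorted(lacking)
    return missing


# Constructed sample: an analyst role that was only granted read access on the
# public alerts alias pattern, which misses the internal and ad hoc indices.
EXAMPLE_ANALYST_ROLE = {
    "indices": [
        {
            "names": [".alerts-security.attack.discovery.alerts-*"],
            "privileges": ["read", "view_index_metadata"],
        }
    ]
}

if __name__ == "__main__":
    print(json.dumps(build_role_body("default", modify=True), indent=2))
    print(json.dumps(missing_privileges(EXAMPLE_ANALYST_ROLE, "default", False), indent=2))
```

Run the module directly to print a ready-to-submit role body and the gap report for the sample role; `missing_privileges` is the check to run against roles you already have before enabling schedules or sharing, since those actions need the write and maintenance privileges on all four index patterns, not just the public alias.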

By default, Attack Discovery analyzes up to 100 alerts from the last 24 hours, but you can customize how many and which alerts it analyzes using the settings menu. To open it, click the settings icon next to the Run button.

Attack Discovery's settings menu

You can select which alerts Attack Discovery will process by filtering based on a KQL query, the time and date selector, and the Number of alerts slider. Note that sending more alerts than your chosen LLM can handle may result in an error. Under Alert summary you can view a summary of the selected alerts grouped by various fields, and under Alerts preview you can see more details about the selected alerts.

How to add non-ECS fields to Attack Discovery

Attack Discovery is designed for use with alerts based on data that complies with ECS, and by default only analyzes ECS-compliant fields. However, you can enable Attack Discovery to review additional fields by following these steps:

  1. Select an alert with some of the non-ECS fields you want to analyze, and go to its details flyout. From here, use the Ask AI Assistant or Add to chat button to open an AI chat.
  2. At the bottom of the chat window, the alert's information appears. Click Edit to open the anonymization window for this alert's fields.
  3. Search for and select the non-ECS fields you want Attack Discovery to analyze. Set them to Allowed.
  4. Check the Update presets box to add the allowed fields to the space's default anonymization settings.

The next time you run Attack Discovery it will be able to analyze the selected fields.

You’ll need to select an LLM connector before you can analyze alerts. To get started:

  1. Click the Attack Discovery page from Elastic Security's navigation menu.

  2. Do one of the following:

  3. Once you’ve selected a connector, do one of the following to start the analysis:

  4. It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one’s title to expand or collapse it. Click Run at any time to start the Attack Discovery process again with the selected alerts.

Important

Attack Discovery uses the same data anonymization settings as Elastic AI Assistant. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data.

What information does each discovery include?

Each discovery includes the following information describing the potential threat, generated by the connected LLM:

  1. A descriptive title and a summary of the potential threat.
  2. The number of associated alerts and which parts of the MITRE ATT&CK matrix they correspond to.
  3. The implicated entities (users and hosts), and what suspicious activity was observed for each.

Attack Discovery detail view

Incorporate discoveries with other workflows

There are several ways you can incorporate discoveries into your Elastic Security workflows:

Attack Discovery view in AI Assistant

Schedule discoveries

You can define recurring schedules (for example, daily or weekly) to automatically generate attack discoveries without needing manual runs. For example, you can generate discoveries every 24 hours and send a Slack notification to your SecOps channel if discoveries are found. Notifications are sent using configured connectors, such as Slack or email, and you can customize the notification content to tailor alert context to your needs.

Note

You can still generate discoveries manually at any time, regardless of an active schedule.

To create a new schedule:

  1. In the top-right corner, select Schedule.
  2. In the Attack discovery schedule flyout, select Create new schedule.
  3. Enter a name for the new schedule.
  4. Select the LLM connector to use for generating discoveries, or add a new one.
  5. Use the KQL query bar, time filter, and alerts slider to customize the set of alerts that will be analyzed.
  6. Define the schedule's frequency (for example, every 24 hours).
  7. Optionally, select the connectors to use for receiving notifications, and define their actions.
  8. Click Create & enable schedule.

After creating new schedules, you can view their status, modify them, or delete them from the Attack discovery schedule flyout.

Tip

Scheduled discoveries are shown with a Scheduled Attack discovery icon. Click the icon to view the schedule that created it.

View saved discoveries

Attack discoveries are automatically saved on the Attack Discovery page each time you generate them. Once saved, discoveries remain available for later review, reporting, and tracking over time. This allows you to revisit discoveries to monitor trends, maintain audit trails, and support investigations as your environment evolves.

Change a discovery's status

You can set a discovery's status to indicate that it's under active investigation or that it's been resolved. To do this, click Take action, then select Mark as acknowledged or Mark as closed.

You can choose to change the status of only the discovery, or of both the discovery and the alerts associated with it.

Share attack discoveries

By default, scheduled discoveries are shared with all users in a Kibana space.

Manually generated discoveries are private by default. To share them, change Not shared to Shared next to the discovery's name.

Note

Once a discovery is shared, its visibility cannot be changed.

Take bulk actions

You can take bulk actions on multiple discoveries, such as bulk-changing their status or adding them to a case. To do this, select the checkboxes next to each discovery, then click Selected x Attack discoveries and choose the action you want to take.

Search and filter saved discoveries

You can search and filter saved discoveries to help locate relevant findings.
