Attack Discovery | Elastic documentation
The Attack Discovery feature is currently in technical preview, which means it may change in the future. Exercise caution when using it in production environments as features in technical preview are not subject to the support SLA of GA features.
Attack Discovery utilizes large language models (LLMs) to analyze alerts in your environment and identify potential threats. Each "discovery" represents a possible attack and provides insights into relationships among multiple alerts, users, hosts, correspondence to the MITRE ATT&CK matrix, and the potential threat actors involved. This can help optimize security analyst efficiency, combat alert fatigue, and reduce mean time to respond.
Privilege Requirements
To use Attack Discovery, you need the Attack Discovery: All privilege. By default, Attack Discovery analyzes up to 100 alerts from the last 24 hours. However, you can customize the number and types of alerts it processes using the settings menu.
Filter options include KQL queries, time/date selectors, and an alert quantity slider. Sending more alerts than your chosen LLM can manage might result in errors. The tool provides an Alert summary and an Alerts preview section for a detailed overview of selected alerts.

Configuration
Attack Discovery is designed to work with ECS-compliant data fields. You can enable the tool to review additional fields by following the specified steps.
A selected LLM connector is necessary to analyze alerts. Attack Discovery shares LLM connectors with AI Assistant. Various models are compatible with Attack Discovery, and the performance matrix can help you choose the most suitable one.
Analysis Process
The analysis duration varies depending on the number of alerts and the chosen model. Once completed, identified threats appear as discoveries. Click on each title to view detailed information and use the Generate button to start the process again.
Data Anonymization
Attack Discovery adopts the same data anonymization settings as Elastic AI Assistant. Configure which alert fields are sent to the LLM and select fields to obfuscate in the Elastic AI Assistant settings.
Ensure compliance with third-party LLM privacy policies when sharing sensitive data.
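To make the two anonymization controls above concrete, here is an added illustration (not Elastic's implementation) of what they amount to for a single alert: fields not on the allow list are dropped before anything leaves the environment, and fields marked for obfuscation are replaced by stable keyed tokens, with the token-to-value map kept locally so the model's output can be translated back for the analyst. The alert, the field lists and the secret are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample alert using ECS-style field names (not real data).
SAMPLE_ALERT = {
    "@timestamp": "2025-01-01T12:00:00Z",
    "host.name": "ws-1042.corp.example",
    "user.name": "jdoe",
    "source.ip": "10.0.0.23",
    "process.name": "powershell.exe",
    "kibana.alert.rule.name": "Suspicious Encoded PowerShell Command",
    "message": "internal analyst note that should never reach an external model",
}

# Hypothetical settings mirroring the two controls described on the page:
# which alert fields may be sent at all, and which of those are obfuscated.
ALLOWED_FIELDS = {"@timestamp", "host.name", "user.name", "source.ip",
                  "process.name", "kibana.alert.rule.name"}
OBFUSCATED_FIELDS = {"host.name", "user.name", "source.ip"}


def pseudonymize(field: str, value: str, secret: bytes) -> str:
    """Keyed, deterministic token: the same host or user yields the same token
    across alerts (so the model can still correlate them), but the real value
    cannot be recovered from the token without the secret."""
    mac = hmac.new(secret, f"{field}={value}".encode(), hashlib.sha256)
    return f"{field.split('.')[0]}_{mac.hexdigest()[:10]}"


def prepare_alert_for_llm(alert: dict, secret: bytes) -> tuple[dict, dict]:
    """Return (payload safe to send, token->original map kept locally)."""
    payload, replacements = {}, {}
    for field, value in alert.items():
        if field not in ALLOWED_FIELDS:
            continue  # not allowed: dropped, never leaves the environment
        if field in OBFUSCATED_FIELDS:
            token = pseudonymize(field, str(value), secret)
            replacements[token] = str(value)
            payload[field] = token
        else:
            payload[field] = value
    return payload, replacements


def restore_values(text: str, replacements: dict) -> str:
    """Swap tokens back into the model's output before showing it to the analyst."""
    for token, original in replacements.items():
        text = text.replace(token, original)
    return text
```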

Integration
Each discovery provides detailed information on the potential threat generated by the connected LLM. Discoveries can be seamlessly integrated into your Elastic Security workflows for efficient threat management.