Skip to content

Documents new RBAC for value reports #3817

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
+65 −38
Open

Documents new RBAC for value reports #3817

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
379e164
Documents RBAC for AI SOC value report
benironside Nov 5, 2025
c23c007
links to kibana privs docs
benironside Nov 5, 2025
6f777b5
adds value report page to ToC again
benironside Nov 5, 2025
9409e81
fixes applies to
benironside Nov 5, 2025
5881e0a
Update solutions/security/ai/ease/ease-value-report.md
benironside Nov 6, 2025
5046908
Merge branch 'main' into 3720-value-report
benironside Nov 6, 2025
51da14b
Incorporates reviews
benironside Nov 6, 2025
7796dc2
Merge branch 'main' into 3720-value-report
benironside Nov 6, 2025
2e6db25
Moves Features section up on EASE intro page
benironside Nov 7, 2025
ef68d09
Merge branch 'main' into 3720-value-report
benironside Nov 7, 2025
a206241
Incorporates Florent's review
benironside Nov 12, 2025
df53f89
Merge branch 'main' into 3720-value-report
benironside Nov 12, 2025
9cb7ded
Merge branch 'main' into 3720-value-report
benironside Nov 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions solutions/_snippets/value-report-intro.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
The **Value report** page estimates your savings from using Elastic's AI SOC features for alert triage, in terms of **Analyst time saved** and **Cost Savings**. The message at the top of the page explains how those numbers were determined, and how many alerts were **Escalated** and **Filtered** by AI.

You can interact with the page in the following ways:

- **Update the time range:** Use the time selector in the upper right corner to select the time range for which to show value metrics.
- **Export report:** Select **Export report** in the upper right corner to download a sharable PDF of the value report.


:::{image} /solutions/images/security-ease-value-report.png
:alt: The Value Report in an EASE project
:::
Binary file modified solutions/images/security-ease-value-report.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added solutions/images/security-value-report-rbac.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
63 changes: 34 additions & 29 deletions solutions/security/ai/ease/ease-intro.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,40 @@ Elastic AI SOC Engine (EASE) is an {{sec-serverless}} project type that provides

This page describes how to create an EASE project, how to ingest your data, and how to use its key features.


## Features

EASE provides a set of capabilities designed to help make the most of each security analyst’s time, fight alert fatigue, and reduce your mean time to respond. Once your data is ingested, you can start using the following features:

- **[Attack Discovery](/solutions/security/ai/attack-discovery.md)**: Helps you analyze alerts in your environment and identify threats. Each discovery represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible.

:::{image} /solutions/images/security-attck-disc-example-disc.png
:alt: Attack Discovery detail view
:width: 600px
:::

You can [schedule](/solutions/security/ai/attack-discovery.md#schedule-discoveries) Attack Discovery to run automatically, and notify you of any discoveries through a range of connectors such as Slack, Teams, PagerDuty, or email.

- **[AI Assistant](/solutions/security/ai/ai-assistant.md)**: An LLM-powered virtual assistant specialized for digital security; it helps with data analysis, alert investigation, incident response, and {{esql}} query generation. You can add custom background knowledge and data to its [knowledge base](/solutions/security/ai/ai-assistant-knowledge-base.md) and use natural language to ask for its assistance with your SOC operations.

:::{image} /solutions/images/security-ease-ai-assistant.png
:alt: A new conversation with AI Assistant
:width: 450px
:::

You can add custom information to AI Assistant's [Knowledge Base](/solutions/security/ai/ai-assistant-knowledge-base.md), either in the form of individual documents or entire indices containing numerous documents. This information informs the AI Assistant's responses and can include everything from threat intelligence, to information about your team's on-call rotation, to information about your infrastructure, and more.

- **[Cases](/solutions/security/investigate/cases.md)**: Helps you track and share related information about security issues. Track key investigation details and collect alerts in a central location.

:::{image} /solutions/images/security-ease-cases.png
:alt: The Cases page in an EASE project showing the default state
:::

- **[Value report](/solutions/security/ai/ease/ease-value-report.md)**:

:::{include} /solutions/_snippets/value-report-intro.md
:::

## Create an EASE project

To create an EASE project:
Expand Down Expand Up @@ -47,32 +81,3 @@ To ingest third-party security data:

EASE uses LLM connectors to enable its AI features such as Attack Discovery and AI Assistant. The Elastic Managed LLM is enabled by default. You can also [configure your own third-party LLM connector](/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md). Keep in mind that different models [perform differently](/solutions/security/ai/large-language-model-performance-matrix.md) on different tasks.


## Features

EASE provides a set of capabilities designed to help make the most of each security analyst’s time, fight alert fatigue, and reduce your mean time to respond. Once your data is ingested, you can start using the following features:

- **[Attack Discovery](/solutions/security/ai/attack-discovery.md)**: Helps you analyze alerts in your environment and identify threats. Each discovery represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible.

:::{image} /solutions/images/security-attck-disc-example-disc.png
:alt: Attack Discovery detail view
:width: 600px
:::

You can [schedule](/solutions/security/ai/attack-discovery.md#schedule-discoveries) Attack Discovery to run automatically, and notify you of any discoveries through a range of connectors such as Slack, Teams, PagerDuty, or email.

- **[AI Assistant](/solutions/security/ai/ai-assistant.md)**: An LLM-powered virtual assistant specialized for digital security; it helps with data analysis, alert investigation, incident response, and {{esql}} query generation. You can add custom background knowledge and data to its [knowledge base](/solutions/security/ai/ai-assistant-knowledge-base.md) and use natural language to ask for its assistance with your SOC operations.

:::{image} /solutions/images/security-ease-ai-assistant.png
:alt: A new conversation with AI Assistant
:width: 450px
:::

You can add custom information to AI Assistant's [Knowledge Base](/solutions/security/ai/ai-assistant-knowledge-base.md), either in the form of individual documents or entire indices containing numerous documents. This information informs the AI Assistant's responses and can include everything from threat intelligence, to information about your team's on-call rotation, to information about your infrastructure, and more.

- **[Cases](/solutions/security/investigate/cases.md)**: Helps you track and share related information about security issues. Track key investigation details and collect alerts in a central location.

:::{image} /solutions/images/security-ease-cases.png
:alt: The Cases page in an EASE project showing the default state
:::

27 changes: 19 additions & 8 deletions solutions/security/ai/ease/ease-value-report.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,18 +3,29 @@ navigation_title: Value report
applies_to:
serverless:
security: preview
stack: preview 9.3
---

# EASE Value Report
# Value report

The **Value report** page estimates your savings from using Elastic AI SOC Engine (EASE) for alert triage, in terms of **Analyst time saved** and **Cost Savings**. The message at the top of the page explains how those numbers were determined, and how many alerts were **Escalated** and **Filtered** by AI.
:::{include} /solutions/_snippets/value-report-intro.md
:::

You can interact with the page in the following ways:
## Requirements

- **Update the time range:** Use the time selector in the upper right corner to select the time range for which to show value metrics.
- **Export report:** Select **Export report** in the upper right corner to download a sharable PDF of the value report.
```{applies_to}
serverless: preview
stack: preview 9.3
```
Comment on lines +16 to +19
Copy link
Contributor

@florent-leborgne florent-leborgne Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice usage of applies_to. One thing though:

  • "stack" doesn't exist at the page level. Is the feature available there too?
  • This also sounds confusing to me because EASE is a serverless project type and we're in the EASE docs.

Can you look into this? Happy to provide input about what to do once we know more exactly what is available where and what do we need to call out (or locate things) exactly

Copy link
Contributor Author

@benironside benironside Nov 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point Florent. This page was initially introduced just for the EASE feature tier of the Serverless Security project type. It's now available in the security analytics complete feature tier of Serverless Security — and also planned for Stack 9.3.

I've added stack: preview 9.3 at the page level. Also, as part of this PR I made it so that this page appears in two places in the ToC:

  • The original place, within the EASE docs (which is a sub-section within the AI docs section)
  • A new place, within the AI docs section but not within the EASE sub-section.
    My thinking here is that this page should still be findable in the EASE docs since it's one of this feature tier's core features, and it should also be findable when a user is just looking at the AI for Security docs, but not EASE specifically.

What do you think?

Copy link
Contributor Author

@benironside benironside Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, to address your comment about possibly linking to this page from this section, I'd recommend against it. The pages in that section are dedicated specifically to requirements — they aren't feature pages with requirements sections, such as the one this PR updates. I think the link would be out of place there.

Copy link
Contributor

@florent-leborgne florent-leborgne Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the link would be out of place there.

Fine by me, thanks for explaining!

I made it so that this page appears in two places in the ToC

I understand your reasoning here but this isn't well supported in our docs system (it creates 2 pages with the same URL, especially in this case where the 2 pages are close in the TOC, could impair linking, etc.). So we must work around this.

Since it's a core feature of EASE security projects, one approach we could take is:

Happy to hear your thoughts on this but I believe we have to find a way to keep only one occurrence of this page, that using snippets wouldn't make sense either here since the entirety of the page makes sense, and that better referencing it from the EASE docs should be sufficient.

Copy link
Contributor Author

@benironside benironside Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love this. Implemented it. Thanks!

Copy link
Contributor Author

@benironside benironside Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reused much of the content from the EASE value reports page in the Features section. I think it works, but it might be a bit repetitive since the content now appears on both pages. Thoughts?


* To access the **Value report** page, your subscription must include AI-powered features. For {{sec-serverless}}, this means you need either the Elastic AI SOC Engine (EASE) or Security Analytics Complete [feature tier](https://www.elastic.co/pricing/serverless-security).

:::{image} /solutions/images/security-ease-value-report.png
:alt: The Value Report in an EASE project
:::
* To access the **Value report** page, you need the **SOC Management** Security sub-feature [{{kib}} privilege](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md).

![value report RBAC setting](/solutions/images/security-value-report-rbac.png "=50%")

::::{note}
The following default roles have the **SOC Management** privilege by default:
- EASE feature tier: ` _search_ai_lake_soc_manager`
- Security Analytics Complete: `admin` and `soc_manager`
::::
2 changes: 1 addition & 1 deletion solutions/toc.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
project: "Solutions and use cases"
toc:
- file: index.md
Expand Down Expand Up @@ -558,7 +558,6 @@
- file: security/ai/ease/ease-intro.md
children:
- file: security/ai/ease/ease-alerts.md
- file: security/ai/ease/ease-value-report.md
- file: security/ai/ease/ease-upgrade.md
- file: security/ai/ai-assistant.md
children:
Expand All @@ -578,6 +577,7 @@
- file: security/ai/triage-alerts.md
- file: security/ai/identify-investigate-document-threats.md
- file: security/ai/generate-customize-learn-about-esorql-queries.md
- file: security/ai/ease/ease-value-report.md
- file: security/detect-and-alert.md
children:
- file: security/detect-and-alert/detections-requirements.md
Expand Down