
Elastic AI SOC Engine with Elastic Security Serverless

Serverless Security Preview

Elastic AI SOC Engine (EASE) is an Elastic Security Serverless project type that provides AI-powered tools to augment your existing SIEM and EDR/XDR platforms. Because serverless projects are quick to provision and easy to configure, and because every integration you can use to ingest data into EASE supports agentless deployment, you can start getting value from EASE in minutes.

This page describes how to create an EASE project, how to ingest your data, and how to use its key features.

To create an EASE project:

  1. Create an Elastic Security Serverless project, and on the Confirm your project settings page, select Elastic AI SOC Engine.

    (Screenshot: the Confirm your project settings page)
  2. Click Create serverless project, and wait for your project to be provisioned. When it's ready, open it.

To ingest third-party security data:

  1. Go to the Configurations page using the navigation menu or the global search field.

    (Screenshot: the Integrations tab of the Configurations page in an EASE project)
  2. From the Integrations tab, select a SIEM and EDR/XDR platform from which you want to ingest data to view setup instructions and more information. You can ingest data from:

    • CrowdStrike
    • Elastic Security
    • Google SecOps
    • Microsoft Sentinel
    • SentinelOne
    • Splunk

EASE's AI features, such as Attack Discovery and AI Assistant, run through LLM connectors. The Elastic Managed LLM connector is enabled by default; you can also configure your own third-party LLM connector. Keep in mind that different models perform differently on different tasks, so evaluate a model against your own alert data and workflows before relying on it.

EASE provides a set of capabilities designed to help make the most of each security analyst’s time, fight alert fatigue, and reduce your mean time to respond. Once your data is ingested, you can start using the following features:

  • Attack Discovery: Helps you analyze alerts in your environment and identify threats. Each discovery represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible.

    (Screenshot: the Attack Discovery detail view)

    You can schedule Attack Discovery to run automatically, and notify you of any discoveries through a range of connectors such as Slack, Teams, PagerDuty, or email.

  • AI Assistant: An LLM-powered virtual assistant specialized for security operations; it helps with data analysis, alert investigation, incident response, and ES|QL query generation. You can add your own background knowledge and data to its knowledge base and use natural language to ask for its assistance with your SOC operations.

    (Screenshot: a new conversation with AI Assistant)

    You can add custom information to AI Assistant's Knowledge Base, either in the form of individual documents or entire indices containing numerous documents. This information informs the AI Assistant's responses and can include everything from threat intelligence, to information about your team's on-call rotation, to information about your infrastructure, and more.

  • Cases: Helps you track and share related information about security issues. Track key investigation details and collect alerts in a central location.

    (Screenshot: the Cases page in an EASE project in its default state)