Consolidated issue. This tracks the Attack flyout v2 (Discover) build-out for Attack Discovery. It absorbs #7298 (the Overview tab's Insights section — implicated entities + correlated alerts). This is Attack Discovery / Security AI work, not Elastic Workflows (the "One Workflow" label on the PRs is incidental), so it has been moved out of the Workflows checklist. Hold documentation until the v2 flyout is fully assembled and confirmed as the shipped UI (PR-4/PR-5 of a series; "See all" links are still placeholder stubs). Doc target: Attack Discovery > "What information does each discovery include?"
Absorbed PRs: kibana#273080 (Visualizations / Attack Chain accordion), kibana#273081 (Insights section — entities & correlations).
Summary
Adds a Visualizations accordion (containing the Attack Chain / MITRE tactics diagram) to the Overview tab of the in-progress 'attack flyout v2' surface, which the PR describes as appearing in Discover. This is explicitly PR-4 of a multi-PR build-out series for a new flyout that is not yet complete (an Insights section is still deferred to a future PR), and the change has no associated experimental feature flag in the codebase.
Why this needs docs: Confidence is reduced because the diff only confirms an internal component build-out step for a flyout that isn't fully assembled or clearly exposed as a distinct, documented entry point yet (no feature flag found, no matching 'flyout v2' concept in the current Attack Discovery docs) — documenting it now risks describing a UI that will keep changing shape across PR-5 and beyond.
Resources
- PR #273080 — [Security Solution] Attack flyout v2 in Discover — visualizations section
Availability
| Channel |
Details |
| Stack |
v9.5.0 |
| Serverless |
Jul 6–Jul 10 |
| Feature flag |
None — active by default |
Created with Docs Quest Scanner by @nastasha-solomon
Suggested edits
Attack Discovery > What information does each discovery include?
- What the docs say: Describes discoveries as an expandable/collapsible list item showing title, summary, associated alerts, MITRE ATT&CK mapping, and implicated entities — with no mention of a flyout with tabs (Overview, etc.) or a dedicated Visualizations/Attack Chain accordion.
- What to add: If and when the v2 attack flyout (with its Overview tab, AI Summary section, and now Visualizations/Attack Chain accordion) becomes the primary, stable way users view discovery details, this section would need a rewrite to describe the flyout's tab structure and the new Visualizations accordion, replacing or supplementing the current 'click title to expand' description. Hold off until the flyout v2 build-out (PR-4 of a series, with Insights still pending in PR-5) is complete and confirmed as the shipped UI. Not yet applicable — internal build-out in progress, no confirmed release version or feature flag to scope against.
TriageBot — Complete
2026-07-09
Type: documentation
Section check:
- ✅ What information is missing or unclear: clearly stated — the current docs lack flyout v2 structure; update is deferred until v2 is fully assembled and confirmed as shipped UI.
Cross-references:
elastic/docs-content#7298 — closed (absorbed into this consolidated issue, as noted in the body — expected)
kibana#273080, kibana#273081 — referenced PRs; external repo, not verified but links are well-formed
Next step: none — issue is complete. Hold documentation until the v2 flyout build-out is finished and confirmed as the shipped UI.
Generated by Gh Aw Issue Triage for issue #7296 · 17.6 AIC · ⌖ 5.99 AIC · ⊞ 9.1K · ◷
Elastic Docs AI Scoping 🤖
Docs issue scope
Summary
The issue requests documentation for the attack flyout v2 in Discover, specifically the Overview tab's Visualizations/Attack Chain accordion (kibana#273080, PR-4) and Insights section — entities and correlations (kibana#273081, PR-5). The issue was created with a "hold" note because PR-5 was still pending; both PRs are now merged to v9.5.0 (June 30 and July 2). The current attack-discovery.md page describes the legacy expand/collapse list pattern with no mention of a flyout with tabs, a Visualizations/Attack Chain accordion, or an Insights section with entities and correlations counts. The code changes directly correspond to the issue request.
Request accuracy
Accurate — both PRs are merged and the v2 flyout Overview tab is complete; the original "hold" no longer applies.
Next action for author
Update the "What information does each discovery include?" section in solutions/security/ai/attack-discovery.md to describe the v2 flyout tab structure, Visualizations/Attack Chain accordion, and Insights section for 9.5+ and serverless.
Impact: High
Scope boundary
The legacy expand/collapse description (pre-9.5 behavior), RBAC section, schedule setup, and triage page do not appear to need changes. The "see all" links in the Insights section are confirmed stubs (TODO in code), so do not document navigation to a left panel yet.
Recommended documentation targets
| Page |
URL |
Action |
Impact |
Confidence |
Why this page? |
| Attack Discovery |
https://www.elastic.co/docs/solutions/security/ai/attack-discovery |
Update existing page |
High |
High |
The "What information does each discovery include?" section directly describes discovery detail view; needs a versioned block for 9.5+ describing the flyout tab structure, Visualizations/Attack Chain accordion, and Insights (entities + correlations) |
Recommendations
- In
solutions/security/ai/attack-discovery.md, update the "What information does each discovery include?" section (lines 146–158) to add a versioned {applies_to: stack: ga 9.5+, serverless: ga} block describing: the v2 flyout's Overview tab structure (AI Summary → Visualizations → Insights), the Visualizations accordion with the Attack Chain / MITRE tactics diagram (collapsible, state persisted in localStorage), and the Insights section showing related entities (users, hosts) and correlations (related alerts count). Retain the existing three-item bullet list for pre-9.5 behavior.
- Replace or supplement the existing screenshot (
security-attck-disc-example-disc.png) with a 9.5-specific screenshot showing the v2 flyout Overview tab, scoped to stack: ga 9.5+.
Notes
- The Insights "see all" navigation links are stub no-ops in the merged code (no v2 left panel yet) — do not document those links until a follow-up PR ships them.
applies_to for the new content: stack: ga 9.5+ and serverless: ga to match the PR label (v9.5.0) and issue availability table.
- Consider whether the existing screenshot at line 154 should use a versioned
applies-switch block or remain as a fallback image — align with the pattern used elsewhere in the file.
Generated by Issue Scope Analyzer for issue #7296 · 25.2 AIC · ⌖ 4.87 AIC · ⊞ 8.8K · ◷
Summary
Adds a Visualizations accordion (containing the Attack Chain / MITRE tactics diagram) to the Overview tab of the in-progress 'attack flyout v2' surface, which the PR describes as appearing in Discover. This is explicitly PR-4 of a multi-PR build-out series for a new flyout that is not yet complete (an Insights section is still deferred to a future PR), and the change has no associated experimental feature flag in the codebase.
Why this needs docs: Confidence is reduced because the diff only confirms an internal component build-out step for a flyout that isn't fully assembled or clearly exposed as a distinct, documented entry point yet (no feature flag found, no matching 'flyout v2' concept in the current Attack Discovery docs) — documenting it now risks describing a UI that will keep changing shape across PR-5 and beyond.
Resources
Availability
Created with Docs Quest Scanner by
@nastasha-solomonSuggested edits
Attack Discovery > What information does each discovery include?
TriageBot — Complete
2026-07-09
Type: documentation
Section check:
Cross-references:
elastic/docs-content#7298— closed (absorbed into this consolidated issue, as noted in the body — expected)kibana#273080,kibana#273081— referenced PRs; external repo, not verified but links are well-formedNext step: none — issue is complete. Hold documentation until the v2 flyout build-out is finished and confirmed as the shipped UI.
Elastic Docs AI Scoping 🤖
Docs issue scope
Summary
The issue requests documentation for the attack flyout v2 in Discover, specifically the Overview tab's Visualizations/Attack Chain accordion (kibana#273080, PR-4) and Insights section — entities and correlations (kibana#273081, PR-5). The issue was created with a "hold" note because PR-5 was still pending; both PRs are now merged to v9.5.0 (June 30 and July 2). The current
attack-discovery.mdpage describes the legacy expand/collapse list pattern with no mention of a flyout with tabs, a Visualizations/Attack Chain accordion, or an Insights section with entities and correlations counts. The code changes directly correspond to the issue request.Request accuracy
Accurate — both PRs are merged and the v2 flyout Overview tab is complete; the original "hold" no longer applies.
Next action for author
Update the "What information does each discovery include?" section in
solutions/security/ai/attack-discovery.mdto describe the v2 flyout tab structure, Visualizations/Attack Chain accordion, and Insights section for 9.5+ and serverless.Impact: High
Scope boundary
The legacy expand/collapse description (pre-9.5 behavior), RBAC section, schedule setup, and triage page do not appear to need changes. The "see all" links in the Insights section are confirmed stubs (TODO in code), so do not document navigation to a left panel yet.
Recommended documentation targets
Recommendations
solutions/security/ai/attack-discovery.md, update the "What information does each discovery include?" section (lines 146–158) to add a versioned{applies_to: stack: ga 9.5+, serverless: ga}block describing: the v2 flyout's Overview tab structure (AI Summary → Visualizations → Insights), the Visualizations accordion with the Attack Chain / MITRE tactics diagram (collapsible, state persisted in localStorage), and the Insights section showing related entities (users, hosts) and correlations (related alerts count). Retain the existing three-item bullet list for pre-9.5 behavior.security-attck-disc-example-disc.png) with a 9.5-specific screenshot showing the v2 flyout Overview tab, scoped tostack: ga 9.5+.Notes
applies_tofor the new content:stack: ga 9.5+andserverless: gato match the PR label (v9.5.0) and issue availability table.applies-switchblock or remain as a fallback image — align with the pattern used elsewhere in the file.