elevate doc creation

docs/xdr/features/modules/elevate_activate.md

@@ -0,0 +1,41 @@
+# Activate Elevate on a workspace
+
+This article explains how to enable the Elevate investigation agent on your workspace so it automatically analyzes all incoming alerts.
+
+## Prerequisites
+
+- Your Sekoia plan includes the Elevate add-on. To verify, navigate to **Settings > Subscriptions** and confirm that an Elevate entry appears alongside your current plan.
+- You have administrator-level access to the workspace.
+
+## Activate the agent
+
+The Elevate investigation agent is available as soon as the Elevate add-on is enabled on your workspace. The agent is disabled by default so you control when quota consumption begins.
+
+!!! warning "Quota consumption starts immediately"
+    Enabling the agent triggers analysis of all new incoming alerts across all communities in the workspace. Each analysis consumes one unit of your monthly investigation quota. Review your quota allocation before activating.
+
+To activate the agent:
+
+1. Navigate to **Settings > AI agent**.
+2. Select **Investigation agent** under the **Workspace** section.
+3. Toggle **Auto-analyze alerts** to enabled.
+
+> 📸 [SCREENSHOT SUGGESTION: Settings > AI agent panel showing the Investigation agent section with the Auto-analyze alerts toggle switched to the enabled position. | ALT TEXT: AI agent settings panel with the Auto-analyze alerts toggle enabled.]
+
+Once enabled, the agent analyzes every new alert that arrives across all communities in the workspace.
+
+## Add agent instructions
+
+The **Instructions** field lets you provide contextual guidance the agent takes into account when analyzing alerts. Use it to describe environment-specific context, known legitimate behaviors, or investigation priorities specific to your organization.
+
+[PLACEHOLDER: Confirm field format, character limit, and add 1-2 examples of effective instructions.]
+
+## Result
+
+New incoming alerts are automatically analyzed by the Elevate agent. The **Verdict** column in the alert list updates as each investigation completes.
+
+## Related links
+
+- [Limit auto-analysis to specific rules](/xdr/features/modules/elevate_rule_filter.md): How to restrict which alerts Elevate analyzes to control quota usage.
+- [Override Elevate settings for a community](/xdr/features/modules/elevate_community_override.md): How to enable or disable Elevate independently for a specific community.
+- [Manage your Elevate investigation quota](/xdr/features/modules/elevate_quota.md): How to monitor and optimize your monthly investigation quota.

docs/xdr/features/modules/elevate_analysis_states.md

@@ -0,0 +1,27 @@
+# Elevate analysis states
+
+The **Verdict** column in the alert list displays the current state of the Elevate AI investigation for each alert. This article describes every possible state and what it means.
+
+> 📸 [SCREENSHOT SUGGESTION: Alert list view with the Verdict column highlighted, showing a variety of AI analysis states including "In progress", "Confirmed Attack", "AI analysis failed", "AI analysis timeout", and "AI limit reached". | ALT TEXT: Alert list showing different Elevate verdict states in the Verdict column.]
+
+## States reference
+
+| State | Description |
+|---|---|
+| **In progress** | The AI agent is currently analyzing the alert. Results will be available shortly. |
+| **True Positive** | The agent concluded the alert represents a real threat. A confidence score and explanation are available in the AI Investigation tab. |
+| **False Positive** | The agent concluded the alert is benign. A confidence score and explanation are available in the AI Investigation tab. |
+| **AI analysis failed** | The analysis could not be completed due to an internal error. You can retry by reassigning the alert to Roy. |
+| **AI analysis timeout** | The analysis request timed out before completing. You can retry by reassigning the alert to Roy. |
+| **AI limit reached** | Your monthly investigation quota is exhausted. No new alerts will be analyzed until the next billing cycle or until your administrator upgrades your plan. |
+
+## AI-generated vs. analyst-set verdicts
+
+Verdicts set by the Elevate agent display a sparkle icon in the alert list. When an analyst validates or overrides the AI verdict manually, the sparkle icon disappears and the verdict reflects the analyst's choice.
+
+## Related links
+
+- [Elevate](/xdr/features/modules/elevate_overview.md): Concept overview of how Elevate works and its key concepts.
+- [Validate or override an Elevate verdict](/xdr/features/modules/elevate_validate_verdict.md): How to confirm or change the AI verdict on an alert.
+- [Trigger a manual Elevate analysis](/xdr/features/modules/elevate_manual_analysis.md): How to analyze an alert that was not processed automatically.
+- [Manage your Elevate investigation quota](/xdr/features/modules/elevate_quota.md): How to monitor and optimize your monthly investigation quota.

docs/xdr/features/modules/elevate_community_override.md

@@ -0,0 +1,34 @@
+# Override Elevate settings for a community
+
+When Elevate is activated at the workspace level, all communities inherit that configuration by default. This article explains how to override the agent settings for a specific community to enable or disable Elevate independently.
+
+## Prerequisites
+
+- Elevate is activated on your workspace. See [Activate Elevate on a workspace](/xdr/features/modules/elevate_activate.md).
+- You have administrator-level access to the workspace.
+
+## Override the configuration for a community
+
+1. Navigate to **Settings > AI agent**.
+2. Select the community you want to configure from the community list.
+3. Select **Override**.
+4. Toggle **Auto-analyze alerts** to the desired state for this community.
+
+> 📸 [SCREENSHOT SUGGESTION: AI agent settings panel for a specific community, showing the Override button and the Auto-analyze alerts toggle in a custom state with an indicator confirming that the community uses its own settings. | ALT TEXT: Community-level AI agent settings with the Override option active and a custom auto-analyze toggle state.]
+
+An indicator confirms that this community now uses its own settings and no longer inherits the workspace-level configuration.
+
+!!! note "Understanding the inherited state"
+    Before you select **Override**, the toggle reflects the workspace-level setting. It does not represent a choice made at the community level. Select **Override** to manage this community independently.
+
+## Result
+
+The community uses its own Elevate configuration independently of the workspace setting. Other communities are not affected.
+
+To revert to the workspace configuration, return to the community's AI agent settings and remove the override.
+
+## Related links
+
+- [Activate Elevate on a workspace](/xdr/features/modules/elevate_activate.md): How to enable the Elevate agent at the workspace level.
+- [Limit auto-analysis to specific rules](/xdr/features/modules/elevate_rule_filter.md): How to restrict which alerts Elevate analyzes within a workspace or community.
+- [Manage your Elevate investigation quota](/xdr/features/modules/elevate_quota.md): How to monitor and optimize your monthly investigation quota.

docs/xdr/features/modules/elevate_custom_instructions.md

@@ -0,0 +1,31 @@
+# Add custom instructions for Elevate agents
+
+If you want to refined the agent investigation results you can add custom instructions. 
+
+## Add Contextual instructions
+If you want add more context for a specific community: 
+1. Go to **Settings > AI agent**.
+2. Select the community where you want the change to be applied.
+3. Select **Agent/Alert case investigation**.
+4. Open the **Instructions** tab.
+5. Enter your custom instructions.
+6. Select **Save**.
+
+!!! note "Workspace instructions"
+   If you want this instruction to be applied on all your communities, Select your workspace instead of a specific community.
+
+## Custom detection rules agent investigation
+
+!!! tip
+   - If the triggering rules comes from a runbook you have created, you can modify the Reasoning questions sections that the agent will use. 
+   - If the triggering rules comes from a runbook build by Sekoia, you can duplicate the rule and edit the runbook but this duplicated rules won't be automatically updated by Sekoia.
+
+   1. If you want to change the reasoning questions, in the Triggered rule section, click on the **Runbook** button.
+   2. At the bottom of the runbook panel, click on **Edit Runbook**.
+   3. Modify the reasoning questions according to your preferences.
+   4. Click **Save runbook**.
+As soon as an alert is triggered by this detection rule the agent takes your modification into account.
+
+!!! note "Communities impacted"
+    These modifications apply to all the communities from your workspace.
+

docs/xdr/features/modules/elevate_investigate_alert.md

@@ -0,0 +1,63 @@
+# Investigate an alert with Elevate
+
+This article explains how to access and read the AI investigation report produced by Elevate for an alert, including the verdict, confidence score, and findings.
+
+## Prerequisites
+
+- Elevate is activated on your workspace or community. See [Activate Elevate on a workspace](/xdr/features/modules/elevate_activate.md).
+- The alert has been analyzed by the Elevate agent. Check the **Verdict** column in the alert list to confirm the analysis is complete. If the state is **In progress** or shows an error, see [Elevate analysis states](/xdr/features/modules/elevate_analysis_states.md).
+
+## Open the AI investigation report
+
+1. Navigate to **Investigate > Alerts**.
+2. Select the alert you want to review.
+
+> 📸 [SCREENSHOT SUGGESTION: Alert detail view with the AI Investigation tab selected, showing the Verdict section at the top and the Findings section below. | ALT TEXT: AI Investigation tab of an alert showing the verdict and findings sections.]
+
+## Read the verdict
+
+The **Verdict** section at the top of the AI Investigation tab contains:
+
+- The **classification**: True Positive or False Positive
+- The **confidence score**: a percentage expressing the agent's certainty in its conclusion
+- A **plain-language explanation** summarizing the key evidence and reasoning behind the classification
+
+??? example "Example verdict: False Positive at 85% confidence"
+    The spike involved four distinct hosts and included an external source IP, but there were no authentication failures, new processes, data exfiltration, privileged account usage, IoC matches, or corroborating alerts from other sensors. The lack of any malicious indicators suggests the activity is benign and therefore a false positive.
+
+## Read the findings
+
+Findings are the individual evidence items the agent collected and evaluated. Each finding is a discrete, verifiable observation drawn from your telemetry.
+
+To review the findings from the AI Investigation tab:
+
+1. Scroll to the **Findings** section below the verdict.
+2. Select the expand arrow on any finding card to view the underlying data that supports it.
+
+Findings tagged **Global** apply to the alert as a whole rather than to a specific asset or event.
+
+> 📸 [SCREENSHOT SUGGESTION: Findings section of the AI Investigation tab with several finding cards expanded, each displaying a "Global" tag and a plain-language observation. | ALT TEXT: Findings section showing expandable evidence cards with Global tags.]
+
+### Access findings from the alert timeline
+
+A summary of findings is also available directly from the alert detail view without opening the AI Investigation tab.
+
+1. In the alert detail view, locate the timeline panel.
+2. Select the **Findings** tab.
+
+The Findings tab lists all evidence items the agent collected, allowing you to review them alongside the alert timeline.
+
+> 📸 [SCREENSHOT SUGGESTION: Alert detail view with the Findings tab selected in the timeline panel, showing a bulleted list of evidence items collected by the Elevate agent. | ALT TEXT: Findings tab in the alert timeline panel showing AI-collected evidence items.]
+
+## Discover Reasoning questions
+
+To go further in your understanding of the verdict and findings methodology, scroll down to **Reasoning questions** sections. 
+
+Most of the Reasoning questions comes from our Runbooks, but Elevate agent add its own relevant investigation questions. 
+
+
+## Related links
+
+- [Validate or override an Elevate verdict](/xdr/features/modules/elevate_validate_verdict.md): How to confirm or change the AI verdict once you have reviewed the investigation.
+- [Elevate analysis states](/xdr/features/modules/elevate_analysis_states.md): Reference table of all possible AI analysis states and their meaning.
+- [Trigger a manual Elevate analysis](/xdr/features/modules/elevate_manual_analysis.md): How to analyze an alert that was not processed automatically.

docs/xdr/features/modules/elevate_manual_analysis.md

@@ -0,0 +1,32 @@
+# Trigger a manual Elevate analysis
+
+This article explains how to trigger an Elevate investigation on an alert that was not analyzed automatically, for example because it was created before Elevate was activated or because it was excluded by a rule filter.
+
+## Prerequisites
+
+- Elevate is activated on your workspace or community. See [Activate Elevate on a workspace](/xdr/features/modules/elevate_activate.md).
+- The alert has not yet been analyzed. The **Verdict** column shows no AI state, or the alert was excluded by the rule filter.
+
+## Assign the alert to Roy
+
+Roy is the Elevate investigation agent. Assigning an alert to Roy triggers an immediate analysis.
+
+1. Navigate to **Investigate > Alerts**.
+2. Select the alert you want to analyze.
+3. Select the **Assignee** field in the alert header.
+4. Select **Roy**.
+
+> 📸 [SCREENSHOT SUGGESTION: Alert detail view showing the Assignee dropdown open with Roy listed as an available option. | ALT TEXT: Alert assignee dropdown with Roy as a selectable option to trigger a manual Elevate analysis.]
+
+## Result
+
+The agent begins analyzing the alert. The **Verdict** column updates to **In progress** while the analysis runs. Once complete, the verdict and findings are available in the **AI Investigation** tab.
+
+!!! note "Quota consumption"
+    A manually triggered analysis consumes one unit of your monthly investigation quota, the same as an automatic analysis.
+
+## Related links
+
+- [Investigate an alert with Elevate](/xdr/features/modules/elevate_investigate_alert.md): How to read the AI investigation report once the analysis is complete.
+- [Elevate analysis states](/xdr/features/modules/elevate_analysis_states.md): Reference table of all possible AI analysis states and their meaning.
+- [Manage your Elevate investigation quota](/xdr/features/modules/elevate_quota.md): How to monitor and optimize your monthly investigation quota.

docs/xdr/features/modules/elevate_overview.md

@@ -0,0 +1,42 @@
+# Elevate
+
+Elevate is the AI investigation layer of Sekoia, built to automatically triage and investigate alerts end-to-end. It deploys a specialized AI agent that analyzes every incoming alert, correlates evidence across your data sources, and produces a structured investigation report so your analysts focus on decisions, response, and strategy rather than manual triage.
+
+## How Elevate works
+
+When a new alert arrives in Sekoia, the Elevate investigation agent runs a full investigation autonomously without waiting for an analyst to open the alert. It is driven by detection-specific AI runbooks curated by Sekoia's research team, one per detection rule, that define the exact logic, questions, and false-positive scenarios relevant to that alert type.
+
+For each alert, the agent:
+
+- Assesses the relevance of the alert and the likelihood of a false positive
+- Collects and correlates evidence across all available data sources
+- Enriches findings with threat intelligence and contextual signals
+- Produces a complete, audit-ready investigation report with a verdict and a confidence score
+
+## What makes Elevate different
+
+**Detection-specific AI runbooks** embed expert investigation logic directly at the rule level. Rather than applying generic playbooks across all alert types, the agent follows tailored guidance for each detection.
+
+**Human-in-the-loop by design** keeps analysts in full control. Every finding is reviewable, every verdict is overridable, and every automated decision is fully traceable. There are no black boxes.
+
+**Sovereign AI by architecture** ensures all AI computation runs on Sekoia-hosted infrastructure. No data is sent to external LLM providers, which makes Elevate suitable for regulated environments and sensitive data contexts.
+
+## Key concepts
+
+### Verdict
+
+The verdict is the outcome of the AI investigation. It classifies the alert as a **True Positive** or a **False Positive**, accompanied by a confidence score and a plain-language explanation of the reasoning. Analysts can validate or override any verdict at any time.
+
+### Findings
+
+Findings are the individual evidence items the agent collected during its investigation. Each finding is a discrete, verifiable observation drawn from your telemetry. They are visible in the **AI Investigation** tab and in the **Findings** panel of the alert timeline.
+
+### Investigation quota
+
+Elevate operates on a monthly investigation quota. Each alert analyzed by the agent consumes one unit. When the quota is exhausted, the agent stops analyzing new alerts until the next billing cycle.
+
+## Related links
+
+- [Elevate analysis states](/xdr/features/modules/elevate_analysis_states.md): Reference table of all possible AI analysis states and their meaning.
+- [Activate Elevate on a workspace](/xdr/features/modules/elevate_activate.md): How to enable the Elevate agent and configure auto-analysis.
+- [Investigate an alert with Elevate](/xdr/features/modules/elevate_investigate_alert.md): How to read an AI investigation report and interpret findings.