Multiple Attack Discoveries enhancements (#354)

* Refreshes screenshots, updates model recommendation note, and adds technical preview tag and note

* tweaks technical preview note

* Updates generate discoveries section

* minor reorg

* minor edits

* minor edit

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update docs/attack-discovery/attack-discovery.mdx

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* fixes image

* removes weird gif

* crops gif

---------

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

attack-discovery/attack-discovery.mdx

@@ -7,45 +7,46 @@ tags: [ 'serverless', 'security', 'overview', 'LLM', 'artificial intelligence' ]
 status: in review
 ---
 
-<DocBadge template="beta" />
+<DocBadge template="technical preview" />
 
-Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This makes the most of each security analyst's time, helps fight alert fatigue, and can reduce your mean time to respond.
-
-<DocCallOut title="Note">
-Attack discovery currently only analyzes alerts from the past 24 hours.
+<DocCallOut title="Technical preview" color="warning">
+This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features.
 </DocCallOut>
 
+Attack discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. This can help make the most of each security analyst's time, fight alert fatigue, and reduce your mean time to respond.
+
 This page describes:
 
 - <DocLink id="attackDiscovery" section="generate-discoveries">How to start generating discoveries</DocLink>
 - <DocLink id="attackDiscovery" section="discovery-info">What information each discovery includes</DocLink>
-- <DocLink id="attackDiscovery" section="workflows">How you can interact with discoveries to enhance ((elastic-sec)) workflows</DocLink>.
+- <DocLink id="attackDiscovery" section="workflows">How you can interact with discoveries to enhance ((elastic-sec)) workflows</DocLink>
 
 
 <div id="generate-discoveries"></div>
 ## Generate discoveries
 
-To use Attack discovery:
+When you access Attack discovery for the first time, you'll need to select an LLM connector before you can analyze alerts. Attack discovery uses the same LLM connectors as <DocLink id="serverlessSecurityAIAssistant">Elastic AI Assistant</DocLink>. To get started:
 
-1. Click the **Attack discovery** page from ((elastic-sec))'s navigation menu.
+1. Click the **Attack discovery** page from ((elastic-sec))'s navigation menu. 
 
-2. When you open the page for the first time, you'll need to select an LLM connector before you can analyze alerts. Select an existing connector from the dropdown menu, or add a new one. 
+2. Select an existing connector from the dropdown menu, or add a new one. 
 
-<DocCallOut title="Note">
-Attack discovery uses the same LLM connectors as <DocLink id="serverlessSecurityAIAssistant">Elastic AI Assistant</DocLink>. If you've already configured one, you can use it here without further configuration. In general, models with larger context windows are more effective for Attack discovery.
+<DocCallOut title="Recommended models">
+While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3 Sonnet and Claude 3 Opus. In general, models with larger context windows are more effective for Attack discovery.
 </DocCallOut>
 
 ![Attack discovery empty state](../images/attack-discovery/select-model-empty-state.png)
 
 3. Once you've selected a connector, click **Generate** to start the analysis. 
 
-It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected.
+It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected. Note that Attack discovery only analyzes alerts from the past 24 hours.
+
 
 <DocCallOut title="Important">
 Attack discovery uses the same data anonymization settings as <DocLink id="serverlessSecurityAIAssistant">Elastic AI Assistant</DocLink>. To configure which alert fields are sent to the LLM and which of those fields are obfuscated, use the Elastic AI Assistant settings. Consider the privacy policies of third-party LLMs before sending them sensitive data. 
 </DocCallOut>
 
-Once the analysis is complete, any threats it identifies will appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack discovery process again with the most current alerts.
+Once the analysis is complete, any threats it identifies appear as discoveries. Click each one's title to expand or collapse it. Click **Generate** at any time to start the Attack discovery process again with the most current alerts.
 
 <div id="discovery-info"></div>
 ## What information does each discovery include?
@@ -69,4 +70,4 @@ There are several ways you can incorporate discoveries into your ((elastic-sec))
 - Click **Investigate in timeline** to explore the discovery in Timeline.
 - Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow up questions about the discovery or associated alerts. 
 
-![Attack discovery view in AI Assistant](../images/attack-discovery/add-discovery-to-assistant.gif)
+![Attack discovery view in AI Assistant](../images/attack-discovery/add-discovery-to-conversation.gif)