[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrew-goldstein
added
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@elasticmachine merge upstream |
andrew-goldstein
force-pushed
the
assistant_rag_for_alerts
branch
from
b3f3355 to
1eaef84
Compare
stephmilovic
reviewed
Dec 5, 2023
|
|
||
| This package provides common code consumed in both the browser, i.e. the | ||
| `packages/kbn-elastic-assistant` package, and on the server, i.e. the | ||
| `plugins/elastic_assistant` plugin. |
There was a problem hiding this comment.
Should we instead consider moving the package code into plugins/elastic_assistant/public and this directory would be plugins/elastic_assistant/common? Are there arguments to be made still that it should be a package?
There was a problem hiding this comment.
Should we instead consider moving the package code into
plugins/elastic_assistant/publicand this directory would beplugins/elastic_assistant/common? Are there arguments to be made still that it should be a package?
It feels like moving the common code into plugins/elastic_assistant/public would create a circular dependency, because the elastic_assistant's x-pack/plugins/elastic_assistant/tsconfig.json already has a reference to the package @kbn/elastic-assistant:
"kbn_references": [
// ...
"@kbn/elastic-assistant", // <--existing reference
"@kbn/elastic-assistant-common", // <-- new reference
// ...
],
The anonymization functions moving to the new elastic-assistant-common are pure functions that are truly common / usable on both the client and server. (They are used on both in this PR.) Some of the helper functions may also be applicable in other contexts where anonymization is a useful feature.
It therefore feels like moving these anonymization functions to the new elastic-assistant-common is package prudent, because:
- It does not create a circular dependency
- The code is truly shared (by client and server) common functions, as described by the
@kbn/elastic-assistant-commonpackage'sx-pack/packages/kbn-elastic-assistant-common/kibana.jsonc:
{
"id": "@kbn/elastic-assistant-common",
"owner": "@elastic/security-solution",
"type": "shared-common" // <-- truly shared by client and server
}- The common functions may be applicable in other contexts that require anonymization. Given that Kibana Packages are a lighter weight abstraction for sharing code compared to Plugins (because Plugins have, for example, lifecycle), it feels prudent to make these potentially reusable functions available via the lighter weight (Package) abstraction, given they are pure functions that don't require the capabilities of a Plugin.
Most of the types imported today from @kbn/elastic-assistant by the elastic_assistant plugin may be moved to the new @kbn/elastic-assistant-common package (in a future PR). If that happened, it should be possible to remove the @kbn/elastic-assistant dependency from x-pack/plugins/elastic_assistant/tsconfig.json.
spong
reviewed
Dec 5, 2023
Comment on lines
+14
to
+20
| ## Running unit tests with code coverage | ||
|
|
||
| To (interactively) run unit tests with code coverage, run the following command: | ||
|
|
||
| ```sh | ||
| cd $KIBANA_HOME && node scripts/jest --watch x-pack/packages/kbn-elastic-assistant-common --coverage | ||
| ``` |
There was a problem hiding this comment.
Thanks for including testing instructions! 
spong
reviewed
Dec 5, 2023
| @@ -28,7 +27,7 @@ export const getAnonymizedData = ({ | |||
| rawValue: string; | |||
| }) => string; | |||
| getAnonymizedValues: GetAnonymizedValues; | |||
| rawData: Record<string, string[]>; | |||
| rawData: Record<string, unknown[]>; | |||
There was a problem hiding this comment.
Thank you for updating and making these types accurate 👍
spong
reviewed
Dec 5, 2023
| import { PerformEvaluationParams } from './settings/evaluation_settings/use_perform_evaluation'; | ||
|
|
||
| export interface FetchConnectorExecuteAction { | ||
| alerts: boolean; |
There was a problem hiding this comment.
nit: consider more human readable name for understanding role here and disambiguating ragOnAlerts: (the FF itself). canQueryAlerts, alertQueryingEnabled?
spong
reviewed
Dec 5, 2023
Comment on lines
+204
to
+206
| const getReader = error?.response?.body?.getReader; | ||
| const reader = | ||
| isStream && typeof getReader === 'function' ? getReader.call(error.response.body) : null; |
There was a problem hiding this comment.
note: this is the fix for the existing bug on main where errors were not bubbling up. Ty for the fix!
spong
reviewed
Dec 5, 2023
Comment on lines
+123
to
+124
| !ragOnAlerts || // the feature flag must be enabled | ||
| !alerts // the settings toggle must also be enabled |
There was a problem hiding this comment.
Ahh! Here's the details on the naming from above -- perfect! 🙂
spong
reviewed
Dec 5, 2023
| size?: number; | ||
| } | ||
|
|
||
| export const getOptionalRequestParams = ({ |
There was a problem hiding this comment.
Thanks for the further abstraction here 👍
spong
reviewed
Dec 5, 2023
x-pack/packages/kbn-elastic-assistant/impl/assistant/settings/translations.ts
Outdated
Show resolved
Hide resolved
spong
reviewed
Dec 5, 2023
x-pack/packages/kbn-elastic-assistant/impl/assistant/use_send_messages/index.tsx
Outdated
Show resolved
Hide resolved
spong
reviewed
Dec 5, 2023
x-pack/packages/kbn-elastic-assistant/impl/assistant/use_send_messages/index.tsx
Show resolved
Hide resolved
spong
reviewed
Dec 5, 2023
x-pack/packages/kbn-elastic-assistant/impl/assistant_context/constants.tsx
Outdated
Show resolved
Hide resolved
spong
reviewed
Dec 5, 2023
x-pack/packages/kbn-elastic-assistant/impl/assistant_context/index.tsx
Outdated
Show resolved
Hide resolved
spong
reviewed
Dec 5, 2023
| @@ -16,6 +16,7 @@ export interface MessagePresentation { | |||
| export interface Message { | |||
| role: ConversationRole; | |||
| reader?: ReadableStreamDefaultReader<Uint8Array>; | |||
| replacements?: Record<string, string>; | |||
There was a problem hiding this comment.
note: Not written to individual Message in localstorage, but rather the entire conversation as intended
spong
reviewed
Dec 5, 2023
Comment on lines
+8
to
+17
| /** | ||
| * Mock alerts in the JSON format returned by the `fields` API, with the | ||
| * following distribution of severity: | ||
| * | ||
| * 1x severity: 'low', | ||
| * 1x severity: 'medium' | ||
| * 2x severity: 'high', | ||
| * 1x severity: 'critical', | ||
| */ | ||
| export const mockAlertsFieldsApi = [ |
There was a problem hiding this comment.
nite: lotta alert data, if uniqueness not super necessary maybe templatize one and modify severity with accessor?
spong
reviewed
Dec 5, 2023
| @@ -145,24 +152,4 @@ describe('callAgentExecutor', () => { | |||
| status: 'ok', | |||
| }); | |||
| }); | |||
|
|
|||
| it('throws an error if ELSER model is not installed', async () => { | |||
There was a problem hiding this comment.
note: replacement test to come in a follow-up since control flow logic has changed here.
There was a problem hiding this comment.
the following replacement test:
it('returns null if modelExists is false (the ELSER model is not installed)', () => {
const tool = getEsqlLanguageKnowledgeBaseTool({
assistantLangChain: true,
chain,
modelExists: false, // <-- ELSER model is not installed
});
expect(tool).toBeNull();
});is now added to x-pack/plugins/elastic_assistant/server/lib/langchain/tools/esql_language_knowledge_base/get_esql_language_knowledge_base_tool.test.ts.
The replacement test asserts the new expected behavior:
- when the ELSER model is not installed (
modelExistsisfalse) thegetEsqlLanguageKnowledgeBaseToolreturnsnull - an error will NOT thrown when the ELSER model is not installed
spong
reviewed
Dec 5, 2023
Comment on lines
+31
to
+32
| allow, | ||
| allowReplacement, |
There was a problem hiding this comment.
nit: maybe bundle anonymization fields into an object for readability (incl: onNewReplacements, replacements)
spong
reviewed
Dec 5, 2023
| tags: ['esql', 'query-generation', 'knowledge-base'], | ||
| }), | ||
| ]; | ||
| const tools: Tool[] = getApplicableTools({ |
There was a problem hiding this comment.
Yahs! Tool abstraction is here, thank you! 🎉
spong
reviewed
Dec 5, 2023
| modelExists, | ||
| onNewReplacements, | ||
| replacements, | ||
| request, |
There was a problem hiding this comment.
nit: as discussed when pairing, at some point we'll scrape the dependencies off the request and use those instead (perhaps I'll do this when wrapping up the tool registration work :).
spong
reviewed
Dec 5, 2023
| actions: ActionsPluginStart; | ||
| allow?: string[]; | ||
| allowReplacement?: string[]; | ||
| assistantLangChain: boolean; |
There was a problem hiding this comment.
nit: kinda weird this has to get injected since we're already in 'langchain land', but makes sense as required by getApplicableTools. This should get cleaner as we rework tool registration, feature flags, and remove the non-langchain path.
…eration (RAG) for Alerts This PR implements _Retrieval Augmented Generation_ (RAG) for Alerts in the Security Solution. This feature enables users to ask the assistant questions about the latest and riskiest open alerts in their environment using natural language, for example: - _How many alerts are currently open?_ - _Which alerts should I look at first?_ - _Did we have any alerts with suspicious activity on Windows machines?_ ### More context Previously, the assistant relied solely on the knowledge of the configured LLM and _singular_ alerts or events passed _by the client_ to the LLM as prompt context. This new feature: - Enables _multiple_ alerts to be passed by the _server_ as context to the LLM, via [LangChain tools](elastic#167097) - Applies the user's [anonymization](elastic#159857) settings to those alerts - Only fields allowed by the user will be sent as context to the LLM - Users may enable or disable anonymization for specific fields (via settings) - Click the conversation's `Show anonymized` toggle to see the anonymized values sent to / received from the LLM:  ### Settings This feature is enabled and configured via the `Knowledge Base` > `Alerts` settings in the screenshot below:  - The `Alerts` toggle enables or disables the feature - The slider has a range of `10` - `100` alerts (default: `20`) When the setting above is enabled, up to `n` alerts (as determined by the slider) that meet the following criteria will be returned: - the `kibana.alert.workflow_status` must be `open` - the alert must have been generated in the last `24 hours` - the alert must NOT be a `kibana.alert.building_block_type` alert - the `n` alerts are ordered by `kibana.alert.risk_score`, to prioritize the riskiest alerts ### Feature flag To use this feature: 1) Add the `assistantRagOnAlerts` feature flag to the `xpack.securitySolution.enableExperimental` setting in `config/kibana.yml` (or `config/kibana.dev.yml` in local development environments), per the example below: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` 2) Enable the `Alerts` toggle in the Assistant's `Knowledge Base` settings, per the screenshot below:  ## How it works - When the `Alerts` settings toggle is enabled, http `POST` requests to the `/internal/elastic_assistant/actions/connector/{id}/_execute` route include the following new (optional) parameters: - `alertsIndexPattern`, the alerts index for the current Kibana Space, e.g. `.alerts-security.alerts-default` - `allow`, the user's `Allowed` fields in the `Anonymization` settings, e.g. `["@timestamp", "cloud.availability_zone", "file.name", "user.name", ...]` - `allowReplacement`, the user's `Anonymized` fields in the `Anonymization` settings, e.g. `["cloud.availability_zone", "host.name", "user.name", ...]` - `replacements`, a `Record<string, string>` of replacements (generated on the server) that starts empty for a new conversation, and accumulates anonymized values until the conversation is cleared, e.g. ```json "replacements": { "e4f935c0-5a80-47b2-ac7f-816610790364": "Host-itk8qh4tjm", "cf61f946-d643-4b15-899f-6ffe3fd36097": "rpwmjvuuia", "7f80b092-fb1a-48a2-a634-3abc61b32157": "6astve9g6s", "f979c0d5-db1b-4506-b425-500821d00813": "Host-odqbow6tmc", // ... }, ``` - `size`, the numeric value set by the slider in the user's `Knowledge Base > Alerts` setting, e.g. `20` - The `postActionsConnectorExecuteRoute` function in `x-pack/plugins/elastic_assistant/server/routes/post_actions_connector_execute.ts` was updated to accept the new optional parameters, and to return an updated `replacements` with every response. (Every new request that is processed on the server may add additional anonymized values to the `replacements` returned in the response.) - The `callAgentExecutor` function in `x-pack/plugins/elastic_assistant/server/lib/langchain/execute_custom_llm_chain/index.ts` previously used a hard-coded array of LangChain tools that had just one entry, for the `ESQLKnowledgeBaseTool` tool. That hard-coded array was replaced in this PR with a call to the (new) `getApplicableTools` function: ```typescript const tools: Tool[] = getApplicableTools({ allow, allowReplacement, alertsIndexPattern, assistantLangChain, chain, esClient, modelExists, onNewReplacements, replacements, request, size, }); ``` - The `getApplicableTools` function in `x-pack/plugins/elastic_assistant/server/lib/langchain/tools/index.ts` examines the parameters in the `KibanaRequest` and only returns a filtered set of LangChain tools. If the request doesn't contain all the parameters required by a tool, it will NOT be returned by `getApplicableTools`. For example, if the required anonymization parameters are not included in the request, the `open-alerts` tool will not be returned. - The new `alert-counts` LangChain tool returned by the `getAlertCountsTool` function in `x-pack/plugins/elastic_assistant/server/lib/langchain/tools/alert_counts/get_alert_counts_tool.ts` provides the LLM the results of an aggregation on the last `24` hours of alerts (in the current Kibana Space), grouped by `kibana.alert.severity`. See the `getAlertsCountQuery` function in `x-pack/plugins/elastic_assistant/server/lib/langchain/tools/alert_counts/get_alert_counts_query.ts` for details - The new `open-alerts` LangChain tool returned by the `getOpenAlertsTool` function in `x-pack/plugins/elastic_assistant/server/lib/langchain/tools/open_alerts/get_open_alerts_tool.ts` provides the LLM up to `size` non-building-block alerts generated in the last `24` hours (in the current Kibana Space) with an `open` workflow status, ordered by `kibana.alert.risk_score` to prioritize the riskiest alerts. See the `getOpenAlertsQuery` function in `x-pack/plugins/elastic_assistant/server/lib/langchain/tools/open_alerts/get_open_alerts_query.ts` for details. - On the client, a conversation continues to accumulate additional `replacements` (and send them in subsequent requests) until the conversation is cleared - Anonymization functions that were only invoked by the browser were moved from the (browser) `kbn-elastic-assistant` package in `x-pack/packages/kbn-elastic-assistant/` to a new common package: `x-pack/packages/kbn-elastic-assistant-common` - The new `kbn-elastic-assistant-common` package is also consumed by the `elastic_assistant` (server) plugin: `x-pack/plugins/elastic_assistant`
andrew-goldstein
force-pushed
the
assistant_rag_for_alerts
branch
from
b787116 to
79918b1
Compare
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this pull request
Dec 13, 2023
…alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) This PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`. The query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM.
andrew-goldstein
added a commit
that referenced
this pull request
Dec 13, 2023
…s in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121) ## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) This PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`. The query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM. ### Updated Anonymization defaults Three fields, detailed below, were added as anonymization defaults because they improve the quality of responses from the LLM when it answers questions about alerts. For example, the LLM can refer to specific alerts by ID when the `_id` field is provided. This PR makes the following additive changes to the Assistant's `Anonymization` defaults: | Field | Allow by default | Anonymize by default | Value add | |--------------------------------|------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `_id` | ✅ | ✅ | An anonymized `_id` field enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs). | | `kibana.alert.risk_score` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query sorts alerts by `kibana.alert.risk_score` to return the `n` riskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses. | | `kibana.alert.workflow_status` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query filters alerts by `kibana.alert.workflow_status` to ensure only `open` and `acknowledged` alerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses. | - Clicking the `Reset` button shown in the screenshot below will reset the user's `Anonymization` defaults, such that they include the additive changes in the table above:  ### Updated settings text The text in the settings below was also updated:  ### Desk testing To desk test this change: - Enable the `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` - The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:  1) Navigate to Security > Alerts 2) Click the `AI Assistant` button to open the assistant 3) Click the `Settings` gear to open the assistant settings 4) Click the `Anonymization` category 5) Click the `Reset` button, shown in the screenshot below  **Expected results** - `65` fields are allowed by default, per the screenshot above - `12` fields are anonymized by default, per the screenshot above - The `_id` field is allowed by default, per the screenshot above - The `_id` field is anonymized by default, per the screenshot above 6) Type `kibana.alert.risk` in the search box **Expected result** - The `kibana.alert.risk_score` field is allowed by default 7) Type `kibana.alert.workflow` in the search box **Expected result** - The `kibana.alert.workflow_status` field is allowed by default 8) Click `Save` 9) Click the `X` button to clear the conversation 10) Close the assistant 11) Add the following two fields as columns to the Alerts page table: - `kibana.alert.workflow_status` - `_id` 12) Sort the table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:  13) Filter the alerts page to only show `open` and `acknowledged` alerts **Expected result** - The alerts page has custom columns, sorting, and filtering, per the screenshot below:  14) Click the `AI Assistant` button to open the assistant 15) Ask the assistant: ``` What is the workflow status of my alerts? ``` **Expected result** - The assistant will report on the workflow status of alerts, per the example response below: ``` The workflow status for your alerts is currently 'open'. This status was observed on alerts related to processes started by Mimikatz, a known tool used in many cyberattacks, and sequences of processes that are often indicative of malicious activity. The severity of most of these alerts is 'high' or 'critical'. You may want to investigate these alerts further to ensure there's no ongoing threat to your system. ```  16) Close the assistant 17) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged` **Expected result** - The alerts table shows the updated alert, per the screenshot below:  18) Once again, open the assistant 19) Once again, ask the (same) question: ``` What is the workflow status of my alerts? ``` **Expected result** - The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response below: ``` Based on the latest information, your alerts mainly show 'open' status, indicating that they have not been resolved yet. Some alerts have been acknowledged. Most of these unaddressed alerts have a critical severity rating and are primarily triggered by a Mimikatz process start and an EQL process sequence. You may want to prioritize these if the severity of the threat they pose is truly high or critical. It's also noteworthy that some alerts have a high severity rating. You should review all of these alerts as soon as possible to ensure your systems are secure. ```  20) Ask the assistant for details about the acknowledged alerts: ``` What are the details of the acknowledged alerts? ``` **Expected result** The assistant for details about the acknowledged alert that, for example, includes the `kibana.alert.risk_score`, per the example response below: ``` In response to your previous question, here are the details of the acknowledged alerts: 1. There is a 'mimikatz process started' alert, which is of 'critical' severity and 'acknowledged' status. It has a high risk score of 99. Its threat tactic is 'Command and Control'. The process involved was 'mimikatz.exe' running with arguments '--fo1'. 2. A 'Threshold rule' alert of 'critical' severity and 'open' status has also been detected with a risk score of 99 and threat tactic 'Collection'. 3. Lastly, there are several 'EQL process sequence' alerts of 'high' severity with 'open' status. These alerts involve execution of various processes including 'mimikatz.exe', 'lsass.exe', and 'notepad.exe'. Risk score for these alerts is 73 and the threat tactic involved is 'Execution'. Please, take appropriate action to address these alerts. ```  21) Ask the assistant for the `_id` of the acknowledged alert: ``` What is the id of the acknowledged alert? ``` **Expected results** - The response from the assistant contains the `_id` of the `acknowledged` alert, per the example response below: ``` The id of the acknowledged alert is 'db9e3dbaf40a37e3b7b95d8015e99c5721b416731e04b9140536675f6e4fd170'. This alert was for a 'mimikatz process started' event with a severity rating of 'critical' and a risk score of 99. The host name associated with this alert is 'Host-terkvbzvtj'. ```  - The `_id` shown in the assistant is the same `_id` of the acknowledged alert on the alerts page, per the screeenshot below:  22) Click the `Show anonymized` toggle in the assistant **Expected result** - The `_id` shown in the latest result is replaced with the actual anonymized value that was sent to the LLM, per the example screenshot below: 
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 13, 2023
…s in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (elastic#173121) ## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) This PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`. The query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM. ### Updated Anonymization defaults Three fields, detailed below, were added as anonymization defaults because they improve the quality of responses from the LLM when it answers questions about alerts. For example, the LLM can refer to specific alerts by ID when the `_id` field is provided. This PR makes the following additive changes to the Assistant's `Anonymization` defaults: | Field | Allow by default | Anonymize by default | Value add | |--------------------------------|------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `_id` | ✅ | ✅ | An anonymized `_id` field enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs). | | `kibana.alert.risk_score` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query sorts alerts by `kibana.alert.risk_score` to return the `n` riskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses. | | `kibana.alert.workflow_status` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query filters alerts by `kibana.alert.workflow_status` to ensure only `open` and `acknowledged` alerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses. | - Clicking the `Reset` button shown in the screenshot below will reset the user's `Anonymization` defaults, such that they include the additive changes in the table above:  ### Updated settings text The text in the settings below was also updated:  ### Desk testing To desk test this change: - Enable the `assistantRagOnAlerts` feature flag described in [elastic#172542](elastic#172542) must be enabled, per the following example: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` - The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:  1) Navigate to Security > Alerts 2) Click the `AI Assistant` button to open the assistant 3) Click the `Settings` gear to open the assistant settings 4) Click the `Anonymization` category 5) Click the `Reset` button, shown in the screenshot below  **Expected results** - `65` fields are allowed by default, per the screenshot above - `12` fields are anonymized by default, per the screenshot above - The `_id` field is allowed by default, per the screenshot above - The `_id` field is anonymized by default, per the screenshot above 6) Type `kibana.alert.risk` in the search box **Expected result** - The `kibana.alert.risk_score` field is allowed by default 7) Type `kibana.alert.workflow` in the search box **Expected result** - The `kibana.alert.workflow_status` field is allowed by default 8) Click `Save` 9) Click the `X` button to clear the conversation 10) Close the assistant 11) Add the following two fields as columns to the Alerts page table: - `kibana.alert.workflow_status` - `_id` 12) Sort the table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:  13) Filter the alerts page to only show `open` and `acknowledged` alerts **Expected result** - The alerts page has custom columns, sorting, and filtering, per the screenshot below:  14) Click the `AI Assistant` button to open the assistant 15) Ask the assistant: ``` What is the workflow status of my alerts? ``` **Expected result** - The assistant will report on the workflow status of alerts, per the example response below: ``` The workflow status for your alerts is currently 'open'. This status was observed on alerts related to processes started by Mimikatz, a known tool used in many cyberattacks, and sequences of processes that are often indicative of malicious activity. The severity of most of these alerts is 'high' or 'critical'. You may want to investigate these alerts further to ensure there's no ongoing threat to your system. ```  16) Close the assistant 17) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged` **Expected result** - The alerts table shows the updated alert, per the screenshot below:  18) Once again, open the assistant 19) Once again, ask the (same) question: ``` What is the workflow status of my alerts? ``` **Expected result** - The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response below: ``` Based on the latest information, your alerts mainly show 'open' status, indicating that they have not been resolved yet. Some alerts have been acknowledged. Most of these unaddressed alerts have a critical severity rating and are primarily triggered by a Mimikatz process start and an EQL process sequence. You may want to prioritize these if the severity of the threat they pose is truly high or critical. It's also noteworthy that some alerts have a high severity rating. You should review all of these alerts as soon as possible to ensure your systems are secure. ```  20) Ask the assistant for details about the acknowledged alerts: ``` What are the details of the acknowledged alerts? ``` **Expected result** The assistant for details about the acknowledged alert that, for example, includes the `kibana.alert.risk_score`, per the example response below: ``` In response to your previous question, here are the details of the acknowledged alerts: 1. There is a 'mimikatz process started' alert, which is of 'critical' severity and 'acknowledged' status. It has a high risk score of 99. Its threat tactic is 'Command and Control'. The process involved was 'mimikatz.exe' running with arguments '--fo1'. 2. A 'Threshold rule' alert of 'critical' severity and 'open' status has also been detected with a risk score of 99 and threat tactic 'Collection'. 3. Lastly, there are several 'EQL process sequence' alerts of 'high' severity with 'open' status. These alerts involve execution of various processes including 'mimikatz.exe', 'lsass.exe', and 'notepad.exe'. Risk score for these alerts is 73 and the threat tactic involved is 'Execution'. Please, take appropriate action to address these alerts. ```  21) Ask the assistant for the `_id` of the acknowledged alert: ``` What is the id of the acknowledged alert? ``` **Expected results** - The response from the assistant contains the `_id` of the `acknowledged` alert, per the example response below: ``` The id of the acknowledged alert is 'db9e3dbaf40a37e3b7b95d8015e99c5721b416731e04b9140536675f6e4fd170'. This alert was for a 'mimikatz process started' event with a severity rating of 'critical' and a risk score of 99. The host name associated with this alert is 'Host-terkvbzvtj'. ```  - The `_id` shown in the assistant is the same `_id` of the acknowledged alert on the alerts page, per the screeenshot below:  22) Click the `Show anonymized` toggle in the assistant **Expected result** - The `_id` shown in the latest result is replaced with the actual anonymized value that was sent to the LLM, per the example screenshot below:  (cherry picked from commit 0d9c261)
kibanamachine
added a commit
that referenced
this pull request
Dec 13, 2023
…d alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121) (#173310) # Backport This will backport the following commits from `main` to `8.12`: - [[Security Solution] [Elastic AI Assistant] Include acknowledged alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121)](#173121) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Andrew Macri","email":"andrew.macri@elastic.co"},"sourceCommit":{"committedDate":"2023-12-13T17:39:08Z","message":"[Security Solution] [Elastic AI Assistant] Include acknowledged alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts)\r\n\r\nThis PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`.\r\n\r\nThe query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM.\r\n\r\n### Updated Anonymization defaults\r\n\r\nThree fields, detailed below, were added as anonymization defaults because they improve the quality of responses from the LLM when it answers questions about alerts.\r\n\r\nFor example, the LLM can refer to specific alerts by ID when the `_id` field is provided.\r\n\r\nThis PR makes the following additive changes to the Assistant's `Anonymization` defaults:\r\n\r\n| Field | Allow by default | Anonymize by default | Value add |\r\n|--------------------------------|------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\r\n| `_id` | ✅ | ✅ | An anonymized `_id` field enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs). |\r\n| `kibana.alert.risk_score` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query sorts alerts by `kibana.alert.risk_score` to return the `n` riskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses. |\r\n| `kibana.alert.workflow_status` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query filters alerts by `kibana.alert.workflow_status` to ensure only `open` and `acknowledged` alerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses. |\r\n\r\n- Clicking the `Reset` button shown in the screenshot below will reset the user's `Anonymization` defaults, such that they include the additive changes in the table above:\r\n\r\n\r\n\r\n### Updated settings text\r\n\r\nThe text in the settings below was also updated:\r\n\r\n\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- Enable the `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Navigate to Security > Alerts\r\n\r\n2) Click the `AI Assistant` button to open the assistant\r\n\r\n3) Click the `Settings` gear to open the assistant settings\r\n\r\n4) Click the `Anonymization` category\r\n\r\n5) Click the `Reset` button, shown in the screenshot below\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- `65` fields are allowed by default, per the screenshot above\r\n- `12` fields are anonymized by default, per the screenshot above\r\n- The `_id` field is allowed by default, per the screenshot above\r\n- The `_id` field is anonymized by default, per the screenshot above\r\n\r\n6) Type `kibana.alert.risk` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.risk_score` field is allowed by default\r\n\r\n7) Type `kibana.alert.workflow` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.workflow_status` field is allowed by default\r\n\r\n8) Click `Save`\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n- `kibana.alert.workflow_status`\r\n- `_id`\r\n\r\n12) Sort the table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n13) Filter the alerts page to only show `open` and `acknowledged` alerts\r\n\r\n**Expected result**\r\n\r\n- The alerts page has custom columns, sorting, and filtering, per the screenshot below:\r\n\r\n\r\n\r\n14) Click the `AI Assistant` button to open the assistant\r\n\r\n15) Ask the assistant:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant will report on the workflow status of alerts, per the example response below:\r\n\r\n```\r\nThe workflow status for your alerts is currently 'open'. This status was observed on alerts related to processes started by Mimikatz, a known tool used in many cyberattacks, and sequences of processes that are often indicative of malicious activity. The severity of most of these alerts is 'high' or 'critical'. You may want to investigate these alerts further to ensure there's no ongoing threat to your system.\r\n```\r\n\r\n\r\n\r\n16) Close the assistant\r\n\r\n17) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The alerts table shows the updated alert, per the screenshot below:\r\n\r\n\r\n\r\n18) Once again, open the assistant\r\n\r\n19) Once again, ask the (same) question:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response below:\r\n\r\n```\r\nBased on the latest information, your alerts mainly show 'open' status, indicating that they have not been resolved yet. Some alerts have been acknowledged. Most of these unaddressed alerts have a critical severity rating and are primarily triggered by a Mimikatz process start and an EQL process sequence. You may want to prioritize these if the severity of the threat they pose is truly high or critical. It's also noteworthy that some alerts have a high severity rating. You should review all of these alerts as soon as possible to ensure your systems are secure.\r\n```\r\n\r\n\r\n\r\n20) Ask the assistant for details about the acknowledged alerts:\r\n\r\n```\r\nWhat are the details of the acknowledged alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\nThe assistant for details about the acknowledged alert that, for example, includes the `kibana.alert.risk_score`, per the example response below:\r\n\r\n```\r\nIn response to your previous question, here are the details of the acknowledged alerts:\r\n\r\n1. There is a 'mimikatz process started' alert, which is of 'critical' severity and 'acknowledged' status. It has a high risk score of 99. Its threat tactic is 'Command and Control'. The process involved was 'mimikatz.exe' running with arguments '--fo1'.\r\n\r\n2. A 'Threshold rule' alert of 'critical' severity and 'open' status has also been detected with a risk score of 99 and threat tactic 'Collection'.\r\n\r\n3. Lastly, there are several 'EQL process sequence' alerts of 'high' severity with 'open' status. These alerts involve execution of various processes including 'mimikatz.exe', 'lsass.exe', and 'notepad.exe'. Risk score for these alerts is 73 and the threat tactic involved is 'Execution'.\r\n\r\nPlease, take appropriate action to address these alerts.\r\n```\r\n\r\n\r\n\r\n21) Ask the assistant for the `_id` of the acknowledged alert:\r\n\r\n```\r\nWhat is the id of the acknowledged alert?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The response from the assistant contains the `_id` of the `acknowledged` alert, per the example response below:\r\n\r\n```\r\nThe id of the acknowledged alert is 'db9e3dbaf40a37e3b7b95d8015e99c5721b416731e04b9140536675f6e4fd170'. This alert was for a 'mimikatz process started' event with a severity rating of 'critical' and a risk score of 99. The host name associated with this alert is 'Host-terkvbzvtj'.\r\n```\r\n\r\n\r\n\r\n- The `_id` shown in the assistant is the same `_id` of the acknowledged alert on the alerts page, per the screeenshot below:\r\n\r\n\r\n\r\n22) Click the `Show anonymized` toggle in the assistant\r\n\r\n**Expected result**\r\n\r\n- The `_id` shown in the latest result is replaced with the actual anonymized value that was sent to the LLM, per the example screenshot below:\r\n\r\n","sha":"0d9c261530b102e7a7a87f4d5dcdf423cdd17a2c","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team: SecuritySolution","Team:Threat Hunting:Investigations","Feature:Elastic AI Assistant","v8.12.0","v8.13.0"],"number":173121,"url":"https://github.com/elastic/kibana/pull/173121","mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Include acknowledged alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts)\r\n\r\nThis PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`.\r\n\r\nThe query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM.\r\n\r\n### Updated Anonymization defaults\r\n\r\nThree fields, detailed below, were added as anonymization defaults because they improve the quality of responses from the LLM when it answers questions about alerts.\r\n\r\nFor example, the LLM can refer to specific alerts by ID when the `_id` field is provided.\r\n\r\nThis PR makes the following additive changes to the Assistant's `Anonymization` defaults:\r\n\r\n| Field | Allow by default | Anonymize by default | Value add |\r\n|--------------------------------|------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\r\n| `_id` | ✅ | ✅ | An anonymized `_id` field enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs). |\r\n| `kibana.alert.risk_score` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query sorts alerts by `kibana.alert.risk_score` to return the `n` riskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses. |\r\n| `kibana.alert.workflow_status` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query filters alerts by `kibana.alert.workflow_status` to ensure only `open` and `acknowledged` alerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses. |\r\n\r\n- Clicking the `Reset` button shown in the screenshot below will reset the user's `Anonymization` defaults, such that they include the additive changes in the table above:\r\n\r\n\r\n\r\n### Updated settings text\r\n\r\nThe text in the settings below was also updated:\r\n\r\n\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- Enable the `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Navigate to Security > Alerts\r\n\r\n2) Click the `AI Assistant` button to open the assistant\r\n\r\n3) Click the `Settings` gear to open the assistant settings\r\n\r\n4) Click the `Anonymization` category\r\n\r\n5) Click the `Reset` button, shown in the screenshot below\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- `65` fields are allowed by default, per the screenshot above\r\n- `12` fields are anonymized by default, per the screenshot above\r\n- The `_id` field is allowed by default, per the screenshot above\r\n- The `_id` field is anonymized by default, per the screenshot above\r\n\r\n6) Type `kibana.alert.risk` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.risk_score` field is allowed by default\r\n\r\n7) Type `kibana.alert.workflow` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.workflow_status` field is allowed by default\r\n\r\n8) Click `Save`\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n- `kibana.alert.workflow_status`\r\n- `_id`\r\n\r\n12) Sort the table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n13) Filter the alerts page to only show `open` and `acknowledged` alerts\r\n\r\n**Expected result**\r\n\r\n- The alerts page has custom columns, sorting, and filtering, per the screenshot below:\r\n\r\n\r\n\r\n14) Click the `AI Assistant` button to open the assistant\r\n\r\n15) Ask the assistant:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant will report on the workflow status of alerts, per the example response below:\r\n\r\n```\r\nThe workflow status for your alerts is currently 'open'. This status was observed on alerts related to processes started by Mimikatz, a known tool used in many cyberattacks, and sequences of processes that are often indicative of malicious activity. The severity of most of these alerts is 'high' or 'critical'. You may want to investigate these alerts further to ensure there's no ongoing threat to your system.\r\n```\r\n\r\n\r\n\r\n16) Close the assistant\r\n\r\n17) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The alerts table shows the updated alert, per the screenshot below:\r\n\r\n\r\n\r\n18) Once again, open the assistant\r\n\r\n19) Once again, ask the (same) question:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response below:\r\n\r\n```\r\nBased on the latest information, your alerts mainly show 'open' status, indicating that they have not been resolved yet. Some alerts have been acknowledged. Most of these unaddressed alerts have a critical severity rating and are primarily triggered by a Mimikatz process start and an EQL process sequence. You may want to prioritize these if the severity of the threat they pose is truly high or critical. It's also noteworthy that some alerts have a high severity rating. You should review all of these alerts as soon as possible to ensure your systems are secure.\r\n```\r\n\r\n\r\n\r\n20) Ask the assistant for details about the acknowledged alerts:\r\n\r\n```\r\nWhat are the details of the acknowledged alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\nThe assistant for details about the acknowledged alert that, for example, includes the `kibana.alert.risk_score`, per the example response below:\r\n\r\n```\r\nIn response to your previous question, here are the details of the acknowledged alerts:\r\n\r\n1. There is a 'mimikatz process started' alert, which is of 'critical' severity and 'acknowledged' status. It has a high risk score of 99. Its threat tactic is 'Command and Control'. The process involved was 'mimikatz.exe' running with arguments '--fo1'.\r\n\r\n2. A 'Threshold rule' alert of 'critical' severity and 'open' status has also been detected with a risk score of 99 and threat tactic 'Collection'.\r\n\r\n3. Lastly, there are several 'EQL process sequence' alerts of 'high' severity with 'open' status. These alerts involve execution of various processes including 'mimikatz.exe', 'lsass.exe', and 'notepad.exe'. Risk score for these alerts is 73 and the threat tactic involved is 'Execution'.\r\n\r\nPlease, take appropriate action to address these alerts.\r\n```\r\n\r\n\r\n\r\n21) Ask the assistant for the `_id` of the acknowledged alert:\r\n\r\n```\r\nWhat is the id of the acknowledged alert?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The response from the assistant contains the `_id` of the `acknowledged` alert, per the example response below:\r\n\r\n```\r\nThe id of the acknowledged alert is 'db9e3dbaf40a37e3b7b95d8015e99c5721b416731e04b9140536675f6e4fd170'. This alert was for a 'mimikatz process started' event with a severity rating of 'critical' and a risk score of 99. The host name associated with this alert is 'Host-terkvbzvtj'.\r\n```\r\n\r\n\r\n\r\n- The `_id` shown in the assistant is the same `_id` of the acknowledged alert on the alerts page, per the screeenshot below:\r\n\r\n\r\n\r\n22) Click the `Show anonymized` toggle in the assistant\r\n\r\n**Expected result**\r\n\r\n- The `_id` shown in the latest result is replaced with the actual anonymized value that was sent to the LLM, per the example screenshot below:\r\n\r\n","sha":"0d9c261530b102e7a7a87f4d5dcdf423cdd17a2c"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","labelRegex":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/173121","number":173121,"mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Include acknowledged alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts)\r\n\r\nThis PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`.\r\n\r\nThe query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM.\r\n\r\n### Updated Anonymization defaults\r\n\r\nThree fields, detailed below, were added as anonymization defaults because they improve the quality of responses from the LLM when it answers questions about alerts.\r\n\r\nFor example, the LLM can refer to specific alerts by ID when the `_id` field is provided.\r\n\r\nThis PR makes the following additive changes to the Assistant's `Anonymization` defaults:\r\n\r\n| Field | Allow by default | Anonymize by default | Value add |\r\n|--------------------------------|------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\r\n| `_id` | ✅ | ✅ | An anonymized `_id` field enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs). |\r\n| `kibana.alert.risk_score` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query sorts alerts by `kibana.alert.risk_score` to return the `n` riskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses. |\r\n| `kibana.alert.workflow_status` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query filters alerts by `kibana.alert.workflow_status` to ensure only `open` and `acknowledged` alerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses. |\r\n\r\n- Clicking the `Reset` button shown in the screenshot below will reset the user's `Anonymization` defaults, such that they include the additive changes in the table above:\r\n\r\n\r\n\r\n### Updated settings text\r\n\r\nThe text in the settings below was also updated:\r\n\r\n\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- Enable the `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Navigate to Security > Alerts\r\n\r\n2) Click the `AI Assistant` button to open the assistant\r\n\r\n3) Click the `Settings` gear to open the assistant settings\r\n\r\n4) Click the `Anonymization` category\r\n\r\n5) Click the `Reset` button, shown in the screenshot below\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- `65` fields are allowed by default, per the screenshot above\r\n- `12` fields are anonymized by default, per the screenshot above\r\n- The `_id` field is allowed by default, per the screenshot above\r\n- The `_id` field is anonymized by default, per the screenshot above\r\n\r\n6) Type `kibana.alert.risk` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.risk_score` field is allowed by default\r\n\r\n7) Type `kibana.alert.workflow` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.workflow_status` field is allowed by default\r\n\r\n8) Click `Save`\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n- `kibana.alert.workflow_status`\r\n- `_id`\r\n\r\n12) Sort the table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n13) Filter the alerts page to only show `open` and `acknowledged` alerts\r\n\r\n**Expected result**\r\n\r\n- The alerts page has custom columns, sorting, and filtering, per the screenshot below:\r\n\r\n\r\n\r\n14) Click the `AI Assistant` button to open the assistant\r\n\r\n15) Ask the assistant:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant will report on the workflow status of alerts, per the example response below:\r\n\r\n```\r\nThe workflow status for your alerts is currently 'open'. This status was observed on alerts related to processes started by Mimikatz, a known tool used in many cyberattacks, and sequences of processes that are often indicative of malicious activity. The severity of most of these alerts is 'high' or 'critical'. You may want to investigate these alerts further to ensure there's no ongoing threat to your system.\r\n```\r\n\r\n\r\n\r\n16) Close the assistant\r\n\r\n17) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The alerts table shows the updated alert, per the screenshot below:\r\n\r\n\r\n\r\n18) Once again, open the assistant\r\n\r\n19) Once again, ask the (same) question:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response below:\r\n\r\n```\r\nBased on the latest information, your alerts mainly show 'open' status, indicating that they have not been resolved yet. Some alerts have been acknowledged. Most of these unaddressed alerts have a critical severity rating and are primarily triggered by a Mimikatz process start and an EQL process sequence. You may want to prioritize these if the severity of the threat they pose is truly high or critical. It's also noteworthy that some alerts have a high severity rating. You should review all of these alerts as soon as possible to ensure your systems are secure.\r\n```\r\n\r\n\r\n\r\n20) Ask the assistant for details about the acknowledged alerts:\r\n\r\n```\r\nWhat are the details of the acknowledged alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\nThe assistant for details about the acknowledged alert that, for example, includes the `kibana.alert.risk_score`, per the example response below:\r\n\r\n```\r\nIn response to your previous question, here are the details of the acknowledged alerts:\r\n\r\n1. There is a 'mimikatz process started' alert, which is of 'critical' severity and 'acknowledged' status. It has a high risk score of 99. Its threat tactic is 'Command and Control'. The process involved was 'mimikatz.exe' running with arguments '--fo1'.\r\n\r\n2. A 'Threshold rule' alert of 'critical' severity and 'open' status has also been detected with a risk score of 99 and threat tactic 'Collection'.\r\n\r\n3. Lastly, there are several 'EQL process sequence' alerts of 'high' severity with 'open' status. These alerts involve execution of various processes including 'mimikatz.exe', 'lsass.exe', and 'notepad.exe'. Risk score for these alerts is 73 and the threat tactic involved is 'Execution'.\r\n\r\nPlease, take appropriate action to address these alerts.\r\n```\r\n\r\n\r\n\r\n21) Ask the assistant for the `_id` of the acknowledged alert:\r\n\r\n```\r\nWhat is the id of the acknowledged alert?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The response from the assistant contains the `_id` of the `acknowledged` alert, per the example response below:\r\n\r\n```\r\nThe id of the acknowledged alert is 'db9e3dbaf40a37e3b7b95d8015e99c5721b416731e04b9140536675f6e4fd170'. This alert was for a 'mimikatz process started' event with a severity rating of 'critical' and a risk score of 99. The host name associated with this alert is 'Host-terkvbzvtj'.\r\n```\r\n\r\n\r\n\r\n- The `_id` shown in the assistant is the same `_id` of the acknowledged alert on the alerts page, per the screeenshot below:\r\n\r\n\r\n\r\n22) Click the `Show anonymized` toggle in the assistant\r\n\r\n**Expected result**\r\n\r\n- The `_id` shown in the latest result is replaced with the actual anonymized value that was sent to the LLM, per the example screenshot below:\r\n\r\n","sha":"0d9c261530b102e7a7a87f4d5dcdf423cdd17a2c"}}]}] BACKPORT--> Co-authored-by: Andrew Macri <andrew.macri@elastic.co>
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this pull request
Dec 20, 2023
…alerts in the LangChain `AlertCountsTool` aggregation This PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542) - This PR is similar to <elastic#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts - In contrast to [elastic#173121](elastic#173121), this PR is focused on the alert counts _aggregation_ - This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker: ```json "range": { "@timestamp": { "gte": "now-24h", "lte": "now" } } ``` ### Desk testing To desk test this change: - The `assistantRagOnAlerts` feature flag described in [elastic#172542](elastic#172542) must be enabled, per the following example: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` - The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:  1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 2) After the alerts have been generated, disable all detection rules to keep the counts static during testing 3) Navigate to Security > Alerts 4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker 5) Click the `Treemap` button to select the Treemap visualization 6) In the Treemap's `Group by` input, enter `kibana.alert.severity` 7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status` 8) Click the `AI Assistant` button to open the assistant 9) Click the `X` button to clear the conversation 10) Close the assistant 11) Add the following two fields as columns to the Alerts page table: ``` kibana.alert.workflow_status _id ``` 12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:  **Expected results** - The alerts page date range is `Last 24 hours` - The `Treemap` is selected - The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status` - The alerts table has custom sorting and columns, per the screenshot below:  13) Click the `AI Assistant` button to open the assistant 14) Ask the assistant: ``` How many open alerts do I have? ``` **Expected results** - The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below: ``` You have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity. ```  15) Make note of the counts shown in the assistant, then close the assistant Expected result: - The counts from the assistant match the counts in the treemap legend, per the example screenshot below:  16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged` **Expected result** - The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:  17) Once again, open the assistant 18) Once again, ask the (same) question: ``` How many open alerts do I have? ``` **Expected result** - The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below: ``` Based on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged). ``` 
andrew-goldstein
added a commit
that referenced
this pull request
Dec 21, 2023
…rts in the LangChain `AlertCountsTool` aggregation (#173701) ## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation This PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542) - This PR is similar to <#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts - In contrast to [#173121](#173121), this PR is focused on the alert counts _aggregation_ - This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker: ```json "range": { "@timestamp": { "gte": "now-24h", "lte": "now" } } ``` ### Desk testing To desk test this change: - The `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` - The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:  1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 2) After the alerts have been generated, disable all detection rules to keep the counts static during testing 3) Navigate to Security > Alerts 4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker 5) Click the `Treemap` button to select the Treemap visualization 6) In the Treemap's `Group by` input, enter `kibana.alert.severity` 7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status` 8) Click the `AI Assistant` button to open the assistant 9) Click the `X` button to clear the conversation 10) Close the assistant 11) Add the following two fields as columns to the Alerts page table: ``` kibana.alert.workflow_status _id ``` 12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:  **Expected results** - The alerts page date range is `Last 24 hours` - The `Treemap` is selected - The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status` - The alerts table has custom sorting and columns, per the screenshot below:  13) Click the `AI Assistant` button to open the assistant 14) Ask the assistant: ``` How many open alerts do I have? ``` **Expected results** - The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below: ``` You have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity. ```  15) Make note of the counts shown in the assistant, then close the assistant Expected result: - The counts from the assistant match the counts in the treemap legend, per the example screenshot below:  16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged` **Expected result** - The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:  17) Once again, open the assistant 18) Once again, ask the (same) question: ``` How many open alerts do I have? ``` **Expected result** - The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below: ``` Based on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged). ``` 
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this pull request
Dec 21, 2023
…rts in the LangChain `AlertCountsTool` aggregation (elastic#173701) This PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542) - This PR is similar to <elastic#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts - In contrast to [elastic#173121](elastic#173121), this PR is focused on the alert counts _aggregation_ - This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker: ```json "range": { "@timestamp": { "gte": "now-24h", "lte": "now" } } ``` To desk test this change: - The `assistantRagOnAlerts` feature flag described in [elastic#172542](elastic#172542) must be enabled, per the following example: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` - The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:  1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 2) After the alerts have been generated, disable all detection rules to keep the counts static during testing 3) Navigate to Security > Alerts 4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker 5) Click the `Treemap` button to select the Treemap visualization 6) In the Treemap's `Group by` input, enter `kibana.alert.severity` 7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status` 8) Click the `AI Assistant` button to open the assistant 9) Click the `X` button to clear the conversation 10) Close the assistant 11) Add the following two fields as columns to the Alerts page table: ``` kibana.alert.workflow_status _id ``` 12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:  **Expected results** - The alerts page date range is `Last 24 hours` - The `Treemap` is selected - The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status` - The alerts table has custom sorting and columns, per the screenshot below:  13) Click the `AI Assistant` button to open the assistant 14) Ask the assistant: ``` How many open alerts do I have? ``` **Expected results** - The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below: ``` You have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity. ```  15) Make note of the counts shown in the assistant, then close the assistant Expected result: - The counts from the assistant match the counts in the treemap legend, per the example screenshot below:  16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged` **Expected result** - The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:  17) Once again, open the assistant 18) Once again, ask the (same) question: ``` How many open alerts do I have? ``` **Expected result** - The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below: ``` Based on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged). ```  (cherry picked from commit 081f52b)
andrew-goldstein
added a commit
that referenced
this pull request
Dec 21, 2023
…ed` alerts in the LangChain `AlertCountsTool` aggregation (#173701) (#173801) # Backport This will backport the following commits from `main` to `8.12`: - [[Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation (#173701)](#173701) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Andrew Macri","email":"andrew.macri@elastic.co"},"sourceCommit":{"committedDate":"2023-12-21T04:41:11Z","message":"[Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation (#173701)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation\r\n\r\nThis PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542)\r\n\r\n- This PR is similar to <#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts\r\n - In contrast to [#173121](#173121), this PR is focused on the alert counts _aggregation_\r\n\r\n- This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker:\r\n\r\n```json\r\n \"range\": {\r\n \"@timestamp\": {\r\n \"gte\": \"now-24h\",\r\n \"lte\": \"now\"\r\n }\r\n }\r\n```\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- The `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n2) After the alerts have been generated, disable all detection rules to keep the counts static during testing\r\n\r\n3) Navigate to Security > Alerts\r\n\r\n4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker\r\n\r\n5) Click the `Treemap` button to select the Treemap visualization\r\n\r\n6) In the Treemap's `Group by` input, enter `kibana.alert.severity`\r\n\r\n7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status`\r\n\r\n8) Click the `AI Assistant` button to open the assistant\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n```\r\nkibana.alert.workflow_status\r\n_id\r\n```\r\n\r\n12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- The alerts page date range is `Last 24 hours`\r\n- The `Treemap` is selected\r\n- The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status`\r\n- The alerts table has custom sorting and columns, per the screenshot below:\r\n\r\n\r\n\r\n13) Click the `AI Assistant` button to open the assistant\r\n\r\n14) Ask the assistant:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below:\r\n\r\n```\r\nYou have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity.\r\n```\r\n\r\n\r\n\r\n15) Make note of the counts shown in the assistant, then close the assistant\r\n\r\nExpected result:\r\n\r\n- The counts from the assistant match the counts in the treemap legend, per the example screenshot below:\r\n\r\n\r\n\r\n16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:\r\n\r\n\r\n\r\n17) Once again, open the assistant\r\n\r\n18) Once again, ask the (same) question:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below:\r\n\r\n```\r\nBased on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged).\r\n```\r\n\r\n","sha":"081f52bfe3fbbaf5bb9476c656c308f7f9430df2","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team: SecuritySolution","Team:Threat Hunting:Investigations","Feature:Elastic AI Assistant","v8.12.0","v8.13.0"],"number":173701,"url":"https://github.com/elastic/kibana/pull/173701","mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation (#173701)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation\r\n\r\nThis PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542)\r\n\r\n- This PR is similar to <#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts\r\n - In contrast to [#173121](#173121), this PR is focused on the alert counts _aggregation_\r\n\r\n- This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker:\r\n\r\n```json\r\n \"range\": {\r\n \"@timestamp\": {\r\n \"gte\": \"now-24h\",\r\n \"lte\": \"now\"\r\n }\r\n }\r\n```\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- The `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n2) After the alerts have been generated, disable all detection rules to keep the counts static during testing\r\n\r\n3) Navigate to Security > Alerts\r\n\r\n4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker\r\n\r\n5) Click the `Treemap` button to select the Treemap visualization\r\n\r\n6) In the Treemap's `Group by` input, enter `kibana.alert.severity`\r\n\r\n7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status`\r\n\r\n8) Click the `AI Assistant` button to open the assistant\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n```\r\nkibana.alert.workflow_status\r\n_id\r\n```\r\n\r\n12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- The alerts page date range is `Last 24 hours`\r\n- The `Treemap` is selected\r\n- The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status`\r\n- The alerts table has custom sorting and columns, per the screenshot below:\r\n\r\n\r\n\r\n13) Click the `AI Assistant` button to open the assistant\r\n\r\n14) Ask the assistant:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below:\r\n\r\n```\r\nYou have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity.\r\n```\r\n\r\n\r\n\r\n15) Make note of the counts shown in the assistant, then close the assistant\r\n\r\nExpected result:\r\n\r\n- The counts from the assistant match the counts in the treemap legend, per the example screenshot below:\r\n\r\n\r\n\r\n16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:\r\n\r\n\r\n\r\n17) Once again, open the assistant\r\n\r\n18) Once again, ask the (same) question:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below:\r\n\r\n```\r\nBased on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged).\r\n```\r\n\r\n","sha":"081f52bfe3fbbaf5bb9476c656c308f7f9430df2"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","labelRegex":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/173701","number":173701,"mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation (#173701)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation\r\n\r\nThis PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542)\r\n\r\n- This PR is similar to <#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts\r\n - In contrast to [#173121](#173121), this PR is focused on the alert counts _aggregation_\r\n\r\n- This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker:\r\n\r\n```json\r\n \"range\": {\r\n \"@timestamp\": {\r\n \"gte\": \"now-24h\",\r\n \"lte\": \"now\"\r\n }\r\n }\r\n```\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- The `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n2) After the alerts have been generated, disable all detection rules to keep the counts static during testing\r\n\r\n3) Navigate to Security > Alerts\r\n\r\n4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker\r\n\r\n5) Click the `Treemap` button to select the Treemap visualization\r\n\r\n6) In the Treemap's `Group by` input, enter `kibana.alert.severity`\r\n\r\n7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status`\r\n\r\n8) Click the `AI Assistant` button to open the assistant\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n```\r\nkibana.alert.workflow_status\r\n_id\r\n```\r\n\r\n12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- The alerts page date range is `Last 24 hours`\r\n- The `Treemap` is selected\r\n- The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status`\r\n- The alerts table has custom sorting and columns, per the screenshot below:\r\n\r\n\r\n\r\n13) Click the `AI Assistant` button to open the assistant\r\n\r\n14) Ask the assistant:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below:\r\n\r\n```\r\nYou have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity.\r\n```\r\n\r\n\r\n\r\n15) Make note of the counts shown in the assistant, then close the assistant\r\n\r\nExpected result:\r\n\r\n- The counts from the assistant match the counts in the treemap legend, per the example screenshot below:\r\n\r\n\r\n\r\n16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:\r\n\r\n\r\n\r\n17) Once again, open the assistant\r\n\r\n18) Once again, ask the (same) question:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below:\r\n\r\n```\r\nBased on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged).\r\n```\r\n\r\n","sha":"081f52bfe3fbbaf5bb9476c656c308f7f9430df2"}}]}] BACKPORT-->
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this pull request
Dec 21, 2023
…ugmented Generation (RAG) for Alerts_ Feature Flag This PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542). Deleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:  This PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged. ### Desk testing To desk test this change: 1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` 2) Start Kibana 3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 4) Navigate to Security > Alerts 5) Click the `AI Assistant` button to open the assistant 6) Click the `X` button to clear the conversation 7) Click the assistant's `Settings` gear 8) Click the `Knowledge Base` category **Expected result** - The `Alerts` toggle shown in the screenshot below is available  9) Click the `Alerts` toggle to enable the feature 10) Click the `Save` button to close settings 11) Enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - A response with alert counts grouped by workflow status will be returned, similar to the example below: ``` You currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged. ``` 12) Enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** A response with alert details, similar to the following is returned: ``` Based on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47. ``` 13) Once again, click the assistant's `Settings` gear 14) Click the `Knowledge Base` category 15) Click the `Alerts` toggle to disable the feature 16) Click the `Save` button to close settings 17) Once again, enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response: ``` I'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts. ``` 18) One more time, enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** - The assistant does NOT respond with alert details. Instead it replies with something like the following example response: ``` As an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact. ```
andrew-goldstein
added a commit
that referenced
this pull request
Dec 21, 2023
…ented Generation (RAG) for Alerts_ Feature Flag (#173809) ## [Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag This PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542). Deleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:  This PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged. This PR also includes @benironside improvements to the Alerts setting in the video below: https://github.com/elastic/kibana/assets/4459398/73ea2717-ad2a-4998-afe2-cc154d8d19a9 ### Desk testing To desk test this change: 1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` 2) Start Kibana 3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 4) Navigate to Security > Alerts 5) Click the `AI Assistant` button to open the assistant 6) Click the `X` button to clear the conversation 7) Click the assistant's `Settings` gear 8) Click the `Knowledge Base` category **Expected result** - The `Alerts` toggle shown in the screenshot below is available  9) Click the `Alerts` toggle to enable the feature 10) Click the `Save` button to close settings 11) Enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - A response with alert counts grouped by workflow status will be returned, similar to the example below: ``` You currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged. ``` 12) Enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** A response with alert details, similar to the following is returned: ``` Based on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47. ``` 13) Once again, click the assistant's `Settings` gear 14) Click the `Knowledge Base` category 15) Click the `Alerts` toggle to disable the feature 16) Click the `Save` button to close settings 17) Once again, enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response: ``` I'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts. ``` 18) One more time, enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** - The assistant does NOT respond with alert details. Instead it replies with something like the following example response: ``` As an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact. ```
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 21, 2023
…ented Generation (RAG) for Alerts_ Feature Flag (elastic#173809) ## [Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag This PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542). Deleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:  This PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged. This PR also includes @benironside improvements to the Alerts setting in the video below: https://github.com/elastic/kibana/assets/4459398/73ea2717-ad2a-4998-afe2-cc154d8d19a9 ### Desk testing To desk test this change: 1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` 2) Start Kibana 3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 4) Navigate to Security > Alerts 5) Click the `AI Assistant` button to open the assistant 6) Click the `X` button to clear the conversation 7) Click the assistant's `Settings` gear 8) Click the `Knowledge Base` category **Expected result** - The `Alerts` toggle shown in the screenshot below is available  9) Click the `Alerts` toggle to enable the feature 10) Click the `Save` button to close settings 11) Enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - A response with alert counts grouped by workflow status will be returned, similar to the example below: ``` You currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged. ``` 12) Enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** A response with alert details, similar to the following is returned: ``` Based on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47. ``` 13) Once again, click the assistant's `Settings` gear 14) Click the `Knowledge Base` category 15) Click the `Alerts` toggle to disable the feature 16) Click the `Save` button to close settings 17) Once again, enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response: ``` I'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts. ``` 18) One more time, enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** - The assistant does NOT respond with alert details. Instead it replies with something like the following example response: ``` As an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact. ``` (cherry picked from commit ec05dd7)
kibanamachine
added a commit
that referenced
this pull request
Dec 22, 2023
…al Augmented Generation (RAG) for Alerts_ Feature Flag (#173809) (#173883) # Backport This will backport the following commits from `main` to `8.12`: - [[Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag (#173809)](#173809) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Andrew Macri","email":"andrew.macri@elastic.co"},"sourceCommit":{"committedDate":"2023-12-21T23:01:15Z","message":"[Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag (#173809)\n\n## [Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag\r\n\r\nThis PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542).\r\n\r\nDeleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:\r\n\r\n\r\n\r\nThis PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged.\r\n\r\nThis PR also includes @benironside improvements to the Alerts setting in the video below:\r\n\r\nhttps://github.com/elastic/kibana/assets/4459398/73ea2717-ad2a-4998-afe2-cc154d8d19a9\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n2) Start Kibana\r\n\r\n3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n4) Navigate to Security > Alerts\r\n\r\n5) Click the `AI Assistant` button to open the assistant\r\n\r\n6) Click the `X` button to clear the conversation\r\n\r\n7) Click the assistant's `Settings` gear\r\n\r\n8) Click the `Knowledge Base` category\r\n\r\n**Expected result**\r\n\r\n- The `Alerts` toggle shown in the screenshot below is available\r\n\r\n\r\n\r\n9) Click the `Alerts` toggle to enable the feature\r\n\r\n10) Click the `Save` button to close settings\r\n\r\n11) Enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- A response with alert counts grouped by workflow status will be returned, similar to the example below:\r\n\r\n```\r\nYou currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged.\r\n```\r\n\r\n12) Enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\nA response with alert details, similar to the following is returned:\r\n\r\n```\r\nBased on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47.\r\n```\r\n\r\n13) Once again, click the assistant's `Settings` gear\r\n\r\n14) Click the `Knowledge Base` category\r\n\r\n15) Click the `Alerts` toggle to disable the feature\r\n\r\n16) Click the `Save` button to close settings\r\n\r\n17) Once again, enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response:\r\n\r\n```\r\nI'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts.\r\n```\r\n\r\n18) One more time, enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with alert details. Instead it replies with something like the following example response:\r\n\r\n```\r\nAs an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact.\r\n```","sha":"ec05dd7afddaef353d27f0bcbc7046ff09c0a5d6","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team: SecuritySolution","Team:Threat Hunting:Investigations","Feature:Elastic AI Assistant","v8.12.0","v8.13.0"],"number":173809,"url":"https://github.com/elastic/kibana/pull/173809","mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag (#173809)\n\n## [Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag\r\n\r\nThis PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542).\r\n\r\nDeleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:\r\n\r\n\r\n\r\nThis PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged.\r\n\r\nThis PR also includes @benironside improvements to the Alerts setting in the video below:\r\n\r\nhttps://github.com/elastic/kibana/assets/4459398/73ea2717-ad2a-4998-afe2-cc154d8d19a9\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n2) Start Kibana\r\n\r\n3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n4) Navigate to Security > Alerts\r\n\r\n5) Click the `AI Assistant` button to open the assistant\r\n\r\n6) Click the `X` button to clear the conversation\r\n\r\n7) Click the assistant's `Settings` gear\r\n\r\n8) Click the `Knowledge Base` category\r\n\r\n**Expected result**\r\n\r\n- The `Alerts` toggle shown in the screenshot below is available\r\n\r\n\r\n\r\n9) Click the `Alerts` toggle to enable the feature\r\n\r\n10) Click the `Save` button to close settings\r\n\r\n11) Enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- A response with alert counts grouped by workflow status will be returned, similar to the example below:\r\n\r\n```\r\nYou currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged.\r\n```\r\n\r\n12) Enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\nA response with alert details, similar to the following is returned:\r\n\r\n```\r\nBased on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47.\r\n```\r\n\r\n13) Once again, click the assistant's `Settings` gear\r\n\r\n14) Click the `Knowledge Base` category\r\n\r\n15) Click the `Alerts` toggle to disable the feature\r\n\r\n16) Click the `Save` button to close settings\r\n\r\n17) Once again, enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response:\r\n\r\n```\r\nI'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts.\r\n```\r\n\r\n18) One more time, enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with alert details. Instead it replies with something like the following example response:\r\n\r\n```\r\nAs an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact.\r\n```","sha":"ec05dd7afddaef353d27f0bcbc7046ff09c0a5d6"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","labelRegex":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/173809","number":173809,"mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag (#173809)\n\n## [Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag\r\n\r\nThis PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542).\r\n\r\nDeleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:\r\n\r\n\r\n\r\nThis PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged.\r\n\r\nThis PR also includes @benironside improvements to the Alerts setting in the video below:\r\n\r\nhttps://github.com/elastic/kibana/assets/4459398/73ea2717-ad2a-4998-afe2-cc154d8d19a9\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n2) Start Kibana\r\n\r\n3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n4) Navigate to Security > Alerts\r\n\r\n5) Click the `AI Assistant` button to open the assistant\r\n\r\n6) Click the `X` button to clear the conversation\r\n\r\n7) Click the assistant's `Settings` gear\r\n\r\n8) Click the `Knowledge Base` category\r\n\r\n**Expected result**\r\n\r\n- The `Alerts` toggle shown in the screenshot below is available\r\n\r\n\r\n\r\n9) Click the `Alerts` toggle to enable the feature\r\n\r\n10) Click the `Save` button to close settings\r\n\r\n11) Enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- A response with alert counts grouped by workflow status will be returned, similar to the example below:\r\n\r\n```\r\nYou currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged.\r\n```\r\n\r\n12) Enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\nA response with alert details, similar to the following is returned:\r\n\r\n```\r\nBased on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47.\r\n```\r\n\r\n13) Once again, click the assistant's `Settings` gear\r\n\r\n14) Click the `Knowledge Base` category\r\n\r\n15) Click the `Alerts` toggle to disable the feature\r\n\r\n16) Click the `Save` button to close settings\r\n\r\n17) Once again, enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response:\r\n\r\n```\r\nI'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts.\r\n```\r\n\r\n18) One more time, enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with alert details. Instead it replies with something like the following example response:\r\n\r\n```\r\nAs an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact.\r\n```","sha":"ec05dd7afddaef353d27f0bcbc7046ff09c0a5d6"}}]}] BACKPORT--> Co-authored-by: Andrew Macri <andrew.macri@elastic.co>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts
This PR implements Retrieval Augmented Generation (RAG) for Alerts in the Security Solution. This feature enables users to ask the assistant questions about the latest and riskiest open alerts in their environment using natural language, for example:
More context
Previously, the assistant relied solely on the knowledge of the configured LLM and singular alerts or events passed by the client to the LLM as prompt context. This new feature:
Show anonymizedtoggle to see the anonymized values sent to / received from the LLM:Settings
This feature is enabled and configured via the
Knowledge Base>Alertssettings in the screenshot below:Alertstoggle enables or disables the feature10-100alerts (default:20)When the setting above is enabled, up to
nalerts (as determined by the slider) that meet the following criteria will be returned:kibana.alert.workflow_statusmust beopen24 hourskibana.alert.building_block_typealertnalerts are ordered bykibana.alert.risk_score, to prioritize the riskiest alertsFeature flag
To use this feature:
assistantRagOnAlertsfeature flag to thexpack.securitySolution.enableExperimentalsetting inconfig/kibana.yml(orconfig/kibana.dev.ymlin local development environments), per the example below:Alertstoggle in the Assistant'sKnowledge Basesettings, per the screenshot below:How it works
Alertssettings toggle is enabled, httpPOSTrequests to the/internal/elastic_assistant/actions/connector/{id}/_executeroute include the following new (optional) parameters:alertsIndexPattern, the alerts index for the current Kibana Space, e.g..alerts-security.alerts-defaultallow, the user'sAllowedfields in theAnonymizationsettings, e.g.["@timestamp", "cloud.availability_zone", "file.name", "user.name", ...]allowReplacement, the user'sAnonymizedfields in theAnonymizationsettings, e.g.["cloud.availability_zone", "host.name", "user.name", ...]replacements, aRecord<string, string>of replacements (generated on the server) that starts empty for a new conversation, and accumulates anonymized values until the conversation is cleared, e.g.size, the numeric value set by the slider in the user'sKnowledge Base > Alertssetting, e.g.20The
postActionsConnectorExecuteRoutefunction inx-pack/plugins/elastic_assistant/server/routes/post_actions_connector_execute.tswas updated to accept the new optional parameters, and to return an updatedreplacementswith every response. (Every new request that is processed on the server may add additional anonymized values to thereplacementsreturned in the response.)The
callAgentExecutorfunction inx-pack/plugins/elastic_assistant/server/lib/langchain/execute_custom_llm_chain/index.tspreviously used a hard-coded array of LangChain tools that had just one entry, for theESQLKnowledgeBaseTooltool. That hard-coded array was replaced in this PR with a call to the (new)getApplicableToolsfunction:The
getApplicableToolsfunction inx-pack/plugins/elastic_assistant/server/lib/langchain/tools/index.tsexamines the parameters in theKibanaRequestand only returns a filtered set of LangChain tools. If the request doesn't contain all the parameters required by a tool, it will NOT be returned bygetApplicableTools. For example, if the required anonymization parameters are not included in the request, theopen-alertstool will not be returned.The new
alert-countsLangChain tool returned by thegetAlertCountsToolfunction inx-pack/plugins/elastic_assistant/server/lib/langchain/tools/alert_counts/get_alert_counts_tool.tsprovides the LLM the results of an aggregation on the last24hours of alerts (in the current Kibana Space), grouped bykibana.alert.severity. See thegetAlertsCountQueryfunction inx-pack/plugins/elastic_assistant/server/lib/langchain/tools/alert_counts/get_alert_counts_query.tsfor detailsThe new
open-alertsLangChain tool returned by thegetOpenAlertsToolfunction inx-pack/plugins/elastic_assistant/server/lib/langchain/tools/open_alerts/get_open_alerts_tool.tsprovides the LLM up tosizenon-building-block alerts generated in the last24hours (in the current Kibana Space) with anopenworkflow status, ordered bykibana.alert.risk_scoreto prioritize the riskiest alerts. See thegetOpenAlertsQueryfunction inx-pack/plugins/elastic_assistant/server/lib/langchain/tools/open_alerts/get_open_alerts_query.tsfor details.On the client, a conversation continues to accumulate additional
replacements(and send them in subsequent requests) until the conversation is clearedAnonymization functions that were only invoked by the browser were moved from the (browser)
kbn-elastic-assistantpackage inx-pack/packages/kbn-elastic-assistant/to a new common package:x-pack/packages/kbn-elastic-assistant-commonkbn-elastic-assistant-commonpackage is also consumed by theelastic_assistant(server) plugin:x-pack/plugins/elastic_assistant