[Security Solution][Detection Engine] adds AI Assistant to rule create form

[vitaliidm]

Summary

• adds AI assistant for queries for every rule type, apart Machine Learning
• AI assistant is shown only when query is not empty and invalid
• When user clicks on assistant it records telemetry event open_assistant_on_rule_query_error
• hidden behind AIAssistantOnRuleCreationFormEnabled feature flag

Design

Design

Demo

new.UX.mov

Old Demoes

Note: old demo videos use old UI design, and assistant is shown even for valid queries.

list of videos

ES|QL Case 1

Simple ES|QL query validation error solving
There 2 problems in query highlighted by validation.
First, missing metadata operator
Second, operator = instead of ==
By feeding query twice in Ai Assistant, I was able to get working solution

Screen.Recording.2024-03-20.at.16.15.02.mov

ES|QL Case 2

Fixes missing _id field, when metadata operator is present

4k.Screen.Recording.2024-03-21.at.16.08.21.mov

EQL Case 1

fixes EQL typo

Screen.Recording.2024-03-21.at.16.33.26.mov

Issues

Results might not be always consistent and for more complex queries they might not correct

Screen.Recording.2024-03-21.at.16.57.00.mov

[approksiu]

@vitaliidm Some videos here do not open, could you check please?

[vitaliidm]

@vitaliidm Some videos here do not open, could you check please?

@approksiu do you see any error? can you attach a screen recording with failure?

I suspect it might be because github authentication token expired. It happens when page is opened for a long time.
Try to refresh a page and play videos.

It works for me even from incognito tab, when I am not log in as myself.

[approksiu]

@approksiu do you see any error? can you attach a screen recording with failure?

I get this error for ESQL case2 and Issues videos, refresh did not help:

[vitaliidm]

@approksiu

probably something related to browser/OS that could not play that video format. I'll share internal link to this video

[ARWNightingale]

@vitaliidm What happens if the user clicks on the Ask assistant button before any query is inputted?

[vitaliidm]

@ARWNightingale

New assistant chat would be opened with empty context:

We can hide chat button if query is empty. I left it there, so user could use it and ask assistant help with query creation

[ARWNightingale]

I think we should hide it unless there is an actual warning/error on the query. The user has the option of AI assistant in the top nav/breadcrumb bar to open it separately. We can look at how to use AI more contextually in the whole form at a later date.
Sorry for the late reply, we can always update this later if its too late.

[ARWNightingale]

We have also just rebranded the "Ask AI" button which can be seen here:

https://www.figma.com/file/3XpAIELOiJ7PpzSZDSShUy/Library---Elastic-AI-Assistant?type=design&node-id=1403%3A283386&mode=design&t=FHv2SAd9XJRPnrn6-1

[ARWNightingale]

This gives a more detail on how the ui should look. I hope it helps let me know if you need any more info.

Design

[vitaliidm]

disable before merge. Needed for CI deployment to be testable

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 800a1e5
• Cloud Deployment

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	5580	5582	+2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	15.6MB	15.6MB	+3.2KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
securitySolution	83.6KB	83.7KB	+114.0B

History

• 💚 Build #218817 succeeded 1d6f7f7
• 💔 Build #218771 failed 0b205a0
• 💚 Build #218707 succeeded 4b11f56
• 💛 Build #218541 was flaky 2a86962
• 💛 Build #218494 was flaky 0472dac

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @vitaliidm