[Request][8.15 & Serverless] AI Assistant for rule creation

[nastasha-solomon]

Description

This feature allows users to leverage AI Assistant within the context of Detection rule creation. If a rule query has validation errors because of incorrect/missing syntax, format errors, missing info, typos, etc., an Ask Assistant prompt appears under the query bar. Refer to elastic/kibana#179091 for more info.

Misc. notes

• If I doc this feature outside of the core AI Assistant docs, I might also need to mention that there are set-up, license, and priv reqs for using AI Assistant.
• The way users interact with AI Assistant from the alert details flyout, Rules pages, DQ dashboard, and Timeline differs from the way they interact with Assistant from the rule creation form. When they open Assistant from rule creation form, they don't need to enter a question or select a system or quick prompt. Instead, a message asking Assistant to explain the errors in the query is auto-written and you just have to submit it. After submitting the question, Assistant provides the corrected query or suggests a better one.

Questions

• Do users need to have Knowledge base for ES|QL enabled for Assistant to suggest corrected or sample ES|QL queries? - Yes
• Any gotchas that users need to be aware of? In the related PR, there's a note in the description that says "that results might not be always consistent and for more complex queries they might not correct". Do we need to doc this as a warning, or is it a known issue that'll be eventually fixed? - TBD
• In situations where the suggested query is still wrong, what should users do to correct it? Do they need to go through the same workflow? Should they ask Assistant specific questions or use certain quick prompts? - Check with Ben on advice or disclaimers that we provide.

Background & resources

• PRs: [Security Solution][Detection Engine] adds AI Assistant to rule create form kibana#179091
• Issues/metas: https://github.com/elastic/security-team/issues/8959
• Point of contact: @vitaliidm
• Test environments: Still needed

Which documentation set does this change impact?

ESS and serverless

ESS release

8.15

Serverless release

July 22, 2024

Feature differences

N/A

Doc Impact

ESS docs

(Check with Ben on the first two)

• Add a bullet to the list of pages where users can begin a convo with AI Assistant.
• Add a bullet to the list of ways that users can interact with AI Assistant.
  • Note: Not sure if want to doc the feature here. This section explains how to interact with Assistant from the modal and the instructions are not context or page-specific.
• Add a tip to each of the rule types (except ML rules) wherever writing a query is mentioned.

Serverless docs

• Same as ESS docs

API docs impact

N/A

Prerequisites, privileges, feature flags

N/A

[nastasha-solomon]

Chatted with @benironside and we agreed that the best place to doc this functionality is in the Start chatting section. I'll update the description for the second bullet in the list to show that Assistant can help you with creating rules.

cc: @vitaliidm