Ask AI Assistant in generic entity flyout (#234324)

## Summary

This PR adds basic "Ask AI Assistant" functionality to the Generic
Entity flyout in Asset Inventory. The Asset Inventory is still in Tech
Preview and behind a feature flag, so this functionality when merged
will have the same availability. The implementation follows the approach
of the same functionality available for Alerts

The feature will be under Technical Preview as Asset Inventory itself is
under Technical preview and behind an Advanced Setting

Contributes to:
- elastic/security-team#13836

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

### How to test

0. set up AI Assistant LLM Connectors, eg via `kibana.dev.yml` flag
`xpack.actions.preconfigured`. You will need LLM credentials for that.
Reach out to @maxcold if you don't have it. make sure to run
elasticsearch cluster without the flag `xpack.ml.enabled=false`
1. Install Cloud Asset Discovery integration
https://localhost:5601/app/integrations/detail/cloud_asset_inventory
2. Reindex Asset Inventory, you will need credentials from an env with
asset inventory data, reach out to @maxcold if you don't have it:
```
POST _reindex?wait_for_completion=true
{
  "conflicts": "proceed", 
  "source": {
    "remote": {
      "host": "${ES_REMOTE_HOST}",
      "username": "${ES_REMOTE_USER}",
      "password": "${ES_REMOTE_PASS}"
    },
    "index": "logs-cloud_asset_inventory*",
    "query": {
      "bool": {
        "must": [
          {
            "range": {
              "@timestamp": {
                "gte": "now-1d"
              }
            }
          }
        ]
      }
    }
  },
  "dest": {
    "op_type": "create",
    "index": "logs-cloud_asset_inventory.asset_inventory-default"
  }
}
```
3. Enable Asset Inventory on Kibana Settings
4. Enable Asset Inventory on Security -> Inventory page.

### Screenshots

<img width="1728" height="873" alt="Screenshot 2025-09-12 at 13 25 38"
src="https://github.com/user-attachments/assets/9abf8597-b404-467a-a4fe-24b4df5fa722"
/>

<img width="1728" height="875" alt="Screenshot 2025-09-12 at 13 25 46"
src="https://github.com/user-attachments/assets/e43e0f87-ff13-4b8e-b6e5-5da3dd4e9a86"
/>

Preview mode - hide 'Ask AI Assistant' button - aligned with alert
flyout in preview mode:
<img width="1477" height="932" alt="image"
src="https://github.com/user-attachments/assets/c9f2eeb0-3d60-49e9-8a7b-671cb57a1431"
/>


<img width="1727" height="871" alt="Screenshot 2025-09-12 at 13 26 23"
src="https://github.com/user-attachments/assets/41cb16d7-6d25-4601-b5c1-3a28c31e9be2"
/>

---------

Co-authored-by: Steph Milovic <[email protected]>
Co-authored-by: alex prozorov <[email protected]>

Author: 3 people

x-pack/solutions/security/plugins/elastic_assistant/common/anonymization/index.ts

@@ -14,12 +14,18 @@ export const DEFAULT_ALLOW = [
   'actions.status',
   'actions.context',
   'agent.id',
+  'cloud.account.name',
   'cloud.availability_zone',
   'cloud.provider',
   'cloud.region',
+  'cloud.service.name',
   'destination.ip',
   'dns.question.name',
   'dns.question.type',
+  'entity.id',
+  'entity.name',
+  'entity.sub_type',
+  'entity.type',
   'event.category',
   'event.dataset',
   'event.module',
@@ -30,12 +36,14 @@ export const DEFAULT_ALLOW = [
   'file.path',
   'group.id',
   'group.name',
+  'host.architecture',
   'host.asset.criticality',
   'host.name',
   'host.os.name',
   'host.os.version',
   'host.risk.calculated_level',
   'host.risk.calculated_score_norm',
+  'host.type',
   'kibana.alert.original_time',
   'kibana.alert.risk_score',
   'kibana.alert.rule.description',
@@ -117,6 +125,8 @@ export const DEFAULT_ALLOW = [
 
 /** By default, these fields will be anonymized */
 export const DEFAULT_ALLOW_REPLACEMENT = [
+  'cloud.account.name',
+  'entity.name',
   'host.ip', // not a default allow field, but anonymized by default
   'host.name',
   'user.name',

x-pack/solutions/security/plugins/elastic_assistant/server/lib/prompt/local_prompt_object.ts

@@ -29,6 +29,7 @@ import {
   RULE_ANALYSIS,
   DATA_QUALITY_ANALYSIS,
   ALERT_EVALUATION,
+  ENTITY_ANALYSIS,
   starterPromptTitle1,
   starterPromptDescription1,
   starterPromptIcon1,
@@ -101,6 +102,7 @@ export const promptDictionary = {
     'defendInsights-policyResponseFailureRemediationLink',
   // context prompts
   alertEvaluation: `alertEvaluation`,
+  assetAnalysis: `assetAnalysis`,
   dataQualityAnalysis: 'dataQualityAnalysis',
   ruleAnalysis: 'ruleAnalysis',
   // starter prompts
@@ -416,6 +418,13 @@ export const localPrompts: Prompt[] = [
       default: ALERT_EVALUATION,
     },
   },
+  {
+    promptId: promptDictionary.assetAnalysis,
+    promptGroupId: promptGroupId.aiAssistant,
+    prompt: {
+      default: ENTITY_ANALYSIS,
+    },
+  },
   {
     promptId: promptDictionary.dataQualityAnalysis,
     promptGroupId: promptGroupId.aiAssistant,

x-pack/solutions/security/plugins/elastic_assistant/server/lib/prompt/prompts.ts

@@ -219,6 +219,24 @@ Formatting Requirements:
   - Include relevant emojis in section headers for visual clarity (e.g., 📝, 🛡️, 🔍, 📚).
 `;
 
+export const ENTITY_ANALYSIS = `Your primary function is to analyze asset and entity data to provide security insights. You will be provided with a JSON object containing the context of a specific asset (e.g., a host, user, service or cloud resource). Your response must be structured, contextual, and directly address the user's query if one is provided. If no specific query is given, provide a general analysis based on the structure below.
+Your response must be in markdown format and include the following sections:
+**1. 🔍 Asset Overview**
+   - Begin by acknowledging the asset you are analyzing using its primary identifiers (e.g., "Analyzing host \`[host.name]\` with IP \`[host.ip]\`").
+   - Provide a concise summary of the asset's most critical attributes from the provided context.
+   - Describe its key relationships and dependencies (e.g., "This asset is part of the \`[cloud.project.name]\` project and is located in the \`[cloud.availability_zone]\` zone.").
+**2. 💡 Investigation & Analytics**
+   - Based on the asset's type and attributes, suggest potential investigation paths or common attack vectors.
+   - **Generate contextual ES|QL queries** to help the user investigate further. Format all queries as code blocks. Your generated queries should address common analytical questions, such as:
+     - Finding related security events (e.g., login attempts, network traffic, process executions).
+     - Identifying other assets with similar attributes.
+     - Searching for Indicators of Compromise (IoCs) relevant to the asset type.
+   - If the user asks a question that can be answered with a query, provide the query as the primary answer.
+**General Instructions:**
+- **Context Awareness:** Your entire analysis must be derived from the provided asset context. If a piece of information is not available in the context (or appears to be anonymized), state that and proceed with the available data.
+- **Query Generation:** When asked to "write a query" or a similar request, your primary output for that section should be a valid, ready-to-use ES|QL query based on the entity's schema.
+- **Formatting:** Use markdown headers, tables, code blocks, and bullet points to ensure the output is clear, organized, and easily readable. Use concise, actionable language.`;
+
 export const starterPromptTitle1 = 'Alerts';
 export const starterPromptDescription1 = 'Most important alerts from the last 24 hrs';
 export const starterPromptIcon1 = 'bell';

x-pack/solutions/security/plugins/security_solution/public/assistant/content/prompt_contexts/index.tsx

@@ -10,11 +10,13 @@ import * as i18nDataQuality from '@kbn/ecs-data-quality-dashboard';
 import * as i18n from './translations';
 import * as i18nDetections from '../../../detection_engine/common/translations';
 import * as i18nEventDetails from '../../../common/components/event_details/translations';
+import * as i18nEntityDetails from '../../../flyout/entity_details/shared/translations';
 
 export const PROMPT_CONTEXT_ALERT_CATEGORY = 'alert';
 export const PROMPT_CONTEXT_EVENT_CATEGORY = 'event';
 export const PROMPT_CONTEXT_DETECTION_RULES_CATEGORY = 'detection-rules';
 export const DATA_QUALITY_DASHBOARD_CATEGORY = 'data-quality-dashboard';
+export const PROMPT_CONTEXT_ASSET_CATEGORY = 'asset';
 
 /**
  * Global list of PromptContexts intended to be used throughout Security Solution.
@@ -61,4 +63,13 @@ export const getPromptContexts = (
     description: i18nDetections.RULE_MANAGEMENT_CONTEXT_DESCRIPTION,
     tooltip: i18nDetections.RULE_MANAGEMENT_CONTEXT_TOOLTIP,
   },
+  /**
+   * Entity context, made available on the Asset Inventory page in the entity details flyout
+   */
+  [PROMPT_CONTEXT_ASSET_CATEGORY]: {
+    category: PROMPT_CONTEXT_ASSET_CATEGORY,
+    suggestedUserPrompt: prompts[PROMPT_CONTEXT_ASSET_CATEGORY],
+    description: i18nEntityDetails.ENTITY_CONTEXT_DESCRIPTION,
+    tooltip: i18nEntityDetails.ENTITY_CONTEXT_TOOLTIP,
+  },
 });

x-pack/solutions/security/plugins/security_solution/public/assistant/content/prompt_contexts/use_find_prompt_contexts.test.tsx

@@ -12,6 +12,7 @@ import { useFindPrompts } from '@kbn/elastic-assistant';
 import { DATA_QUALITY_SUGGESTED_USER_PROMPT } from '@kbn/ecs-data-quality-dashboard';
 import { EXPLAIN_THEN_SUMMARIZE_RULE_DETAILS } from '../../../detection_engine/common/translations';
 import { EXPLAIN_THEN_SUMMARIZE_SUGGEST_INVESTIGATION_GUIDE } from '../prompts/user/translations';
+import { ASSET_INVENTORY_ENTITY_PROMPT } from '../../../flyout/entity_details/shared/translations';
 
 const mockPrompts = [
   {
@@ -26,6 +27,10 @@ const mockPrompts = [
     promptId: 'ruleAnalysis',
     prompt: 'RULE ANALYSIS',
   },
+  {
+    promptId: 'assetAnalysis',
+    prompt: 'ASSET ANALYSIS',
+  },
 ];
 jest.mock('@kbn/elastic-assistant');
 
@@ -47,6 +52,12 @@ describe('useFindPromptContexts', () => {
         suggestedUserPrompt: 'ALERT EVALUATION',
         tooltip: 'Add this alert as context',
       },
+      asset: {
+        category: 'asset',
+        description: 'Entity details',
+        suggestedUserPrompt: 'ASSET ANALYSIS',
+        tooltip: 'Asset details from inventory',
+      },
       'data-quality-dashboard': {
         category: 'data-quality-dashboard',
         description: 'Data Quality (index)',
@@ -83,6 +94,12 @@ describe('useFindPromptContexts', () => {
         suggestedUserPrompt: EXPLAIN_THEN_SUMMARIZE_SUGGEST_INVESTIGATION_GUIDE,
         tooltip: 'Add this alert as context',
       },
+      asset: {
+        category: 'asset',
+        description: 'Entity details',
+        suggestedUserPrompt: ASSET_INVENTORY_ENTITY_PROMPT,
+        tooltip: 'Asset details from inventory',
+      },
       'data-quality-dashboard': {
         category: 'data-quality-dashboard',
         description: 'Data Quality (index)',

x-pack/solutions/security/plugins/security_solution/public/assistant/content/prompt_contexts/use_find_prompt_contexts.tsx

@@ -12,12 +12,14 @@ import type { FindSecurityAIPromptsRequestQuery } from '@kbn/elastic-assistant-c
 import { DATA_QUALITY_SUGGESTED_USER_PROMPT } from '@kbn/ecs-data-quality-dashboard';
 import { EXPLAIN_THEN_SUMMARIZE_RULE_DETAILS } from '../../../detection_engine/common/translations';
 import { EXPLAIN_THEN_SUMMARIZE_SUGGEST_INVESTIGATION_GUIDE } from '../prompts/user/translations';
+import { ASSET_INVENTORY_ENTITY_PROMPT } from '../../../flyout/entity_details/shared/translations';
 import {
   DATA_QUALITY_DASHBOARD_CATEGORY,
   getPromptContexts,
   PROMPT_CONTEXT_ALERT_CATEGORY,
   PROMPT_CONTEXT_DETECTION_RULES_CATEGORY,
   PROMPT_CONTEXT_EVENT_CATEGORY,
+  PROMPT_CONTEXT_ASSET_CATEGORY,
 } from '.';
 export interface UseFindPromptContextsParams {
   context: {
@@ -47,6 +49,9 @@ export const useFindPromptContexts = (payload: UseFindPromptContextsParams) => {
     [PROMPT_CONTEXT_DETECTION_RULES_CATEGORY]:
       prompts.find(({ promptId }) => promptId === 'ruleAnalysis')?.prompt ??
       EXPLAIN_THEN_SUMMARIZE_RULE_DETAILS,
+    [PROMPT_CONTEXT_ASSET_CATEGORY]:
+      prompts.find(({ promptId }) => promptId === 'assetAnalysis')?.prompt ??
+      ASSET_INVENTORY_ENTITY_PROMPT,
   });
   return PROMPT_CONTEXTS;
 };

x-pack/solutions/security/plugins/security_solution/public/assistant/provider.tsx

@@ -42,7 +42,7 @@ export const AssistantProvider: FC<PropsWithChildren<unknown>> = ({ children })
     },
     params: {
       prompt_group_id: 'aiAssistant',
-      prompt_ids: ['alertEvaluation', 'dataQualityAnalysis', 'ruleAnalysis'],
+      prompt_ids: ['alertEvaluation', 'dataQualityAnalysis', 'ruleAnalysis', 'assetAnalysis'],
     },
   });
   const promptContext = useObservable(

x-pack/solutions/security/plugins/security_solution/public/flyout/entity_details/generic_right/footer.tsx

@@ -10,6 +10,7 @@ import { EuiFlyoutFooter, EuiPanel, EuiFlexGroup, EuiFlexItem, EuiLink } from '@
 import type { EntityEcs } from '@kbn/securitysolution-ecs/src/entity';
 import { useExpandableFlyoutApi } from '@kbn/expandable-flyout';
 import { i18n } from '@kbn/i18n';
+import { NewChatByTitle } from '@kbn/elastic-assistant';
 import { DocumentEventTypes } from '../../../common/lib/telemetry';
 import { TakeAction } from '../shared/components/take_action';
 import {
@@ -19,19 +20,31 @@ import {
 import { GenericEntityPanelKey } from '../shared/constants';
 import { GENERIC_ENTITY_PREVIEW_BANNER } from '../../document_details/preview/constants';
 import { useKibana } from '../../../common/lib/kibana';
+import { ASK_AI_ASSISTANT } from '../shared/translations';
+import { useAssetInventoryAssistant } from './hooks/use_asset_inventory_assistant';
+
+interface GenericEntityFlyoutFooterProps {
+  entityId: EntityEcs['id'];
+  isPreviewMode: boolean;
+  scopeId: string;
+  entityFields: Record<string, string[]>;
+}
 
 export const GenericEntityFlyoutFooter = ({
   entityId,
   isPreviewMode,
   scopeId,
-}: {
-  entityId: EntityEcs['id'];
-  isPreviewMode: boolean;
-  scopeId: string;
-}) => {
+  entityFields,
+}: GenericEntityFlyoutFooterProps) => {
   const { openFlyout } = useExpandableFlyoutApi();
   const { telemetry } = useKibana().services;
 
+  const { showAssistant, showAssistantOverlay } = useAssetInventoryAssistant({
+    entityId,
+    entityFields,
+    isPreviewMode,
+  });
+
   const openDocumentFlyout = useCallback(() => {
     openFlyout({
       right: {
@@ -70,6 +83,11 @@ export const GenericEntityFlyoutFooter = ({
         <EuiFlexGroup justifyContent="flexEnd" alignItems="center">
           {isPreviewMode && <EuiFlexItem grow={false}>{fullDetailsLink}</EuiFlexItem>}
 
+          {showAssistant && (
+            <EuiFlexItem grow={false}>
+              <NewChatByTitle showAssistantOverlay={showAssistantOverlay} text={ASK_AI_ASSISTANT} />
+            </EuiFlexItem>
+          )}
           <EuiFlexItem grow={false}>
             <TakeAction
               isDisabled={!entityId}