[8.19] [Attack Discovery][Scheduling] Add attack discovery alerts deduplication (#12790) (#223483) (#223971)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[Attack Discovery][Scheduling] Add attack discovery alerts
deduplication (#12790)
(#223483)](#223483)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Ievgen
Sorokopud","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-06-13T19:35:52Z","message":"[Attack
Discovery][Scheduling] Add attack discovery alerts deduplication
(#12790) (#223483)\n\n## Summary\n\nMain ticket
([Internal\nlink](https://github.com/elastic/security-team/issues/12790))\n\nWith
these changes we add attack discovery alerts deduplication. Right\nnow
identical attack are being stored within the alerts index and to\nfilter
duplicates out we will use the next approach:\n\n1. Each alert will have
a ID generated as a SHA256 of attack attributes:\nlist of SIEM alerts
IDs and space ID\n2. After LLM generates attack discoveries we would
check whether the\nattack alert with the ID that describes the attack
based on the rule\nabove exists in the alerts index\n3. If such an
alerts exists we would drop the generated discovery\n4. Otherwise, we
would proceed with storing the attack discovery as a\nnew alert\n\n##
NOTES\n\nThe feature is hidden behind the feature flag (in
`kibana.dev.yml`):\n\n```\nfeature_flags.overrides:\n
securitySolution.attackDiscoveryAlertsEnabled:
true\n```","sha":"ed803078f99d9049ea6fcb6b7eea50ea1d3cea9d","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:
SecuritySolution","Team:Security Generative
AI","backport:version","v9.1.0","v8.19.0"],"title":"[Attack
Discovery][Scheduling] Add attack discovery alerts deduplication
(#12790)","number":223483,"url":"https://github.com/elastic/kibana/pull/223483","mergeCommit":{"message":"[Attack
Discovery][Scheduling] Add attack discovery alerts deduplication
(#12790) (#223483)\n\n## Summary\n\nMain ticket
([Internal\nlink](https://github.com/elastic/security-team/issues/12790))\n\nWith
these changes we add attack discovery alerts deduplication. Right\nnow
identical attack are being stored within the alerts index and to\nfilter
duplicates out we will use the next approach:\n\n1. Each alert will have
a ID generated as a SHA256 of attack attributes:\nlist of SIEM alerts
IDs and space ID\n2. After LLM generates attack discoveries we would
check whether the\nattack alert with the ID that describes the attack
based on the rule\nabove exists in the alerts index\n3. If such an
alerts exists we would drop the generated discovery\n4. Otherwise, we
would proceed with storing the attack discovery as a\nnew alert\n\n##
NOTES\n\nThe feature is hidden behind the feature flag (in
`kibana.dev.yml`):\n\n```\nfeature_flags.overrides:\n
securitySolution.attackDiscoveryAlertsEnabled:
true\n```","sha":"ed803078f99d9049ea6fcb6b7eea50ea1d3cea9d"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/223483","number":223483,"mergeCommit":{"message":"[Attack
Discovery][Scheduling] Add attack discovery alerts deduplication
(#12790) (#223483)\n\n## Summary\n\nMain ticket
([Internal\nlink](https://github.com/elastic/security-team/issues/12790))\n\nWith
these changes we add attack discovery alerts deduplication. Right\nnow
identical attack are being stored within the alerts index and to\nfilter
duplicates out we will use the next approach:\n\n1. Each alert will have
a ID generated as a SHA256 of attack attributes:\nlist of SIEM alerts
IDs and space ID\n2. After LLM generates attack discoveries we would
check whether the\nattack alert with the ID that describes the attack
based on the rule\nabove exists in the alerts index\n3. If such an
alerts exists we would drop the generated discovery\n4. Otherwise, we
would proceed with storing the attack discovery as a\nnew alert\n\n##
NOTES\n\nThe feature is hidden behind the feature flag (in
`kibana.dev.yml`):\n\n```\nfeature_flags.overrides:\n
securitySolution.attackDiscoveryAlertsEnabled:
true\n```","sha":"ed803078f99d9049ea6fcb6b7eea50ea1d3cea9d"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Ievgen Sorokopud <[email protected]>

Author: kibanamachine

x-pack/solutions/security/plugins/elastic_assistant/server/__mocks__/data_clients.mock.ts

@@ -47,6 +47,8 @@ export const conversationsDataClientMock: {
 const createAttackDiscoveryDataClientMock = (): AttackDiscoveryDataClientMock => ({
   bulkUpdateAttackDiscoveryAlerts: jest.fn(),
   createAttackDiscovery: jest.fn(),
+  getAdHocAlertsIndexPattern: jest.fn(),
+  getScheduledAndAdHocIndexPattern: jest.fn(),
   createAttackDiscoveryAlerts: jest.fn(),
   findAllAttackDiscoveries: jest.fn(),
   getAlertConnectorNames: jest.fn(),

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/evaluation/__mocks__/mock_attack_discoveries.ts

@@ -29,4 +29,33 @@ export const mockAttackDiscoveries: AttackDiscovery[] = [
     entitySummaryMarkdown:
       'Critical malware and phishing alerts detected on {{ host.name e1cb3cf0-30f3-4f99-a9c8-518b955c6f90 }} involving user {{ user.name 039c15c5-3964-43e7-a891-42fe2ceeb9ff }}.',
   },
+  {
+    alertIds: [
+      '093abac9d2431f4e87e696aee648c44a77cc9d4e7d12ba90ad71821c399baffe',
+      '57fbcbdc22ececf1cbc4d3978c8085b64e33f03f927997769353348d003b80ac',
+      '5fb3aa96aa5db16a2b8f6f6dabc1b575c80325897839e4ed4fd1c4e264ce591f',
+      '61666b168da4e77afb540a5c04b845c32d9e0113e1434f04f2e25b35980527a7',
+      '65acae68c6f518871a70f139913a031d68275808d584731f049b24fd3690f67b',
+      '87f2d1a10a41fd3ed6077cf85d96df744255fec1072834ca30d5a88525dc9c9d',
+      '8b164dbdaff8b57b7b881d11ceecca8cab0364422d2bf87a009f4f897066cf23',
+      'b1c21a113f3858b6fd0a2f3854b71f9da52bdf46fdfa2c702a3f966f8809e153',
+      'b47c3d991f071dcae02d5de601c6ebdec565e31262ae6cd3a304f6373225c65b',
+      'd7985a0a305644d27945ca0ffcb861c75f6144199d16e8ac9f681fcf26333308',
+    ],
+    detailsMarkdown:
+      '- On {{ host.name 1f217ee0-af2d-424b-b733-b0fdd726df69 }}, a suspicious process {{ process.name mimikatz.exe }} with {{ process.args "C:\\mimikatz.exe",--tr1 }} was executed by {{ user.name a2b0848d-e54f-4cb2-83db-01186ad3a33c }} from {{ user.domain 7nabs9z95j }} at {{ kibana.alert.original_time 2025-06-10T11:27:41.520Z }}, resulting in authentication failures.\n- Shortly after, the same host saw file activity on {{ file.path C:\\My Documents\\business\\January\\processName }} by process {{ process.name lsass.exe }} ({{ process.args "C:\\lsass.exe",--1ge }}) under {{ user.name 24fcfb78-d478-485f-a811-863e7f455e84 }} from {{ user.domain qevk4kbvcm }} at {{ kibana.alert.original_time 2025-06-10T11:30:47.520Z }}.\n- At {{ kibana.alert.original_time 2025-06-10T12:10:20.520Z }}, on the same host, {{ process.name powershell.exe }} and {{ file.name fake_behavior.exe }} were executed by {{ user.name 054b9510-4e58-4a0a-bc28-0286a6566e19 }} from {{ user.domain aacuihaf3x }}, with network connections from {{ source.ip 10.234.158.79 }} to {{ destination.ip 10.66.11.163 }}.\n- Simultaneously, on {{ host.name e70b7f81-e5a1-4c83-9168-568156cdc17a }}, malware {{ process.name iexlorer.exe }} was detected as {{ user.name 1e30f444-04b7-43d0-9b97-1d335d96e72c }} from {{ user.domain cwi41t2i0r }} at {{ kibana.alert.original_time 2025-06-10T12:10:12.534Z }}, suggesting propagation.\n- At {{ kibana.alert.original_time 2025-06-10T12:13:06.520Z }}, on {{ host.name 1f217ee0-af2d-424b-b733-b0fdd726df69 }}, {{ process.name explorer.exe }} ({{ process.executable C:/fake_behavior/explorer.exe }}) and {{ file.name fake_behavior.exe }} were run by {{ user.name 5b4207f4-9cf0-47b0-b875-7384b2d292d7 }} from {{ user.domain 09yzh9bg35 }}, with network connections from {{ source.ip 10.63.82.62 }} to {{ destination.ip 10.43.183.158 }}.\n- The close timing, repeated use of credential access tools, and network activity between hosts indicate a coordinated attack chain involving credential dumping, malware propagation, and data collection/exfiltration.',
+    entitySummaryMarkdown:
+      'Credential access and malware on {{ host.name 1f217ee0-af2d-424b-b733-b0fdd726df69 }}.',
+    mitreAttackTactics: [
+      'Credential Access',
+      'Execution',
+      'Collection',
+      'Command and Control',
+      'Exfiltration',
+    ],
+    summaryMarkdown:
+      'Credential dumping, malware, and data exfiltration on {{ host.name 1f217ee0-af2d-424b-b733-b0fdd726df69 }} and related hosts.',
+    timestamp: '2025-06-10T12:34:53.366Z',
+    title: 'Credential Access and Data Exfiltration',
+  },
 ];

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/deduplication/index.test.ts

@@ -0,0 +1,109 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { estypes } from '@elastic/elasticsearch';
+import { elasticsearchServiceMock } from '@kbn/core/server/mocks';
+import { loggerMock } from '@kbn/logging-mocks';
+
+import { deduplicateAttackDiscoveries } from '.';
+import { mockAttackDiscoveries } from '../../evaluation/__mocks__/mock_attack_discoveries';
+import { generateAttackDiscoveryAlertHash } from '../transforms/transform_to_alert_documents';
+
+jest.mock('../transforms/transform_to_alert_documents', () => ({
+  ...jest.requireActual('../transforms/transform_to_alert_documents'),
+  generateAttackDiscoveryAlertHash: jest.fn(),
+}));
+
+const mockEsClient = elasticsearchServiceMock.createElasticsearchClient();
+const mockLogger = loggerMock.create();
+
+describe('deduplicateAttackDiscoveries', () => {
+  const uuid1 = 'test-uuid-1';
+  const uuid2 = 'test-uuid-2';
+  const [attack1, attack2] = mockAttackDiscoveries;
+  const defaultProps = {
+    attackDiscoveries: mockAttackDiscoveries,
+    connectorId: 'test-connector-1',
+    esClient: mockEsClient,
+    indexPattern: '.test.alerts-*,.adhoc.alerts-*',
+    logger: mockLogger,
+    ownerId: 'test-owner-1',
+    spaceId: 'test-space',
+  };
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    mockEsClient.search.mockResponse({ hits: { hits: [] } } as unknown as estypes.SearchResponse);
+    (generateAttackDiscoveryAlertHash as jest.Mock).mockImplementation(({ attackDiscovery }) => {
+      if (attackDiscovery === attack1) return uuid1;
+      if (attackDiscovery === attack2) return uuid2;
+      return 'unknown-uuid';
+    });
+  });
+
+  it('should return empty array if no attack discoveries passed to the function', async () => {
+    const result = await deduplicateAttackDiscoveries({ ...defaultProps, attackDiscoveries: [] });
+
+    expect(result).toEqual([]);
+  });
+
+  it('should return all discoveries if none are duplicates', async () => {
+    const result = await deduplicateAttackDiscoveries(defaultProps);
+    expect(result).toEqual(mockAttackDiscoveries);
+  });
+
+  it('should filter out all discoveries if all are duplicates', async () => {
+    mockEsClient.search.mockResponse({
+      hits: {
+        hits: [
+          { _source: { 'kibana.alert.instance.id': uuid1 } },
+          { _source: { 'kibana.alert.instance.id': uuid2 } },
+        ],
+      },
+    } as unknown as estypes.SearchResponse);
+    const result = await deduplicateAttackDiscoveries(defaultProps);
+    expect(result).toEqual([]);
+  });
+
+  it('should filter out only duplicates and keep new discoveries', async () => {
+    mockEsClient.search.mockResponse({
+      hits: {
+        hits: [{ _source: { 'kibana.alert.instance.id': uuid2 } }],
+      },
+    } as unknown as estypes.SearchResponse);
+    const result = await deduplicateAttackDiscoveries({
+      ...defaultProps,
+      attackDiscoveries: [attack1, attack2],
+    });
+    expect(result).toEqual([attack1]);
+  });
+
+  it('should handle ES hits with missing _source gracefully', async () => {
+    mockEsClient.search.mockResponse({
+      hits: {
+        hits: [{ _id: 'foo' }],
+      },
+    } as unknown as estypes.SearchResponse);
+    const result = await deduplicateAttackDiscoveries({
+      ...defaultProps,
+      attackDiscoveries: [attack1],
+    });
+    expect(result).toEqual([attack1]);
+  });
+
+  it('should log when duplicates are found', async () => {
+    mockEsClient.search.mockResponse({
+      hits: {
+        hits: [{ _source: { 'kibana.alert.instance.id': uuid1 } }],
+      },
+    } as unknown as estypes.SearchResponse);
+    await deduplicateAttackDiscoveries(defaultProps);
+    expect(mockLogger.info).toHaveBeenCalledWith(
+      'Found 1 duplicate alert(s), skipping report for those.'
+    );
+  });
+});

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/deduplication/index.ts

@@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ElasticsearchClient, Logger } from '@kbn/core/server';
+import { ALERT_INSTANCE_ID } from '@kbn/rule-data-utils';
+import { AttackDiscoveries } from '@kbn/elastic-assistant-common';
+
+import { AttackDiscoveryAlertDocument } from '../../schedules/types';
+import { generateAttackDiscoveryAlertHash } from '../transforms/transform_to_alert_documents';
+
+interface DeduplicateAttackDiscoveriesParams {
+  attackDiscoveries: AttackDiscoveries;
+  connectorId: string;
+  esClient: ElasticsearchClient;
+  indexPattern: string;
+  logger: Logger;
+  ownerId: string;
+  spaceId: string;
+}
+
+export const deduplicateAttackDiscoveries = async ({
+  attackDiscoveries,
+  connectorId,
+  esClient,
+  indexPattern,
+  logger,
+  ownerId,
+  spaceId,
+}: DeduplicateAttackDiscoveriesParams): Promise<AttackDiscoveries> => {
+  if (!attackDiscoveries || attackDiscoveries.length === 0) {
+    return attackDiscoveries;
+  }
+
+  // 1. Transform all attackDiscoveries to alert documents and collect alertUuids
+  const alertDocs = attackDiscoveries.map((attack) => {
+    const alertHash = generateAttackDiscoveryAlertHash({
+      attackDiscovery: attack,
+      connectorId,
+      ownerId,
+      spaceId,
+    });
+    return { attack, alertHash };
+  });
+  const alertUuids = alertDocs.map((doc) => doc.alertHash);
+
+  // 2. Search for existing alerts in ES
+  const searchResult = await esClient.search<AttackDiscoveryAlertDocument>({
+    index: indexPattern,
+    size: alertUuids.length,
+    query: { bool: { must: [{ terms: { [ALERT_INSTANCE_ID]: alertUuids } }] } },
+    ignore_unavailable: true,
+  });
+
+  // 3. Collect found alert IDs
+  const foundIds = new Set(
+    searchResult.hits.hits.map((hit) => hit._source && hit._source[ALERT_INSTANCE_ID])
+  );
+
+  // 4. Filter out duplicates
+  const newDiscoveries = alertDocs
+    .filter((doc) => !foundIds.has(doc.alertHash))
+    .map((doc) => doc.attack);
+
+  const numDuplicates = attackDiscoveries.length - newDiscoveries.length;
+  if (numDuplicates > 0) {
+    logger.info(`Found ${numDuplicates} duplicate alert(s), skipping report for those.`);
+    logger.debug(() => `Duplicated alerts:\n ${JSON.stringify([...foundIds].sort(), null, 2)}`);
+  }
+
+  return newDiscoveries;
+};

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/get_scheduled_and_ad_hoc_index_pattern/index.test.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ATTACK_DISCOVERY_ALERTS_COMMON_INDEX_PREFIX } from '@kbn/elastic-assistant-common';
+
+import { getScheduledIndexPattern } from '.';
+
+describe('getScheduledIndexPattern', () => {
+  it('returns the expected scheduled index pattern for a given spaceId', () => {
+    const spaceId = 'test-space';
+    const result = getScheduledIndexPattern(spaceId);
+    expect(result).toBe(`${ATTACK_DISCOVERY_ALERTS_COMMON_INDEX_PREFIX}-test-space`);
+  });
+
+  it('returns the expected pattern for empty spaceId', () => {
+    const result = getScheduledIndexPattern('');
+    expect(result).toBe(`${ATTACK_DISCOVERY_ALERTS_COMMON_INDEX_PREFIX}-`);
+  });
+});

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/get_scheduled_and_ad_hoc_index_pattern/index.ts

@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ATTACK_DISCOVERY_ALERTS_COMMON_INDEX_PREFIX } from '@kbn/elastic-assistant-common';
+
+export const getScheduledIndexPattern = (spaceId: string): string => {
+  return `${ATTACK_DISCOVERY_ALERTS_COMMON_INDEX_PREFIX}-${spaceId}`;
+};

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/get_scheduled_index_pattern/index.test.ts

@@ -38,7 +38,7 @@ import { getCombinedFilter } from './get_combined_filter';
 import { getFindAttackDiscoveryAlertsAggregation } from './get_find_attack_discovery_alerts_aggregation';
 import { AttackDiscoveryAlertDocument } from '../schedules/types';
 import { transformSearchResponseToAlerts } from './transforms/transform_search_response_to_alerts';
-import { getScheduledAndAdHocIndexPattern } from './get_scheduled_and_ad_hoc_index_pattern';
+import { getScheduledIndexPattern } from './get_scheduled_index_pattern';
 import { getUpdateAttackDiscoveryAlertsQuery } from '../get_update_attack_discovery_alerts_query';
 
 const FIRST_PAGE = 1; // CAUTION: sever-side API uses a 1-based page index convention (for consistency with similar existing APIs)
@@ -106,6 +106,20 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
     });
   };
 
+  public getAdHocAlertsIndexPattern = () => {
+    if (this.adhocAttackDiscoveryDataClient === undefined) {
+      throw new Error('`adhocAttackDiscoveryDataClient` is required');
+    }
+    return this.adhocAttackDiscoveryDataClient.indexNameWithNamespace(this.spaceId);
+  };
+
+  public getScheduledAndAdHocIndexPattern = () => {
+    return [
+      getScheduledIndexPattern(this.spaceId), // scheduled
+      this.getAdHocAlertsIndexPattern(), // ad-hoc
+    ].join(',');
+  };
+
   public createAttackDiscoveryAlerts = async ({
     authenticatedUser,
     createAttackDiscoveryAlertsParams,
@@ -211,8 +225,7 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
       perPage = DEFAULT_PER_PAGE,
     } = findAttackDiscoveryAlertsParams;
 
-    const spaceId = this.spaceId;
-    const index = getScheduledAndAdHocIndexPattern(spaceId, this.adhocAttackDiscoveryDataClient);
+    const index = this.getScheduledAndAdHocIndexPattern();
 
     const filter = combineFindAttackDiscoveryFilters({
       alertIds,
@@ -336,10 +349,7 @@ export class AttackDiscoveryDataClient extends AIAssistantDataClient {
 
     const esClient = await this.options.elasticsearchClientPromise;
 
-    const indexPattern = getScheduledAndAdHocIndexPattern(
-      this.spaceId,
-      this.adhocAttackDiscoveryDataClient
-    );
+    const indexPattern = this.getScheduledAndAdHocIndexPattern();
 
     if (ids.length === 0) {
       logger.debug(