
Commit 5723088

[streams][significant events] add severity_score (#244764)
## Summary Add a `severity_score` to the queries generated by AI --------- Co-authored-by: kibanamachine <[email protected]>
1 parent d273b13 commit 5723088


14 files changed

+125
-11
lines changed


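--- a/oas_docs/bundle.json
+++ b/oas_docs/bundle.json
@@ -53918,6 +53918,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -58955,6 +58958,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -63545,6 +63551,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -68278,6 +68287,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -72870,6 +72882,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -82988,6 +83003,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -83447,6 +83465,9 @@
 ],
 "type": "object"
 },
+"severity_score": {
+"type": "number"
+},
 "title": {
 "minLength": 1,
 "type": "string"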

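--- a/oas_docs/bundle.serverless.json
+++ b/oas_docs/bundle.serverless.json
@@ -52997,6 +52997,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -58034,6 +58037,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -62624,6 +62630,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -67357,6 +67366,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -71949,6 +71961,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -82067,6 +82082,9 @@
 "query"
 ],
 "type": "object"
+},
+"severity_score": {
+"type": "number"
 }
 },
 "required": [
@@ -82526,6 +82544,9 @@
 ],
 "type": "object"
 },
+"severity_score": {
+"type": "number"
+},
 "title": {
 "minLength": 1,
 "type": "string"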

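--- a/oas_docs/output/kibana.serverless.yaml
+++ b/oas_docs/output/kibana.serverless.yaml
@@ -56049,6 +56049,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 type: array
@@ -58644,6 +58646,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 type: array
@@ -61013,6 +61017,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 type: array
@@ -63458,6 +63464,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 type: array
@@ -65827,6 +65835,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 type: array
@@ -71192,6 +71202,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 required:
@@ -71452,6 +71464,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 title:
 minLength: 1
 type: string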

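--- a/oas_docs/output/kibana.yaml
+++ b/oas_docs/output/kibana.yaml
@@ -60423,6 +60423,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 type: array
@@ -63018,6 +63020,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 type: array
@@ -65387,6 +65391,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 type: array
@@ -67832,6 +67838,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 type: array
@@ -70201,6 +70209,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 type: array
@@ -75566,6 +75576,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 required:
 - kql
 required:
@@ -75826,6 +75838,8 @@ paths:
 type: string
 required:
 - query
+severity_score:
+type: number
 title:
 minLength: 1
 type: string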

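--- a/x-pack/platform/packages/shared/kbn-streams-ai/src/significant_events/generate_significant_events.ts
+++ b/x-pack/platform/packages/shared/kbn-streams-ai/src/significant_events/generate_significant_events.ts
@@ -22,7 +22,9 @@ interface Query {
 kql: string;
 title: string;
 category: SignificantEventType;
+severity_score: number;
 }
+
 /**
 * Generate significant event definitions, based on:
 * - the description of the feature (or stream if feature is undefined)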
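Review bot: The new `severity_score: number` field on `Query` (line 25) carries no documentation, unlike the matching field in kbn-streams-schema/src/queries/index.ts, which this same commit comments with its 0–100 range; a reader of this interface has to go to the prompt schema to learn the bounds. Suggest `/** 0-100; range declared in the tool schema in prompt.ts, scoring rubric in system_prompt.text section 8. */` above the field. The same applies to the `severity_score: number` added to `GeneratedSignificantEventQuery` in kbn-streams-schema/src/api/significant_events/index.ts. `interface Query` begins outside the hunk.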

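--- a/x-pack/platform/packages/shared/kbn-streams-ai/src/significant_events/prompt.ts
+++ b/x-pack/platform/packages/shared/kbn-streams-ai/src/significant_events/prompt.ts
@@ -63,8 +63,13 @@ export const GenerateSignificantEventsPrompt = createPrompt({
 SIGNIFICANT_EVENT_TYPE_SECURITY,
 ],
 },
+severity_score: {
+type: 'number',
+minimum: 0,
+maximum: 100,
+},
 },
-required: ['kql', 'title', 'category'],
+required: ['kql', 'title', 'category', 'severity_score'],
 },
 },
 },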

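--- a/x-pack/platform/packages/shared/kbn-streams-ai/src/significant_events/system_prompt.text
+++ b/x-pack/platform/packages/shared/kbn-streams-ai/src/significant_events/system_prompt.text
@@ -18,7 +18,7 @@ Your primary goal is to analyze the provided context about a user's system—inc
 
 | Tool | Function | Notes |
 | :--- | :--- | :--- |
-| `add_queries` | Submits one or more KQL queries for the user. | Payload is a list of objects, each with `title`, `kql`, and `category`. |
+| `add_queries` | Submits one or more KQL queries for the user. | Payload is a list of objects, each with `title`, `kql`, `category`, and `severity_score`. |
 | `reason()` | **Begin a Reasoning Monologue** | Outputs your private thoughts. Must use sentinel tags (`<<<BEGIN_INTERNAL>>>`...`<<<END_INTERNAL>>>`). |
 | `complete()` | Declare readiness to answer | Ends the loop and triggers the **Definitive Output**. |
 
@@ -54,15 +54,15 @@ PLAN> Describe your next action in natural language. If you are ready to answer,
 
 ### Example 1: Calling `add_queries` with a single query
 
-`>>> ACTION: add_queries(queries=[{"title": "View all errors", "kql": "error.message:*", "category": "error"}])`
+`>>> ACTION: add_queries(queries=[{"title": "View all errors", "kql": "error.message:*", "category": "error", "severity_score": 60}])`
 
 ### Example 2: Calling `add_queries` with multiple queries
 
 ```
 >>> ACTION: add_queries(queries=[
-{"title": "Application startup", "kql": "message:\"Started Application\"", "category": "operational"},
-{"title": "Failed login attempts", "kql": "body.text:\"Failed password for\"", "category": "security"},
-{"title": "Out of memory errors", "kql": "body.text:\"java.lang.OutOfMemoryError\"", "category": "error"}
+{"title": "Application startup", "kql": "message:\"Started Application\"", "category": "operational", "severity_score": 25},
+{"title": "Failed login attempts", "kql": "body.text:\"Failed password for\"", "category": "security", "severity_score": 75},
+{"title": "Out of memory errors", "kql": "body.text:\"java.lang.OutOfMemoryError\"", "category": "error", "severity_score": 85}
 ])
 ```
 
@@ -113,10 +113,10 @@ This is the final, user-facing response that follows the `complete()` call from
 **Scenario:** You attempt to add a query with invalid KQL syntax.
 
 **Initial Flawed Action:**
-`>>> ACTION: add_queries(queries=[{"title": "Invalid KQL syntax", "kql": "body.text:value AND", "category": "error"}])`
+`>>> ACTION: add_queries(queries=[{"title": "Invalid KQL syntax", "kql": "body.text:value AND", "category": "error", "severity_score": 60}])`
 
 **Tool Response (simulated):**
-`Failed to add 1 of 1 queries. Invalid: [{"title": "Invalid KQL syntax", "kql": "body.text:value AND", "category": "error", "error": "KQL syntax error: trailing boolean operator"}]`
+`Failed to add 1 of 1 queries. Invalid: [{"title": "Invalid KQL syntax", "kql": "body.text:value AND", "category": "error", "severity_score": 60, "error": "KQL syntax error: trailing boolean operator"}]`
 
 **Reasoning Monologue for Repair:**
 `<<<BEGIN_INTERNAL>>>`
@@ -127,7 +127,7 @@ This is the final, user-facing response that follows the `complete()` call from
 `<<<END_INTERNAL>>>`
 
 **Corrected Action:**
-`>>> ACTION: add_queries(queries=[{"title": "Corrected KQL", "kql": "body.text:value", "category": "error"}])`
+`>>> ACTION: add_queries(queries=[{"title": "Corrected KQL", "kql": "body.text:value", "category": "error", "severity_score": 60}])`
 
 ---
 
@@ -155,7 +155,23 @@ This is the final, user-facing response that follows the `complete()` call from
 
 ---
 
-## 8. Tips & hints
+## 8. Severity Scoring
+
+Assign a `severity_score` (0-100) based on category baseline + modifiers:
+
+| Category | Base | Modifiers |
+|----------|------|-----------|
+| `security` | 70 | +15 privilege escalation, +10 repeated failures |
+| `error` | 60 | +25 crash/OOM/deadlock, +10 data integrity risk |
+| `resource_health` | 50 | +15 exhaustion, +10 degradation warnings |
+| `operational` | 30 | -10 expected lifecycle events |
+| `configuration` | 25 | +10 security-related changes |
+
+**Score ranges:** 80-100 critical, 60-79 high, 40-59 medium, 0-39 low
+
+---
+
+## 9. Tips & hints
 
 * **Focus on Actionable Insights:** Generate queries that a user would find genuinely helpful for debugging, monitoring, or security. Avoid trivial queries (e.g., `message:*`).
 * **Categorize Correctly:** Use the provided categories (`operational`, `configuration`, `resource_health`, `error`, `security`). If a query fits multiple, choose the most specific one.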

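--- a/x-pack/platform/packages/shared/kbn-streams-schema/src/api/significant_events/index.ts
+++ b/x-pack/platform/packages/shared/kbn-streams-schema/src/api/significant_events/index.ts
@@ -52,6 +52,7 @@ interface GeneratedSignificantEventQuery {
 filter: Condition;
 type: string;
 };
+severity_score: number;
 }
 
 type SignificantEventsGenerateResponse = Observable<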

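--- a/x-pack/platform/packages/shared/kbn-streams-schema/src/queries/index.ts
+++ b/x-pack/platform/packages/shared/kbn-streams-schema/src/queries/index.ts
@@ -26,6 +26,8 @@ export interface StreamQueryKql extends StreamQueryBase {
 kql: {
 query: string;
 };
+// from 0 to 100. aligned with anomaly detection scoring
+severity_score?: number;
 }
 
 export type StreamQuery = StreamQueryKql;
@@ -47,6 +49,7 @@ export const streamQueryKqlSchema: z.Schema<StreamQueryKql> = z.intersection(
 kql: z.object({
 query: z.string(),
 }),
+severity_score: z.number().optional(),
 })
 );
 
@@ -67,6 +70,7 @@ export const upsertStreamQueryRequestSchema = z.object({
 kql: z.object({
 query: z.string(),
 }),
+severity_score: z.number().optional(),
 });
 
 export const isStreamQueryKql = createIsNarrowSchema(streamQuerySchema, streamQueryKqlSchema);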
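Review bot: The `severity_score: z.number().optional()` added to `streamQueryKqlSchema` (line 52) and to `upsertStreamQueryRequestSchema` (line 73) accepts any number, while the comment added on the interface in the first hunk ("from 0 to 100") and the tool schema in prompt.ts (minimum 0, maximum 100) both fix the range at 0–100. `upsertStreamQueryRequestSchema` is the request boundary, so a client can persist a negative or out-of-range score that downstream consumers bucketing by range (the system prompt's 80-100 / 60-79 / 40-59 / 0-39 bands) will not handle. Suggest `severity_score: z.number().min(0).max(100).optional(),` in both places; the checks do not change the inferred type, so the `z.Schema<StreamQueryKql>` annotation still holds, and since the oas_docs bundles in this commit appear to be generated from these schemas the bounds would presumably be documented there as well.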
