Ask AI Assistant in generic entity flyout #234324
Conversation
maxcold
changed the title
maxcold
added
release_note:skip
|
Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security) |
albertoblaz
left a comment
albertoblaz
left a comment
There was a problem hiding this comment.
Looks good overall though I lack of enough context to approve this. Only had a minor comment :)
| export const ASSET_INVENTORY_ENTITY_PROMPT = i18n.translate( | ||
| 'xpack.securitySolution.flyout.entityDetails.aiAssistant.entityPrompt', | ||
| { | ||
| defaultMessage: `You are an AI Security Assistant integrated into Elastic Security. Your primary function is to analyze asset and entity data to provide security insights. You will be provided with a JSON object containing the context of a specific asset (e.g., a host, user, service or cloud resource). Your response must be structured, contextual, and directly address the user's query if one is provided. If no specific query is given, provide a general analysis based on the structure below. |
There was a problem hiding this comment.
nit: Why not reusing ENTITY_ANALYSIS here? It might be easy to introduce a change in the prompt that does not match the translation
There was a problem hiding this comment.
I believe we can't import server-side code into client-side code. Ofc it's possible, I guess, to move this const to a common package but I implemented the feature the same way it is implemented for Alerts. I think it will be better for future improvements to have the same logic and then get rid of this duplication for all AI Assistant features
|
The final prompt will most likely change based on PM's feedback, so I'm holding back on adding it to the |
There was a problem hiding this comment.
Look great! Thanks for the templates for future AI assistant work.
On Week Idea
One thing that struck me, is that we have no way to update prompts between releases for Cloud and OnPrem, I wonder if there is a way we can use Integration packages to release the prompt update changes. Or an S3 bucket 😆
| - Include relevant emojis in section headers for visual clarity (e.g., 📝, 🛡️, 🔍, 📚). | ||
| `; | ||
|
|
||
| export const ENTITY_ANALYSIS = `You are an AI Security Assistant integrated into Elastic Security. Your primary function is to analyze asset and entity data to provide security insights. You will be provided with a JSON object containing the context of a specific asset (e.g., a host, user, service or cloud resource). Your response must be structured, contextual, and directly address the user's query if one is provided. If no specific query is given, provide a general analysis based on the structure below. |
There was a problem hiding this comment.
👏 very nice.
I am just curious, if you know, do we store the context of previous User and AI messages?
There was a problem hiding this comment.
the conversations are stored in ES and available in Kibana in the chat history if that's what you ask
| **General Instructions:** | ||
| - **Context Awareness:** Your entire analysis must be derived from the provided asset context. If a piece of information is not available in the context (or appears to be anonymized), state that and proceed with the available data. | ||
| - **Query Generation:** When asked to "write a query" or a similar request, your primary output for that section should be a valid, ready-to-use ES|QL query based on the entity's schema. | ||
| - **Formatting:** Use markdown headers, tables, code blocks, and bullet points to ensure the output is clear, organized, and easily readable. Use concise, actionable language.`; |
There was a problem hiding this comment.
Did you try prompting the LLM to format with EUI tables and code blocks?
There was a problem hiding this comment.
Markdown is preferred so we don't have to do any html injection.
There was a problem hiding this comment.
@maxcold will it better to add a list of specific indices so the ES-QL will be more relevant?
There was a problem hiding this comment.
@niros1 not sure tbh. First I hope we will add the use of ESQL tool quite soon which can validate queries and self correct. Second - index patterns tend to change, especially for asset inventory / entity store which is under active developments. That means constantly update the prompt to keep up witht the changes. Plus users can ask questions about related things, like alerts, misconfigs, vulnerabiltiies, or source events with more entity info. Keeping all these index patterns in the prompt doesn't look like a scalable solution.
While Asset Inventory is under tech preview I'd start with something simple to get going and move to implementing relevant tools and/or leveraging onechat infra/tooling
x-pack/solutions/security/plugins/elastic_assistant/server/lib/prompt/prompts.ts
Outdated
Show resolved
Hide resolved
|
@seanrathier thanks for the review
This actually is already solved, check this comment out #234324 (comment) |
opauloh
left a comment
opauloh
left a comment
There was a problem hiding this comment.
LGTM - Tested locally, it works nicely!
|
Related PR in the integration repo elastic/integrations#15393 |
alexreal1314
force-pushed
the
csp-ai-assistant-asset-inventory-phase1
branch
from
8597c3f to
236ae04
Compare
alexreal1314
force-pushed
the
csp-ai-assistant-asset-inventory-phase1
branch
from
b0855ad to
019b3a8
Compare
alexreal1314
force-pushed
the
csp-ai-assistant-asset-inventory-phase1
branch
from
076bcd1 to
e05692d
Compare
…/prompt/prompts.ts Co-authored-by: Steph Milovic <[email protected]>
alexreal1314
force-pushed
the
csp-ai-assistant-asset-inventory-phase1
branch
from
e05692d to
a2d8a06
Compare
🤖 Prompt Changes DetectedChanges have been detected to one or more prompt files in the Elastic Assistant plugin. Please remember to update the integrations repository with your prompt changes to ensure consistency across all deployments. Next Steps:
This is an automated reminder to help maintain prompt consistency across repositories. |
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
History
|
## Summary This PR adds basic "Ask AI Assistant" functionality to the Generic Entity flyout in Asset Inventory. The Asset Inventory is still in Tech Preview and behind a feature flag, so this functionality when merged will have the same availability. The implementation follows the approach of the same functionality available for Alerts The feature will be under Technical Preview as Asset Inventory itself is under Technical preview and behind an Advanced Setting Contributes to: - elastic/security-team#13836 ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### How to test 0. set up AI Assistant LLM Connectors, eg via `kibana.dev.yml` flag `xpack.actions.preconfigured`. You will need LLM credentials for that. Reach out to @maxcold if you don't have it. make sure to run elasticsearch cluster without the flag `xpack.ml.enabled=false` 1. Install Cloud Asset Discovery integration https://localhost:5601/app/integrations/detail/cloud_asset_inventory 2. Reindex Asset Inventory, you will need credentials from an env with asset inventory data, reach out to @maxcold if you don't have it: ``` POST _reindex?wait_for_completion=true { "conflicts": "proceed", "source": { "remote": { "host": "${ES_REMOTE_HOST}", "username": "${ES_REMOTE_USER}", "password": "${ES_REMOTE_PASS}" }, "index": "logs-cloud_asset_inventory*", "query": { "bool": { "must": [ { "range": { "@timestamp": { "gte": "now-1d" } } } ] } } }, "dest": { "op_type": "create", "index": "logs-cloud_asset_inventory.asset_inventory-default" } } ``` 3. Enable Asset Inventory on Kibana Settings 4. Enable Asset Inventory on Security -> Inventory page. ### Screenshots <img width="1728" height="873" alt="Screenshot 2025-09-12 at 13 25 38" src="https://github.com/user-attachments/assets/9abf8597-b404-467a-a4fe-24b4df5fa722" /> <img width="1728" height="875" alt="Screenshot 2025-09-12 at 13 25 46" src="https://github.com/user-attachments/assets/e43e0f87-ff13-4b8e-b6e5-5da3dd4e9a86" /> Preview mode - hide 'Ask AI Assistant' button - aligned with alert flyout in preview mode: <img width="1477" height="932" alt="image" src="https://github.com/user-attachments/assets/c9f2eeb0-3d60-49e9-8a7b-671cb57a1431" /> <img width="1727" height="871" alt="Screenshot 2025-09-12 at 13 26 23" src="https://github.com/user-attachments/assets/41cb16d7-6d25-4601-b5c1-3a28c31e9be2" /> --------- Co-authored-by: Steph Milovic <[email protected]> Co-authored-by: alex prozorov <[email protected]>
## Summary This PR adds basic "Ask AI Assistant" functionality to the Generic Entity flyout in Asset Inventory. The Asset Inventory is still in Tech Preview and behind a feature flag, so this functionality when merged will have the same availability. The implementation follows the approach of the same functionality available for Alerts The feature will be under Technical Preview as Asset Inventory itself is under Technical preview and behind an Advanced Setting Contributes to: - elastic/security-team#13836 ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### How to test 0. set up AI Assistant LLM Connectors, eg via `kibana.dev.yml` flag `xpack.actions.preconfigured`. You will need LLM credentials for that. Reach out to @maxcold if you don't have it. make sure to run elasticsearch cluster without the flag `xpack.ml.enabled=false` 1. Install Cloud Asset Discovery integration https://localhost:5601/app/integrations/detail/cloud_asset_inventory 2. Reindex Asset Inventory, you will need credentials from an env with asset inventory data, reach out to @maxcold if you don't have it: ``` POST _reindex?wait_for_completion=true { "conflicts": "proceed", "source": { "remote": { "host": "${ES_REMOTE_HOST}", "username": "${ES_REMOTE_USER}", "password": "${ES_REMOTE_PASS}" }, "index": "logs-cloud_asset_inventory*", "query": { "bool": { "must": [ { "range": { "@timestamp": { "gte": "now-1d" } } } ] } } }, "dest": { "op_type": "create", "index": "logs-cloud_asset_inventory.asset_inventory-default" } } ``` 3. Enable Asset Inventory on Kibana Settings 4. Enable Asset Inventory on Security -> Inventory page. ### Screenshots <img width="1728" height="873" alt="Screenshot 2025-09-12 at 13 25 38" src="https://github.com/user-attachments/assets/9abf8597-b404-467a-a4fe-24b4df5fa722" /> <img width="1728" height="875" alt="Screenshot 2025-09-12 at 13 25 46" src="https://github.com/user-attachments/assets/e43e0f87-ff13-4b8e-b6e5-5da3dd4e9a86" /> Preview mode - hide 'Ask AI Assistant' button - aligned with alert flyout in preview mode: <img width="1477" height="932" alt="image" src="https://github.com/user-attachments/assets/c9f2eeb0-3d60-49e9-8a7b-671cb57a1431" /> <img width="1727" height="871" alt="Screenshot 2025-09-12 at 13 26 23" src="https://github.com/user-attachments/assets/41cb16d7-6d25-4601-b5c1-3a28c31e9be2" /> --------- Co-authored-by: Steph Milovic <[email protected]> Co-authored-by: alex prozorov <[email protected]>
Summary
This PR adds basic "Ask AI Assistant" functionality to the Generic Entity flyout in Asset Inventory. The Asset Inventory is still in Tech Preview and behind a feature flag, so this functionality when merged will have the same availability. The implementation follows the approach of the same functionality available for Alerts
The feature will be under Technical Preview as Asset Inventory itself is under Technical preview and behind an Advanced Setting
Contributes to:
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
release_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesbackport:*labels.How to test
kibana.dev.ymlflagxpack.actions.preconfigured. You will need LLM credentials for that. Reach out to @maxcold if you don't have it. make sure to run elasticsearch cluster without the flagxpack.ml.enabled=falseScreenshots
Preview mode - hide 'Ask AI Assistant' button - aligned with alert flyout in preview mode:
