[Security Solution] [Elastic AI Assistant] Include acknowledged alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) #173121
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrew-goldstein
added
release_note:skip
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
spong
approved these changes
Dec 12, 2023
logeekal
reviewed
Dec 12, 2023
There was a problem hiding this comment.
@andrew-goldstein
nit: does it make sense to rename folder and file name from open_alerts to eligible_alerts or something else?
There was a problem hiding this comment.
@andrew-goldstein
nit: does it make sense to rename folder and file name fromopen_alertstoeligible_alertsor something else?
Thanks @logeekal!
-
I implemented your feedback in this commit
-
The name
eligible_alertsfelt slightly out context as a folder and file name, perhaps because it wasn't clear whateligiblemeant when looking at the file system. Based purely on feels, and with the aim of avoiding the introduction of a "new" concept likeeligible, the renamed function and folders / files now look like this (when imported):
Before:
import { getOpenAlertsTool } from './open_alerts/get_open_alerts_tool';After:
import { getOpenAndAcknowledgedAlertsTool } from './open_and_acknowledged_alerts/get_open_and_acknowledged_alerts_tool';Does that feel like a reasonable change based on the feedback?
There was a problem hiding this comment.
Yes, I agree 100%. this change makes sense. Thanks for implementing it.
andrew-goldstein
force-pushed
the
include_acknowledged_alerts
branch
from
a92be36 to
322707e
Compare
| @@ -7,6 +7,7 @@ | |||
|
|
|||
| /** By default, these fields are allowed to be sent to the assistant */ | |||
| export const DEFAULT_ALLOW = [ | |||
| '_id', | |||
There was a problem hiding this comment.
| Field | Allow by default | Anonymize by default | Value add |
|---|---|---|---|
_id |
✅ | ✅ | An anonymized _id field enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs). |
kibana.alert.risk_score |
✅ | ❌ | The getOpenAndAcknowledgedAlertsQuery query sorts alerts by kibana.alert.risk_score to return the n riskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses. |
kibana.alert.workflow_status |
✅ | ❌ | The getOpenAndAcknowledgedAlertsQuery query filters alerts by kibana.alert.workflow_status to ensure only open and acknowledged alerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses. |
|
I attempted to do the Desk testing but I got stuck with below error. Could it be because of the token I have? I am not sure.
Additionally, do you think below text should also be revised, since we are not looking at
|
andrew-goldstein
force-pushed
the
include_acknowledged_alerts
branch
from
322707e to
c0a29ab
Compare
…alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) This PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`. The query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM.
… frequently exceeded." to settings
andrew-goldstein
force-pushed
the
include_acknowledged_alerts
branch
from
c0a29ab to
0982303
Compare
The error in the first screenshot happened because the number of alerts sent as context to the LLM exceeded the model's maximum context length.
Given the variability above, a slider is provided so users may adjust the total number of alerts sent as context. The default value for the slider is It appears in the 2nd screenshot that you may have increased the default.
Thanks for noting that this text should also be revised, because the query was updated to include acknowledged alerts.
The updates are highlighted in the screenshot below:
|
logeekal
approved these changes
Dec 13, 2023
There was a problem hiding this comment.
Desk Testing work perfectly. I was able to follow the steps mentioned and all of them passed.
I also tried changing the sorting of data in Alert Table and it changed the response from Assistant perfectly.
Great work 🚀 .
One point to note:
I hit the context limit event with 20 alerts so I had to reduce to 10. For future enhancement, I think we should instruct users on what to do for known errors such as below. I guess action will be different in different type of Conversations. Not sure if it is even feasible.
An error occurred sending your message.
ActionsClientLlm: action result status is error: an error occurred while running the action - Status code: 400. Message: API Error: model_error - This model's maximum context length is 8192 tokens. However, your messages resulted in 8996 tokens. Please reduce the length of the messages.
💚 Build Succeeded
Metrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 13, 2023
…s in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (elastic#173121) ## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) This PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`. The query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM. ### Updated Anonymization defaults Three fields, detailed below, were added as anonymization defaults because they improve the quality of responses from the LLM when it answers questions about alerts. For example, the LLM can refer to specific alerts by ID when the `_id` field is provided. This PR makes the following additive changes to the Assistant's `Anonymization` defaults: | Field | Allow by default | Anonymize by default | Value add | |--------------------------------|------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `_id` | ✅ | ✅ | An anonymized `_id` field enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs). | | `kibana.alert.risk_score` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query sorts alerts by `kibana.alert.risk_score` to return the `n` riskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses. | | `kibana.alert.workflow_status` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query filters alerts by `kibana.alert.workflow_status` to ensure only `open` and `acknowledged` alerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses. | - Clicking the `Reset` button shown in the screenshot below will reset the user's `Anonymization` defaults, such that they include the additive changes in the table above:  ### Updated settings text The text in the settings below was also updated:  ### Desk testing To desk test this change: - Enable the `assistantRagOnAlerts` feature flag described in [elastic#172542](elastic#172542) must be enabled, per the following example: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` - The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:  1) Navigate to Security > Alerts 2) Click the `AI Assistant` button to open the assistant 3) Click the `Settings` gear to open the assistant settings 4) Click the `Anonymization` category 5) Click the `Reset` button, shown in the screenshot below  **Expected results** - `65` fields are allowed by default, per the screenshot above - `12` fields are anonymized by default, per the screenshot above - The `_id` field is allowed by default, per the screenshot above - The `_id` field is anonymized by default, per the screenshot above 6) Type `kibana.alert.risk` in the search box **Expected result** - The `kibana.alert.risk_score` field is allowed by default 7) Type `kibana.alert.workflow` in the search box **Expected result** - The `kibana.alert.workflow_status` field is allowed by default 8) Click `Save` 9) Click the `X` button to clear the conversation 10) Close the assistant 11) Add the following two fields as columns to the Alerts page table: - `kibana.alert.workflow_status` - `_id` 12) Sort the table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:  13) Filter the alerts page to only show `open` and `acknowledged` alerts **Expected result** - The alerts page has custom columns, sorting, and filtering, per the screenshot below:  14) Click the `AI Assistant` button to open the assistant 15) Ask the assistant: ``` What is the workflow status of my alerts? ``` **Expected result** - The assistant will report on the workflow status of alerts, per the example response below: ``` The workflow status for your alerts is currently 'open'. This status was observed on alerts related to processes started by Mimikatz, a known tool used in many cyberattacks, and sequences of processes that are often indicative of malicious activity. The severity of most of these alerts is 'high' or 'critical'. You may want to investigate these alerts further to ensure there's no ongoing threat to your system. ```  16) Close the assistant 17) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged` **Expected result** - The alerts table shows the updated alert, per the screenshot below:  18) Once again, open the assistant 19) Once again, ask the (same) question: ``` What is the workflow status of my alerts? ``` **Expected result** - The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response below: ``` Based on the latest information, your alerts mainly show 'open' status, indicating that they have not been resolved yet. Some alerts have been acknowledged. Most of these unaddressed alerts have a critical severity rating and are primarily triggered by a Mimikatz process start and an EQL process sequence. You may want to prioritize these if the severity of the threat they pose is truly high or critical. It's also noteworthy that some alerts have a high severity rating. You should review all of these alerts as soon as possible to ensure your systems are secure. ```  20) Ask the assistant for details about the acknowledged alerts: ``` What are the details of the acknowledged alerts? ``` **Expected result** The assistant for details about the acknowledged alert that, for example, includes the `kibana.alert.risk_score`, per the example response below: ``` In response to your previous question, here are the details of the acknowledged alerts: 1. There is a 'mimikatz process started' alert, which is of 'critical' severity and 'acknowledged' status. It has a high risk score of 99. Its threat tactic is 'Command and Control'. The process involved was 'mimikatz.exe' running with arguments '--fo1'. 2. A 'Threshold rule' alert of 'critical' severity and 'open' status has also been detected with a risk score of 99 and threat tactic 'Collection'. 3. Lastly, there are several 'EQL process sequence' alerts of 'high' severity with 'open' status. These alerts involve execution of various processes including 'mimikatz.exe', 'lsass.exe', and 'notepad.exe'. Risk score for these alerts is 73 and the threat tactic involved is 'Execution'. Please, take appropriate action to address these alerts. ```  21) Ask the assistant for the `_id` of the acknowledged alert: ``` What is the id of the acknowledged alert? ``` **Expected results** - The response from the assistant contains the `_id` of the `acknowledged` alert, per the example response below: ``` The id of the acknowledged alert is 'db9e3dbaf40a37e3b7b95d8015e99c5721b416731e04b9140536675f6e4fd170'. This alert was for a 'mimikatz process started' event with a severity rating of 'critical' and a risk score of 99. The host name associated with this alert is 'Host-terkvbzvtj'. ```  - The `_id` shown in the assistant is the same `_id` of the acknowledged alert on the alerts page, per the screeenshot below:  22) Click the `Show anonymized` toggle in the assistant **Expected result** - The `_id` shown in the latest result is replaced with the actual anonymized value that was sent to the LLM, per the example screenshot below:  (cherry picked from commit 0d9c261)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
spong
reviewed
Dec 13, 2023
| @@ -13,17 +13,17 @@ import { DynamicTool, Tool } from 'langchain/tools'; | |||
| import { requestHasRequiredAnonymizationParams } from '../../helpers'; | |||
| import { RequestBody } from '../../types'; | |||
|
|
|||
| import { getOpenAlertsQuery } from './get_open_alerts_query'; | |||
| import { getOpenAndAcknowledgedAlertsQuery } from './get_open_and_acknowledged_alerts_query'; | |||
| import { getRawDataOrDefault, sizeIsOutOfRange } from './helpers'; | |||
|
|
|||
| export const OPEN_ALERTS_TOOL_DESCRIPTION = | |||
| 'Call this for knowledge about the latest n open alerts (sorted by `kibana.alert.risk_score`) in the environment, or when answering questions about open alerts'; | |||
There was a problem hiding this comment.
nit: open an acknowledged
Found in managing the merge w/ #172234. I got this 👍
kibanamachine
added a commit
that referenced
this pull request
Dec 13, 2023
…d alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121) (#173310) # Backport This will backport the following commits from `main` to `8.12`: - [[Security Solution] [Elastic AI Assistant] Include acknowledged alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121)](#173121) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Andrew Macri","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-12-13T17:39:08Z","message":"[Security Solution] [Elastic AI Assistant] Include acknowledged alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts)\r\n\r\nThis PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`.\r\n\r\nThe query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM.\r\n\r\n### Updated Anonymization defaults\r\n\r\nThree fields, detailed below, were added as anonymization defaults because they improve the quality of responses from the LLM when it answers questions about alerts.\r\n\r\nFor example, the LLM can refer to specific alerts by ID when the `_id` field is provided.\r\n\r\nThis PR makes the following additive changes to the Assistant's `Anonymization` defaults:\r\n\r\n| Field | Allow by default | Anonymize by default | Value add |\r\n|--------------------------------|------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\r\n| `_id` | ✅ | ✅ | An anonymized `_id` field enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs). |\r\n| `kibana.alert.risk_score` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query sorts alerts by `kibana.alert.risk_score` to return the `n` riskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses. |\r\n| `kibana.alert.workflow_status` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query filters alerts by `kibana.alert.workflow_status` to ensure only `open` and `acknowledged` alerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses. |\r\n\r\n- Clicking the `Reset` button shown in the screenshot below will reset the user's `Anonymization` defaults, such that they include the additive changes in the table above:\r\n\r\n\r\n\r\n### Updated settings text\r\n\r\nThe text in the settings below was also updated:\r\n\r\n\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- Enable the `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Navigate to Security > Alerts\r\n\r\n2) Click the `AI Assistant` button to open the assistant\r\n\r\n3) Click the `Settings` gear to open the assistant settings\r\n\r\n4) Click the `Anonymization` category\r\n\r\n5) Click the `Reset` button, shown in the screenshot below\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- `65` fields are allowed by default, per the screenshot above\r\n- `12` fields are anonymized by default, per the screenshot above\r\n- The `_id` field is allowed by default, per the screenshot above\r\n- The `_id` field is anonymized by default, per the screenshot above\r\n\r\n6) Type `kibana.alert.risk` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.risk_score` field is allowed by default\r\n\r\n7) Type `kibana.alert.workflow` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.workflow_status` field is allowed by default\r\n\r\n8) Click `Save`\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n- `kibana.alert.workflow_status`\r\n- `_id`\r\n\r\n12) Sort the table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n13) Filter the alerts page to only show `open` and `acknowledged` alerts\r\n\r\n**Expected result**\r\n\r\n- The alerts page has custom columns, sorting, and filtering, per the screenshot below:\r\n\r\n\r\n\r\n14) Click the `AI Assistant` button to open the assistant\r\n\r\n15) Ask the assistant:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant will report on the workflow status of alerts, per the example response below:\r\n\r\n```\r\nThe workflow status for your alerts is currently 'open'. This status was observed on alerts related to processes started by Mimikatz, a known tool used in many cyberattacks, and sequences of processes that are often indicative of malicious activity. The severity of most of these alerts is 'high' or 'critical'. You may want to investigate these alerts further to ensure there's no ongoing threat to your system.\r\n```\r\n\r\n\r\n\r\n16) Close the assistant\r\n\r\n17) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The alerts table shows the updated alert, per the screenshot below:\r\n\r\n\r\n\r\n18) Once again, open the assistant\r\n\r\n19) Once again, ask the (same) question:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response below:\r\n\r\n```\r\nBased on the latest information, your alerts mainly show 'open' status, indicating that they have not been resolved yet. Some alerts have been acknowledged. Most of these unaddressed alerts have a critical severity rating and are primarily triggered by a Mimikatz process start and an EQL process sequence. You may want to prioritize these if the severity of the threat they pose is truly high or critical. It's also noteworthy that some alerts have a high severity rating. You should review all of these alerts as soon as possible to ensure your systems are secure.\r\n```\r\n\r\n\r\n\r\n20) Ask the assistant for details about the acknowledged alerts:\r\n\r\n```\r\nWhat are the details of the acknowledged alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\nThe assistant for details about the acknowledged alert that, for example, includes the `kibana.alert.risk_score`, per the example response below:\r\n\r\n```\r\nIn response to your previous question, here are the details of the acknowledged alerts:\r\n\r\n1. There is a 'mimikatz process started' alert, which is of 'critical' severity and 'acknowledged' status. It has a high risk score of 99. Its threat tactic is 'Command and Control'. The process involved was 'mimikatz.exe' running with arguments '--fo1'.\r\n\r\n2. A 'Threshold rule' alert of 'critical' severity and 'open' status has also been detected with a risk score of 99 and threat tactic 'Collection'.\r\n\r\n3. Lastly, there are several 'EQL process sequence' alerts of 'high' severity with 'open' status. These alerts involve execution of various processes including 'mimikatz.exe', 'lsass.exe', and 'notepad.exe'. Risk score for these alerts is 73 and the threat tactic involved is 'Execution'.\r\n\r\nPlease, take appropriate action to address these alerts.\r\n```\r\n\r\n\r\n\r\n21) Ask the assistant for the `_id` of the acknowledged alert:\r\n\r\n```\r\nWhat is the id of the acknowledged alert?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The response from the assistant contains the `_id` of the `acknowledged` alert, per the example response below:\r\n\r\n```\r\nThe id of the acknowledged alert is 'db9e3dbaf40a37e3b7b95d8015e99c5721b416731e04b9140536675f6e4fd170'. This alert was for a 'mimikatz process started' event with a severity rating of 'critical' and a risk score of 99. The host name associated with this alert is 'Host-terkvbzvtj'.\r\n```\r\n\r\n\r\n\r\n- The `_id` shown in the assistant is the same `_id` of the acknowledged alert on the alerts page, per the screeenshot below:\r\n\r\n\r\n\r\n22) Click the `Show anonymized` toggle in the assistant\r\n\r\n**Expected result**\r\n\r\n- The `_id` shown in the latest result is replaced with the actual anonymized value that was sent to the LLM, per the example screenshot below:\r\n\r\n","sha":"0d9c261530b102e7a7a87f4d5dcdf423cdd17a2c","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team: SecuritySolution","Team:Threat Hunting:Investigations","Feature:Elastic AI Assistant","v8.12.0","v8.13.0"],"number":173121,"url":"https://github.com/elastic/kibana/pull/173121","mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Include acknowledged alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts)\r\n\r\nThis PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`.\r\n\r\nThe query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM.\r\n\r\n### Updated Anonymization defaults\r\n\r\nThree fields, detailed below, were added as anonymization defaults because they improve the quality of responses from the LLM when it answers questions about alerts.\r\n\r\nFor example, the LLM can refer to specific alerts by ID when the `_id` field is provided.\r\n\r\nThis PR makes the following additive changes to the Assistant's `Anonymization` defaults:\r\n\r\n| Field | Allow by default | Anonymize by default | Value add |\r\n|--------------------------------|------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\r\n| `_id` | ✅ | ✅ | An anonymized `_id` field enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs). |\r\n| `kibana.alert.risk_score` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query sorts alerts by `kibana.alert.risk_score` to return the `n` riskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses. |\r\n| `kibana.alert.workflow_status` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query filters alerts by `kibana.alert.workflow_status` to ensure only `open` and `acknowledged` alerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses. |\r\n\r\n- Clicking the `Reset` button shown in the screenshot below will reset the user's `Anonymization` defaults, such that they include the additive changes in the table above:\r\n\r\n\r\n\r\n### Updated settings text\r\n\r\nThe text in the settings below was also updated:\r\n\r\n\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- Enable the `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Navigate to Security > Alerts\r\n\r\n2) Click the `AI Assistant` button to open the assistant\r\n\r\n3) Click the `Settings` gear to open the assistant settings\r\n\r\n4) Click the `Anonymization` category\r\n\r\n5) Click the `Reset` button, shown in the screenshot below\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- `65` fields are allowed by default, per the screenshot above\r\n- `12` fields are anonymized by default, per the screenshot above\r\n- The `_id` field is allowed by default, per the screenshot above\r\n- The `_id` field is anonymized by default, per the screenshot above\r\n\r\n6) Type `kibana.alert.risk` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.risk_score` field is allowed by default\r\n\r\n7) Type `kibana.alert.workflow` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.workflow_status` field is allowed by default\r\n\r\n8) Click `Save`\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n- `kibana.alert.workflow_status`\r\n- `_id`\r\n\r\n12) Sort the table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n13) Filter the alerts page to only show `open` and `acknowledged` alerts\r\n\r\n**Expected result**\r\n\r\n- The alerts page has custom columns, sorting, and filtering, per the screenshot below:\r\n\r\n\r\n\r\n14) Click the `AI Assistant` button to open the assistant\r\n\r\n15) Ask the assistant:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant will report on the workflow status of alerts, per the example response below:\r\n\r\n```\r\nThe workflow status for your alerts is currently 'open'. This status was observed on alerts related to processes started by Mimikatz, a known tool used in many cyberattacks, and sequences of processes that are often indicative of malicious activity. The severity of most of these alerts is 'high' or 'critical'. You may want to investigate these alerts further to ensure there's no ongoing threat to your system.\r\n```\r\n\r\n\r\n\r\n16) Close the assistant\r\n\r\n17) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The alerts table shows the updated alert, per the screenshot below:\r\n\r\n\r\n\r\n18) Once again, open the assistant\r\n\r\n19) Once again, ask the (same) question:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response below:\r\n\r\n```\r\nBased on the latest information, your alerts mainly show 'open' status, indicating that they have not been resolved yet. Some alerts have been acknowledged. Most of these unaddressed alerts have a critical severity rating and are primarily triggered by a Mimikatz process start and an EQL process sequence. You may want to prioritize these if the severity of the threat they pose is truly high or critical. It's also noteworthy that some alerts have a high severity rating. You should review all of these alerts as soon as possible to ensure your systems are secure.\r\n```\r\n\r\n\r\n\r\n20) Ask the assistant for details about the acknowledged alerts:\r\n\r\n```\r\nWhat are the details of the acknowledged alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\nThe assistant for details about the acknowledged alert that, for example, includes the `kibana.alert.risk_score`, per the example response below:\r\n\r\n```\r\nIn response to your previous question, here are the details of the acknowledged alerts:\r\n\r\n1. There is a 'mimikatz process started' alert, which is of 'critical' severity and 'acknowledged' status. It has a high risk score of 99. Its threat tactic is 'Command and Control'. The process involved was 'mimikatz.exe' running with arguments '--fo1'.\r\n\r\n2. A 'Threshold rule' alert of 'critical' severity and 'open' status has also been detected with a risk score of 99 and threat tactic 'Collection'.\r\n\r\n3. Lastly, there are several 'EQL process sequence' alerts of 'high' severity with 'open' status. These alerts involve execution of various processes including 'mimikatz.exe', 'lsass.exe', and 'notepad.exe'. Risk score for these alerts is 73 and the threat tactic involved is 'Execution'.\r\n\r\nPlease, take appropriate action to address these alerts.\r\n```\r\n\r\n\r\n\r\n21) Ask the assistant for the `_id` of the acknowledged alert:\r\n\r\n```\r\nWhat is the id of the acknowledged alert?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The response from the assistant contains the `_id` of the `acknowledged` alert, per the example response below:\r\n\r\n```\r\nThe id of the acknowledged alert is 'db9e3dbaf40a37e3b7b95d8015e99c5721b416731e04b9140536675f6e4fd170'. This alert was for a 'mimikatz process started' event with a severity rating of 'critical' and a risk score of 99. The host name associated with this alert is 'Host-terkvbzvtj'.\r\n```\r\n\r\n\r\n\r\n- The `_id` shown in the assistant is the same `_id` of the acknowledged alert on the alerts page, per the screeenshot below:\r\n\r\n\r\n\r\n22) Click the `Show anonymized` toggle in the assistant\r\n\r\n**Expected result**\r\n\r\n- The `_id` shown in the latest result is replaced with the actual anonymized value that was sent to the LLM, per the example screenshot below:\r\n\r\n","sha":"0d9c261530b102e7a7a87f4d5dcdf423cdd17a2c"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","labelRegex":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/173121","number":173121,"mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Include acknowledged alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts) (#173121)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts)\r\n\r\nThis PR updates the query used by [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542) to include alerts with a `kibana.alert.workflow_status` value of `acknowledged`.\r\n\r\nThe query previously only returned alerts with a status of `open`. This change ensures both `open` and `acknowledged` alerts are provided as context to the LLM.\r\n\r\n### Updated Anonymization defaults\r\n\r\nThree fields, detailed below, were added as anonymization defaults because they improve the quality of responses from the LLM when it answers questions about alerts.\r\n\r\nFor example, the LLM can refer to specific alerts by ID when the `_id` field is provided.\r\n\r\nThis PR makes the following additive changes to the Assistant's `Anonymization` defaults:\r\n\r\n| Field | Allow by default | Anonymize by default | Value add |\r\n|--------------------------------|------------------|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\r\n| `_id` | ✅ | ✅ | An anonymized `_id` field enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs). |\r\n| `kibana.alert.risk_score` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query sorts alerts by `kibana.alert.risk_score` to return the `n` riskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses. |\r\n| `kibana.alert.workflow_status` | ✅ | ❌ | The `getOpenAndAcknowledgedAlertsQuery` query filters alerts by `kibana.alert.workflow_status` to ensure only `open` and `acknowledged` alerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses. |\r\n\r\n- Clicking the `Reset` button shown in the screenshot below will reset the user's `Anonymization` defaults, such that they include the additive changes in the table above:\r\n\r\n\r\n\r\n### Updated settings text\r\n\r\nThe text in the settings below was also updated:\r\n\r\n\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- Enable the `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Navigate to Security > Alerts\r\n\r\n2) Click the `AI Assistant` button to open the assistant\r\n\r\n3) Click the `Settings` gear to open the assistant settings\r\n\r\n4) Click the `Anonymization` category\r\n\r\n5) Click the `Reset` button, shown in the screenshot below\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- `65` fields are allowed by default, per the screenshot above\r\n- `12` fields are anonymized by default, per the screenshot above\r\n- The `_id` field is allowed by default, per the screenshot above\r\n- The `_id` field is anonymized by default, per the screenshot above\r\n\r\n6) Type `kibana.alert.risk` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.risk_score` field is allowed by default\r\n\r\n7) Type `kibana.alert.workflow` in the search box\r\n\r\n**Expected result**\r\n\r\n- The `kibana.alert.workflow_status` field is allowed by default\r\n\r\n8) Click `Save`\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n- `kibana.alert.workflow_status`\r\n- `_id`\r\n\r\n12) Sort the table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n13) Filter the alerts page to only show `open` and `acknowledged` alerts\r\n\r\n**Expected result**\r\n\r\n- The alerts page has custom columns, sorting, and filtering, per the screenshot below:\r\n\r\n\r\n\r\n14) Click the `AI Assistant` button to open the assistant\r\n\r\n15) Ask the assistant:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant will report on the workflow status of alerts, per the example response below:\r\n\r\n```\r\nThe workflow status for your alerts is currently 'open'. This status was observed on alerts related to processes started by Mimikatz, a known tool used in many cyberattacks, and sequences of processes that are often indicative of malicious activity. The severity of most of these alerts is 'high' or 'critical'. You may want to investigate these alerts further to ensure there's no ongoing threat to your system.\r\n```\r\n\r\n\r\n\r\n16) Close the assistant\r\n\r\n17) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The alerts table shows the updated alert, per the screenshot below:\r\n\r\n\r\n\r\n18) Once again, open the assistant\r\n\r\n19) Once again, ask the (same) question:\r\n\r\n```\r\nWhat is the workflow status of my alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response below:\r\n\r\n```\r\nBased on the latest information, your alerts mainly show 'open' status, indicating that they have not been resolved yet. Some alerts have been acknowledged. Most of these unaddressed alerts have a critical severity rating and are primarily triggered by a Mimikatz process start and an EQL process sequence. You may want to prioritize these if the severity of the threat they pose is truly high or critical. It's also noteworthy that some alerts have a high severity rating. You should review all of these alerts as soon as possible to ensure your systems are secure.\r\n```\r\n\r\n\r\n\r\n20) Ask the assistant for details about the acknowledged alerts:\r\n\r\n```\r\nWhat are the details of the acknowledged alerts?\r\n```\r\n\r\n**Expected result**\r\n\r\nThe assistant for details about the acknowledged alert that, for example, includes the `kibana.alert.risk_score`, per the example response below:\r\n\r\n```\r\nIn response to your previous question, here are the details of the acknowledged alerts:\r\n\r\n1. There is a 'mimikatz process started' alert, which is of 'critical' severity and 'acknowledged' status. It has a high risk score of 99. Its threat tactic is 'Command and Control'. The process involved was 'mimikatz.exe' running with arguments '--fo1'.\r\n\r\n2. A 'Threshold rule' alert of 'critical' severity and 'open' status has also been detected with a risk score of 99 and threat tactic 'Collection'.\r\n\r\n3. Lastly, there are several 'EQL process sequence' alerts of 'high' severity with 'open' status. These alerts involve execution of various processes including 'mimikatz.exe', 'lsass.exe', and 'notepad.exe'. Risk score for these alerts is 73 and the threat tactic involved is 'Execution'.\r\n\r\nPlease, take appropriate action to address these alerts.\r\n```\r\n\r\n\r\n\r\n21) Ask the assistant for the `_id` of the acknowledged alert:\r\n\r\n```\r\nWhat is the id of the acknowledged alert?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The response from the assistant contains the `_id` of the `acknowledged` alert, per the example response below:\r\n\r\n```\r\nThe id of the acknowledged alert is 'db9e3dbaf40a37e3b7b95d8015e99c5721b416731e04b9140536675f6e4fd170'. This alert was for a 'mimikatz process started' event with a severity rating of 'critical' and a risk score of 99. The host name associated with this alert is 'Host-terkvbzvtj'.\r\n```\r\n\r\n\r\n\r\n- The `_id` shown in the assistant is the same `_id` of the acknowledged alert on the alerts page, per the screeenshot below:\r\n\r\n\r\n\r\n22) Click the `Show anonymized` toggle in the assistant\r\n\r\n**Expected result**\r\n\r\n- The `_id` shown in the latest result is replaced with the actual anonymized value that was sent to the LLM, per the example screenshot below:\r\n\r\n","sha":"0d9c261530b102e7a7a87f4d5dcdf423cdd17a2c"}}]}] BACKPORT--> Co-authored-by: Andrew Macri <[email protected]>
Merged
3 tasks
spong
added a commit
that referenced
this pull request
Dec 14, 2023
… tool registration (#172234) ## Summary Adds support for arbitrary tool registration on plugin start, allowing any plugin consuming the `elastic_assistant` plugin to register tools specific to their use case. This was achieved by introducing an `AppContextService`, with functions `registerTools` and `getRegisteredTools`. When registering within another plugin's start contract, call `registerTools`, e.g. ``` ts // Assistant Tool and Feature Registration plugins.elasticAssistant.registerTools(APP_UI_ID, getAssistantTools()); ``` and to get any tools for a given plugin, call `getRegisteredTools` with the plugin's name. E.g here within the assistant request handler: ```ts // Fetch any tools registered by the request's originating plugin const pluginName = getPluginNameFromRequest({ request, logger }); const assistantTools = (await context.elasticAssistant).getRegisteredTools(pluginName); ``` > [!NOTE] > Use the plugin name that corresponds to your application as defined in the `x-kbn-context` header of requests made from your application. This is the value used to fetch relevant tools, which may be different than your plugin's registered `APP_ID`. ### Test instructions Since no new tool functionality has been enabled here, you can just follow the test instructions from #173121, and ensure that enabling/disabling the KB or RAG on Alerts still functions as expected. You should see the registered tools as a debug logger, e.g. ``` [DEBUG][plugins.elasticAssistant] AppContextService:getRegisteredTools [DEBUG][plugins.elasticAssistant] pluginName: securitySolutionUI [DEBUG][plugins.elasticAssistant] tools: AlertCountsTool, ESQLKnowledgeBaseTool, OpenAndAcknowledgedAlertsTool [DEBUG][plugins.elasticAssistant] applicable tools: "alert-counts, ESQLKnowledgeBaseTool, open-alerts" ``` ### Checklist Delete any items that are not applicable to this PR. - [ ] ~Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)~ - [ ] ~[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials~ - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]>
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this pull request
Dec 20, 2023
…alerts in the LangChain `AlertCountsTool` aggregation This PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542) - This PR is similar to <elastic#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts - In contrast to [elastic#173121](elastic#173121), this PR is focused on the alert counts _aggregation_ - This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker: ```json "range": { "@timestamp": { "gte": "now-24h", "lte": "now" } } ``` ### Desk testing To desk test this change: - The `assistantRagOnAlerts` feature flag described in [elastic#172542](elastic#172542) must be enabled, per the following example: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` - The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:  1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 2) After the alerts have been generated, disable all detection rules to keep the counts static during testing 3) Navigate to Security > Alerts 4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker 5) Click the `Treemap` button to select the Treemap visualization 6) In the Treemap's `Group by` input, enter `kibana.alert.severity` 7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status` 8) Click the `AI Assistant` button to open the assistant 9) Click the `X` button to clear the conversation 10) Close the assistant 11) Add the following two fields as columns to the Alerts page table: ``` kibana.alert.workflow_status _id ``` 12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:  **Expected results** - The alerts page date range is `Last 24 hours` - The `Treemap` is selected - The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status` - The alerts table has custom sorting and columns, per the screenshot below:  13) Click the `AI Assistant` button to open the assistant 14) Ask the assistant: ``` How many open alerts do I have? ``` **Expected results** - The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below: ``` You have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity. ```  15) Make note of the counts shown in the assistant, then close the assistant Expected result: - The counts from the assistant match the counts in the treemap legend, per the example screenshot below:  16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged` **Expected result** - The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:  17) Once again, open the assistant 18) Once again, ask the (same) question: ``` How many open alerts do I have? ``` **Expected result** - The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below: ``` Based on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged). ``` 
andrew-goldstein
added a commit
that referenced
this pull request
Dec 21, 2023
…rts in the LangChain `AlertCountsTool` aggregation (#173701) ## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation This PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542) - This PR is similar to <#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts - In contrast to [#173121](#173121), this PR is focused on the alert counts _aggregation_ - This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker: ```json "range": { "@timestamp": { "gte": "now-24h", "lte": "now" } } ``` ### Desk testing To desk test this change: - The `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` - The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:  1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 2) After the alerts have been generated, disable all detection rules to keep the counts static during testing 3) Navigate to Security > Alerts 4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker 5) Click the `Treemap` button to select the Treemap visualization 6) In the Treemap's `Group by` input, enter `kibana.alert.severity` 7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status` 8) Click the `AI Assistant` button to open the assistant 9) Click the `X` button to clear the conversation 10) Close the assistant 11) Add the following two fields as columns to the Alerts page table: ``` kibana.alert.workflow_status _id ``` 12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:  **Expected results** - The alerts page date range is `Last 24 hours` - The `Treemap` is selected - The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status` - The alerts table has custom sorting and columns, per the screenshot below:  13) Click the `AI Assistant` button to open the assistant 14) Ask the assistant: ``` How many open alerts do I have? ``` **Expected results** - The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below: ``` You have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity. ```  15) Make note of the counts shown in the assistant, then close the assistant Expected result: - The counts from the assistant match the counts in the treemap legend, per the example screenshot below:  16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged` **Expected result** - The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:  17) Once again, open the assistant 18) Once again, ask the (same) question: ``` How many open alerts do I have? ``` **Expected result** - The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below: ``` Based on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged). ``` 
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this pull request
Dec 21, 2023
…rts in the LangChain `AlertCountsTool` aggregation (elastic#173701) This PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542) - This PR is similar to <elastic#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts - In contrast to [elastic#173121](elastic#173121), this PR is focused on the alert counts _aggregation_ - This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker: ```json "range": { "@timestamp": { "gte": "now-24h", "lte": "now" } } ``` To desk test this change: - The `assistantRagOnAlerts` feature flag described in [elastic#172542](elastic#172542) must be enabled, per the following example: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` - The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:  1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 2) After the alerts have been generated, disable all detection rules to keep the counts static during testing 3) Navigate to Security > Alerts 4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker 5) Click the `Treemap` button to select the Treemap visualization 6) In the Treemap's `Group by` input, enter `kibana.alert.severity` 7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status` 8) Click the `AI Assistant` button to open the assistant 9) Click the `X` button to clear the conversation 10) Close the assistant 11) Add the following two fields as columns to the Alerts page table: ``` kibana.alert.workflow_status _id ``` 12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:  **Expected results** - The alerts page date range is `Last 24 hours` - The `Treemap` is selected - The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status` - The alerts table has custom sorting and columns, per the screenshot below:  13) Click the `AI Assistant` button to open the assistant 14) Ask the assistant: ``` How many open alerts do I have? ``` **Expected results** - The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below: ``` You have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity. ```  15) Make note of the counts shown in the assistant, then close the assistant Expected result: - The counts from the assistant match the counts in the treemap legend, per the example screenshot below:  16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged` **Expected result** - The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:  17) Once again, open the assistant 18) Once again, ask the (same) question: ``` How many open alerts do I have? ``` **Expected result** - The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below: ``` Based on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged). ```  (cherry picked from commit 081f52b)
andrew-goldstein
added a commit
that referenced
this pull request
Dec 21, 2023
…ed` alerts in the LangChain `AlertCountsTool` aggregation (#173701) (#173801) # Backport This will backport the following commits from `main` to `8.12`: - [[Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation (#173701)](#173701) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Andrew Macri","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-12-21T04:41:11Z","message":"[Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation (#173701)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation\r\n\r\nThis PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542)\r\n\r\n- This PR is similar to <#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts\r\n - In contrast to [#173121](#173121), this PR is focused on the alert counts _aggregation_\r\n\r\n- This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker:\r\n\r\n```json\r\n \"range\": {\r\n \"@timestamp\": {\r\n \"gte\": \"now-24h\",\r\n \"lte\": \"now\"\r\n }\r\n }\r\n```\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- The `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n2) After the alerts have been generated, disable all detection rules to keep the counts static during testing\r\n\r\n3) Navigate to Security > Alerts\r\n\r\n4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker\r\n\r\n5) Click the `Treemap` button to select the Treemap visualization\r\n\r\n6) In the Treemap's `Group by` input, enter `kibana.alert.severity`\r\n\r\n7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status`\r\n\r\n8) Click the `AI Assistant` button to open the assistant\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n```\r\nkibana.alert.workflow_status\r\n_id\r\n```\r\n\r\n12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- The alerts page date range is `Last 24 hours`\r\n- The `Treemap` is selected\r\n- The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status`\r\n- The alerts table has custom sorting and columns, per the screenshot below:\r\n\r\n\r\n\r\n13) Click the `AI Assistant` button to open the assistant\r\n\r\n14) Ask the assistant:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below:\r\n\r\n```\r\nYou have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity.\r\n```\r\n\r\n\r\n\r\n15) Make note of the counts shown in the assistant, then close the assistant\r\n\r\nExpected result:\r\n\r\n- The counts from the assistant match the counts in the treemap legend, per the example screenshot below:\r\n\r\n\r\n\r\n16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:\r\n\r\n\r\n\r\n17) Once again, open the assistant\r\n\r\n18) Once again, ask the (same) question:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below:\r\n\r\n```\r\nBased on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged).\r\n```\r\n\r\n","sha":"081f52bfe3fbbaf5bb9476c656c308f7f9430df2","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team: SecuritySolution","Team:Threat Hunting:Investigations","Feature:Elastic AI Assistant","v8.12.0","v8.13.0"],"number":173701,"url":"https://github.com/elastic/kibana/pull/173701","mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation (#173701)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation\r\n\r\nThis PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542)\r\n\r\n- This PR is similar to <#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts\r\n - In contrast to [#173121](#173121), this PR is focused on the alert counts _aggregation_\r\n\r\n- This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker:\r\n\r\n```json\r\n \"range\": {\r\n \"@timestamp\": {\r\n \"gte\": \"now-24h\",\r\n \"lte\": \"now\"\r\n }\r\n }\r\n```\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- The `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n2) After the alerts have been generated, disable all detection rules to keep the counts static during testing\r\n\r\n3) Navigate to Security > Alerts\r\n\r\n4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker\r\n\r\n5) Click the `Treemap` button to select the Treemap visualization\r\n\r\n6) In the Treemap's `Group by` input, enter `kibana.alert.severity`\r\n\r\n7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status`\r\n\r\n8) Click the `AI Assistant` button to open the assistant\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n```\r\nkibana.alert.workflow_status\r\n_id\r\n```\r\n\r\n12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- The alerts page date range is `Last 24 hours`\r\n- The `Treemap` is selected\r\n- The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status`\r\n- The alerts table has custom sorting and columns, per the screenshot below:\r\n\r\n\r\n\r\n13) Click the `AI Assistant` button to open the assistant\r\n\r\n14) Ask the assistant:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below:\r\n\r\n```\r\nYou have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity.\r\n```\r\n\r\n\r\n\r\n15) Make note of the counts shown in the assistant, then close the assistant\r\n\r\nExpected result:\r\n\r\n- The counts from the assistant match the counts in the treemap legend, per the example screenshot below:\r\n\r\n\r\n\r\n16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:\r\n\r\n\r\n\r\n17) Once again, open the assistant\r\n\r\n18) Once again, ask the (same) question:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below:\r\n\r\n```\r\nBased on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged).\r\n```\r\n\r\n","sha":"081f52bfe3fbbaf5bb9476c656c308f7f9430df2"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","labelRegex":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/173701","number":173701,"mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation (#173701)\n\n## [Security Solution] [Elastic AI Assistant] Include `acknowledged` alerts in the LangChain `AlertCountsTool` aggregation\r\n\r\nThis PR updates the LangChain `AlertCountsTool` aggregation, which answers questions like `How many open alerts do I have?`, to include `acknowledged` alerts. The `AlertCountsTool` was introduced as part of [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542)\r\n\r\n- This PR is similar to <#173121>, where `acknowledged` alerts were added to the `OpenAndAcknowledgedAlertsTool`, which returns the _details_ of alerts\r\n - In contrast to [#173121](#173121), this PR is focused on the alert counts _aggregation_\r\n\r\n- This PR also updates the `range` of **both** the `AlertCountsTool` and the `OpenAndAcknowledgedAlertsTool` queries to standardize on the following syntax, which aligns with the `Last 24 hours` option in the _Commonly used_ section of the Kibana date picker:\r\n\r\n```json\r\n \"range\": {\r\n \"@timestamp\": {\r\n \"gte\": \"now-24h\",\r\n \"lte\": \"now\"\r\n }\r\n }\r\n```\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n- The `assistantRagOnAlerts` feature flag described in [#172542](#172542) must be enabled, per the following example:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n- The `Alerts` feature must be enabled in the assistant settings, per the screenshot below:\r\n\r\n \r\n\r\n1) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n2) After the alerts have been generated, disable all detection rules to keep the counts static during testing\r\n\r\n3) Navigate to Security > Alerts\r\n\r\n4) Select `Last 24 hours` from the _Commonly used_ section of the global date picker\r\n\r\n5) Click the `Treemap` button to select the Treemap visualization\r\n\r\n6) In the Treemap's `Group by` input, enter `kibana.alert.severity`\r\n\r\n7) Next, in the Treemap's `Group by top` input, enter `kibana.alert.workflow_status`\r\n\r\n8) Click the `AI Assistant` button to open the assistant\r\n\r\n9) Click the `X` button to clear the conversation\r\n\r\n10) Close the assistant\r\n\r\n11) Add the following two fields as columns to the Alerts page table:\r\n\r\n```\r\nkibana.alert.workflow_status\r\n_id\r\n```\r\n\r\n12) Sort the Alerts table, first by `kibana.alert.risk_score` from high to low, and then by `@timestamp` from new to old, per the screenshot below:\r\n\r\n\r\n\r\n**Expected results**\r\n\r\n- The alerts page date range is `Last 24 hours`\r\n- The `Treemap` is selected\r\n- The treemap is grouped by `kibana.alert.severity` and then `kibana.alert.workflow_status`\r\n- The alerts table has custom sorting and columns, per the screenshot below:\r\n\r\n\r\n\r\n13) Click the `AI Assistant` button to open the assistant\r\n\r\n14) Ask the assistant:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected results**\r\n\r\n- The assistant will report on the counts and workflow status of alerts, per the example response and screenshot below:\r\n\r\n```\r\nYou have a total of 47 open alerts. Here's the breakdown: 24 alerts with low severity, 12 alerts with medium severity, 7 alerts with high severity, and 4 alerts with critical severity.\r\n```\r\n\r\n\r\n\r\n15) Make note of the counts shown in the assistant, then close the assistant\r\n\r\nExpected result:\r\n\r\n- The counts from the assistant match the counts in the treemap legend, per the example screenshot below:\r\n\r\n\r\n\r\n16) Change the workflow status of an alert in the Alerts table from `open` to `acknowledged`\r\n\r\n**Expected result**\r\n\r\n- The treemap and alerts table and include the updated (`acknowledged`) alert, per the screenshot below:\r\n\r\n\r\n\r\n17) Once again, open the assistant\r\n\r\n18) Once again, ask the (same) question:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The response from the assistant makes reference to the alert who's workflow status was changed from `open` to `acknowledged`, per the example response and screenshot below:\r\n\r\n```\r\nBased on the latest data I had received, you have a total of 47 open alerts. Here's the breakdown: 24 alerts are of low severity, 12 alerts are of medium severity, 7 alerts are of high severity, and 4 alerts are of critical severity (Note: One of the critical severity alerts has been acknowledged).\r\n```\r\n\r\n","sha":"081f52bfe3fbbaf5bb9476c656c308f7f9430df2"}}]}] BACKPORT-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[Security Solution] [Elastic AI Assistant] Include
acknowledgedalerts in the context sent to the LLM (Retrieval Augmented Generation (RAG) for Alerts)This PR updates the query used by [Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542 to include alerts with a
kibana.alert.workflow_statusvalue ofacknowledged.The query previously only returned alerts with a status of
open. This change ensures bothopenandacknowledgedalerts are provided as context to the LLM.Updated Anonymization defaults
Three fields, detailed below, were added as anonymization defaults because they improve the quality of responses from the LLM when it answers questions about alerts.
For example, the LLM can refer to specific alerts by ID when the
_idfield is provided.This PR makes the following additive changes to the Assistant's
Anonymizationdefaults:_id_idfield enables responses from the LLM to refer to specific documents (but doesn't provide it the actual document IDs).kibana.alert.risk_scoregetOpenAndAcknowledgedAlertsQueryquery sorts alerts bykibana.alert.risk_scoreto return thenriskiest alerts. Allowing this field (by default) enables the LLM to include actual alert risk scores in responses.kibana.alert.workflow_statusgetOpenAndAcknowledgedAlertsQueryquery filters alerts bykibana.alert.workflow_statusto ensure onlyopenandacknowledgedalerts are provided as context to the LLM. Allowing this field (by default) enables the LLM answer questions about workflow status, and echo the workflow status of alerts in responses.Resetbutton shown in the screenshot below will reset the user'sAnonymizationdefaults, such that they include the additive changes in the table above:Updated settings text
The text in the settings below was also updated:
Desk testing
To desk test this change:
assistantRagOnAlertsfeature flag described in #172542 must be enabled, per the following example:Alertsfeature must be enabled in the assistant settings, per the screenshot below:Navigate to Security > Alerts
Click the
AI Assistantbutton to open the assistantClick the
Settingsgear to open the assistant settingsClick the
AnonymizationcategoryClick the
Resetbutton, shown in the screenshot belowExpected results
65fields are allowed by default, per the screenshot above12fields are anonymized by default, per the screenshot above_idfield is allowed by default, per the screenshot above_idfield is anonymized by default, per the screenshot abovekibana.alert.riskin the search boxExpected result
kibana.alert.risk_scorefield is allowed by defaultkibana.alert.workflowin the search boxExpected result
kibana.alert.workflow_statusfield is allowed by defaultClick
SaveClick the
Xbutton to clear the conversationClose the assistant
Add the following two fields as columns to the Alerts page table:
kibana.alert.workflow_status_idkibana.alert.risk_scorefrom high to low, and then by@timestampfrom new to old, per the screenshot below:openandacknowledgedalertsExpected result
Click the
AI Assistantbutton to open the assistantAsk the assistant:
Expected result
Close the assistant
Change the workflow status of an alert in the Alerts table from
opentoacknowledgedExpected result
Once again, open the assistant
Once again, ask the (same) question:
Expected result
opentoacknowledged, per the example response below:Expected result
The assistant for details about the acknowledged alert that, for example, includes the
kibana.alert.risk_score, per the example response below:_idof the acknowledged alert:Expected results
_idof theacknowledgedalert, per the example response below:_idshown in the assistant is the same_idof the acknowledged alert on the alerts page, per the screeenshot below:Show anonymizedtoggle in the assistantExpected result
_idshown in the latest result is replaced with the actual anonymized value that was sent to the LLM, per the example screenshot below: