[Request] Retrieval Augemented Generation (RAG) for Alerts #4456
Assignees
Labels
Docset: ESS
Issues that apply to docs in the Stack release
Docset: Serverless
Issues for Serverless Security
v8.12.0
Comments
|
@benironside @joepeeples please let us know if you want to get together for a live demo of this feature. |
jmikell821
added
v8.12.0
Docset: ESS
|
Thanks for documenting this feature! We made a few small changes in this PR: elastic/kibana#173121
We're happy to improve the settings text with your feedback if you're willing to provide it. |
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this issue
Dec 21, 2023
…ugmented Generation (RAG) for Alerts_ Feature Flag This PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542). Deleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:  This PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged. ### Desk testing To desk test this change: 1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` 2) Start Kibana 3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 4) Navigate to Security > Alerts 5) Click the `AI Assistant` button to open the assistant 6) Click the `X` button to clear the conversation 7) Click the assistant's `Settings` gear 8) Click the `Knowledge Base` category **Expected result** - The `Alerts` toggle shown in the screenshot below is available  9) Click the `Alerts` toggle to enable the feature 10) Click the `Save` button to close settings 11) Enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - A response with alert counts grouped by workflow status will be returned, similar to the example below: ``` You currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged. ``` 12) Enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** A response with alert details, similar to the following is returned: ``` Based on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47. ``` 13) Once again, click the assistant's `Settings` gear 14) Click the `Knowledge Base` category 15) Click the `Alerts` toggle to disable the feature 16) Click the `Save` button to close settings 17) Once again, enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response: ``` I'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts. ``` 18) One more time, enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** - The assistant does NOT respond with alert details. Instead it replies with something like the following example response: ``` As an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact. ```
andrew-goldstein
added a commit
to elastic/kibana
that referenced
this issue
Dec 21, 2023
…ented Generation (RAG) for Alerts_ Feature Flag (#173809) ## [Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag This PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](#172542). Deleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:  This PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged. This PR also includes @benironside improvements to the Alerts setting in the video below: https://github.com/elastic/kibana/assets/4459398/73ea2717-ad2a-4998-afe2-cc154d8d19a9 ### Desk testing To desk test this change: 1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` 2) Start Kibana 3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 4) Navigate to Security > Alerts 5) Click the `AI Assistant` button to open the assistant 6) Click the `X` button to clear the conversation 7) Click the assistant's `Settings` gear 8) Click the `Knowledge Base` category **Expected result** - The `Alerts` toggle shown in the screenshot below is available  9) Click the `Alerts` toggle to enable the feature 10) Click the `Save` button to close settings 11) Enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - A response with alert counts grouped by workflow status will be returned, similar to the example below: ``` You currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged. ``` 12) Enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** A response with alert details, similar to the following is returned: ``` Based on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47. ``` 13) Once again, click the assistant's `Settings` gear 14) Click the `Knowledge Base` category 15) Click the `Alerts` toggle to disable the feature 16) Click the `Save` button to close settings 17) Once again, enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response: ``` I'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts. ``` 18) One more time, enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** - The assistant does NOT respond with alert details. Instead it replies with something like the following example response: ``` As an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact. ```
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Dec 21, 2023
…ented Generation (RAG) for Alerts_ Feature Flag (elastic#173809) ## [Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag This PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts elastic#172542](elastic#172542). Deleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:  This PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged. This PR also includes @benironside improvements to the Alerts setting in the video below: https://github.com/elastic/kibana/assets/4459398/73ea2717-ad2a-4998-afe2-cc154d8d19a9 ### Desk testing To desk test this change: 1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`: ``` xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts'] ``` 2) Start Kibana 3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`) 4) Navigate to Security > Alerts 5) Click the `AI Assistant` button to open the assistant 6) Click the `X` button to clear the conversation 7) Click the assistant's `Settings` gear 8) Click the `Knowledge Base` category **Expected result** - The `Alerts` toggle shown in the screenshot below is available  9) Click the `Alerts` toggle to enable the feature 10) Click the `Save` button to close settings 11) Enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - A response with alert counts grouped by workflow status will be returned, similar to the example below: ``` You currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged. ``` 12) Enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** A response with alert details, similar to the following is returned: ``` Based on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47. ``` 13) Once again, click the assistant's `Settings` gear 14) Click the `Knowledge Base` category 15) Click the `Alerts` toggle to disable the feature 16) Click the `Save` button to close settings 17) Once again, enter the following prompt: ``` How many open alerts do I have? ``` **Expected result** - The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response: ``` I'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts. ``` 18) One more time, enter the following prompt: ``` Which alerts should I look at first? ``` **Expected result** - The assistant does NOT respond with alert details. Instead it replies with something like the following example response: ``` As an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact. ``` (cherry picked from commit ec05dd7)
kibanamachine
added a commit
to elastic/kibana
that referenced
this issue
Dec 22, 2023
…al Augmented Generation (RAG) for Alerts_ Feature Flag (#173809) (#173883) # Backport This will backport the following commits from `main` to `8.12`: - [[Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag (#173809)](#173809) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Andrew Macri","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-12-21T23:01:15Z","message":"[Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag (#173809)\n\n## [Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag\r\n\r\nThis PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542).\r\n\r\nDeleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:\r\n\r\n\r\n\r\nThis PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged.\r\n\r\nThis PR also includes @benironside improvements to the Alerts setting in the video below:\r\n\r\nhttps://github.com/elastic/kibana/assets/4459398/73ea2717-ad2a-4998-afe2-cc154d8d19a9\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n2) Start Kibana\r\n\r\n3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n4) Navigate to Security > Alerts\r\n\r\n5) Click the `AI Assistant` button to open the assistant\r\n\r\n6) Click the `X` button to clear the conversation\r\n\r\n7) Click the assistant's `Settings` gear\r\n\r\n8) Click the `Knowledge Base` category\r\n\r\n**Expected result**\r\n\r\n- The `Alerts` toggle shown in the screenshot below is available\r\n\r\n\r\n\r\n9) Click the `Alerts` toggle to enable the feature\r\n\r\n10) Click the `Save` button to close settings\r\n\r\n11) Enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- A response with alert counts grouped by workflow status will be returned, similar to the example below:\r\n\r\n```\r\nYou currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged.\r\n```\r\n\r\n12) Enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\nA response with alert details, similar to the following is returned:\r\n\r\n```\r\nBased on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47.\r\n```\r\n\r\n13) Once again, click the assistant's `Settings` gear\r\n\r\n14) Click the `Knowledge Base` category\r\n\r\n15) Click the `Alerts` toggle to disable the feature\r\n\r\n16) Click the `Save` button to close settings\r\n\r\n17) Once again, enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response:\r\n\r\n```\r\nI'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts.\r\n```\r\n\r\n18) One more time, enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with alert details. Instead it replies with something like the following example response:\r\n\r\n```\r\nAs an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact.\r\n```","sha":"ec05dd7afddaef353d27f0bcbc7046ff09c0a5d6","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team: SecuritySolution","Team:Threat Hunting:Investigations","Feature:Elastic AI Assistant","v8.12.0","v8.13.0"],"number":173809,"url":"https://github.com/elastic/kibana/pull/173809","mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag (#173809)\n\n## [Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag\r\n\r\nThis PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542).\r\n\r\nDeleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:\r\n\r\n\r\n\r\nThis PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged.\r\n\r\nThis PR also includes @benironside improvements to the Alerts setting in the video below:\r\n\r\nhttps://github.com/elastic/kibana/assets/4459398/73ea2717-ad2a-4998-afe2-cc154d8d19a9\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n2) Start Kibana\r\n\r\n3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n4) Navigate to Security > Alerts\r\n\r\n5) Click the `AI Assistant` button to open the assistant\r\n\r\n6) Click the `X` button to clear the conversation\r\n\r\n7) Click the assistant's `Settings` gear\r\n\r\n8) Click the `Knowledge Base` category\r\n\r\n**Expected result**\r\n\r\n- The `Alerts` toggle shown in the screenshot below is available\r\n\r\n\r\n\r\n9) Click the `Alerts` toggle to enable the feature\r\n\r\n10) Click the `Save` button to close settings\r\n\r\n11) Enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- A response with alert counts grouped by workflow status will be returned, similar to the example below:\r\n\r\n```\r\nYou currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged.\r\n```\r\n\r\n12) Enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\nA response with alert details, similar to the following is returned:\r\n\r\n```\r\nBased on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47.\r\n```\r\n\r\n13) Once again, click the assistant's `Settings` gear\r\n\r\n14) Click the `Knowledge Base` category\r\n\r\n15) Click the `Alerts` toggle to disable the feature\r\n\r\n16) Click the `Save` button to close settings\r\n\r\n17) Once again, enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response:\r\n\r\n```\r\nI'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts.\r\n```\r\n\r\n18) One more time, enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with alert details. Instead it replies with something like the following example response:\r\n\r\n```\r\nAs an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact.\r\n```","sha":"ec05dd7afddaef353d27f0bcbc7046ff09c0a5d6"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","labelRegex":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/173809","number":173809,"mergeCommit":{"message":"[Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag (#173809)\n\n## [Security Solution] [Elastic AI Assistant] Delete the _Retrieval Augmented Generation (RAG) for Alerts_ Feature Flag\r\n\r\nThis PR deletes the `assistantRagOnAlerts` feature flag introduced in [[Security Solution] [Elastic AI Assistant] Retrieval Augmented Generation (RAG) for Alerts #172542](https://github.com/elastic/kibana/pull/172542).\r\n\r\nDeleting the `assistantRagOnAlerts` feature flag makes the `Alerts` toggle available in the assistant settings, per the screenshot below:\r\n\r\n\r\n\r\nThis PR should not be merged until the docs describing the feature in <elastic/security-docs#4456> have been merged.\r\n\r\nThis PR also includes @benironside improvements to the Alerts setting in the video below:\r\n\r\nhttps://github.com/elastic/kibana/assets/4459398/73ea2717-ad2a-4998-afe2-cc154d8d19a9\r\n\r\n### Desk testing\r\n\r\nTo desk test this change:\r\n\r\n1) Delete the following `assistantRagOnAlerts` feature flag from your local `config/kibana.dev.yml`:\r\n\r\n```\r\nxpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']\r\n```\r\n\r\n2) Start Kibana\r\n\r\n3) Generate alerts with a variety of severity (e.g. `low`, `medium`, `high`, and `critical`)\r\n\r\n4) Navigate to Security > Alerts\r\n\r\n5) Click the `AI Assistant` button to open the assistant\r\n\r\n6) Click the `X` button to clear the conversation\r\n\r\n7) Click the assistant's `Settings` gear\r\n\r\n8) Click the `Knowledge Base` category\r\n\r\n**Expected result**\r\n\r\n- The `Alerts` toggle shown in the screenshot below is available\r\n\r\n\r\n\r\n9) Click the `Alerts` toggle to enable the feature\r\n\r\n10) Click the `Save` button to close settings\r\n\r\n11) Enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- A response with alert counts grouped by workflow status will be returned, similar to the example below:\r\n\r\n```\r\nYou currently have 48 open alerts in your system. These are categorized by severity as following: 19 of them are low severity, 16 are high severity, 12 are of medium severity and 1 is of critical severity. There is also 1 critical severity alert which is acknowledged.\r\n```\r\n\r\n12) Enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\nA response with alert details, similar to the following is returned:\r\n\r\n```\r\nBased on the latest information, the alerts to prioritize first are those related to a mimikatz process starting on the hosts, which have a critical severity and the highest risk score of 99. There are also a series of alerts related to an EQL process sequence with a high severity and risk scores of 73. There is one alert about an Elastic Endpoint Security alert with a medium severity and risk score of 47.\r\n```\r\n\r\n13) Once again, click the assistant's `Settings` gear\r\n\r\n14) Click the `Knowledge Base` category\r\n\r\n15) Click the `Alerts` toggle to disable the feature\r\n\r\n16) Click the `Save` button to close settings\r\n\r\n17) Once again, enter the following prompt:\r\n\r\n```\r\nHow many open alerts do I have?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with a breakdown of alerts by severity. Instead it replies with something like the following example response:\r\n\r\n```\r\nI'm sorry for any confusion, but as an AI, I don't have real-time access to your data or system to provide the number of your current open alerts. You can check your Elastic Security dashboard or use the appropriate querying commands to get the updated count of your open alerts.\r\n```\r\n\r\n18) One more time, enter the following prompt:\r\n\r\n```\r\nWhich alerts should I look at first?\r\n```\r\n\r\n**Expected result**\r\n\r\n- The assistant does NOT respond with alert details. Instead it replies with something like the following example response:\r\n\r\n```\r\nAs an AI model, I don't have the capability to access real-time data. However, when it comes to managing alerts in Elastic Security, it's generally recommended to first look at the ones with the highest severity and risk score. Alerts related to malware, unauthorized access attempts, and abnormal data transfers or process activities, for example, may need immediate attention due to their potential high impact.\r\n```","sha":"ec05dd7afddaef353d27f0bcbc7046ff09c0a5d6"}}]}] BACKPORT--> Co-authored-by: Andrew Macri <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
What: We're implementing Retrieval Augmented Generation for Alerts
Why: Currently, the AI Assistant provides one alert or event at a time as context to the LLM, but has no way to answer questions about multiple alerts in the alerts index. With this functionality, the assistant can provide the riskiest, latest alerts as context to the LLM, with data anonymized per a user’s settings. Example of new questions users can ask:
_- How many alerts are currently open?
How:
Show anonymizedtoggle to see the anonymized values sent to / received from the LLM:Settings
This feature is enabled and configured via the
Knowledge Base>Alertssettings in the screenshot below:Alertstoggle enables or disables the feature10-100alerts (default:20)When the setting above is enabled, up to
nalerts (as determined by the slider) that meet the following criteria will be returned:kibana.alert.workflow_statusmust beopen24 hourskibana.alert.building_block_typealertnalerts are ordered bykibana.alert.risk_score, to prioritize the riskiest alertsBackground & resources
Which documentation set does this change impact?
ESS and serverless
ESS release
8.12
Serverless release
tbd
Feature differences
N/A
API docs impact
n/a
Prerequisites, privileges, feature flags
Feature flag
To use this feature:
Add the assistantRagOnAlerts feature flag to the xpack.securitySolution.enableExperimental setting in config/kibana.yml (or config/kibana.dev.yml in local development environments), per the example below:
xpack.securitySolution.enableExperimental: ['assistantRagOnAlerts']
Enable the Alerts toggle in the Assistant's Knowledge Base settings, per the screenshot below:
The text was updated successfully, but these errors were encountered: