5 changes: 5 additions & 0 deletions packages/security_ai_prompts/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.0.3"
changes:
- description: "Add new Security AI prompts (AI Assistant context prompts and starter prompts)."
type: enhancement
link: https://github.com/elastic/integrations/pull/14296
- version: "0.0.2"
changes:
- description: "Updated defend insights Security AI prompts."
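Review bot: the changelog entry only describes the new prompts, but every modified prompt document in this PR also receives a fresh saved-object id while its promptId is unchanged (for example `security_ai_prompts-071954d7-cbe9-4db0-94dc-4db2126595c5` becomes `security_ai_prompts-1ac8dd30-286f-40a9-ab7b-c6050acc9b99`). State that in the description, and confirm that upgrading the package removes the old objects rather than leaving two documents with the same promptId installed side by side.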
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "starterPromptDescription4",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "Discover the types of questions you can ask"
}
},
"id": "security_ai_prompts-1a571e31-79f5-401a-a08c-2ebab082bb6c",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "\nContinue your JSON analysis from exactly where you left off. Generate only the additional content needed to complete the response.\n\nFORMAT REQUIREMENTS:\n1. Maintain strict JSON validity:\n - Use double quotes for all strings\n - Properly escape special characters (\" for quotes, \\ for backslashes, \n for newlines)\n - Avoid all control characters (ASCII 0-31)\n - Keep text fields under 500 characters\n\n2. Output rules:\n - Do not repeat any previously generated content\n - Do not include explanatory text outside the JSON\n - Do not restart from the beginning\n - Conform exactly to the JSON schema defined earlier\n\nYour continuation should seamlessly connect with the previous output to form a complete, valid JSON document.\n"
}
},
"id": "security_ai_prompts-071954d7-cbe9-4db0-94dc-4db2126595c5",
"id": "security_ai_prompts-1ac8dd30-286f-40a9-ab7b-c6050acc9b99",
"type": "security-ai-prompt"
}
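Review bot: the escape-sequence examples in the continuation prompt are themselves JSON-decoded before the model sees them. `\" for quotes, \\ for backslashes, \n for newlines` in the file becomes a literal `"`, a single `\` and an actual line break in the delivered text, so the model is never shown the sequences it is told to use. If the intent is to show `\"`, `\\` and `\n` verbatim, the JSON needs `\\\" for quotes, \\\\ for backslashes, \\n for newlines`.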
@@ -6,6 +6,6 @@
"default": "\nYou previously generated the below insights using this prompt: \nYou are an Elastic Security user tasked with analyzing file events from Elastic Security to identify antivirus processes. Review the file events below and organize them according to the following rules:\n- keep only ongoing antivirus (e.g. Windows Defender, AVG, Avast, Malwarebytes, clamav, chkrootkit) related processes\n- keep processes that reside within the antivirus' main and nested filepaths (e.g., C:ProgramDataMicrosoftWindows Defender..., C:Program FilesAVG..., C:Program FilesAvast Software..., /Applications/AVGAntivirus.app/...)\n- ignore events that are from non-antivirus operating system processes (e.g. C:WindowsSystem32...)\n- ignore events that are single run processes (e.g. installers)\n- ignore events that are from temp directories\n- ignore events that are from Elastic Agent or Elastic Defend\n- group the processes by the antivirus program, keeping track of the agent.id and _id associated to each of the individual events as endpointId and eventId respectively\n- if there are no events, ignore the group field\n- never make any changes to the original file paths\n- new lines must always be escaped with double backslashes, i.e. \\\\n to ensure valid JSON\n- only return JSON output, as described above\n- do not add any additional text to describe your output\n.\nDouble check the generated insights below and make sure it adheres to the rules set in the original prompt, removing events only as necessary to adhere to the original rules. In addition:\n- combine duplicate insights into the same 'group' (e.g. AVG + AVG Free + AVG Hub + AVG Antivirus)\n- remove insights with no events\n "
}
},
"id": "security_ai_prompts-37094d32-552f-45cd-9641-cafd3dc679c0",
"id": "security_ai_prompts-1c2e4054-3329-4588-b7dc-b74a00290c23",
"type": "security-ai-prompt"
}
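Review bot: the file-path examples in the antivirus prompt have lost their directory separators: `C:ProgramDataMicrosoftWindows Defender...`, `C:Program FilesAVG...` and `C:WindowsSystem32...` are not the paths the keep/ignore rules mean to describe, which makes those rules harder for the model to apply. In JSON each backslash must be written as `\\`, e.g. `C:\\ProgramData\\Microsoft\\Windows Defender\\...` and `C:\\Windows\\System32\\...`. Separately, `make sure it adheres` should read `make sure they adhere`, since the subject is the plural `insights`.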
@@ -6,6 +6,6 @@
"default": "An array of MITRE ATT&CK tactic for the insight, using one of the following values: Reconnaissance,Resource Development,Initial Access,Execution,Persistence,Privilege Escalation,Defense Evasion,Credential Access,Discovery,Lateral Movement,Collection,Command and Control,Exfiltration,Impact"
}
},
"id": "security_ai_prompts-41039939-a898-4183-be99-f532ce59f1e1",
"id": "security_ai_prompts-2ee8c0e9-d3aa-493c-8793-e0182ad6cf21",
"type": "security-ai-prompt"
}
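Review bot: `An array of MITRE ATT&CK tactic` should be `tactics`, since the field holds an array of tactic names; the allowed-value list itself matches the fourteen ATT&CK enterprise tactics.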
@@ -6,6 +6,6 @@
"default": "Return **only a single-line stringified JSON object** without any code fences, explanations, or variable assignments. Do **not** wrap the output in triple backticks or any Markdown code block. \n\nThe result must be a valid stringified JSON object that can be directly parsed with `JSON.parse()` in JavaScript.\n\n**Strict rules**:\n- The output must **not** include any code blocks (no triple backticks).\n- The output must be **a string**, ready to be passed directly into `JSON.parse()`.\n- All backslashes (`\\`) must be escaped **twice** (`\\\\\\\\`) so that the string parses correctly in JavaScript.\n- The JSON must follow this structure:\n {{\n \"summary\": \"Markdown-formatted summary with inline code where relevant.\",\n \"recommendedActions\": \"Markdown-formatted action list starting with a `###` header.\"\n }}\n- The summary text should just be text. It does not need any titles or leading items in bold.\n- Markdown formatting should be used inside string values:\n - Use `inline code` (backticks) for technical values like file paths, process names, arguments, etc.\n - Use `**bold**` for emphasis.\n - Use `-` for bullet points.\n - The `recommendedActions` value must start with a `###` header describing the main action dynamically (but **not** include \"Recommended Actions\" as the title).\n- **Do not** include any extra explanation or text. Only return the stringified JSON object.\n\nThe response should look like this:\n{{\"summary\":\"Markdown-formatted summary text.\",\"recommendedActions\":\"Markdown-formatted action list starting with a ### header.\"}}"
}
},
"id": "security_ai_prompts-03e8227e-dcc5-4418-98a8-5fd853ff889b",
"id": "security_ai_prompts-2f0bb50b-7435-4a79-aada-a70e63bd7047",
"type": "security-ai-prompt"
}
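Review bot: the backslash rule in this prompt is ambiguous after JSON decoding. In the file, (`\\`) decodes to a single backslash and (`\\\\\\\\`) decodes to four, so the model reads "All backslashes (`\`) must be escaped twice (`\\\\`)". If "escaped twice" means the model should emit `\\` for every backslash, the example in the file should be `\\\\`; if four is intended, say so explicitly so the instruction and the example agree.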
@@ -6,6 +6,6 @@
"default": "The event ID"
}
},
"id": "security_ai_prompts-e228c6ed-71c4-44c6-bc16-bf7673459e6f",
"id": "security_ai_prompts-30adaac9-6999-4a5d-a742-8e1b7bf94ef4",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Call this for the counts of last 24 hours of open and acknowledged alerts in the environment, grouped by their severity and workflow status. The response will be JSON and from it you can summarize the information to answer the question."
}
},
"id": "security_ai_prompts-5e338c8d-ef8d-4259-be2a-7c3a7daae928",
"id": "security_ai_prompts-338037f0-dd3d-4391-8fb9-3be9514c51d7",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "You MUST use the \"AskAboutEsqlTool\" function when the user:\n- asks for help with ES|QL\n- asks about ES|QL syntax\n- asks for ES|QL examples\n- asks for ES|QL documentation\n- asks for ES|QL best practices\n- asks for ES|QL optimization\n\nNever use this tool when they user wants to generate a ES|QL for their data."
}
},
"id": "security_ai_prompts-9142f40d-66ec-4152-ad52-dc2c8d6eaf94",
"id": "security_ai_prompts-363edccc-84d1-446a-93a2-22df49835a3a",
"type": "security-ai-prompt"
}
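Review bot: typos in the last sentence: `when they user wants` should be `when the user wants`, and `a ES|QL` should be `an ES|QL query`. Since this sentence is the only thing steering the model away from this tool for query generation, it is worth getting exact.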
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "starterPromptTitle1",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "Alerts"
}
},
"id": "security_ai_prompts-376cef46-351e-448a-8094-d580f174b6c9",
"type": "security-ai-prompt"
}
@@ -7,6 +7,6 @@
"default": "You are a strictly rule-following assistant for Elastic Security.\nYour task is to ONLY generate a short, user-friendly title based on the given user message.\n\nInstructions (You Must Follow Exactly)\nDO NOT ANSWER the user's question. You are forbidden from doing so.\nYour response MUST contain only the generated title. Nothing else.\nAbsolutely NO explanations, disclaimers, or additional text.\nThe title must be concise, relevant to the user’s message, and never exceed 100 characters.\nDO NOT wrap the title in quotes or any other formatting.\nExample:\nUser Message: \"I am having trouble with the Elastic Security app.\"\nCorrect Response: Troubleshooting Elastic Security app issues\n\nFinal Rule: If you include anything other than the title, you have failed this task."
}
},
"id": "security_ai_prompts-366e4470-f26d-4722-a30e-b5d8594f8c0d",
"id": "security_ai_prompts-3914b9f0-4639-4b90-addc-d56552b59785",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "starterPromptIcon2",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "launch"
}
},
"id": "security_ai_prompts-49951528-89a3-4443-8d07-d669a5fede55",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "starterPromptTitle4",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "Suggest"
}
},
"id": "security_ai_prompts-513500b0-c90c-48ef-b67e-d08642cac1fc",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "starterPromptDescription1",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "Most important alerts from the last 24 hrs"
}
},
"id": "security_ai_prompts-5228ac77-80fd-4a09-8b62-f558bc8bd73c",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "starterPromptTitle2",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "Research"
}
},
"id": "security_ai_prompts-56fed434-29a8-4750-9de2-56f7d4ba955c",
"type": "security-ai-prompt"
}
@@ -7,6 +7,6 @@
"default": "You are a title generator for a helpful assistant for Elastic Security. Assume the following human message is the start of a conversation between you and a human. Generate a relevant conversation title for the human's message in plain text. Make sure the title is formatted for the user, without using quotes or markdown. The title should clearly reflect the content of the message and be appropriate for a list of conversations. Respond only with the title. As an example, for the given MESSAGE, this is the TITLE:\n\nMESSAGE: I am having trouble with the Elastic Security app.\nTITLE: Troubleshooting Elastic Security app issues\n"
}
},
"id": "security_ai_prompts-16921138-8d02-458d-a591-fdfaae93a070",
"id": "security_ai_prompts-5b3f1148-213d-45ce-baa7-05a44738aa5e",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "starterPromptPrompt4",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "Can you provide examples of questions I can ask about Elastic Security, such as investigating alerts, running ES|QL queries, incident response, or threat intelligence?"
}
},
"id": "security_ai_prompts-62062c28-6ddc-44a0-9273-abac12ed3236",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "starterPromptDescription2",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "Latest Elastic Security Labs research"
}
},
"id": "security_ai_prompts-65ab4b6e-9efb-4b9b-981e-4f99e9d51388",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "A detailed insight with markdown, where each markdown bullet contains a description of what happened that reads like a story of the attack as it played out and always uses special {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax for field names and values from the source data. Examples of CORRECT syntax (includes field names and values): {{ host.name hostNameValue }} {{ user.name userNameValue }} {{ source.ip sourceIpValue }} Examples of INCORRECT syntax (bad, because the field names are not included): {{ hostNameValue }} {{ userNameValue }} {{ sourceIpValue }}"
}
},
"id": "security_ai_prompts-7bff8189-278d-4bdb-89bf-4eaf244e1b4d",
"id": "security_ai_prompts-6887505f-6491-40fd-95a9-57f136fc0a03",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "You MUST use the \"NaturalLanguageESQLTool\" function when the user wants to:\n - breakdown or filter ES|QL queries that are displayed on the current page\n - convert queries from another language to ES|QL\n - asks general questions about ES|QL\n ALWAYS use this tool to generate ES|QL queries or explain anything about the ES|QL query language rather than coming up with your own answer."
}
},
"id": "security_ai_prompts-ab6ac870-a485-4224-81cb-7a8536985c96",
"id": "security_ai_prompts-69240d50-bb0c-41e2-b3af-7912be210fe6",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Evaluate the cyber security alert from the context above. Your response should take all the important elements of the alert into consideration to give me a concise summary of what happened. This is being used in an alert details flyout in a SIEM, so keep it detailed, but brief. Limit your response to 500 characters. Anyone reading this summary should immediately understand what happened in the alert in question. Only reply with the summary, and nothing else.\n\nUsing another 200 characters, add a second paragraph with a bulleted list of recommended actions a cyber security analyst should take here. Don't invent random, potentially harmful recommended actions."
}
},
"id": "security_ai_prompts-2e513a45-cf29-4712-b01e-0594d3af3e56",
"id": "security_ai_prompts-7269e081-806a-4eab-b2ab-f8505028efeb",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Call this for writing details to the user's knowledge base. The knowledge base contains useful information the user wants to store between conversation contexts. Input will be the summarized knowledge base entry to store, a short UI friendly name for the entry, and whether or not the entry is required."
}
},
"id": "security_ai_prompts-b30e56d5-4a0b-4277-9463-bf375ad0cd27",
"id": "security_ai_prompts-739b6bc0-796d-425a-be02-38444632f4bd",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Call this for Elastic Defend insights."
}
},
"id": "security_ai_prompts-d9b9d49d-9169-4842-8418-f5d07c1ad36e",
"id": "security_ai_prompts-78c8a139-30f7-45de-8a60-1db6a3faab8a",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "starterPromptIcon3",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "esqlVis"
}
},
"id": "security_ai_prompts-7c509002-6dd6-495b-a27e-6cc56ab25380",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "\nReview the JSON output from your initial analysis. Your task is to refine the attack chains by:\n\n1. Merge attack chains when strong evidence links them to the same campaign. Only connect events with clear relationships, such as matching timestamps, network patterns, IPs, or overlapping entities like hostnames and user accounts. Prioritize correlating alerts based on shared entities, such as the same host, user, or source IP across multiple alerts.\n2. Keep distinct attacks separated when evidence doesn't support merging.\n3. Strengthening justifications: For each attack chain:\n - Explain the specific evidence connecting events (particularly across hosts)\n - Reference relevant MITRE ATT&CK techniques that support your grouping\n - Ensure your narrative follows the chronological progression of the attack\nOutput requirements:\n- Return your refined analysis using the exact same JSON format as your initial output, applying the same field syntax requirements.\n- Conform exactly to the JSON schema defined earlier\n- Do not include explanatory text outside the JSON\n"
}
},
"id": "security_ai_prompts-bbdc4662-e373-4b4d-8d3e-c015f8f1fc5e",
"id": "security_ai_prompts-7d5522b8-aace-4145-b494-fdc86b41f720",
"type": "security-ai-prompt"
}
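Review bot: items 1 and 2 of the refinement list are imperatives (`Merge`, `Keep`) while item 3 is a gerund (`Strengthening justifications`); `Strengthen the justifications` keeps the list parallel. Separately, `matching timestamps` heads the evidence list in item 1, but a timestamp match on its own also links unrelated activity, so consider wording it as a supporting signal alongside the shared hosts, users and source IPs the same item already prioritises.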
@@ -6,6 +6,6 @@
"default": "Call this for knowledge from Elastic Security Labs content, which contains information on malware, attack techniques, and more."
}
},
"id": "security_ai_prompts-b6b11bba-731e-49fd-b99a-4c903b53f279",
"id": "security_ai_prompts-7eefa3a5-5ccf-47ef-9b2a-b21533c4037e",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "A short (no more than a sentence) summary of the insight featuring only the host.name and user.name fields (when they are applicable), using the same {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax"
}
},
"id": "security_ai_prompts-56f6a358-86dc-4941-a133-4b42f7da6f01",
"id": "security_ai_prompts-80678ceb-7e84-43e9-bafe-6e9346dfeb3d",
"type": "security-ai-prompt"
}
@@ -7,6 +7,6 @@
"default": "You are an assistant that is an expert at using tools and Elastic Security, doing your best to use these tools to answer questions or follow instructions. It is very important to use tools to answer the question or follow the instructions rather than coming up with your own answer. Tool calls are good. Sometimes you may need to make several tool calls to accomplish the task or get an answer to the question that was asked. Use as many tool calls as necessary. {citations_prompt} If the knowledge base tool gives empty results, do your best to answer the question from the perspective of an expert security analyst. \n{formattedTime}"
}
},
"id": "security_ai_prompts-0dda9291-ac45-4642-89f6-6e2a93372338",
"id": "security_ai_prompts-8286ee8d-56b7-48b4-8c2c-9ecacb1df3af",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Use this tool to retrieve documentation about Elastic products. You can retrieve documentation about the Elastic stack, such as Kibana and Elasticsearch, or for Elastic solutions, such as Elastic Security, Elastic Observability or Elastic Enterprise Search."
}
},
"id": "security_ai_prompts-2c413e3d-3f97-4d6c-9113-3a3553c92d70",
"id": "security_ai_prompts-846c4b94-f35a-4ea7-962b-e1ee8c3bac3b",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "dataQualityAnalysis",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "Explain the ECS incompatibility results above, and describe some options to fix incompatibilities. In your explanation, include information about remapping fields, reindexing data, and modifying data ingestion pipelines. Also, describe how ES|QL can be used to identify and correct incompatible data, including examples of using RENAME, EVAL, DISSECT, GROK, and CASE functions."
}
},
"id": "security_ai_prompts-8a3aaeae-5259-4b89-98c9-729e359e490d",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "starterPromptPrompt3",
"promptGroupId": "aiAssistant",
"prompt": {
"default": "I need an Elastic ES|QL query to achieve the following goal:\nGoal/Requirement:\n<Insert your specific requirement or goal here, e.g., \"Identify all failed login attempts from a specific IP address within the last 24 hours.\">\nPlease:\nGenerate the ES|QL Query: Provide a complete ES|QL query tailored to the stated goal.\nExplain the Query: Offer a brief explanation of each part of the query, including filters, fields, and logic used.\nOptimize for Elastic Security: Suggest additional filters, aggregations, or enhancements to make the query more efficient and actionable within Elastic Security workflows.\nProvide Documentation Links: Include links to relevant Elastic Security documentation for deeper understanding.\nFormatting Requirements:\nUse code blocks for the ES|QL query.\nInclude concise explanations in bullet points for clarity.\nHighlight any advanced ES|QL features used in the query.\n"
}
},
"id": "security_ai_prompts-935971f4-a2c2-4f8b-a05f-6a51f8129882",
"type": "security-ai-prompt"
}
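Review bot: the `Provide Documentation Links` step asks the model to produce links to Elastic Security documentation from its own knowledge, which is where fabricated URLs tend to appear. This same PR ships a tool description for retrieving documentation about Elastic products (`Use this tool to retrieve documentation about Elastic products...`), so the starter prompt could ask for links taken from the retrieved documentation rather than free-form ones.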
@@ -7,6 +7,6 @@
"default": "Now, always using the tools at your disposal, step by step, come up with a response to this request:\n\n"
}
},
"id": "security_ai_prompts-eaa6f487-41a7-4727-ab7b-17e0f6b2c64a",
"id": "security_ai_prompts-958909a0-8b3d-43db-81af-735c8b6ddc0f",
"type": "security-ai-prompt"
}