Merged
5 changes: 5 additions & 0 deletions packages/security_ai_prompts/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.0.5"
changes:
- description: "Update KnowledgeBaseRetrievalTool and AskAboutESQLTool prompts"
type: enhancement
link: https://github.com/elastic/integrations/pull/14555
- version: "0.0.4"
changes:
- description: "Update AI Assistant context prompts and starter prompts. Also update readme."
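Review bot: the 0.0.5 entry only describes the KnowledgeBaseRetrievalTool and AskAboutESQLTool prompt updates, but the rest of this PR also replaces the saved-object `id` of every prompt file (each hunk below swaps one `security_ai_prompts-...` id for a new one). Anything that references a prompt by its saved-object id is affected, so the changelog should say so, for example as a second change entry under the same version ("Regenerate saved object ids for all prompts"), or the PR should explain why the ids had to change at all.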
Expand Up @@ -6,6 +6,6 @@
"default": "\nYou previously generated the below insights using this prompt: \nYou are an Elastic Security user tasked with analyzing file events from Elastic Security to identify antivirus processes. Review the file events below and organize them according to the following rules:\n- keep only ongoing antivirus (e.g. Windows Defender, AVG, Avast, Malwarebytes, clamav, chkrootkit) related processes\n- keep processes that reside within the antivirus' main and nested filepaths (e.g., C:ProgramDataMicrosoftWindows Defender..., C:Program FilesAVG..., C:Program FilesAvast Software..., /Applications/AVGAntivirus.app/...)\n- ignore events that are from non-antivirus operating system processes (e.g. C:WindowsSystem32...)\n- ignore events that are single run processes (e.g. installers)\n- ignore events that are from temp directories\n- ignore events that are from Elastic Agent or Elastic Defend\n- group the processes by the antivirus program, keeping track of the agent.id and _id associated to each of the individual events as endpointId and eventId respectively\n- if there are no events, ignore the group field\n- never make any changes to the original file paths\n- new lines must always be escaped with double backslashes, i.e. \\\\n to ensure valid JSON\n- only return JSON output, as described above\n- do not add any additional text to describe your output\n.\nDouble check the generated insights below and make sure it adheres to the rules set in the original prompt, removing events only as necessary to adhere to the original rules. In addition:\n- combine duplicate insights into the same 'group' (e.g. AVG + AVG Free + AVG Hub + AVG Antivirus)\n- remove insights with no events\n "
}
},
"id": "security_ai_prompts-a46901d6-78c8-4248-9251-cfa238655b0d",
"id": "security_ai_prompts-08d8d517-9a67-4127-ac3f-8ac687eacb43",
"type": "security-ai-prompt"
}
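Review bot: the example paths in the (unchanged) `default` string have no directory separators: `C:ProgramDataMicrosoftWindows Defender...`, `C:Program FilesAVG...`, `C:Program FilesAvast Software...`, `C:WindowsSystem32...`. Other backslashes in the same string do survive (`\\\\n`), so this looks like the JSON source itself is missing the escaped separators rather than a display issue. Because the prompt tells the model to keep only processes under the antivirus' main and nested file paths and to never alter original paths, the examples should look like real paths, e.g. `C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\...` and `C:\\\\Windows\\\\System32\\\\...`; since the file is being touched anyway, fix it here.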
Expand Up @@ -6,6 +6,6 @@
"default": "\nReview the JSON output from your initial analysis. Your task is to refine the attack chains by:\n\n1. Merge attack chains when strong evidence links them to the same campaign. Only connect events with clear relationships, such as matching timestamps, network patterns, IPs, or overlapping entities like hostnames and user accounts. Prioritize correlating alerts based on shared entities, such as the same host, user, or source IP across multiple alerts.\n2. Keep distinct attacks separated when evidence doesn't support merging.\n3. Strengthening justifications: For each attack chain:\n - Explain the specific evidence connecting events (particularly across hosts)\n - Reference relevant MITRE ATT&CK techniques that support your grouping\n - Ensure your narrative follows the chronological progression of the attack\nOutput requirements:\n- Return your refined analysis using the exact same JSON format as your initial output, applying the same field syntax requirements.\n- Conform exactly to the JSON schema defined earlier\n- Do not include explanatory text outside the JSON\n"
}
},
"id": "security_ai_prompts-cefd48e7-e87d-4700-8bcd-6715eb7fb132",
"id": "security_ai_prompts-16b913ec-f0e5-4029-b6df-61b0b9e07534",
"type": "security-ai-prompt"
}
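Review bot: style point on the unchanged `default` string: items 1 and 2 are imperatives ("Merge attack chains…", "Keep distinct attacks separated…") while item 3 reads "Strengthening justifications: For each attack chain:", so the numbered list is not parallel. "Strengthen the justification for each attack chain:" followed by the same sub-bullets keeps the instructions consistent for the model.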
Expand Up @@ -6,6 +6,6 @@
"default": "A detailed insight with markdown, where each markdown bullet contains a description of what happened that reads like a story of the attack as it played out and always uses special {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax for field names and values from the source data. Examples of CORRECT syntax (includes field names and values): {{ host.name hostNameValue }} {{ user.name userNameValue }} {{ source.ip sourceIpValue }} Examples of INCORRECT syntax (bad, because the field names are not included): {{ hostNameValue }} {{ userNameValue }} {{ sourceIpValue }}"
}
},
"id": "security_ai_prompts-22041469-419f-45ec-be9d-6dbc8810e8ba",
"id": "security_ai_prompts-194dc571-02f6-44d9-a206-86322ef776e6",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Use this tool to retrieve documentation about Elastic products. You can retrieve documentation about the Elastic stack, such as Kibana and Elasticsearch, or for Elastic solutions, such as Elastic Security, Elastic Observability or Elastic Enterprise Search."
}
},
"id": "security_ai_prompts-6c64eb9f-449b-4d30-b294-d9344e744c33",
"id": "security_ai_prompts-1b92d63c-ecd7-4798-9d66-2b854bb7ce95",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "An array of MITRE ATT&CK tactic for the insight, using one of the following values: Reconnaissance,Resource Development,Initial Access,Execution,Persistence,Privilege Escalation,Defense Evasion,Credential Access,Discovery,Lateral Movement,Collection,Command and Control,Exfiltration,Impact"
}
},
"id": "security_ai_prompts-6a0ca94b-7399-4f67-ac29-78d793823ba8",
"id": "security_ai_prompts-1c897f67-5f05-4bf6-893c-3b561a78f6b0",
"type": "security-ai-prompt"
}
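Review bot: "An array of MITRE ATT&CK tactic" should be plural ("tactics") since the field is an array. The allowed-values list is also a single comma-separated run without spaces ("Reconnaissance,Resource Development,…"); a model copes with that, but "Reconnaissance, Resource Development, …" is easier to audit against the ATT&CK tactic names. Unchanged context here, but cheap to fix while the id is being regenerated.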
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "KnowledgeBaseRetrievalTool",
"promptGroupId": "security-tools",
"prompt": {
"default": "Call this tool to fetch information from the user's knowledge base. The knowledge base contains useful details the user has saved between conversation contexts.\n\nUse this tool **only in the following cases**:\n\n1. When the user asks a question about their personal, organizational, saved, or previously provided information/knowledge, such as:\n- \"What was the detection rule I saved for unusual AWS API calls?\"\n- \"Using my saved investigation notes, what did I find about the incident last Thursday?\"\n- \"What are my preferred index patterns?\"\n- \"What did I say about isolating hosts?\"\n- \"What is my favorite coffee spot near the office?\" *(non-security example)*\n\n2. Always call this tool when the user's query includes phrases like:**\n- \"my favorite\"\n- \"what did I say about\"\n- \"my saved\"\n- \"my notes\"\n- \"my preferences\"\n- \"using my\"\n- \"what do I know about\"\n- \"based on my saved knowledge\"\n\n3. When you need to retrieve saved information the user has stored in their knowledge base, whether it's security-related or not.\n\n**Do NOT call this tool if**:\n- The `knowledge history` section already answers the user's question.\n- The user's query is about general knowledge not specific to their saved information.\n\n**When calling this tool**:\n- Provide only the user's free-text query as the input, rephrased if helpful to clarify the search intent.\n- Format the input as a single, clean line of text.\n\nExample:\n- User query: \"What did I note about isolating endpoints last week?\"\n- Tool input: \"User notes about isolating endpoints.\"\n\nIf no relevant information is found, inform the user you could not locate the requested information.\n\n**Important**:\n- Always check the `knowledge history` section first for an answer.\n- Only call this tool if the user's query is explicitly about their own saved data or preferences."
}
},
"id": "security_ai_prompts-26cd621a-26e9-41c0-a8e8-64bba74433ce",
"type": "security-ai-prompt"
}
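Review bot: rule 2 ("Always call this tool when the user's query includes phrases like…") contradicts both the later "Do NOT call this tool if: The `knowledge history` section already answers the user's question" and the closing "Only call this tool if the user's query is explicitly about their own saved data or preferences". A query containing "my favorite" can satisfy the rule-2 trigger and the first exclusion at the same time, and the prompt gives no precedence between them, so tool-call behaviour is undefined for exactly the queries this prompt cares about. Suggest stating the order once: check `knowledge history` first, then apply the phrase triggers only when it does not answer the question. Two smaller points in the same string: rule 3 restates rule 1 and can be dropped, and the rule-2 heading ends with a stray closing `**` ("…phrases like:**") with no opening marker.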
Expand Up @@ -6,6 +6,6 @@
"default": "Evaluate the cyber security alert from the context above. Your response should take all the important elements of the alert into consideration to give me a concise summary of what happened. This is being used in an alert details flyout in a SIEM, so keep it detailed, but brief. Limit your response to 500 characters. Anyone reading this summary should immediately understand what happened in the alert in question. Only reply with the summary, and nothing else.\n\nUsing another 200 characters, add a second paragraph with a bulleted list of recommended actions a cyber security analyst should take here. Don't invent random, potentially harmful recommended actions."
}
},
"id": "security_ai_prompts-60430e47-96fc-4987-a9b5-51e0c03dfe33",
"id": "security_ai_prompts-2cc08f09-c279-489b-8cf8-b9404cfa2519",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Retrieve and summarize the latest Elastic Security Labs articles one by one sorted by latest at the top, and consider using all tools available to you to fulfill this request. Ensure the response includes:\nArticle Summaries\nTitle and Link: Provide the title of each article with a hyperlink to the original content.\nPublication Date: Include the date the article was published.\nKey Insights: Summarize the main points or findings of each article in concise bullet points.\nRelevant Threats or Techniques: Highlight any specific malware, attack techniques, or adversary behaviors discussed, with references to MITRE ATT&CK techniques (include hyperlinks to the official MITRE pages).\nPractical Applications\nDetection and Response Guidance: Provide actionable steps or recommendations based on the article's content, tailored for Elastic Security workflows.\nElastic Security Features: Highlight any Elastic Security features, detection rules, or tools mentioned in the articles, with links to relevant documentation.\nExample Queries: If applicable, include example ES|QL or OSQuery Manager queries inspired by the article's findings, formatted as code blocks.\nDocumentation and Resources\nElastic Security Labs: Include a link to the Elastic Security Labs homepage.\nAdditional References: Provide links to any related Elastic documentation or external resources mentioned in the articles.\nFormatting Requirements\nUse markdown headers, tables, and code blocks for clarity.\nOrganize the response into visually distinct sections.\nUse concise, actionable language. Make sure you use tools available to you to fulfill this request."
}
},
"id": "security_ai_prompts-58cf938f-35e5-4730-be88-293a4f00ace0",
"id": "security_ai_prompts-2f3be4e1-a94f-4d22-ab78-c6fdbdb24272",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Research"
}
},
"id": "security_ai_prompts-f34d8813-d9d6-403b-bb62-1a26e690f11e",
"id": "security_ai_prompts-30bac412-1ee5-48ce-b54a-9b45c626c9c8",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Latest Elastic Security Labs research"
}
},
"id": "security_ai_prompts-03a598f7-3829-4a64-b51f-b5e49408d542",
"id": "security_ai_prompts-3ae9fcca-bed0-481a-bbc8-ae236e27b7ef",
"type": "security-ai-prompt"
}
Expand Up @@ -7,6 +7,6 @@
"default": "Now, always using the tools at your disposal, step by step, come up with a response to this request:\n\n"
}
},
"id": "security_ai_prompts-3f103342-b3e3-4d16-b991-52fc7aa45430",
"id": "security_ai_prompts-41216914-37aa-4343-9268-2565b3257400",
"type": "security-ai-prompt"
}
Expand Up @@ -7,6 +7,6 @@
"default": "You are a title generator for a helpful assistant for Elastic Security. Assume the following human message is the start of a conversation between you and a human. Generate a relevant conversation title for the human's message in plain text. Make sure the title is formatted for the user, without using quotes or markdown. The title should clearly reflect the content of the message and be appropriate for a list of conversations. Respond only with the title. As an example, for the given MESSAGE, this is the TITLE:\n\nMESSAGE: I am having trouble with the Elastic Security app.\nTITLE: Troubleshooting Elastic Security app issues\n"
}
},
"id": "security_ai_prompts-5f71a813-beea-4fc9-b1bd-ab3b73ec245b",
"id": "security_ai_prompts-4ab8ce72-be54-45a3-b427-b7b1aca29586",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Explain the ECS incompatibility results above, and describe some options to fix incompatibilities. In your explanation, include information about remapping fields, reindexing data, and modifying data ingestion pipelines. Also, describe how ES|QL can be used to identify and correct incompatible data, including examples of using RENAME, EVAL, DISSECT, GROK, and CASE functions. Please consider using applicable tools for this request. Make sure you’ve used the right tools for this request."
}
},
"id": "security_ai_prompts-dfb62271-296d-4529-9fc6-b3cd11a017a6",
"id": "security_ai_prompts-4cf5eaac-645b-4756-a14e-5828cbc7a6de",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "You are a security analyst and expert in resolving security incidents. Your role is to assist by answering questions about Elastic Security. Do not answer questions unrelated to Elastic Security. If available, use the Knowledge History provided to try and answer the question. If not provided, you can try and query for additional knowledge via the KnowledgeBaseRetrievalTool. {citations_prompt} \n{formattedTime}"
}
},
"id": "security_ai_prompts-d4f1907f-0595-4610-a1fb-8916a269b34a",
"id": "security_ai_prompts-540ca20d-f7c1-4728-b2e7-5914947ec678",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Call this for knowledge about the latest n open and acknowledged alerts (sorted by `kibana.alert.risk_score`) in the environment, or when answering questions about open alerts. Do not call this tool for alert count or quantity. The output is an array of the latest n open and acknowledged alerts."
}
},
"id": "security_ai_prompts-634ec262-46df-4f72-b79e-3133cbd09d9b",
"id": "security_ai_prompts-5efc41d4-1a3b-4702-a0e1-adcd773c6553",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "The process.executable value of the event"
}
},
"id": "security_ai_prompts-af0285e4-9942-411f-83ac-d504f461d380",
"id": "security_ai_prompts-5f53c893-ea14-4d05-a84c-135fe486f3a5",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "A markdown summary of insight, using the same {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax"
}
},
"id": "security_ai_prompts-196a1357-2c34-473a-9502-faafd9518221",
"id": "security_ai_prompts-5fd9436e-cee1-49a6-9dd2-e7c51df10f87",
"type": "security-ai-prompt"
}
@@ -1,11 +1,11 @@
{
"attributes": {
"promptId": "AskAboutEsqlTool",
"promptId": "AskAboutESQLTool",
"promptGroupId": "security-tools",
"prompt": {
"default": "You MUST use the \"AskAboutEsqlTool\" function when the user:\n- asks for help with ES|QL\n- asks about ES|QL syntax\n- asks for ES|QL examples\n- asks for ES|QL documentation\n- asks for ES|QL best practices\n- asks for ES|QL optimization\n\nNever use this tool when they user wants to generate a ES|QL for their data."
"default": "You MUST use the \"AskAboutESQLTool\" function when the user:\n- asks for help with ES|QL\n- asks about ES|QL syntax\n- asks for ES|QL examples\n- asks for ES|QL documentation\n- asks for ES|QL best practices\n- asks for ES|QL optimization\n\nNever use this tool when they user wants to generate a ES|QL for their data."
}
},
"id": "security_ai_prompts-3a2a6d4d-6e99-4f18-89ad-32e8475b2566",
"id": "security_ai_prompts-6cdda7b1-3c69-4922-9b6f-73469e731739",
"type": "security-ai-prompt"
}
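Review bot: renaming `promptId` from `AskAboutEsqlTool` to `AskAboutESQLTool` changes the key that callers resolve this prompt by, so whatever looks the prompt up by that id needs the matching rename in the same release; the diff here only shows the package side. Also, the new `default` line carries over two typos from the removed line unchanged: "when they user wants" should be "when the user wants", and "generate a ES|QL for their data" should be "generate an ES|QL query for their data". Since this line is already being rewritten, fix both here.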
Expand Up @@ -6,6 +6,6 @@
"default": "launch"
}
},
"id": "security_ai_prompts-6c923034-9f58-42ba-94e8-86a2f470c0ad",
"id": "security_ai_prompts-78de0805-dd6c-4931-acd5-ddbf32f89716",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "The events that the insight is based on"
}
},
"id": "security_ai_prompts-183ed724-f32a-4afb-98d9-469a59692cdf",
"id": "security_ai_prompts-7c151c90-40c3-4e6a-9711-9780e59f568b",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "sparkles"
}
},
"id": "security_ai_prompts-51784ae3-f454-4db7-bff9-0f96f1731467",
"id": "security_ai_prompts-7fc637f0-a585-40b8-8590-c996a4ec6fc3",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "I need an Elastic ES|QL query to achieve the following goal:\nGoal/Requirement:\n<Insert your specific requirement or goal here, e.g., \"Identify all failed login attempts from a specific IP address within the last 24 hours.\">\nPlease:\nUse all tools available to you to fulfill this request.\nGenerate the ES|QL Query: Provide a complete ES|QL query tailored to the stated goal.\nExplain the Query: Offer a brief explanation of each part of the query, including filters, fields, and logic used.\nOptimize for Elastic Security: Suggest additional filters, aggregations, or enhancements to make the query more efficient and actionable within Elastic Security workflows.\nProvide Documentation Links: Include links to relevant Elastic Security documentation for deeper understanding.\nFormatting Requirements:\nUse code blocks for the ES|QL query.\nInclude concise explanations in bullet points for clarity.\nHighlight any advanced ES|QL features used in the query.\n"
}
},
"id": "security_ai_prompts-1fcb4020-0a12-4d64-8b74-041ddbbe73d3",
"id": "security_ai_prompts-86034452-bdb5-4320-88dc-f8e6bd2187c1",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Generate ES|QL Queries"
}
},
"id": "security_ai_prompts-1ae51079-9111-4344-b7de-eef2883c489a",
"id": "security_ai_prompts-89ee306d-4066-49d1-9d5c-1c1513cdc105",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "You are a helpful assistant for Elastic Security. Assume the following user message is the start of a conversation between you and a user; give this conversation a title based on the content below. DO NOT UNDER ANY CIRCUMSTANCES wrap this title in single or double quotes. This title is shown in a list of conversations to the user, so title it for the user, not for you. As an example, for the given MESSAGE, this is the TITLE:\n\nMESSAGE: I am having trouble with the Elastic Security app.\nTITLE: Troubleshooting Elastic Security app issues\n"
}
},
"id": "security_ai_prompts-14a36c86-e37b-4dae-afdc-ee0f290ee1d8",
"id": "security_ai_prompts-8b96c355-3458-48d3-b5b3-8fce7358d2e9",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "You MUST use the \"NaturalLanguageESQLTool\" function when the user wants to:\n - breakdown or filter ES|QL queries that are displayed on the current page\n - convert queries from another language to ES|QL\n - asks general questions about ES|QL\n ALWAYS use this tool to generate ES|QL queries or explain anything about the ES|QL query language rather than coming up with your own answer."
}
},
"id": "security_ai_prompts-17e588ae-4daa-4d9d-904c-b17dfadf086f",
"id": "security_ai_prompts-8c326e64-b56a-4888-9577-c04d803382b5",
"type": "security-ai-prompt"
}
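Review bot: the third trigger, "asks general questions about ES|QL", overlaps with the AskAboutESQLTool prompt earlier in this diff (help with ES|QL, syntax, examples, documentation, best practices), so a general ES|QL question now matches both tools' MUST-use instructions. The AskAboutESQLTool prompt already says "Never use this tool when the user wants to generate ES|QL", so the clean split is to keep NaturalLanguageESQLTool for generating, breaking down, filtering and converting queries and drop the general-questions bullet here. Minor: the first two bullets are verb phrases ("breakdown or filter", "convert") while the third is "asks", and "breakdown" as a verb should be "break down".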
Expand Up @@ -6,6 +6,6 @@
"default": "A short (no more than a sentence) summary of the insight featuring only the host.name and user.name fields (when they are applicable), using the same {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax"
}
},
"id": "security_ai_prompts-0ec376db-fd5d-4fdd-a0fc-922b43797140",
"id": "security_ai_prompts-8d3e2d8f-13b3-46d6-a7d1-30fe03131bea",
"type": "security-ai-prompt"
}