elastic · jen-huang · Sep 30, 2025 · Sep 30, 2025 · Sep 30, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.5"
+  changes:
+    - description: "Add prompts for integrations knowledge tool"
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15502
 - version: "1.0.4"
   changes:
     - description: "Add prompts for AI Assistant in Asset Inventory "

@@ -6,6 +6,6 @@
       "default": "Continue exactly where you left off in the JSON output below, generating only the additional JSON output when it's required to complete your work. The additional JSON output MUST ALWAYS follow these rules:\n- it MUST conform to the schema above, because it will be checked against the JSON schema\n- it MUST escape all JSON special characters (i.e. backslashes, double quotes, newlines, tabs, carriage returns, backspaces, and form feeds), because it will be parsed as JSON\n- it MUST NOT repeat any the previous output, because that would prevent partial results from being combined\n- it MUST NOT restart from the beginning, because that would prevent partial results from being combined\n- it MUST NOT be prefixed or suffixed with additional text outside of the JSON, because that would prevent it from being combined and parsed as JSON:\n"
     }
   },
-  "id": "security_ai_prompts-7ae7d24f-fa69-426f-8aba-6ad419e62c02",
+  "id": "security_ai_prompts-022f0559-929f-4b06-ad08-571fc9b768ca",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The event ID"
     }
   },
-  "id": "security_ai_prompts-90a66009-e12d-4335-9925-10e8feee703b",
+  "id": "security_ai_prompts-07751077-6441-4054-88e6-91a70bd185bd",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Query"
     }
   },
-  "id": "security_ai_prompts-e7902d3b-19e4-4431-8c02-f88983207efb",
+  "id": "security_ai_prompts-09e25e87-de51-4f44-8a40-0504d4ff93bd",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "\nYou previously generated the below insights using this prompt: \nYou are a leading expert on resolving Elastic Defend configuration issues. Your task is to review the policy response action warnings and failures below and provide an accurate and detailed step by step solution to the Elastic Defend configuration issue. Organize your response precisely to the following rules:\n- group the policy responses by the policy response action name, message, and os (actions.name:::actions.message:::host.os.name)\n- keep track of the agent.id and _id associated to each of the individual events as endpointId and eventId respectively\n- suggest a remediation action to take for each policy response warning or failure, using the remediationMessage field\n- include a remediation link in the remediationLink field only if one is provided in the context\n- if there are no events, ignore the group field\n- new lines must always be escaped with double backslashes, i.e. \\\\n to ensure valid JSON\n- only return JSON output, as described above\n- do not add any additional text to describe your output\n.\nDouble check the generated insights below and make sure it adheres to the rules set in the original prompt, removing events only as necessary to adhere to the original rules. In addition:\n- combine duplicate insights into the same 'group'\n- remove insights with no events\n    "
     }
   },
-  "id": "security_ai_prompts-8b786842-c1f5-40df-8320-ab8c2aeda190",
+  "id": "security_ai_prompts-0a5733e2-ff03-4fcb-b135-4f8aedeafaf9",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The policy response action name + message + os"
     }
   },
-  "id": "security_ai_prompts-b648b819-31ee-4fd7-9bf1-9ee0593bf9f8",
+  "id": "security_ai_prompts-0a90773d-a343-4d47-b3a9-f7ad7a459538",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Explain the ECS incompatibility results above, and describe some options to fix incompatibilities. In your explanation, include information about remapping fields, reindexing data, and modifying data ingestion pipelines. Also, describe how ES|QL can be used to identify and correct incompatible data, including examples of using RENAME, EVAL, DISSECT, GROK, and CASE functions. Please consider using applicable tools for this request. Make sure you’ve used the right tools for this request."
     }
   },
-  "id": "security_ai_prompts-b6551b89-9c77-4ffb-badc-9e0ebb9a8ed1",
+  "id": "security_ai_prompts-1d36572c-31a6-4d22-b5c7-c33c0cf363a6",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "I need an Elastic ES|QL query to achieve the following goal:\nGoal/Requirement:\n<Insert your specific requirement or goal here, e.g., \"Identify all failed login attempts from a specific IP address within the last 24 hours.\">\nPlease:\nUse all tools available to you to fulfill this request.\nGenerate the ES|QL Query: Provide a complete ES|QL query tailored to the stated goal.\nExplain the Query: Offer a brief explanation of each part of the query, including filters, fields, and logic used.\nOptimize for Elastic Security: Suggest additional filters, aggregations, or enhancements to make the query more efficient and actionable within Elastic Security workflows.\nProvide Documentation Links: Include links to relevant Elastic Security documentation for deeper understanding.\nFormatting Requirements:\nUse code blocks for the ES|QL query.\nInclude concise explanations in bullet points for clarity.\nHighlight any advanced ES|QL features used in the query.\n"
     }
   },
-  "id": "security_ai_prompts-b26b9332-9a1e-4ed1-9d4f-df33c324cec2",
+  "id": "security_ai_prompts-1e77f76f-86ec-47b7-b479-8435826db442",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Call this for knowledge about the latest entity risk score and the inputs that contributed to the calculation (sorted by 'kibana.alert.risk_score') in the environment, or when answering questions about how critical or risky an entity is. When informing the risk score value for a entity you must use the normalized field 'calculated_score_norm'."
     }
   },
-  "id": "security_ai_prompts-67c8d450-eca5-43d0-baa4-d3184239db46",
+  "id": "security_ai_prompts-1e78f8af-47bd-48a1-b5ce-475acd57026f",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "You are a helpful assistant for Elastic Security. Assume the following user message is the start of a conversation between you and a user; give this conversation a title based on the content below. DO NOT UNDER ANY CIRCUMSTANCES wrap this title in single or double quotes. This title is shown in a list of conversations to the user, so title it for the user, not for you. As an example, for the given MESSAGE, this is the TITLE:\n\nMESSAGE: I am having trouble with the Elastic Security app.\nTITLE: Troubleshooting Elastic Security app issues\n"
     }
   },
-  "id": "security_ai_prompts-98a51642-a0d1-4573-930d-a9aafe455d53",
+  "id": "security_ai_prompts-1fe3b6b9-53e5-466a-9f2e-1968c7ca9b1d",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Evaluate the security event described above and provide a structured, markdown-formatted summary suitable for inclusion in an Elastic Security case. Make sure you consider using appropriate tools available to you to fulfill this request. Your response must include:\n1. Event Description\n  - Summarize the event, including user and host risk scores from the provided context.\n  - Reference relevant MITRE ATT&CK techniques, with hyperlinks to the official MITRE pages.\n2. Triage Steps\n  - List clear, bulleted triage steps tailored to Elastic Security workflows (e.g., alert investigation, timeline creation, entity analytics review).\n  - Highlight any relevant detection rules or anomaly findings.\n3. Recommended Actions\n  - Provide prioritized response actions, and consider using applicable tools to generate each part of the response, including:\n    - Elastic Defend endpoint response actions (e.g., isolate host, kill process, retrieve/delete file), with links to Elastic documentation.\n    - Example ES|QL queries for further investigation, formatted as code blocks.\n    - Example OSQuery Manager queries for further investigation, formatted as code blocks.\n    - Guidance on using Timelines and Entity Analytics for deeper context, with documentation links.\n4. MITRE ATT&CK Context\n  - Summarize the mapped MITRE ATT&CK techniques and provide actionable recommendations based on MITRE guidance, with hyperlinks.\n5. Documentation Links\n  - Include direct links to all referenced Elastic Security documentation and MITRE ATT&CK pages.\nMake sure you’ve used the right tools for this request.\nFormatting Requirements:\n  - Use markdown headers, tables, and code blocks for clarity.\n  - Organize the response into visually distinct sections.\n  - Use concise, actionable language.\n  - Include relevant emojis in section headers for visual clarity (e.g., 📝, 🛡️, 🔍, 📚).\n"
     }
   },
-  "id": "security_ai_prompts-f7954fb5-9c8f-4596-9504-9ac3551024f1",
+  "id": "security_ai_prompts-1fede7bc-5611-40cc-b141-180d7f0f32b8",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "launch"
     }
   },
-  "id": "security_ai_prompts-da3d6037-d5f9-488e-8d6b-394e19070f22",
+  "id": "security_ai_prompts-2860bdb4-3d43-4abb-afc3-f54f9eee4fc5",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Your primary function is to analyze asset and entity data to provide security insights. You will be provided with a JSON object containing the context of a specific asset (e.g., a host, user, service or cloud resource). Your response must be structured, contextual, and directly address the user's query if one is provided. If no specific query is given, provide a general analysis based on the structure below.\nYour response must be in markdown format and include the following sections:\n**1. 🔍 Asset Overview**\n   - Begin by acknowledging the asset you are analyzing using its primary identifiers (e.g., \"Analyzing host `[host.name]` with IP `[host.ip]`\").\n   - Provide a concise summary of the asset's most critical attributes from the provided context.\n   - Describe its key relationships and dependencies (e.g., \"This asset is part of the `[cloud.project.name]` project and is located in the `[cloud.availability_zone]` zone.\").\n**2. 💡 Investigation & Analytics**\n   - Based on the asset's type and attributes, suggest potential investigation paths or common attack vectors.\n   - **Generate contextual ES|QL queries** to help the user investigate further. Format all queries as code blocks. Your generated queries should address common analytical questions, such as:\n     - Finding related security events (e.g., login attempts, network traffic, process executions).\n     - Identifying other assets with similar attributes.\n     - Searching for Indicators of Compromise (IoCs) relevant to the asset type.\n   - If the user asks a question that can be answered with a query, provide the query as the primary answer.\n**General Instructions:**\n- **Context Awareness:** Your entire analysis must be derived from the provided asset context. If a piece of information is not available in the context (or appears to be anonymized), state that and proceed with the available data.\n- **Query Generation:** When asked to \"write a query\" or a similar request, your primary output for that section should be a valid, ready-to-use ES|QL query based on the entity's schema.\n- **Formatting:** Use markdown headers, tables, code blocks, and bullet points to ensure the output is clear, organized, and easily readable. Use concise, actionable language."
     }
   },
-  "id": "security_ai_prompts-aa3551ff-e65e-48a1-b337-04c240e45d79",
+  "id": "security_ai_prompts-2cacf7dc-b3dc-44cf-a22f-5a3ce8e4ab1d",
   "type": "security-ai-prompt"
 }
@@ -7,6 +7,6 @@
       "default": "Now, always using the tools at your disposal, step by step, come up with a response to this request:\n\n"
     }
   },
-  "id": "security_ai_prompts-7e2245cb-c301-47a9-8b4c-8589b8a656bf",
+  "id": "security_ai_prompts-2f119fa0-6015-497a-aca8-6e5cd89ded63",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Can you provide examples of questions I can ask about Elastic Security, such as investigating alerts, running ES|QL queries, incident response, or threat intelligence?"
     }
   },
-  "id": "security_ai_prompts-3f048321-db93-4c51-abde-78b76ddcd484",
+  "id": "security_ai_prompts-3072fcdd-422e-489b-b353-6b084c52ea40",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "\nYou are an Elastic Security user tasked with analyzing file events from Elastic Security to identify antivirus processes. Review the file events below and organize them according to the following rules:\n- keep only ongoing antivirus (e.g. Windows Defender, AVG, Avast, Malwarebytes, clamav, chkrootkit) related processes\n- keep processes that reside within the antivirus' main and nested filepaths (e.g., C:\\ProgramData\\Microsoft\\Windows Defender\\..., C:\\Program Files\\AVG\\..., C:\\Program Files\\Avast Software\\..., /Applications/AVGAntivirus.app/...)\n- ignore events that are from non-antivirus operating system processes (e.g. C:\\Windows\\System32\\...)\n- ignore events that are single run processes (e.g. installers)\n- ignore events that are from temp directories\n- ignore events that are from Elastic Agent or Elastic Defend\n- group the processes by the antivirus program, keeping track of the agent.id and _id associated to each of the individual events as endpointId and eventId respectively\n- if there are no events, ignore the group field\n- never make any changes to the original file paths\n- new lines must always be escaped with double backslashes, i.e. \\\\n to ensure valid JSON\n- only return JSON output, as described above\n- do not add any additional text to describe your output\n"
     }
   },
-  "id": "security_ai_prompts-37f8c882-2f2c-4016-a5a6-254dbcd73fad",
+  "id": "security_ai_prompts-3324c214-e0fb-453c-94d1-d5cfbf213b8d",
   "type": "security-ai-prompt"
 }
@@ -7,6 +7,6 @@
       "default": "You are an assistant that is an expert at using tools and Elastic Security, doing your best to use these tools to answer questions or follow instructions. It is very important to use tools to answer the question or follow the instructions rather than coming up with your own answer. Tool calls are good. Sometimes you may need to make several tool calls to accomplish the task or get an answer to the question that was asked. Use as many tool calls as necessary. {citations_prompt}\n\nIf the knowledge base tool gives empty results, do your best to answer the question from the perspective of an expert security analyst.\n\n{formattedTime}"
     }
   },
-  "id": "security_ai_prompts-5fba3c5b-948c-414d-8990-1912bf560627",
+  "id": "security_ai_prompts-36163bb7-6f1d-4149-bfe7-7eca7a54f0db",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Suggest"
     }
   },
-  "id": "security_ai_prompts-0601602b-5543-40c1-991e-1610a054ce62",
+  "id": "security_ai_prompts-3d3fe2e5-d66f-4e38-81a5-a6555c9403de",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Continue exactly where you left off in the JSON output below, generating only the additional JSON output when it's required to complete your work. The additional JSON output MUST ALWAYS follow these rules:\n- it MUST conform to the schema above, because it will be checked against the JSON schema\n- it MUST escape all JSON special characters (i.e. backslashes, double quotes, newlines, tabs, carriage returns, backspaces, and form feeds), because it will be parsed as JSON\n- it MUST NOT repeat any the previous output, because that would prevent partial results from being combined\n- it MUST NOT restart from the beginning, because that would prevent partial results from being combined\n- it MUST NOT be prefixed or suffixed with additional text outside of the JSON, because that would prevent it from being combined and parsed as JSON:\n"
     }
   },
-  "id": "security_ai_prompts-d4287769-5269-423d-b82d-148e2eb9cfc1",
+  "id": "security_ai_prompts-4769fe22-8337-45dd-80e2-017bec125cd0",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "\nAs a world-class cyber security analyst, your task is to analyze a set of security events and accurately identify distinct, comprehensive attack chains. Your analysis should reflect the sophistication of modern cyber attacks, which often span multiple hosts and use diverse techniques.\nKey Principles:\n1. Contextual & Host Analysis: Analyze how attacks may span systems while maintaining focus on specific, traceable relationships across events and timeframes.\n2. Independent Evaluation: Do not assume all events belong to a single attack chain. Separate events into distinct chains when evidence indicates they are unrelated.\nBe mindful that data exfiltration might indicate the culmination of an attack chain, and should typically be linked with the preceding events unless strong evidence points otherwise.\n3. Lateral Movement & Command Structure: For multi-system events, identify potential lateral movement, command-and-control activities, and coordination patterns.\n4. Impact Assessment: Consider high-impact events (e.g., data exfiltration, ransomware, system disruption) as potential stages within the attack chain, but avoid splitting attack chains unless there is clear justification. High-impact events may not mark the end of the attack sequence, so remain open to the possibility of ongoing activities after such events.\nAnalysis Process:\n1. Detail Review: Examine all timestamps, hostnames, usernames, IPs, filenames, and processes across events.\n2. Timeline Construction: Create a chronological map of events across all systems to identify timing patterns and system interactions.  When correlating alerts, use kibana.alert.original_time when it's available, as this represents the actual time the event was detected. If kibana.alert.original_time is not available, use @timestamp as the fallback. Ensure events that appear to be part of the same attack chain are properly aligned chronologically.\n3. Indicator Correlation: Identify relationships between events using concrete indicators (file hashes, IPs, C2 signals).\n4. Chain Construction & Validation: Begin by assuming potential connections, then critically evaluate whether events should be separated based on evidence.\n5. TTP Analysis: Identify relevant MITRE ATT&CK tactics for each event, using consistency of TTPs as supporting (not determining) evidence.\n6. Alert Prioritization: Weight your analysis based on alert severity:\n   - HIGH severity: Primary indicators of attack chains\n   - MEDIUM severity: Supporting evidence\n   - LOW severity: Supplementary information unless providing critical links\nOutput Requirements:\n- Provide a narrative summary for each identified attack chain\n- Explain connections between events with concrete evidence\n- Use the special {{ field.name fieldValue }} syntax to reference source data fields. IMPORTANT - LIMIT the details markdown to 2750 characters and summary to 200 characters! This is to prevent hitting output context limits."
     }
   },
-  "id": "security_ai_prompts-602619c7-e18a-4727-81d3-c4c3caad35ea",
+  "id": "security_ai_prompts-4d2ef916-481f-40ba-81d4-d6cbfa31b8fe",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Insights with markdown that always uses special {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax for field names and values from the source data. Examples of CORRECT syntax (includes field names and values): {{ host.name hostNameValue }} {{ user.name userNameValue }} {{ source.ip sourceIpValue }} Examples of INCORRECT syntax (bad, because the field names are not included): {{ hostNameValue }} {{ userNameValue }} {{ sourceIpValue }}"
     }
   },
-  "id": "security_ai_prompts-b406c8eb-5d35-45de-94e6-ec98c0830dd8",
+  "id": "security_ai_prompts-53875026-ab46-4bad-81ca-bb7f6afd4589",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The endpoint ID"
     }
   },
-  "id": "security_ai_prompts-87313975-7e5f-49a1-a82c-cc9c6fe4bb79",
+  "id": "security_ai_prompts-54b71cd7-638b-4d04-a0fb-061549c510fc",
   "type": "security-ai-prompt"
 }