elastic · denar50 · Dec 5, 2025 · Dec 2, 2025 · Dec 2, 2025 · Dec 4, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.12"
+  changes:
+    - description: "Improvements to Value Report prompt to limit the character size of the response."
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16210
 - version: "1.0.11"
   changes:
     - description: "Improvements to Attack Discovery prompts to reduce false positives."

@@ -6,6 +6,6 @@
       "default": "Call this for knowledge from Elastic Security Labs content, which contains information on malware, attack techniques, and more."
     }
   },
-  "id": "security_ai_prompts-29671a04-f777-4d33-ae79-6e1491bab168",
+  "id": "security_ai_prompts-00725554-3b3f-4cc6-963f-4094485ef803",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The endpoint ID"
     }
   },
-  "id": "security_ai_prompts-49329488-992b-4375-83c1-4ae31d2a1ef3",
+  "id": "security_ai_prompts-068ca74b-1e48-434e-b649-9a3ceffd4b4a",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "You MUST use the \"GenerateESQLTool\" function when the user wants to:\n- generate an ES|QL query\n- convert queries from another language to ES|QL they can run on their cluster\n\nALWAYS use this tool to generate ES|QL queries and never generate ES|QL any other way."
     }
   },
-  "id": "security_ai_prompts-00bc8bdc-cc7f-4191-9a91-7e5b7fdfff33",
+  "id": "security_ai_prompts-06947906-3563-406c-a9ec-6ce21034449f",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Call this for knowledge about the latest entity risk score and the inputs that contributed to the calculation (sorted by 'kibana.alert.risk_score') in the environment, or when answering questions about how critical or risky an entity is. When informing the risk score value for a entity you must use the normalized field 'calculated_score_norm'."
     }
   },
-  "id": "security_ai_prompts-617f3a46-d62b-4c39-90ab-b7a09497fa7d",
+  "id": "security_ai_prompts-09966b98-6a44-4d87-bc95-a785b05a2bf5",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "A short (no more than a sentence) summary of the insight featuring only the host.name and user.name fields (when they are applicable), using the same {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax"
     }
   },
-  "id": "security_ai_prompts-26a66384-6a5b-4907-a9b9-8e3a89ca2946",
+  "id": "security_ai_prompts-0ed02f5b-236d-45f0-809e-2650655b3e1f",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "launch"
     }
   },
-  "id": "security_ai_prompts-73c19c7c-4d4a-46cd-9b59-d75036b5ee4c",
+  "id": "security_ai_prompts-0ef73ced-c9ee-4735-91e2-b6b21ac961c2",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The policy response ID"
     }
   },
-  "id": "security_ai_prompts-3c2ace9c-2906-4e64-b8bb-c7ae9e8a71da",
+  "id": "security_ai_prompts-10a2378c-6437-4afb-9c74-96f31ee1364c",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The events that the insight is based on"
     }
   },
-  "id": "security_ai_prompts-61719fd0-9452-4309-952e-e7e633ce6ebd",
+  "id": "security_ai_prompts-13ffb553-100f-40fd-b1f7-a7a84f54c3aa",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The actions.message value of the policy response"
     }
   },
-  "id": "security_ai_prompts-0417a42d-ddb9-4f4b-996b-24fb5588cd1e",
+  "id": "security_ai_prompts-205726db-bdf1-4b66-a657-293b3c1172e8",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The endpoint ID"
     }
   },
-  "id": "security_ai_prompts-a3a9e5b3-08c6-4018-98dd-03a57bc8735e",
+  "id": "security_ai_prompts-2481658b-7a20-4304-a922-3fc6fa0f29d9",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "A markdown summary of insight, using the same {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax"
     }
   },
-  "id": "security_ai_prompts-ab736de0-c88c-4756-a162-3bfdb8106d65",
+  "id": "security_ai_prompts-25985bcc-3577-45c9-abc2-8df718090da9",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The policy response action name + message + os"
     }
   },
-  "id": "security_ai_prompts-943624c6-d3f1-4188-9cf6-aea25e7512a0",
+  "id": "security_ai_prompts-25cedcc5-ddbe-4a80-88d8-125bab4c89e7",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "\nAs a world-class cyber security analyst, your task is to analyze a set of security events and accurately identify distinct, comprehensive attack chains. Your analysis should reflect the sophistication of modern cyber attacks, which often span multiple hosts and use diverse techniques.\nKey Principles:\n1. \"Attack Chain\" Definition: For this task, we define an \"Attack Chain\" as 2 or more alerts that demonstrate a progression of a real or simulated (red team) adversary. Attack chains must consist of alerts from more than one rule. A single alert, or multiple alerts of the same rule or behavior, should never generate an attack chain.\n2. False Positives: Most alerts are false positives, even if they look alarming or anomalous at first glance. Exclude alerts or attacks that are likely false positives. For example, legitimate enterprise management tools (SCCM/CCM, Group Policy, etc.) often trigger security alerts during normal operations. Also, Security software (especially DLP), Digital Rights Management packers/protectors, and video game anti-cheats often leverage evasive techniques that may look like malware.\n3. Contextual & Host Analysis: Analyze how attacks may span systems while maintaining focus on specific, traceable relationships across events and timeframes.\n4. Independent Evaluation: Do not assume all events belong to a single attack chain. Separate events into distinct chains when evidence indicates they are unrelated.\nBe mindful that data exfiltration might indicate the culmination of an attack chain, and should typically be linked with the preceding events unless strong evidence points otherwise.\n5. Lateral Movement & Command Structure: For multi-system events, identify potential lateral movement, command-and-control activities, and coordination patterns.\n6. Impact Assessment: Consider high-impact events (e.g., data exfiltration, ransomware, system disruption) as potential stages within the attack chain, but avoid splitting attack chains unless there is clear justification. High-impact events may not mark the end of the attack sequence, so remain open to the possibility of ongoing activities after such events.\nAnalysis Process:\n1. Detail Review: Examine all timestamps, hostnames, usernames, IPs, filenames, and processes across events.\n2. Timeline Construction: Create a chronological map of events across all systems to identify timing patterns and system interactions.  When correlating alerts, use kibana.alert.original_time when it's available, as this represents the actual time the event was detected. If kibana.alert.original_time is not available, use @timestamp as the fallback. Ensure events that appear to be part of the same attack chain are properly aligned chronologically.\n3. Indicator Correlation: Identify relationships between events using concrete indicators (file hashes, IPs, C2 signals, process trees). Do not group alerts solely because they occur on the same host in a short timeframe. They must demonstrate a direct correlation. For example, a malware alert triggers on one process, then a child of this process accesses credentials.\n4. Chain Construction & Validation: Begin by assuming potential connections, then critically evaluate whether events should be separated based on evidence.\n5. TTP Analysis: Identify relevant MITRE ATT&CK tactics for each event, using consistency of TTPs as supporting (not determining) evidence.\n6. Alert Prioritization: Weight your analysis based on alert severity:\n   - HIGH severity: Primary indicators of attack chains\n   - MEDIUM severity: Supporting evidence\n   - LOW severity: Supplementary information unless providing critical links\n\nOutput Requirements:\n- Think through the problem step by step. Show your reasoning before the json output section. This is the only output that is allowed outside of the defined json schema.\n- Provide a narrative summary for each identified attack chain\n- Explain connections between events with concrete evidence\n- Use the special {{ field.name fieldValue }} syntax to reference source data fields. IMPORTANT - LIMIT the details markdown to 2750 characters and summary to 200 characters! This is to prevent hitting output context limits."
     }
   },
-  "id": "security_ai_prompts-b7ca3eaf-a009-4d84-b6c0-685b15dc56eb",
+  "id": "security_ai_prompts-33ac75df-4292-48da-a34c-27b078ca2378",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The program which is triggering the events"
     }
   },
-  "id": "security_ai_prompts-7f0fddf6-7781-4a8a-860d-f297fd34dc93",
+  "id": "security_ai_prompts-36e68507-e0fa-47c5-a1bd-07ec94f196ca",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Generate ES|QL Queries"
     }
   },
-  "id": "security_ai_prompts-b4a5296e-7fdb-419e-b513-7f6ff8213e4d",
+  "id": "security_ai_prompts-3762a127-7e87-4caf-96a5-2577cb47a7d4",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Alerts"
     }
   },
-  "id": "security_ai_prompts-3cfd0038-1214-4d9c-b71e-2c5c4c88a80e",
+  "id": "security_ai_prompts-3be6090f-251c-4f5a-b091-5383d72c0beb",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "You are given Elasticsearch Lens aggregation results showing cost savings over time:"
     }
   },
-  "id": "security_ai_prompts-5422a953-770b-45bb-a004-dd4911741fa2",
+  "id": "security_ai_prompts-3f9a490f-a755-45ad-b926-8b644bb8484c",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "You MUST use the \"AskAboutESQLTool\" function when the user:\n- asks for help with ES|QL\n- asks about ES|QL syntax\n- asks for ES|QL examples\n- asks for ES|QL documentation\n- asks for ES|QL best practices\n- asks for ES|QL optimization\n\nNever use this tool when they user wants to generate a ES|QL for their data."
     }
   },
-  "id": "security_ai_prompts-6402ff9b-d589-4324-a048-faaede3dc27f",
+  "id": "security_ai_prompts-41a2c313-b8af-48ea-916c-040f7505df91",
   "type": "security-ai-prompt"
 }
@@ -7,6 +7,6 @@
       "default": "You are an assistant that is an expert at using tools and Elastic Security, doing your best to use these tools to answer questions or follow instructions. It is very important to use tools to answer the question or follow the instructions rather than coming up with your own answer. Tool calls are good. Sometimes you may need to make several tool calls to accomplish the task or get an answer to the question that was asked. Use as many tool calls as necessary. {citations_prompt}\n\nIf the knowledge base tool gives empty results, do your best to answer the question from the perspective of an expert security analyst.\n\n{formattedTime}"
     }
   },
-  "id": "security_ai_prompts-195e4aa6-4ef0-4d8a-a68a-fcbc5f63f6d1",
+  "id": "security_ai_prompts-43185e9d-0019-4589-985d-30b171f92dce",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Return **only a single-line stringified JSON object** without any code fences, explanations, or variable assignments. Do **not** wrap the output in triple backticks or any Markdown code block. \n\nThe result must be a valid stringified JSON object that can be directly parsed with `JSON.parse()` in JavaScript.\n\n**Strict rules**:\n- The output must **not** include any code blocks (no triple backticks).\n- The output must be **a string**, ready to be passed directly into `JSON.parse()`.\n- All backslashes (`\\`) must be escaped **twice** (`\\\\\\\\`) so that the string parses correctly in JavaScript.\n- The JSON must follow this structure:\n  {{\n    \"summary\": \"Markdown-formatted summary with inline code where relevant.\",\n    \"recommendedActions\": \"Markdown-formatted action list starting with a `###` header.\"\n  }}\n- The summary text should just be text. It does not need any titles or leading items in bold.\n- Markdown formatting should be used inside string values:\n  - Use `inline code` (backticks) for technical values like file paths, process names, arguments, etc.\n  - Use `**bold**` for emphasis.\n  - Use `-` for bullet points.\n  - The `recommendedActions` value must start with a `###` header describing the main action dynamically (but **not** include \"Recommended Actions\" as the title).\n- **Do not** include any extra explanation or text. Only return the stringified JSON object.\n\nThe response should look like this:\n{{\"summary\":\"Markdown-formatted summary text.\",\"recommendedActions\":\"Markdown-formatted action list starting with a ### header.\"}}"
     }
   },
-  "id": "security_ai_prompts-54b15ed8-2419-4434-ac2d-9ee48e5a1cc3",
+  "id": "security_ai_prompts-475d1674-9c72-4594-8aac-e1c009f0e6af",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Suggest"
     }
   },
-  "id": "security_ai_prompts-e8f12368-36ac-465f-9cd5-c3238251af62",
+  "id": "security_ai_prompts-4a7af249-6f05-4994-b45c-7b95a1ca7e6b",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "\nYou are an Elastic Security user tasked with analyzing file events from Elastic Security to identify antivirus processes. Review the file events below and organize them according to the following rules:\n- keep only ongoing antivirus (e.g. Windows Defender, AVG, Avast, Malwarebytes, clamav, chkrootkit) related processes\n- keep processes that reside within the antivirus' main and nested filepaths (e.g., C:\\ProgramData\\Microsoft\\Windows Defender\\..., C:\\Program Files\\AVG\\..., C:\\Program Files\\Avast Software\\..., /Applications/AVGAntivirus.app/...)\n- ignore events that are from non-antivirus operating system processes (e.g. C:\\Windows\\System32\\...)\n- ignore events that are single run processes (e.g. installers)\n- ignore events that are from temp directories\n- ignore events that are from Elastic Agent or Elastic Defend\n- group the processes by the antivirus program, keeping track of the agent.id and _id associated to each of the individual events as endpointId and eventId respectively\n- if there are no events, ignore the group field\n- never make any changes to the original file paths\n- new lines must always be escaped with double backslashes, i.e. \\\\n to ensure valid JSON\n- only return JSON output, as described above\n- do not add any additional text to describe your output\n"
     }
   },
-  "id": "security_ai_prompts-e6e41b64-7b8d-45c2-8dc4-0c334f1c1c39",
+  "id": "security_ai_prompts-4e2b2683-a7d8-4dca-9b21-0415fd2545e9",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "Call this for Elastic Defend insights."
     }
   },
-  "id": "security_ai_prompts-8eed0075-beee-48e5-b146-9f9c0971c45a",
+  "id": "security_ai_prompts-4eecdcda-b499-4914-a700-05ce8bc965b5",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "\nYou previously generated the below insights using this prompt: \nYou are an Elastic Security user tasked with analyzing file events from Elastic Security to identify antivirus processes. Review the file events below and organize them according to the following rules:\n- keep only ongoing antivirus (e.g. Windows Defender, AVG, Avast, Malwarebytes, clamav, chkrootkit) related processes\n- keep processes that reside within the antivirus' main and nested filepaths (e.g., C:\\ProgramData\\Microsoft\\Windows Defender\\..., C:\\Program Files\\AVG\\..., C:\\Program Files\\Avast Software\\..., /Applications/AVGAntivirus.app/...)\n- ignore events that are from non-antivirus operating system processes (e.g. C:\\Windows\\System32\\...)\n- ignore events that are single run processes (e.g. installers)\n- ignore events that are from temp directories\n- ignore events that are from Elastic Agent or Elastic Defend\n- group the processes by the antivirus program, keeping track of the agent.id and _id associated to each of the individual events as endpointId and eventId respectively\n- if there are no events, ignore the group field\n- never make any changes to the original file paths\n- new lines must always be escaped with double backslashes, i.e. \\\\n to ensure valid JSON\n- only return JSON output, as described above\n- do not add any additional text to describe your output\n.\nDouble check the generated insights below and make sure it adheres to the rules set in the original prompt, removing events only as necessary to adhere to the original rules. In addition:\n- combine duplicate insights into the same 'group' (e.g. AVG + AVG Free + AVG Hub + AVG Antivirus)\n- remove insights with no events\n    "
     }
   },
-  "id": "security_ai_prompts-6443bb46-25d7-4b04-9c2b-2b4ca0f46464",
+  "id": "security_ai_prompts-524f96d9-1cb5-49e9-b980-2dfdfeead812",
   "type": "security-ai-prompt"
 }
@@ -6,6 +6,6 @@
       "default": "The suggested remediation action to take for the policy response failure"
     }
   },
-  "id": "security_ai_prompts-80662ff0-f9f5-4c68-b512-8c6a167bf201",
+  "id": "security_ai_prompts-535ea853-5a14-445b-9657-d147b0135531",
   "type": "security-ai-prompt"
 }
@@ -0,0 +1,11 @@
+{
+  "attributes": {
+    "promptId": "costSavingsInsightPart2",
+    "promptGroupId": "aiForSoc",
+    "prompt": {
+      "default": "Generate a concise bulleted summary in mdx markdown, no more than 500 characters. Follow the style and tone of the example below, highlighting key trends, averages, peaks, and projections:\n\n```\n- Between July 18 and August 18, daily cost savings **averaged around $135K**\n- The lowest point, **just above $70K**, occurred in early August.\n- **Peaks near $160K** appeared in late July and mid-August.\n- After a mid-period decline, savings steadily recovered and grew toward the end of the month.\n- At this pace, projected annual savings **exceed $48M**, confirming strong and predictable ROI.\n```\n\nRespond only with the markdown. Do not include any explanation or extra text."
+    }
+  },
+  "id": "security_ai_prompts-54107934-db12-477f-870a-ea228568525a",
+  "type": "security-ai-prompt"
+}
@@ -6,6 +6,6 @@
       "default": "Can you provide examples of questions I can ask about Elastic Security, such as investigating alerts, running ES|QL queries, incident response, or threat intelligence?"
     }
   },
-  "id": "security_ai_prompts-173bfe03-3bfb-4a88-96d5-8806dce28d89",
+  "id": "security_ai_prompts-5416ca1e-cdb0-4ee3-959b-7ba516c095de",
   "type": "security-ai-prompt"
 }