[Security Solution] Security AI Assistant persistent storage.#173487
YulNaumenko merged 175 commits into elastic:main from
Conversation
xcrzx left a comment:
The Rules Area changes are pretty straightforward, LGTM 👍
andrew-goldstein left a comment:
Thanks @YulNaumenko for realizing persistence of conversations, and for all the foundational APIs and abstractions created in this PR! 🙏
✅ Desk tested conversation migration, ES|QL query generation, RAG on alerts use cases, and local context (all with anonymization)
LGTM 🚀
💛 Build succeeded, but was flaky
````ts
 * and suffixed with "\n```", this function will attempt to parse it and return
 * the `action_input` property if it exists.
 */
export const getFormattedMessageContent = (content: string): string => {
````
I'm wondering if we should not have deleted this? @andrew-goldstein
I see an error in our telemetry logs like:
Failed to parse. Text: "```json { "action": "Final Answer", "action_input": "Here are a few more example ES|QL queries for different data exfiltration scenarios:\n\n1. Detect large volumes of network traffic by user and process:\n```\nFROM logs-*\n| WHERE event.category == \"network\" AND agent.type == \"windows\"\n| STATS bytes = sum(network.bytes) BY process.name, user.name, source.ip, destination.ip\n| EVAL mb = bytes / (1024 * 1024)\n| WHERE mb > <network_threshold_value>\n| SORT mb DESC\n| KEEP process.name, user.name, source.ip, destination.ip, mb\n```\n2. Detect unusual file creation activity:\n```\nFROM logs-*\n| WHERE event.category == \"file\" AND event.action == \"create\" AND agent.type == \"windows\"\n| STATS count() BY process.name, user.name, host.name, file.extension\n| WHERE count() > <file_creation_threshold_value>\n| SORT count() DESC\n| KEEP process.name, user.name, host.name, file.extension, count()\n```\n3. Detect suspicious email attachments:\n```\nFROM logs-*\n| WHERE event.category == \"email\" AND event.action == \"send\" AND agent.type == \"windows\"\n| WHERE file.extension IN (\\".exe\", \\".bat\", \\".com\", \\".dll\", \\".docm\", \\".jar\", \\".js\", \\".jse\", \\".lnk\", \\".msi\", \\".ps\", \\".ps1\", \\".scr\", \\".vbs\", \\".wsf\")\n| STATS count() BY process.name, user.name, source.email, destination.email, file.name\n| WHERE count() > <email_attachment_threshold_value>\n| SORT count() DESC\n| KEEP process.name, user.name, source.email, destination.email, file.name, count()\n```\nRemember to replace `<network_threshold_value>`, `<file_creation_threshold_value>`, and `<email_attachment_threshold_value>` with values appropriate for your environment. Adjust the queries as needed based on your specific logging setup and fields." } ```". Error: SyntaxError: Expected ',' or '}' after property value in JSON at position 1101
Could this be coming from us?
@stephmilovic, that was from my cluster.
But it is an 8.13 cluster, before this code was deleted.
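As an added example (not Kibana's code) of the failure mode in that telemetry log: a defensive version of the fenced-JSON unwrapping that `getFormattedMessageContent` performed, which returns the raw text on any parse error instead of throwing. The two sample inputs are constructed, not taken from a real cluster.

```typescript
// Added example (not Kibana's code): a defensive take on the
// getFormattedMessageContent behaviour discussed above. It unwraps a
// fenced json "Final Answer" block and returns action_input, but treats
// model output as untrusted text: any parse failure returns the original
// content instead of throwing.
const FENCE = '`'.repeat(3);            // triple backtick, built to keep this file fence-safe
const PREFIX = `${FENCE}json`;

interface FinalAnswer {
  action?: unknown;
  action_input?: unknown;
}

function getFormattedMessageContent(content: string): string {
  const trimmed = content.trim();
  if (!trimmed.startsWith(PREFIX) || !trimmed.endsWith(FENCE)) {
    return content; // not a fenced JSON block: pass through unchanged
  }
  // Strip only the outer fence; fences inside the JSON string are data.
  const inner = trimmed.slice(PREFIX.length, trimmed.length - FENCE.length);
  try {
    const parsed = JSON.parse(inner) as FinalAnswer;
    if (typeof parsed.action_input === 'string') {
      return parsed.action_input;
    }
  } catch {
    // Malformed JSON, e.g. the double-escaped quotes (\\") seen in the
    // telemetry log: fall through and return the raw content.
  }
  return content;
}

// Constructed samples, not taken from a real cluster.
// 1) Valid block whose action_input itself contains a nested fence.
const wellFormed =
  `${PREFIX}\n{ "action": "Final Answer", "action_input": "Use:\\n${FENCE}\\nFROM logs-*\\n| LIMIT 10\\n${FENCE}" }\n${FENCE}`;
// 2) The failure mode from the log: \\" ends the JSON string early.
const malformed =
  `${PREFIX}\n{ "action": "Final Answer", "action_input": "IN (\\\\".exe\\", \\\\".bat\\")" }\n${FENCE}`;
```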
Summary
This PR includes both new APIs and client-side changes to use a data stream for Security Solution AI Assistant conversation persistence storage.
Issue https://github.com/elastic/security-team/issues/7810
Extended description
elastic-assistant plugin
All API changes are introduced in elastic-assistant plugin server
All API changes are introduced in the elastic-assistant plugin server:
- RequestContextFactory: this class helps to provide the needed context for each API request to the route handler context.
- AIAssistantService: this service instance is created on the plugin setup and included in the request context factory. It is responsible for the initialization and installation of the needed conversation storage resources. It uses DataStreamAdapter from packages/kbn-data-stream-adapter. Conversations fieldMap definition here.
- AIAssistantConversationsDataClient: data client which has a set of methods to interact with conversation storage on behalf of the current user and space.
- ConversationDataWriter: a helper class which implements a bulk method to interact with esClient.

Added new routes using the versioned router and openAPI code generator schemas:
- createConversationRoute
- readConversationRoute
- updateConversationRoute
- deleteConversationRoute
- appendMessagesRoute
- findUserConversationsRoute
- bulkActionsRoute

Migrated the existing knowledge_base, evaluate and post_actions_connector_execute routes to versioned routing and openAPI code generator schemas.

kbn-elastic-assistant package
kbn-elastic-assistant-common package
- transformsRowData function to use the async add replacements API.

security_solution plugin
- migrateConversationsFromLocalStorage for existing conversations in the local storage. This migration happens only the first time, when the user doesn't have any conversations persisted in the current space. After the migration completes, the old local storage key securitySolution.assistantConversation will be removed.
- baseConversation as a property to ElasticAssistantProvider.
- useAssistantTelemetry to fetch information about the conversation from the conversations API.
- useConversationStore to fetch the data from the conversations API /api/elastic_assistant/conversations/current_user/_find and merge with the security predefined baseConversations if they are not used (persisted) yet.
- AssistantTab to a separate lazy loaded file to avoid unnecessary rendering/requests till this tab is shown in Timeline.
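The one-time local-storage migration outlined above, as an added example that is not the PR's own code: it assumes two interfaces (LocalStore, ConversationsApi) and in-memory fakes so it runs offline, and it only removes the legacy key after the server confirms the write.

```typescript
// Added example, not the PR's own code: the one-time migration of legacy
// local-storage conversations into the server-side store, as outlined in
// the description. LocalStore / ConversationsApi are assumed interfaces
// so the example runs offline against in-memory fakes.
const LEGACY_KEY = 'securitySolution.assistantConversation';

interface Conversation { id: string; title: string }
interface LocalStore { getItem(k: string): string | null; removeItem(k: string): void }
interface ConversationsApi {
  findUserConversations(): Promise<Conversation[]>;
  bulkCreate(items: Conversation[]): Promise<number>; // returns count created
}

// Returns how many conversations were migrated (0 when nothing was done).
async function migrateConversationsFromLocalStorage(
  store: LocalStore,
  api: ConversationsApi
): Promise<number> {
  // First-time only: a space that already has persisted conversations is skipped.
  if ((await api.findUserConversations()).length > 0) return 0;
  const raw = store.getItem(LEGACY_KEY);
  if (raw === null) return 0;
  let legacy: unknown;
  try {
    legacy = JSON.parse(raw);
  } catch {
    return 0; // unparseable legacy data: leave the key in place, do not crash
  }
  const items = Object.values((legacy ?? {}) as Record<string, Conversation>)
    .filter((c) => typeof c?.id === 'string');
  if (items.length === 0) return 0;
  const created = await api.bulkCreate(items);
  // Drop the legacy key only once the server confirms every item was written.
  if (created === items.length) store.removeItem(LEGACY_KEY);
  return created;
}

// Constructed fakes for demonstration.
function makeStore(seed: Record<string, string>): LocalStore {
  const data = new Map(Object.entries(seed));
  return { getItem: (k) => data.get(k) ?? null, removeItem: (k) => { data.delete(k); } };
}
function makeApi(persisted: Conversation[]): ConversationsApi {
  return {
    findUserConversations: async () => persisted,
    bulkCreate: async (items) => { persisted.push(...items); return items.length; },
  };
}
```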