[Security Solution] [Attack discovery] Attack discovery

packages/deeplinks/security/deep_links.ts

@@ -8,9 +8,9 @@
 
 export enum SecurityPageName {
   administration = 'administration',
-  aiInsights = 'ai_insights',
   alerts = 'alerts',
   assets = 'assets',
+  attackDiscovery = 'attack_discovery',
   blocklist = 'blocklist',
   /*
    * Warning: Computed values are not permitted in an enum with string valued members

x-pack/packages/kbn-elastic-assistant-common/impl/capabilities/index.ts

@@ -14,6 +14,6 @@ export type AssistantFeatures = { [K in keyof typeof defaultAssistantFeatures]:
  * Default features available to the elastic assistant
  */
 export const defaultAssistantFeatures = Object.freeze({
-  assistantAlertsInsights: false,
   assistantModelEvaluation: false,
+  attackDiscoveryEnabled: false,
 });

x-pack/packages/kbn-elastic-assistant-common/impl/schemas/attack_discovery/post_attack_discovery_route.gen.ts

@@ -0,0 +1,75 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { z } from 'zod';
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Attack discovery API endpoint
+ *   version: 1
+ */
+
+import { AnonymizationFieldResponse } from '../anonymization_fields/bulk_crud_anonymization_fields_route.gen';
+import { Replacements, TraceData } from '../conversations/common_attributes.gen';
+
+/**
+ * An attack discovery generated from one or more alerts
+ */
+export type AttackDiscovery = z.infer<typeof AttackDiscovery>;
+export const AttackDiscovery = z.object({
+  /**
+   * The alert IDs that the attack discovery is based on
+   */
+  alertIds: z.array(z.string()),
+  /**
+   * Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.
+   */
+  detailsMarkdown: z.string(),
+  /**
+   * A short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax
+   */
+  entitySummaryMarkdown: z.string(),
+  /**
+   * An array of MITRE ATT&CK tactic for the attack discovery
+   */
+  mitreAttackTactics: z.array(z.string()).optional(),
+  /**
+   * A markdown summary of attack discovery, using the same syntax
+   */
+  summaryMarkdown: z.string(),
+  /**
+   * A title for the attack discovery, in plain text
+   */
+  title: z.string(),
+});
+
+export type AttackDiscoveryPostRequestBody = z.infer<typeof AttackDiscoveryPostRequestBody>;
+export const AttackDiscoveryPostRequestBody = z.object({
+  alertsIndexPattern: z.string(),
+  anonymizationFields: z.array(AnonymizationFieldResponse),
+  connectorId: z.string(),
+  actionTypeId: z.string(),
+  langSmithProject: z.string().optional(),
+  langSmithApiKey: z.string().optional(),
+  model: z.string().optional(),
+  replacements: Replacements.optional(),
+  size: z.number(),
+  subAction: z.enum(['invokeAI', 'invokeStream']),
+});
+export type AttackDiscoveryPostRequestBodyInput = z.input<typeof AttackDiscoveryPostRequestBody>;
+
+export type AttackDiscoveryPostResponse = z.infer<typeof AttackDiscoveryPostResponse>;
+export const AttackDiscoveryPostResponse = z.object({
+  connector_id: z.string().optional(),
+  attackDiscoveries: z.array(AttackDiscovery).optional(),
+  replacements: Replacements.optional(),
+  status: z.string().optional(),
+  trace_data: TraceData.optional(),
+});

x-pack/packages/kbn-elastic-assistant-common/impl/schemas/insights/alerts/post_alerts_insights_route.schema.yaml → x-pack/packages/kbn-elastic-assistant-common/impl/schemas/attack_discovery/post_attack_discovery_route.schema.yaml

@@ -1,13 +1,13 @@
 openapi: 3.0.0
 info:
-  title: Alerts insights API endpoint
+  title: Attack discovery API endpoint
   version: '1'
 components:
   x-codegen-enabled: true
   schemas:
-    AlertsInsight:
+    AttackDiscovery:
       type: object
-      description: An insight generated from one or more alerts
+      description: An attack discovery generated from one or more alerts
       required:
         - 'alertIds'
         - 'detailsMarkdown'
@@ -16,38 +16,38 @@ components:
         - 'title'
       properties:
         alertIds:
-          description: The alert IDs that the insight is based on
+          description: The alert IDs that the attack discovery is based on
           items:
             type: string
           type: array
         detailsMarkdown:
-          description: A detailed insight with bulleted markdown that always uses special syntax for field names and values from the source data.
+          description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.
           type: string
         entitySummaryMarkdown:
-          description: A short (no more than a sentence) summary of the insight featuring only the host.name and user.name fields (when they are applicable), using the same syntax
+          description: A short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax
           type: string
         mitreAttackTactics:
-          description: An array of MITRE ATT&CK tactic for the insight
+          description: An array of MITRE ATT&CK tactic for the attack discovery
           items:
             type: string
           type: array
         summaryMarkdown:
-          description: A markdown summary of insight, using the same syntax
+          description: A markdown summary of attack discovery, using the same syntax
           type: string
         title:
-          description: A title for the insight, in plain text
+          description: A title for the attack discovery, in plain text
           type: string
 
 
 paths:
-  /internal/elastic_assistant/insights/alerts:
+  /internal/elastic_assistant/attack_discovery:
     post:
-      operationId: AlertsInsightsPost
+      operationId: AttackDiscoveryPost
       x-codegen-enabled: true
-      description: Generate insights from alerts
-      summary: Generate insights from alerts via the Elastic Assistant
+      description: Generate attack discoveries from alerts
+      summary: Generate attack discoveries from alerts via the Elastic Assistant
       tags:
-        - insights
+        - attack_discovery
         - alerts
       requestBody:
         required: true
@@ -67,7 +67,7 @@ paths:
                   type: string
                 anonymizationFields:
                   items:
-                    $ref: '../../anonymization_fields/bulk_crud_anonymization_fields_route.schema.yaml#/components/schemas/AnonymizationFieldResponse'
+                    $ref: '../anonymization_fields/bulk_crud_anonymization_fields_route.schema.yaml#/components/schemas/AnonymizationFieldResponse'
                   type: array
                 connectorId:
                   type: string
@@ -80,7 +80,7 @@ paths:
                 model:
                   type: string
                 replacements:
-                  $ref: '../../conversations/common_attributes.schema.yaml#/components/schemas/Replacements'
+                  $ref: '../conversations/common_attributes.schema.yaml#/components/schemas/Replacements'
                 size:
                   type: number
                 subAction:
@@ -98,16 +98,16 @@ paths:
                 properties:
                   connector_id:
                     type: string
-                  insights:
+                  attackDiscoveries:
                     type: array
                     items:
-                        $ref: '#/components/schemas/AlertsInsight'
+                        $ref: '#/components/schemas/AttackDiscovery'
                   replacements:
-                    $ref: '../../conversations/common_attributes.schema.yaml#/components/schemas/Replacements'
+                    $ref: '../conversations/common_attributes.schema.yaml#/components/schemas/Replacements'
                   status:
                     type: string
                   trace_data:
-                    $ref: '../../conversations/common_attributes.schema.yaml#/components/schemas/TraceData'
+                    $ref: '../conversations/common_attributes.schema.yaml#/components/schemas/TraceData'
         '400':
           description: Bad request
           content:

x-pack/packages/kbn-elastic-assistant-common/impl/schemas/capabilities/get_capabilities_route.gen.ts

@@ -18,6 +18,6 @@ import { z } from 'zod';
 
 export type GetCapabilitiesResponse = z.infer<typeof GetCapabilitiesResponse>;
 export const GetCapabilitiesResponse = z.object({
-  assistantAlertsInsights: z.boolean(),
   assistantModelEvaluation: z.boolean(),
+  attackDiscoveryEnabled: z.boolean(),
 });

x-pack/packages/kbn-elastic-assistant-common/impl/schemas/capabilities/get_capabilities_route.schema.yaml

@@ -19,13 +19,13 @@ paths:
               schema:
                 type: object
                 properties:
-                  assistantAlertsInsights:
-                    type: boolean
                   assistantModelEvaluation:
                     type: boolean
+                  attackDiscoveryEnabled:
+                    type: boolean
                 required:
-                  - assistantAlertsInsights
                   - assistantModelEvaluation
+                  - attackDiscoveryEnabled
         '400':
           description: Generic Error
           content:

x-pack/packages/kbn-elastic-assistant-common/impl/schemas/index.ts

@@ -18,8 +18,8 @@ export const API_VERSIONS = {
 export const PUBLIC_API_ACCESS = 'public';
 export const INTERNAL_API_ACCESS = 'internal';
 
-// Alerts Insights Schemas
-export * from './insights/alerts/post_alerts_insights_route.gen';
+// Attack discovery Schemas
+export * from './attack_discovery/post_attack_discovery_route.gen';
 
 // Evaluation Schemas
 export * from './evaluation/post_evaluate_route.gen';

x-pack/packages/kbn-elastic-assistant/impl/assistant/api/capabilities/use_capabilities.test.tsx

@@ -14,9 +14,9 @@ import { useCapabilities, UseCapabilitiesParams } from './use_capabilities';
 import { API_VERSIONS } from '@kbn/elastic-assistant-common';
 
 const statusResponse = {
-  assistantAlertsInsights: false,
   assistantModelEvaluation: true,
   assistantStreamingEnabled: false,
+  attackDiscoveryEnabled: false,
 };
 
 const http = {

x-pack/packages/kbn-elastic-assistant/impl/assistant/prompt_context/types.ts

@@ -57,7 +57,7 @@ export interface PromptContext {
   id: string;
 
   /**
-   * Replacements associated with the context, i.e. replacements for an insight provided as context
+   * Replacements associated with the context, i.e. replacements for an attack discovery provided as context
    */
   replacements?: Replacements;
 
@@ -82,7 +82,7 @@ export interface SelectedPromptContext {
   promptContextId: string;
   /** this data is not anonymized  */
   rawData: string | Record<string, string[]>;
-  /** replacements associated with the context, i.e. replacements for an insight provided as context */
+  /** replacements associated with the context, i.e. replacements for an attack discovery provided as context */
   replacements?: Replacements;
 }
 

x-pack/packages/kbn-elastic-assistant/impl/assistant/use_assistant_overlay/index.tsx

@@ -73,7 +73,7 @@ export const useAssistantOverlay = (
   tooltip: PromptContext['tooltip'],
 
   /**
-   * Optionally provide a map of replacements associated with the context, i.e. replacements for an insight that's provided as context
+   * Optionally provide a map of replacements associated with the context, i.e. replacements for an attack discovery that's provided as context
    */
   replacements?: Replacements | null
 ): UseAssistantOverlay => {

x-pack/packages/kbn-elastic-assistant/impl/assistant_context/constants.tsx

@@ -7,7 +7,7 @@
 
 import { KnowledgeBaseConfig } from '../assistant/types';
 
-export const AI_INSIGHTS_STORAGE_KEY = 'aiInsights';
+export const ATTACK_DISCOVERY_STORAGE_KEY = 'attackDiscovery';
 export const DEFAULT_ASSISTANT_NAMESPACE = 'elasticAssistantDefault';
 export const QUICK_PROMPT_LOCAL_STORAGE_KEY = 'quickPrompts';
 export const SYSTEM_PROMPT_LOCAL_STORAGE_KEY = 'systemPrompts';

x-pack/packages/kbn-elastic-assistant/impl/assistant_context/index.tsx

@@ -277,16 +277,16 @@ export const AssistantProvider: React.FC<AssistantProviderProps> = ({
 
   // Fetch assistant capabilities
   const { data: capabilities } = useCapabilities({ http, toasts });
-  const { assistantAlertsInsights, assistantModelEvaluation: modelEvaluatorEnabled } =
+  const { assistantModelEvaluation: modelEvaluatorEnabled, attackDiscoveryEnabled } =
     capabilities ?? defaultAssistantFeatures;
 
   const value = useMemo(
     () => ({
       actionTypeRegistry,
       alertsIndexPattern,
-      assistantAlertsInsights,
       assistantAvailability,
       assistantTelemetry,
+      attackDiscoveryEnabled,
       augmentMessageCodeBlocks,
       allQuickPrompts: localStorageQuickPrompts ?? [],
       allSystemPrompts: localStorageSystemPrompts ?? [],
@@ -324,9 +324,9 @@ export const AssistantProvider: React.FC<AssistantProviderProps> = ({
     [
       actionTypeRegistry,
       alertsIndexPattern,
-      assistantAlertsInsights,
       assistantAvailability,
       assistantTelemetry,
+      attackDiscoveryEnabled,
       augmentMessageCodeBlocks,
       localStorageQuickPrompts,
       localStorageSystemPrompts,

x-pack/packages/kbn-elastic-assistant/impl/connectorland/connector_selector_inline/connector_selector_inline.tsx

@@ -187,7 +187,6 @@ export const ConnectorSelectorInline: React.FC<Props> = React.memo(
             <span>
               <EuiButtonEmpty
                 className={placeholderButtonClassName}
-                color={'text'}
                 data-test-subj="connectorSelectorPlaceholderButton"
                 iconSide={'right'}
                 iconType="arrowDown"