[Obs AI Assistant] Disallow destructive actions via the Elasticsearch tool#229497
Pinging @elastic/obs-ai-assistant (Team:Obs AI Assistant)
x-pack/platform/plugins/shared/observability_ai_assistant/server/functions/elasticsearch.ts
| const isSearchEndpoint = lastPathSegment === '_search'; | ||
|
|
||
| if (method !== 'GET' && !(method === 'POST' && isSearchEndpoint)) { | ||
| throw new Error( |
In the enum of allowed methods, I left `PUT`, `PATCH`, `DELETE` as they are.
How it works:
- If the LLM calls the Elasticsearch API with `PUT`, it won't fail tool call validations as it's an allowed method, but it will throw an error during query execution, so that the LLM knows that this method is not allowed.
The reason to leave those methods in the allowed list is because:
- When I removed them and only allowed `POST` and `GET` in the allowed methods enums, no matter what instruction we give to some LLMs, the model tries to call the Elasticsearch tool with a disallowed method such as `PUT` and it gets caught by tool validations and throws an error - `Invalid tool arguments` (this is mostly observed with Claude)
- While it works as expected, this disrupts the conversation flow for the user with an error. Therefore, instead of blocking it at the tool call arguments, if a model decides to call the Elasticsearch tool with `PUT`, `DELETE`, `PATCH` or `POST` to a non-search endpoint, we throw an error here and it goes in the normal correct conversation flow by informing the user that this method is not allowed to be performed by the assistant.
Example:
💚 Build Succeeded
cc @viduni94
Starting backport for target branches: 8.18, 8.19, 9.0, 9.1 https://github.com/elastic/kibana/actions/runs/16582110376 |
… tool (elastic#229497)

Closes elastic#229501

## Summary

### Problem
There have been several reports that the AI Assistant goes rogue and performs destructive actions.

### Solution
- Instruct the LLM to not perform destructive actions and to mention to the user that these actions can't be performed
- Only allow `GET` requests and `GET`/`POST` requests to the `/_search` endpoint when executing the Elasticsearch tool
- If the LLM attempts to call disallowed methods, throw an error

The evaluation framework scenarios which expected deletion of an index were updated to conform to the above changes as well.

### What's not included
- Guardrails for the `query` tool and `kibana` tool
- Allowing destructive actions via a button click to "Confirm"

### Checklist
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.

(cherry picked from commit 808bac6)
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI.
Manual backport
To create the backport manually run:
Questions ?
Please refer to the Backport tool documentation
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI.
Questions ?
Please refer to the Backport tool documentation
… tool (elastic#229497)

Closes elastic#229501

## Summary

### Problem
There have been several reports that the AI Assistant goes rogue and performs destructive actions.

### Solution
- Instruct the LLM to not perform destructive actions and to mention to the user that these actions can't be performed
- Only allow `GET` requests and `GET`/`POST` requests to the `/_search` endpoint when executing the Elasticsearch tool
- If the LLM attempts to call disallowed methods, throw an error

The evaluation framework scenarios which expected deletion of an index were updated to conform to the above changes as well.

### What's not included
- Guardrails for the `query` tool and `kibana` tool
- Allowing destructive actions via a button click to "Confirm"

### Checklist
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.

(cherry picked from commit 808bac6)

# Conflicts:
# x-pack/solutions/observability/plugins/observability_ai_assistant_app/scripts/evaluation/scenarios/elasticsearch/index.spec.ts
…search tool (#229497) (#229810)

# Backport

This will backport the following commits from `main` to `9.0`:
- [[Obs AI Assistant] Disallow destructive actions via the Elasticsearch tool (#229497)](#229497)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Viduni Wickramarachchi <viduni.wickramarachchi@elastic.co>
…search tool (#229497) (#229811)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[Obs AI Assistant] Disallow destructive actions via the Elasticsearch tool (#229497)](#229497)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Viduni Wickramarachchi <viduni.wickramarachchi@elastic.co>
…csearch tool (#229497) (#229817)

# Backport

This will backport the following commits from `main` to `8.18`:
- [[Obs AI Assistant] Disallow destructive actions via the Elasticsearch tool (#229497)](#229497)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
…csearch tool (#229497) (#229816)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[Obs AI Assistant] Disallow destructive actions via the Elasticsearch tool (#229497)](#229497)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
| const [pathWithoutQuery] = path.split('?'); | ||
| const pathSegments = pathWithoutQuery.replace(/^\//, '').split('/'); | ||
| const lastPathSegment = pathSegments[pathSegments.length - 1]; | ||
| const isSearchEndpoint = lastPathSegment === '_search'; | ||
|
|
||
| if (method !== 'GET' && !(method === 'POST' && isSearchEndpoint)) { |
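Review bot: the allow check on the last line is the right deny-by-default shape, but two of its edge cases are silent and deserve a comment plus unit cases so nobody later loosens the parsing: `method` is compared case-sensitively, so a lower-cased `post` is refused rather than treated as `POST`, and `isSearchEndpoint` only matches a literal final `_search` segment, so `/idx/_search/` (the trailing slash leaves an empty last segment) and `/_msearch` are refused as well. All of these fail closed, which is what we want for a guard against destructive calls; state that intent next to `const isSearchEndpoint = lastPathSegment === '_search';` and pin it with tests for the trailing-slash, query-string and mixed-case inputs.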
Can you extract this to a well-named helper (e.g. isOperationAllowed) to contain this logic?
sorenlouv left a comment
We should have a test (API test is probably a good fit) to ensure that only certain operations are allowed. You can use the LLM proxy to validate that any attempts by the LLM to perform mutating operations using the elasticsearch tool will be rejected
… tool (elastic#229497)

Closes elastic#229501

## Summary

### Problem
There have been several reports that the AI Assistant goes rogue and performs destructive actions.

### Solution
- Instruct the LLM to not perform destructive actions and to mention to the user that these actions can't be performed
- Only allow `GET` requests and `GET`/`POST` requests to the `/_search` endpoint when executing the Elasticsearch tool
- If the LLM attempts to call disallowed methods, throw an error

The evaluation framework scenarios which expected deletion of an index were updated to conform to the above changes as well.

### What's not included
- Guardrails for the `query` tool and `kibana` tool
- Allowing destructive actions via a button click to "Confirm"

### Checklist
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.
Closes #229501
Summary
Problem
There have been several reports that the AI Assistant goes rogue and performs destructive actions.
Solution
- Instruct the LLM to not perform destructive actions and to mention to the user that these actions can't be performed
- Only allow `GET` requests and `GET`/`POST` requests to the `/_search` endpoint when executing the Elasticsearch tool
- If the LLM attempts to call disallowed methods, throw an error
The evaluation framework scenarios which expected deletion of an index were updated to conform to the above changes as well.
What's not included
- Guardrails for the `query` tool and `kibana` tool
- Allowing destructive actions via a button click to "Confirm"
Checklist
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the guidelines
- [x] Review the backport guidelines and apply applicable `backport:*` labels.