[UII] Create integrations knowledge tool for security assistant#236197
Merged
jen-huang merged 12 commits intoelastic:mainfrom Sep 30, 2025
Merged
[UII] Create integrations knowledge tool for security assistant#236197jen-huang merged 12 commits intoelastic:mainfrom
jen-huang merged 12 commits intoelastic:mainfrom
Conversation
jen-huang
added
release_note:skip
jen-huang
commented
Sep 23, 2025
| async (input) => { | ||
| try { | ||
| // Search the .integration_knowledge index using semantic search on the content field | ||
| const response = await assistantContext.core.elasticsearch.client.asInternalUser.search({ |
Contributor
Author
There was a problem hiding this comment.
kbDataClient.getKnowledgeBaseDocumentEntries(), which is used by the security labs tool, doesn't work here since that reads from .kibana-elastic-ai-assistant-${resource}
esClient from params doesn't work because that is scoped to current user
but I found that I can access the internal client from assistantContext.core :)
Contributor
|
Pinging @elastic/fleet (Team:Fleet) |
jen-huang
changed the title
spong
reviewed
Sep 29, 2025
Member
There was a problem hiding this comment.
FYI: Adding the ci:security-genai-run-evals label to execute our evals to ensure the new tool doesn't interfere with other tool selections and result in any regressions. This'll need to run before pushing the change mentioned in this comment to only register if the .integration_knowledge exists. Otherwise we'll need to add some setup code here to initialize the index to ensure the tool is registered. Actually, we might want to do this anyway to ensure the tool is always registered and doesn't interfere.
Contributor
Author
There was a problem hiding this comment.
I went ahead and set up the index in this test suite. the evals passed in the latest CI run that includes this change
Member
There was a problem hiding this comment.
That link was only showing the agent for me, but I do see the successful eval run here 👍
Checking the eval results in LangSmith and everything looks good to me (runs prefixed with Eval Automation | Build 345505 | PR 236197). Pretty much matches historical runs from what I can tell. We will need to tune the Assistant Eval: Custom Knowledge data set, but this mostly has to due with KB configuration IIRC, not from the new added tool.
spong
reviewed
Sep 29, 2025
Comment on lines
+154
to
+161
| { | ||
| promptId: 'IntegrationKnowledgeTool', | ||
| promptGroupId, | ||
| prompt: { | ||
| default: | ||
| 'Call this for knowledge from Fleet-installed integrations, which contains information on how to configure and use integrations for data ingestion.', | ||
| }, | ||
| }, |
Member
There was a problem hiding this comment.
We've discussed this offline, but just commenting for visibility that we'll need to do release of the security_ai_prompts integration as the bot mentioned once this is merged.
While technically I don't think you need to do this (it'll just fall back to this local prompt defined here), it's a nice to have option for tweaking the prompt out of band. cc @stephmilovic
Contributor
Author
There was a problem hiding this comment.
yep! I have that as a to-do item in this PR description, instructions recommend to do the integration update after merge as well
spong
reviewed
Sep 30, 2025
spong
approved these changes
Sep 30, 2025
Member
spong
left a comment
spong
left a comment
There was a problem hiding this comment.
Checked out, tested locally and code reviewed -- LGTM!
Thanks for the collab here @jen-huang, this turned out great! Excited to now be delivering knowledge via integrations! 😀 🙌 🚀
Contributor
🤖 Prompt Changes DetectedChanges have been detected to one or more prompt files in the Elastic Assistant plugin. Please remember to update the integrations repository with your prompt changes to ensure consistency across all deployments. Next Steps:
This is an automated reminder to help maintain prompt consistency across repositories. |
Contributor
💚 Build Succeeded
Metrics [docs]
History
cc @jen-huang |
10 tasks
rylnd
pushed a commit
to rylnd/kibana
that referenced
this pull request
Oct 17, 2025
…tic#236197) ## Summary Relates to elastic/ingest-dev#5679. This PR creates a new `IntegrationKnowledgeTool` for the Security AI Assistant. This tool reads from the new `.integrations_knowledge` index for information about installed integrations that have KB content. Much of the tool definition is inspired by `SecurityLabsKnowledgeBaseTool` which is very similar in scope. `.integrations_knowledge` system index is read using an internal ES client. The user's question is queried using semantic search against its `content` field (mapped as `sematic_text`). Citations include a link to the corresponding integration details page. ## Testing 1. Upload this sample [system-2.3.3-NEXT.zip](https://github.com/user-attachments/files/22546766/system-2.3.3-NEXT.zip) package via Integrations > Create new integration - The test package just copies the existing `docs/README.md` to `docs/knowledge_base/README.md` so that Fleet ingests it into `.integrations_knowledge` 2. Use Security AI Assistant to ask questions related to system integrations, such as: - How can I collect CPU and memory data for my windows host? - What OS can I run the system integration on? - What does the system integration do? 3. Observe that the assistant returns relevant information that is cited from the system integration. <img width="685" height="837" alt="image" src="https://github.com/user-attachments/assets/5b333aaa-7757-483f-9fa2-abc6aa8abd40" /> ## To-do - [ ] Duplicate tool definition/prompts to `security-ai-prompt` package (will be done after this PR merges, so that prompts are finalized) ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
spong
added a commit
that referenced
this pull request
Dec 11, 2025
## Summary Adds an integration knowledge tool to Agent Builder that retrieves documentation from Fleet-installed integrations using semantic search on the `.integration_knowledge` index. The tool uses the conditional availability pattern and is only available when the integration knowledge index exists. <p align="center"> <img width="405" src="https://github.com/user-attachments/assets/640d4f54-34cc-47e3-b731-b3913139e84e" /> <img width="395" src="https://github.com/user-attachments/assets/fd66c044-5536-4947-98d8-45e4b168b34c" /> </p> ## Changes * Added `platform.core.integration_knowledge` builtin tool to `agent_builder_platform` that searches Fleet integration documentation * Tool is registered in plugin `setup()` with conditional availability using the `availability` configuration pattern * Availability is checked at runtime via ES search on `.integration_knowledge` index (using `size: 0` query) * Returns structured resource results with package name, version, filename, and content ## Technical Details * Tool registration added to `registerTools()` in plugin `setup()` phase, following the same pattern as `productDocumentationTool` * Uses `availability` configuration with `cacheMode: 'space'` to conditionally show/hide the tool based on index availability * Searches using Elasticsearch semantic search on the `content` field * `esClient.asInternalUser` is used for both handler execution and availability checking (index permissions require internal user) * Results include reference URLs to integration detail pages (`/app/integrations/detail/{package_name}`) ## Considerations * Tool requires Fleet to have indexed integration knowledge into `.integration_knowledge` * Tool availability is checked per-space and cached for performance * No Kibana restart required - tool appears/disappears dynamically based on index availability * This is the onechat/Agent Builder equivalent of the existing `IntegrationKnowledgeTool` in Security Solution's Assistant (#236197) and Observability Solution's Assistant (#237085) added in `9.2`. --- ## Testing > [!NOTE] > You must enable the `xpack.fleet.enableExperimental: ["installIntegrationsKnowledge"]` feature flag until this PR enabling it by default is merged (#245080). 1. Upload this sample [system-2.3.3-NEXT.zip](https://github.com/user-attachments/files/22546766/system-2.3.3-NEXT.zip) package via Integrations > Create new integration - The test package just copies the existing `docs/README.md` to `docs/knowledge_base/README.md` so that Fleet ingests it into `.integrations_knowledge` 2. Create new Agent with the new Integration Knowledge tool and ask questions related to system integrations, such as: - How can I collect CPU and memory data for my windows host? - What OS can I run the system integration on? - What does the system integration do? 3. Observe that the responses returned contain relevant information that is cited from the system integration. _PR developed with Cursor + Opus 4.5_ --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
seanrathier
pushed a commit
to seanrathier/kibana
that referenced
this pull request
Dec 15, 2025
) ## Summary Adds an integration knowledge tool to Agent Builder that retrieves documentation from Fleet-installed integrations using semantic search on the `.integration_knowledge` index. The tool uses the conditional availability pattern and is only available when the integration knowledge index exists. <p align="center"> <img width="405" src="https://github.com/user-attachments/assets/640d4f54-34cc-47e3-b731-b3913139e84e" /> <img width="395" src="https://github.com/user-attachments/assets/fd66c044-5536-4947-98d8-45e4b168b34c" /> </p> ## Changes * Added `platform.core.integration_knowledge` builtin tool to `agent_builder_platform` that searches Fleet integration documentation * Tool is registered in plugin `setup()` with conditional availability using the `availability` configuration pattern * Availability is checked at runtime via ES search on `.integration_knowledge` index (using `size: 0` query) * Returns structured resource results with package name, version, filename, and content ## Technical Details * Tool registration added to `registerTools()` in plugin `setup()` phase, following the same pattern as `productDocumentationTool` * Uses `availability` configuration with `cacheMode: 'space'` to conditionally show/hide the tool based on index availability * Searches using Elasticsearch semantic search on the `content` field * `esClient.asInternalUser` is used for both handler execution and availability checking (index permissions require internal user) * Results include reference URLs to integration detail pages (`/app/integrations/detail/{package_name}`) ## Considerations * Tool requires Fleet to have indexed integration knowledge into `.integration_knowledge` * Tool availability is checked per-space and cached for performance * No Kibana restart required - tool appears/disappears dynamically based on index availability * This is the onechat/Agent Builder equivalent of the existing `IntegrationKnowledgeTool` in Security Solution's Assistant (elastic#236197) and Observability Solution's Assistant (elastic#237085) added in `9.2`. --- ## Testing > [!NOTE] > You must enable the `xpack.fleet.enableExperimental: ["installIntegrationsKnowledge"]` feature flag until this PR enabling it by default is merged (elastic#245080). 1. Upload this sample [system-2.3.3-NEXT.zip](https://github.com/user-attachments/files/22546766/system-2.3.3-NEXT.zip) package via Integrations > Create new integration - The test package just copies the existing `docs/README.md` to `docs/knowledge_base/README.md` so that Fleet ingests it into `.integrations_knowledge` 2. Create new Agent with the new Integration Knowledge tool and ask questions related to system integrations, such as: - How can I collect CPU and memory data for my windows host? - What OS can I run the system integration on? - What does the system integration do? 3. Observe that the responses returned contain relevant information that is cited from the system integration. _PR developed with Cursor + Opus 4.5_ --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Relates to https://github.com/elastic/ingest-dev/issues/5679.
This PR creates a new
IntegrationKnowledgeToolfor the Security AI Assistant. This tool reads from the new.integrations_knowledgeindex for information about installed integrations that have KB content. Much of the tool definition is inspired bySecurityLabsKnowledgeBaseToolwhich is very similar in scope..integrations_knowledgesystem index is read using an internal ES client. The user's question is queried using semantic search against itscontentfield (mapped assematic_text). Citations include a link to the corresponding integration details page.Testing
docs/README.mdtodocs/knowledge_base/README.mdso that Fleet ingests it into.integrations_knowledgeTo-do
security-ai-promptpackage (will be done after this PR merges, so that prompts are finalized)Checklist
release_note:*label is applied per the guidelinesbackport:*labels.