Security attachments in Agent Builder#243574
Conversation
botelastic
Bot
added
ci:project-deploy-observability
|
Pinging @elastic/fleet (Team:Fleet) |
|
Pinging @elastic/obs-presentation-team (Team:obs-presentation) |
|
Pinging @elastic/obs-ai-team (Team:obs-ai) |
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
stephmilovic
force-pushed
the
security_alert_attachment_with_tool
branch
from
7f9c9b3 to
3babba1
Compare
PhilippeOberti
left a comment
PhilippeOberti
left a comment
There was a problem hiding this comment.
Left a couple comments just as fyi, none are blockers!
| 'rule.reference', | ||
|
|
||
| /* Kibana alert fields */ | ||
| 'kibana.alert.uuid', |
There was a problem hiding this comment.
Just an idea, but we could retrieve some of these from here which is a platform share package?
| const isAgentBuilderEnabled = useIsExperimentalFeatureEnabled('agentBuilderEnabled'); | ||
|
|
||
| const alertData = useMemo(() => { | ||
| const rawData = getRawData(dataFormattedForFieldBrowser ?? []); | ||
| return stringifyEssentialAlertData(rawData); | ||
| }, [dataFormattedForFieldBrowser]); | ||
|
|
||
| const { openAgentBuilderFlyout } = useAgentBuilderAttachment({ | ||
| attachmentType: SecurityAgentBuilderAttachments.alert, | ||
| attachmentData: { alert: alertData }, | ||
| attachmentPrompt: isAlert ? ALERT_ATTACHMENT_PROMPT : EVENT_ATTACHMENT_PROMPT, | ||
| }); |
There was a problem hiding this comment.
Unless I'm mistaken, this piece of code is duplicated between here and the ease flyout. What do you think about moving this into a hook that would be shared between the 2 flyouts?
I'm bringing this up because we will also need this code again in the new attacks flyout (see the footer here). At this time we do not have the Ask AI assistant button there, but it's coming very soon (cc @agusruidiazgd)
There was a problem hiding this comment.
They have different prompt arguments. I think its fine to call useAgentBuilderAttachment directly, but if you want to create a hook when the time comes feel free
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
ESLint disabled line counts
Total ESLint disabled count
History
|
15 participants
Summary
Adds one platform tool, three security attachment types, and three security tools to the Agent Builder in order to implement existing "Ask in Assistant" workflows within Agent Builder.
Platform additions are always available; security additions are gated behind the
xpack.securitySolution.enableExperimental:["agentBuilderEnabled"]experimental feature flag (default:false).Platform-Level Additions
New Platform Tool: Cases Tool (
platform.core.cases)Location:
x-pack/platform/plugins/shared/onechat/server/services/tools/builtin/definitions/cases/Retrieves and searches cases across Elastic Security, Observability, and Stack Management. Supports:
Note: Always registered; not conditional on any feature flag.
Security Solution Additions
Feature Flag: All security additions are gated behind the
agentBuilderEnabledexperimental feature flag (xpack.securitySolution.experimentalFeatures.agentBuilderEnabled), which defaults tofalse. When disabled, security attachments and tools are not registered, and UI components fall back to legacy AI Assistant functionality.New Security Attachment Types
security.alert) — Attaches security alert data (or attack discovery) with workflow to gather risk scores, attack discoveries, cases, Security Labs, and ES|QL queries.security.entity) — Attaches entity risk info (host/user/service/generic) with workflow to query risk scores.security.rule) — Attaches rule or rule query with workflow to generate working queries or find documentation.New Security Tools
security.entity_risk_score) — Gets latest entity risk scores and contributing inputs with normalized scores (0-100) and enhanced alert data.security.attack_discovery_search) — Searches attack discoveries by alert IDs using ES|QL, filters last 7 days, returns up to 100 results.security.security_labs_search) — Searches Security Labs knowledge base with natural language queries, filters to Security Labs content, limits to 3 results.Additional Changes
NewAgentBuilderAttachmentcomponent anduseAgentBuilderAttachmenthookagentBuilderEnabledflagSecurityAgentBuilderAttachmentsenum,securityToolhelper,casestoplatformCoreTools,product_referencetoAttachmentTypeenumOpen in Agent Builder flyout
The
useAgentBuilderAttachmenthook returns a function that will open the Agent Builder flyout.TODO: Fix cases where the flyout was opened from another flyout, the zIndex is not high enough on AB flyout
Screenshots of
NewAgentBuilderAttachmentadditionsNOTE: These screenshots below have an outdated Agent button icon, I've updated to use the robot icon. The buttons now have the proper icon: