Merged
Changes from 109 commits
Commits
118 commits
682a7e1
wip
stephmilovic Nov 17, 2025
a15330a
wip more, graph instructions
stephmilovic Nov 17, 2025
7bc16c0
wip
stephmilovic Nov 17, 2025
4ece3ed
working?
stephmilovic Nov 17, 2025
be8e838
idk
stephmilovic Nov 18, 2025
9eb85ed
Merge branch 'main' into security_alert_attachment_with_tool
stephmilovic Nov 18, 2025
81da0e6
evaluate alert tool
stephmilovic Nov 18, 2025
801522b
Alert attachments specific workflow
stephmilovic Nov 19, 2025
fbcd6db
security specific tools
stephmilovic Nov 19, 2025
35c03a2
Merge branch 'main' into security_alert_attachment_with_tool
stephmilovic Nov 19, 2025
2b41a64
fixings
stephmilovic Nov 19, 2025
372ffc9
add core alert attachment type
stephmilovic Nov 19, 2025
8a302de
Pierre change
stephmilovic Nov 19, 2025
f104122
core alert index hardcoded
stephmilovic Nov 19, 2025
bcc390e
Merge remote-tracking branch 'upstream/main' into security_alert_atta…
stephmilovic Nov 24, 2025
469dc18
attack discovery tool improvements
stephmilovic Nov 24, 2025
832b747
fixing
stephmilovic Nov 24, 2025
fe9b3cf
fixing
stephmilovic Nov 24, 2025
37256be
alert attachment works
stephmilovic Nov 24, 2025
a43976d
entities
stephmilovic Nov 24, 2025
8294772
cases tool added to platform
stephmilovic Nov 24, 2025
c3ce0e9
by alert id
stephmilovic Nov 24, 2025
b092f5b
cases tool better
stephmilovic Nov 24, 2025
5500486
improvements
stephmilovic Nov 24, 2025
5fb7169
attack discovery
stephmilovic Nov 24, 2025
1a0d535
revert
stephmilovic Nov 24, 2025
3fed38a
cases tool improvements
stephmilovic Nov 24, 2025
a088b66
fixing
stephmilovic Nov 24, 2025
2f49c63
agentBuilderEnabled
stephmilovic Nov 24, 2025
7ebc3c0
useAgentBuilderAttachment
stephmilovic Nov 24, 2025
348b504
add risk entity
stephmilovic Nov 24, 2025
1c2fa8a
fix entity risk
stephmilovic Nov 25, 2025
f925a78
entity risk done
stephmilovic Nov 25, 2025
866f483
Merge branch 'main' into security_alert_attachment_with_tool
stephmilovic Nov 25, 2025
e5e90c7
move attachment definitions
stephmilovic Nov 25, 2025
3441fc9
fix whitespace
stephmilovic Nov 25, 2025
2786c24
fixing
stephmilovic Nov 25, 2025
34f4f1f
rm logs
stephmilovic Nov 25, 2025
627773d
Merge remote-tracking branch 'upstream/main' into security_alert_atta…
stephmilovic Nov 25, 2025
8738c0e
add product reference attachment
stephmilovic Nov 25, 2025
42c3fc2
rules agent step
stephmilovic Nov 25, 2025
141fbcc
pre rule creation attachment
stephmilovic Nov 25, 2025
47fa1de
coreSecurity => security
stephmilovic Nov 25, 2025
7d10732
query help added
stephmilovic Nov 25, 2025
70257fc
use query help
stephmilovic Nov 25, 2025
3124311
generic entity
stephmilovic Nov 25, 2025
c1b915e
EASE
stephmilovic Nov 25, 2025
1929c9d
cleanup
stephmilovic Nov 25, 2025
a30c59c
risk_entity => entity_risk
stephmilovic Nov 25, 2025
fc8eefe
simplify
stephmilovic Nov 25, 2025
eff1f4a
rm outdated tool refs
stephmilovic Nov 25, 2025
fcaf3d0
Merge remote-tracking branch 'upstream/main' into security_alert_atta…
stephmilovic Nov 25, 2025
d4f8c09
use actual AB flyout!
stephmilovic Nov 29, 2025
fbd4bd8
rm mandatory workflow, include sessionTag
stephmilovic Nov 30, 2025
a922634
entity risk conditional
stephmilovic Nov 30, 2025
3aec4f1
better
stephmilovic Nov 30, 2025
83c1709
Merge remote-tracking branch 'upstream/main' into security_alert_atta…
stephmilovic Nov 30, 2025
e11d926
fix structure
stephmilovic Nov 30, 2025
75adb9c
registration cleanup
stephmilovic Nov 30, 2025
19435a7
make security agent
stephmilovic Nov 30, 2025
ee63b8b
one alert attachment
stephmilovic Dec 1, 2025
8cb1c6e
simplify attachment descriptions
stephmilovic Dec 1, 2025
86bdf41
tweak
stephmilovic Dec 1, 2025
89170f3
fixes
stephmilovic Dec 2, 2025
8e667c0
move fn
stephmilovic Dec 2, 2025
cb5730d
risk_entity => entity
stephmilovic Dec 2, 2025
49f0f67
Merge remote-tracking branch 'upstream/main' into security_alert_atta…
stephmilovic Dec 2, 2025
6b26745
testing
stephmilovic Dec 2, 2025
e7e4f2e
zIndex
stephmilovic Dec 2, 2025
f710744
Changes from node scripts/lint_ts_projects --fix
kibanamachine Dec 2, 2025
83697e6
Changes from node scripts/regenerate_moon_projects.js --update
kibanamachine Dec 2, 2025
95afa72
fix import
stephmilovic Dec 2, 2025
0e2c037
Merge branch 'security_alert_attachment_with_tool' of github.com:step…
stephmilovic Dec 2, 2025
1b2a73c
Merge remote-tracking branch 'upstream/main' into security_alert_atta…
stephmilovic Dec 2, 2025
583cffd
Merge branch 'main' into security_alert_attachment_with_tool
stephmilovic Dec 2, 2025
6a3aecd
use real platformCoreTools.productDocumentation tool
stephmilovic Dec 2, 2025
97797ab
Changes from node scripts/eslint_all_files --no-cache --fix
kibanamachine Dec 2, 2025
2763503
fixing
stephmilovic Dec 2, 2025
f9cbc4d
Merge branch 'security_alert_attachment_with_tool' of github.com:step…
stephmilovic Dec 2, 2025
3f95673
new agent builder dirs to CODEOWNERS
stephmilovic Dec 2, 2025
0ca2a14
ownFocus={false}
stephmilovic Dec 2, 2025
cf2090a
fix lint
stephmilovic Dec 2, 2025
12d5723
fixes
stephmilovic Dec 2, 2025
8f7807f
more fixies
stephmilovic Dec 2, 2025
a556166
Merge remote-tracking branch 'upstream/main' into security_alert_atta…
stephmilovic Dec 2, 2025
de68208
fixing
stephmilovic Dec 2, 2025
d8d5013
rm unused file
stephmilovic Dec 3, 2025
6456fda
Merge remote-tracking branch 'upstream/main' into security_alert_atta…
stephmilovic Dec 3, 2025
742b6d9
Changes from node scripts/lint_ts_projects --fix
kibanamachine Dec 3, 2025
4854790
Changes from node scripts/regenerate_moon_projects.js --update
kibanamachine Dec 3, 2025
b70225b
roles
stephmilovic Dec 3, 2025
db2a842
Merge branch 'security_alert_attachment_with_tool' of github.com:step…
stephmilovic Dec 3, 2025
6fb5cc0
rule attachment type
stephmilovic Dec 3, 2025
22fb29a
type fix
stephmilovic Dec 3, 2025
73db09d
test fix
stephmilovic Dec 3, 2025
46d3e3b
type fixing
stephmilovic Dec 3, 2025
99d4ca3
moar
stephmilovic Dec 3, 2025
2efe7e3
another
stephmilovic Dec 3, 2025
5359728
nother
stephmilovic Dec 3, 2025
1751dbe
rm export file
stephmilovic Dec 3, 2025
1abd9e1
Merge remote-tracking branch 'upstream/main' into security_alert_atta…
stephmilovic Dec 3, 2025
d886267
Merge branch 'main' into security_alert_attachment_with_tool
stephmilovic Dec 3, 2025
8f183ee
rm unused prompt
stephmilovic Dec 3, 2025
5e29ae0
attack discovery availability
stephmilovic Dec 3, 2025
33c6c19
Changes from node scripts/eslint_all_files --no-cache --fix
kibanamachine Dec 3, 2025
56079e4
role fix
stephmilovic Dec 3, 2025
3ac7821
Merge branch 'security_alert_attachment_with_tool' of github.com:step…
stephmilovic Dec 3, 2025
4bc5f23
rm todo
stephmilovic Dec 3, 2025
7cece48
Merge branch 'main' into security_alert_attachment_with_tool
stephmilovic Dec 3, 2025
03a8729
maxim PR comments
stephmilovic Dec 3, 2025
63e3b9e
robot button!
stephmilovic Dec 3, 2025
b49a60f
better entity tool
stephmilovic Dec 3, 2025
43a2c38
update onechat limits
stephmilovic Dec 3, 2025
1b7fdc3
test fixing
stephmilovic Dec 3, 2025
f89221c
Merge branch 'main' into security_alert_attachment_with_tool
elasticmachine Dec 3, 2025
3babba1
fix type
stephmilovic Dec 3, 2025
13a5e8a
Merge branch 'main' into security_alert_attachment_with_tool
stephmilovic Dec 3, 2025
3372463
Merge branch 'main' into security_alert_attachment_with_tool
stephmilovic Dec 4, 2025
2 changes: 2 additions & 0 deletions .github/CODEOWNERS
@@ -2478,6 +2478,8 @@ x-pack/platform/test/functional/page_objects/search_profiler_page.ts @elastic/se
/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/automatic_import @elastic/integration-experience
/x-pack/solutions/security/plugins/security_solution/public/configurations @elastic/security-generative-ai
/x-pack/solutions/security/plugins/security_solution_serverless/public/navigation/ai_soc @elastic/security-solution @elastic/security-threat-hunting-investigations
/x-pack/solutions/security/plugins/security_solution/public/agent_builder @elastic/security-generative-ai
/x-pack/solutions/security/plugins/security_solution/server/agent_builder @elastic/security-generative-ai

# AI4DSOC in Security Solution
/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/ai4dsoc @elastic/security-engineering-productivity
@@ -63,6 +63,7 @@ viewer:
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_dataQuality.all
- feature_agentBuilder.read
resources: '*'
run_as: []

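Review bot: viewer is the only role in this file that receives `feature_agentBuilder.read`; every other role, including the analyst tiers below, is given `feature_agentBuilder.all`. That is the right baseline for a read-only role, but it is worth stating in the PR description which capabilities `.all` unlocks so the per-role decisions below can be reviewed against least privilege.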
@@ -159,6 +160,7 @@ editor:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'
run_as: []

@@ -218,6 +220,7 @@ t1_analyst:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'

t2_analyst:
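Review bot: t1_analyst is granted `feature_agentBuilder.all` here, the same level as soc_manager and platform_engineer later in this file, while viewer above gets only `feature_agentBuilder.read`. If a tier-1 analyst only needs to use the feature rather than manage it, `.read` is the least-privilege choice; please confirm `.all` is intended for this tier.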
@@ -280,6 +283,7 @@ t2_analyst:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'

t3_analyst:
@@ -362,6 +366,7 @@ t3_analyst:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'

threat_intelligence_analyst:
@@ -432,6 +437,7 @@ threat_intelligence_analyst:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'

rule_author:
@@ -513,6 +519,7 @@ rule_author:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'

soc_manager:
@@ -610,6 +617,7 @@ soc_manager:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'

detections_admin:
@@ -684,6 +692,7 @@ detections_admin:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'

platform_engineer:
@@ -764,6 +773,7 @@ platform_engineer:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'

endpoint_operations_analyst:
@@ -849,6 +859,7 @@ endpoint_operations_analyst:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'

endpoint_policy_manager:
@@ -936,6 +947,7 @@ endpoint_policy_manager:
- feature_maps_v2.all
- feature_visualize_v2.all
- feature_savedQueryManagement.all
- feature_agentBuilder.all
resources: '*'

# admin role defined in elasticsearch controller
@@ -55,6 +55,7 @@ _search_ai_lake_analyst:
- "feature_savedQueryManagement.read"
- "feature_indexPatterns.read"
- "feature_fleetv2.read"
- "feature_agentBuilder.all"
resources: "*"

_search_ai_lake_soc_manager:
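Review bot: in `_search_ai_lake_analyst` every neighbouring privilege is `.read` (`feature_savedQueryManagement.read`, `feature_indexPatterns.read`, `feature_fleetv2.read`), yet Agent Builder is added as `"feature_agentBuilder.all"`. Either this role is intentionally allowed to manage Agent Builder, in which case a short comment explaining the exception would help, or it should be `"feature_agentBuilder.read"` to match the rest of the role.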
@@ -134,4 +135,5 @@ _search_ai_lake_soc_manager:
- "feature_ml.all"
- "feature_fleetv2.all"
- "feature_advancedSettings.all"
- "feature_agentBuilder.all"
resources: "*"
@@ -12,6 +12,7 @@
export const internalNamespaces = {
platformCore: 'platform.core',
observability: 'observability',
security: 'security',
} as const;

/**
@@ -20,6 +21,7 @@ export const internalNamespaces = {
export const protectedNamespaces: string[] = [
internalNamespaces.platformCore,
internalNamespaces.observability,
internalNamespaces.security,
];

/**
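Review bot: adding `internalNamespaces.security` to `protectedNamespaces` is the important half of this change, since the protected list is presumably what keeps user-created tools from claiming ids under the `security.` prefix and passing as built-in security tools. If there is a unit test that enumerates `protectedNamespaces`, it needs the new entry as well.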
@@ -26,6 +26,7 @@ export const platformCoreTools = {
createVisualization: platformCoreTool('create_visualization'),
getWorkflowExecutionStatus: platformCoreTool('get_workflow_execution_status'),
productDocumentation: platformCoreTool('product_documentation'),
cases: platformCoreTool('cases'),
} as const;

/**
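Review bot: `cases: platformCoreTool('cases')` makes the cases tool a platform core tool id, while the manifest change in this same PR declares `cases` only as an optional plugin. The code that registers a tool under this id should be guarded on the cases plugin actually being present, and the tool handler should resolve cases using the requesting user's privileges rather than an internal client, so an agent cannot surface a case the user could not open themselves.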
@@ -6,6 +6,7 @@
*/

import { platformCoreTools } from '@kbn/onechat-common/tools';
import { internalNamespaces } from '@kbn/onechat-common/base/namespaces';

/**
* This is a manually maintained list of all built-in tools registered in Agent Builder.
@@ -21,6 +22,10 @@ export const AGENT_BUILDER_BUILTIN_TOOLS: string[] = [
'observability.get_alerts',
'observability.get_services',
'observability.get_downstream_dependencies',
// Security Solution
`${internalNamespaces.security}.entity_risk_score`,

machadoum (Member), Nov 26, 2025:
Just for context:
For 9.4, we plan to remove the entity_risk_score tool and replace it with a natural-language threat-hunting agent/tool. Read more in the POC: #240398

Contributor Author:
Ok, you will need to do this for both assistant and the new agent builder tool I've added here. I can help

`${internalNamespaces.security}.attack_discovery_search`,
`${internalNamespaces.security}.security_labs_search`,
];

/**
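Review bot: the security entries use a template literal (`${internalNamespaces.security}.entity_risk_score`) while the observability entries just above are plain string literals (`'observability.get_alerts'`); pick one style for the list. Since the comment on this constant says it is manually maintained, a test that compares it against the tools actually registered at startup would catch drift, which matters given the thread above already plans to remove `entity_risk_score` in 9.4.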
@@ -11,7 +11,7 @@
"configPath": ["xpack", "agentBuilderPlatform"],
"requiredPlugins": ["onechat"],
"requiredBundles": [],
"optionalPlugins": ["llmTasks", "workflowsManagement"],
"optionalPlugins": ["cases", "llmTasks", "workflowsManagement"],
"extraPublicDirs": []
}
}
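Review bot: `cases` is added to `optionalPlugins` rather than `requiredPlugins`, so every code path that calls into the cases plugin (the new `cases` core tool in particular) must tolerate the plugin being absent, typically by skipping tool registration when the cases dependency is undefined during setup/start.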
@@ -34,6 +34,9 @@ dependsOn:
- '@kbn/esql-validation-autocomplete'
- '@kbn/inference-common'
- '@kbn/llm-tasks-plugin'
- '@kbn/cases-plugin'
- '@kbn/core-http-server'
- '@kbn/spaces-plugin'
tags:
- plugin
- prod
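Review bot: `@kbn/spaces-plugin` and `@kbn/core-http-server` are added to the dependency list, but the manifest hunk in this PR only adds `cases` to `optionalPlugins`. If the spaces plugin is used at runtime (for example to resolve the current space when looking up cases), it should also be declared in `requiredPlugins` or `optionalPlugins`; a type-only import is fine as is.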