Spike: Data Source Catalog for Detection Engineering

[patrykkopycinski]

Summary

Spike/PoC for a unified Data Source Catalog (@kbn/data-source-catalog) that provides queryable metadata about available Elasticsearch indices, data streams, and Fleet integrations. This directly addresses how the Automatic Index Summarization (SML) concept could be applied to Detection Engineering in Elastic Security.

Problem

Security Solution has 15+ independent mechanisms for discovering index metadata. Each AI feature (AI Assistant, Attack Discovery, AI Rule Creation, SIEM Migration) builds its own ad-hoc view of available data sources using different ES APIs. This creates:

• No shared understanding — AI features can't answer "what security data exists?" without expensive runtime discovery
• No semantic context — index names like logs-endpoint.events.process-default are opaque to LLMs
• No validation — required_fields and related_integrations on rules are informational-only
• Duplicated effort — SIEM Migration, ES|QL tools, and Timeline UI each build their own index discoverer

Solution

A shared Kibana package that maintains a unified, queryable catalog of data source metadata in a .kibana-data-source-catalog Elasticsearch index, refreshed on Fleet integration events and periodically via TaskManager. Three tiers of metadata — all built in this spike.

---

What this spike builds

Tier 1 — @kbn/data-source-catalog package (static metadata)

Component	Description
Types & Schema	DataSourceEntry, FieldMetadata, IntegrationMetadata with strict ES mapping
CatalogClient	CRUD for .kibana-data-source-catalog index (race-condition safe via resource_already_exists_exception handling)
CatalogQuery	Typed search: filter by name pattern, integration, field existence, full-text, kNN vector search
IndexMetadataProvider	Discovers indices via resolveIndex + getMapping + getIndexTemplate
IntegrationProvider	Enriches entries with Fleet package metadata (name, description, data streams)
CatalogRefresh	Orchestrates: discover → merge integrations → stats → heuristic summaries → persist
globToRegex utility	Safe glob-to-regex conversion with proper metacharacter escaping

Tier 2 — Stats and consumer integrations

Component	Description
IndexStatsProvider	Doc counts, store size, freshness (live/recent/stale/empty) via indices.stats + msearch
TaskManager refresh	security:data-source-catalog:refresh-stats — configurable periodic refresh (default 6h)
AI Assistant tool	DataSourceCatalogTool — LangChain tool for querying catalog from conversations (with telemetry)
Attack Discovery	dataSourceContext parameter threaded through graph → injected into LLM prompt
AI Rule Creation	DISCOVER_DATA_SOURCES graph node — queries catalog, pre-populates suggestedRequiredFields + suggestedRelatedIntegrations
formatCatalogContextForPrompt	Shared formatter for LLM consumption (used by tool + consumers)

Tier 3 — Semantic layer + MITRE mapping

Component	Description
Heuristic Summary Provider	Generates summaries without LLM — using field names, integration metadata, ECS coverage
Topic inference	Automatically detects: process execution, network, file activity, authentication, cloud, etc.
MITRE ATT&CK mapping	Infers techniques from field names (T1059, T1071, T1078, T1083, T1112, etc.)
Dense vector + kNN search	Index mapping includes dense_vector (384 dims, cosine), CatalogQuery supports kNN hybrid search

Consumer integrations

Consumer	Integration
AI Assistant	DataSourceCatalogTool with shared formatting and telemetry schema
Attack Discovery	Environmental data source context injected into LLM prompt
AI Rule Creation	DISCOVER_DATA_SOURCES node with suggestedRequiredFields + suggestedRelatedIntegrations
SIEM Migration	CatalogIntegrationEnricher supplements ELSER matches with catalog metadata (freshness, fields, topics)
Rule Creation UI	useCatalogDataSources hook + CatalogSuggestions panel + CatalogDataSourceBadge (freshness badges)
required_fields	validateRequiredFields server-side validation + RequiredFieldsCatalogWarnings UI component

---

E2E verification results

Tested on a live Kibana + Elasticsearch instance:

Verification	Result
.kibana-data-source-catalog index created on startup	✅ Strict mapping with all fields
Catalog populated from ES + Fleet	✅ 16 entries in 1.8 seconds
Fleet integration matching (Elastic Defend, System)	✅ 3 Endpoint + 2 System data streams matched
Freshness computed (live/stale/empty)	✅ Correct for all entries
CatalogQuery: filter by integration	✅ Found 3 Elastic Defend streams
CatalogQuery: wildcard name pattern	✅ Found 8 logs-* sources
Security aliases discovered	✅ .alerts-security.*, .siem-signals-*

Code review findings addressed

Finding	Fix
ReDoS vulnerability in glob-to-regex	Extracted globToRegex utility with proper metacharacter escaping
ensureIndex race condition (multi-node TOCTOU)	Catch resource_already_exists_exception
Conflicting index settings	Removed number_of_replicas, kept auto_expand_replicas
Missing telemetry schema	Added DataSourceCatalogTool to event_based_telemetry.ts
Non-null assertions on entry.integration!	Replaced with .flatMap narrowing pattern
Duplicated formatting logic	Tool now calls shared formatCatalogContextForPrompt
N+1 sequential queries in validation	Batched into single catalog query + Set lookup
indexPatterns[0] silent truncation	Changed parameter to explicit indexPattern: string

Files changed (86 files, +4,937 lines)

New package: x-pack/platform/packages/shared/kbn-data-source-catalog/ (24 files)
Security Solution consumer: server/lib/data_source_catalog/ (10 files)
Attack Discovery integration: elastic_assistant/server/lib/attack_discovery/ (7 files)
AI Rule Creation integration: ai_rule_creation/agent/ (5 files)
SIEM Migration integration: siem_migrations/rules/task/ (8 files)
Rule Creation UI: public/detection_engine/rule_creation_ui/ (5 files)
Plugin wiring: server/plugin.ts + telemetry

Test coverage

Suite	Tests
@kbn/data-source-catalog package	34
Security Solution catalog consumers	20
AI Rule Creation discover node	8
SIEM Migration enricher	4
Attack Discovery (existing, all pass)	369
Defend Insights (existing, all pass)	125
Total new tests	66

Related

• Spec: Data Source Catalog Design
• Phase 1 Plan
• Phase 2 Plan
• elasticsearch-index-summarizer (SML PoC by Mark J. Hoy)
• Agent Builder experiments: index_explorer accuracy (Sean Story)

Test plan

• All 66 new unit tests pass across 13 test files
• All 494 existing tests in affected areas pass (Attack Discovery, Defend Insights, AI Rule Creation)
• E2E: catalog index created and populated on live Kibana startup (16 entries)
• E2E: Fleet integration metadata correctly matched to data streams
• E2E: CatalogQuery returns correct results for filter, wildcard, and integration searches
• E2E: Heuristic summaries generate topics and MITRE techniques
• Type check passes with zero errors in the new package
• ESLint passes with zero errors
• Code review findings from Garrett + Viduni reviews addressed

🤖 Generated with Claude Code

Production-Readiness Checklist — Agent Skills Ecosystem

Generated against [Epic] Creation of the Agent Skills Ecosystem for Elastic Security.

Narrative role: Shared context layer for Detection Engineering (and by extension every other skill that needs "what security data exists?"). Applies the epic's "Entity Analytics as a horizontal enrichment layer" pattern to data sources.

Must-do before this can ship

• File a formal RFC. This spike proposes a new system-of-record (.kibana-data-source-catalog) that 15+ features will depend on — review scope is larger than a code review
• Decide and document the embedding model for kNN search (ELSER vs E5 vs user-supplied) and publish the cost model
• Widen the consumer contract before shipping: AESOP (#258980), SIEM Migration, AI Assistant, ES|QL tools — not just Detection Engineering. Define read API and versioning now
• Stress-test the resource_already_exists_exception handling for catalog-index bootstrap under concurrent Kibana nodes
• Task Manager refresh cadence + kill switch + backoff on Fleet-event storms
• Privacy / access control: catalog contains index names and field metadata — restrict to users with the relevant index privileges (do not leak schema of indices the caller cannot read)

Follow-ups (post-merge)

• Expose the catalog as an Agent Builder read-tool so skills (Triage, Hunt, DE) can call it instead of re-implementing index discovery
• Make required_fields and related_integrations on detection rules validatable against the catalog (today informational only)

[elasticmachine]

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

• Click to trigger kibana-pull-request for this PR!
• Click to trigger kibana-deploy-project-from-pr for this PR!
• Click to trigger kibana-deploy-cloud-from-pr for this PR!
• Click to trigger kibana-entity-store-performance-from-pr for this PR!
• Click to trigger kibana-storybooks-from-pr for this PR!