[EA] Add rich renderer for security entity attachments #264939
opauloh wants to merge 10 commits into elastic:main from
Introduces a rich visual renderer for `security.entity` attachments in Agent Builder, gated behind the `entityAttachmentRichRenderer` experimental flag.
Key changes:
- Supports both single-entity (card) and multi-entity (table) payload shapes in the UI and server-side validation.
- Updates the `security.get_entity` tool to automatically persist a `security.entity` attachment as a side effect when a single entity is resolved.
- Implements a "composer injection" mechanism in the conversation context, allowing attachment renderers to prefill the chat input with type-aware "Continue the conversation" prompts.
- Adds module-scoped query caching for entity details to ensure performance across multiple cards/tables in a single conversation.

…tions
Enhances the `security.entity` attachment renderer to match the layout of the user/host details flyout. Adds new lightweight "mini" components for the summary grid, risk contributions, and resolution groups, decoupled from Redux to work within Agent Builder. Introduces a row-action popover in the table view and follow-up chips in the card view that prefill the composer with type-aware prompts for risk analysis, asset criticality, and graph exploration.

…y search
Enhances the `security.search_entities` tool to support filtering by integration keys (e.g., `crowdstrike`) and automatically generates aggregate table attachments for multi-entity results.
Key changes:
- Updates the AI agent instructions to render inline `` tags for entity lists.
- Implements deterministic attachment IDs for search results to ensure consistent versioning within a conversation.
- Adds a `sources` parameter to the search tool using ESQL `MV_CONTAINS` filtering.
- Introduces UI utilities to format raw integration keys into title-cased labels for the entity table.

Enhances the `security.get_entity` tool to support exact name matches (entity.name and user.full_name) and improves the reliability of rich entity attachment creation.
Key changes:
- Introduces an exact name match step to resolve entities by their display name or full name.
- Updates attachment logic to allow high-confidence matches from ID RLIKE fallbacks (e.g., when a prefix is missing but the ID matches).
- Prevents ambiguous attachments by suppressing rich cards when multiple entities share the same display name.
- Updates tool instructions to guide the agent on supported identifier formats.

… Builder
Implements several workarounds for upstream markdown and tag parsing limitations to improve the reliability of rich entity attachments.
Key changes:
- Hashes entity attachment IDs to prevent special characters (like `@` or `.`) from triggering autolinks, which previously broke XML tag recognition in the markdown pipeline.
- Updates skill instructions to require a blank line after `` tags, preventing trailing prose from being dropped by the parser.
- Uses a global CSS `:has()` selector to inject missing spacing between the attachment panel and subsequent content.
- Updates tools and tests to support deterministic, hash-based attachment IDs.

…istics
Enhances the `security.get_entity` tool to fetch and embed full risk score breakdowns directly into the attachment payload, allowing the chat card to render detailed contribution tables without additional client-side round-trips.
Key changes:
- Server-side tool now queries the risk time-series index for both primary and resolution-group risk documents during attachment creation.
- Implements a stripping utility to prune heavy fields (like `inputs` and `related_entities`) from risk records before persistence.
- Updates the entity card to prefer attachment-supplied risk stats over the limited scores available in the entity store.
- Introduces structural validation for embedded risk data to maintain backward compatibility with older attachments.

Prevents the entity table from becoming unreadable in narrow chat panels by enforcing a minimum width and enabling horizontal overflow instead of aggressive text wrapping.
Key changes:
- Wraps the entity table in a scrollable container with an 800px minimum width.
- Assigns fixed widths to the Name and Sources columns to ensure content remains legible.
- Disables default EUI table responsiveness to maintain the multi-column layout within the scrollable area.

…olution
Improves the accuracy of rich entity cards by persisting the canonical `entity.id` from the entity store, ensuring that local users and other entities with composite names can be correctly rehydrated in the UI.
Key changes:
- Adds an optional `entityStoreId` field to the entity attachment schema and Zod validation.
- Updates the client-side `useEntityForAttachment` hook to prioritize filtering by `entity.id` over name-based fallbacks.
- Modifies `get_entity` and `search_entities` tools to extract and embed the raw `entity.id` into attachment payloads.
- Maintains backward compatibility for legacy attachments by falling back to per-type identity fields (e.g., `user.name`, `host.name`).

Switches the "Last seen" column to use the top-level `@timestamp` field from the entity store record instead of `entity.lifecycle.last_activity`. This ensures that a date is always displayed even when an entity has not yet been observed in logs.
Key changes:
- Adds a `timestamp` field to the entity attachment schema mapping to the record's `@timestamp`.
- Updates the entity table column and tooltips to use this more reliable timestamp.
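
The deterministic, hash-based attachment IDs described in the commit messages above, sketched as an added example (not code from this PR). The SHA-256 choice, the `entity-` and `entity-table-` prefixes, the 32-character truncation, deriving the table ID from the result set, and every function name are assumptions.

```typescript
import { createHash } from 'node:crypto';

// Hypothetical shapes: the PR page does not show its ID helper or schema.
type EntityType = 'user' | 'host' | 'service' | 'generic';

interface EntityRef {
  type: EntityType;
  identifier: string; // constructed sample: "jane.doe@example.com"
}

// Only characters that markdown autolinking and tag parsing leave alone.
const SAFE_ID = /^[a-z0-9-]+$/;

export function isMarkupSafe(id: string): boolean {
  return SAFE_ID.test(id);
}

// Canonical input for the hash. The NUL separator cannot occur in a type
// name, so ("user", "x") and ("use", "rx") can never collide. NFC makes
// visually identical names hash identically.
function canonicalize(ref: EntityRef): string {
  return `${ref.type}\u0000${ref.identifier.normalize('NFC')}`;
}

function sha256Hex(input: string): string {
  return createHash('sha256').update(input, 'utf8').digest('hex');
}

// Single-entity (card) ID: same entity in, same ID out, and no '@' or '.'
// from the raw identifier ever reaches the rendered tag.
export function entityAttachmentId(ref: EntityRef): string {
  return `entity-${sha256Hex(canonicalize(ref)).slice(0, 32)}`;
}

// Multi-entity (table) ID: hash the sorted, de-duplicated member IDs so the
// same result set maps to the same attachment regardless of row order.
export function entityTableAttachmentId(refs: EntityRef[]): string {
  const members = Array.from(new Set(refs.map(entityAttachmentId))).sort();
  return `entity-table-${sha256Hex(members.join('\n')).slice(0, 32)}`;
}
```

Truncating to 32 hex characters keeps 128 bits of the digest, which is ample for uniqueness inside one conversation; the ID is an opaque key and is not meant to hide the underlying identifier.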
| } | ||
| > | ||
| <EuiSpacer size="s" /> | ||
| {hasGroup || isLoading ? ( |
🟠 High entity_card/resolution_mini.tsx:104
When isError is true but hasGroup is false and isLoading is false, the component renders EMPTY_LABEL ("No resolution group yet.") instead of displaying the error state. The ternary on line 104 uses hasGroup || isLoading, which excludes the error case, so ResolutionGroupTable never receives isError={true} and cannot render RESOLUTION_FETCH_ERROR. Consider updating the condition to hasGroup || isLoading || isError so error states are displayed correctly.
| {hasGroup || isLoading ? ( | |
| {hasGroup || isLoading || isError ? ( |
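Review bot: the suggested condition `hasGroup || isLoading || isError` on line 104 should come with a test for the state it fixes. Add a case that renders the component with `isError` true and both `hasGroup` and `isLoading` false, and assert that `RESOLUTION_FETCH_ERROR` is shown instead of `EMPTY_LABEL`, so the error branch cannot silently regress to the empty label.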
Evidence trail:
- x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/entity_attachment/entity_card/resolution_mini.tsx lines 66-68 (early return guard includes isError check)
- x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/entity_attachment/entity_card/resolution_mini.tsx line 104 (ternary condition: `hasGroup || isLoading` - does NOT include isError)
- x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/entity_attachment/entity_card/resolution_mini.tsx lines 39-42 (EMPTY_LABEL = 'No resolution group yet.')
- x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/entity_resolution/resolution_group_table.tsx lines 216-221 (ResolutionGroupTable handles isError and returns RESOLUTION_FETCH_ERROR)
- x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/entity_resolution/translations.ts lines 145-148 (RESOLUTION_FETCH_ERROR = 'Unable to load resolution group')
🟡 Medium
Example 1 (lines 189-196) contradicts the guidance in Step 2 (lines 148-156). The example says "If 10 entities are returned, you MUST call the 'security.get_entity' tool 10 times" while Step 2 says "Do NOT loop security.get_entity over every row just to populate the table." This conflicting instruction causes the LLM to receive contradictory guidance about whether to batch-fetch entity profiles.
Evidence trail:
x-pack/solutions/security/plugins/security_solution/server/agent_builder/skills/entity_analytics/entity_analytics_skill.ts lines 148-156 (Step 2 guidance: 'Do NOT loop security.get_entity over every row') and lines 189-196 (Example 1: 'you MUST call the security.get_entity tool 10 times') at REVIEWED_COMMIT
Note: This is a combined work of #264849 and #264939

## Summary

Introduces a rich visual renderer for `security.entity` attachments in Agent Builder, gated behind the `entityAttachmentRichRenderer` experimental flag.

Key changes:
- Supports both single-entity (card) and multi-entity (table) payload shapes in the UI and server-side validation.
- Updates the `security.get_entity` tool to automatically persist a `security.entity` attachment as a side effect when a single entity is resolved.

## Screenshots

### Entity Analytics Table Attachment
<img width="601" height="665" alt="image" src="https://github.com/user-attachments/assets/08502c67-fb5a-4143-96d1-03a445b5fc7d" />

### Entity Analytics Card Attachment
<img width="668" height="699" alt="image" src="https://github.com/user-attachments/assets/f83fb6ab-138b-493e-9f19-9facbd533138" />

### Entity Analytics Dashboard Attachment
<img width="1221" height="826" alt="image" src="https://github.com/user-attachments/assets/dd300123-e72d-4979-8b49-ee855fb5bfbc" />

---------

Co-authored-by: YulNaumenko <jo.naumenko@gmail.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: jaredburgettelastic <jared.burgett@elastic.co>
…265572)

# Backport

This will backport the following commits from `main` to `9.4`:
- [[EA] Add Chat-First experience to Entity Analytics (#264985)](#264985)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

---------

Co-authored-by: Paulo Silva <paulo.henrique@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Introduces a rich visual renderer for `security.entity` attachments in Agent Builder, gated behind the `entityAttachmentRichRenderer` experimental flag.

Key changes:
- Updates the `security.get_entity` tool to automatically persist a `security.entity` attachment as a side effect when a single entity is resolved.

Entities table attachment

Entity card attachment