kibana
kibana copied to clipboard
Published
20 hours ago •
elastic
elastic
[Security AI Assistant] Chat complete API
Summary
Current PR introduces the new public chat/complete API for Security Assistant.
Use cases:
POST http://localhost:5601/api/security_ai_assistant/chat/complete
- Simplest Q&A:
User:
{
"connectorId": "my-gen-ai",
"persist": false,
"messages": [
{
"role": "user",
"content": "As an expert user of Elastic Security, please generate an accurate and valid ESQL query to detect the use case below. Your response should be formatted to be able to use immediately in an Elastic Security timeline or detection rule. Take your time with the answer, check your knowledge really well on all the functions I am asking for. For ES|QL answers specifically, you should only ever answer with what's available in your private knowledge. I cannot afford for queries to be inaccurate. Assume I am using the Elastic Common Schema and Elastic Agent.Ensure the answers are formatted in a way which is easily copyable as a separate code block in markdown."
}
]
}
Assistant:
{
"connector_id": "my-gen-ai",
"data": "Of course, I'd be happy to help with that. Could you please provide me with the specific use case or details of the activity you're looking to detect using the ESQL query?",
"trace_data": {
"transaction_id": "0aa30f21b107cd03",
"trace_id": "e5c63c37804e974b8022a86b3a3d88bc"
},
"replacements": {},
"status": "ok"
}
- Q&A with the data and anonymization fields list + centralized anonymization applied:
User:
{
"connectorId": "my-gen-ai",
"persist": false,
"messages": [
{
"role": "user",
"content": "Evaluate the event from the context and format your output neatly in markdown syntax for my Elastic Security case.\nAdd your description, recommended actions and bulleted triage steps. Use the MITRE ATT&CK data provided to add more context and recommendations from MITRE, and hyperlink to the relevant pages on MITRE's website. Be sure to include the user and host risk score data from the context. Your response should include steps that point to Elastic Security specific features, including endpoint response actions, the Elastic Agent OSQuery manager integration (with example osquery queries), timelines and entity analytics and link to all the relevant Elastic Security documentation.",
"data": {
"event.category": "process",
"process.pid": 69516,
"host.os.version": 14.5,
"host.os.name": "macOS",
"host.name": "Yuliias-MBP",
"process.name": "biomesyncd",
"user.name": "yuliianaumenko",
"process.working_directory":"/",
"event.module":"system",
"process.executable": "/usr/libexec/biomesyncd",
"process.args": "/usr/libexec/biomesyncd",
"message": "Process biomesyncd (PID: 69516) by user yuliianaumenko STOPPED"
},
"fields_to_anonymize": ["host.os.name", "event.module"]
}
]
}
Assistant:
{
"connector_id": "my-gen-ai",
"data": "## Event Evaluation\n\n### Description\n\nThe event details a process named `biomesyncd` with PID 69516, initiated by the user `yuliianaumenko`, being stopped on a host with the name `138fea45-b182-450d-bfc7-169baf807073`. The process was executed from `/usr/libexec/biomesyncd` with the same name as the executable, and it was operating from the root directory `/`. The host is running an operating system named `509de90a-a77f-4a48-97b0-453fce3a9846` with version `14.5`.\n\n### Recommended Actions\n\n1. **Initial Assessment**: Determine if `biomesyncd` is a legitimate process for the host's operating system and the user's typical behavior.\n2. **Investigate Process History**: Use Elastic Security's timeline feature to trace the history of `biomesyncd` executions and any related events.\n3. **User Behavior Analysis**: Analyze the user `yuliianaumenko`'s behavior for any anomalies using Elastic Security's entity analytics.\n4. **Host Risk Score Evaluation**: Review the risk score assigned to the host `138fea45-b182-450d-bfc7-169baf807073` to prioritize investigation.\n5. **Endpoint Response**: Consider using Elastic Security's endpoint response actions to isolate the host if malicious activity is suspected.\n6. **OSQuery Manager Integration**: Utilize the Elastic Agent OSQuery manager to run queries for further investigation.\n\n### Triage Steps\n\n1. **Verify Process Authenticity**:\n - Check if `biomesyncd` is known to be a part of the host's operating system or if it's potentially malicious.\n2. **Timeline Analysis**:\n - Navigate to Elastic Security's [Timelines](https://www.elastic.co/guide/en/security/current/timelines-ui.html) to investigate related events before and after the process stoppage.\n3. **User and Host Risk Score**:\n - Assess the risk scores provided by Elastic Security for both the user and the host to prioritize your investigation.\n4. **Endpoint Isolation**:\n - If suspicious activity is confirmed, use [Endpoint Response Actions](https://www.elastic.co/guide/en/security/current/responses-ui.html) to isolate the host.\n5. **OSQuery for Further Investigation**:\n - Use the [Elastic Agent OSQuery Manager](https://www.elastic.co/guide/en/fleet/current/osquery.html) integration to execute queries like `SELECT * FROM processes WHERE name = 'biomesyncd';` to gather more information about the process and its activities.\n\n### MITRE ATT&CK Context\n\nGiven the information, it's unclear which specific MITRE ATT&CK technique might be relevant without further investigation. However, monitoring and investigating unexpected or unauthorized process terminations can be related to various techniques such as [T1569.002: System Services: Service Stop](https://attack.mitre.org/techniques/T1569/002/). It's crucial to determine whether this event is part of regular maintenance or indicative of malicious activity.\n\n### Additional Resources\n\n- Elastic Security Documentation: [Elastic Security](https://www.elastic.co/guide/en/security/current/index.html)\n- MITRE ATT&CK: [MITRE ATT&CK Techniques](https://attack.mitre.org/techniques/enterprise/)\n- Elastic Agent OSQuery Manager: [OSQuery Manager](https://www.elastic.co/guide/en/fleet/current/osquery.html)\n\nPlease proceed with the recommended actions and triage steps to further investigate this event and determine the appropriate response.",
"trace_data": {
"transactionId": "bd446038ccb07011",
"traceId": "58727f2954b316f45182dd3e55c5564d"
},
"replacements": {
"509de90a-a77f-4a48-97b0-453fce3a9846": "macOS",
"138fea45-b182-450d-bfc7-169baf807073": "Yuliias-MBP",
"ed31954a-42db-4cef-be6e-cd53d3b71a21": "yuliianaumenko",
"9c8740a5-6f23-4469-829f-ddcb35809723": "system"
},
"status": "ok"
}
- Q&A as a part of the existing conversation by id:
User:
{
"conversationId": "1d59bf07-144e-407b-9da0-3a55c69e5c10",
"connectorId": "my-gen-ai",
"persist": true,
"messages": [
{
"role": "user",
"content": "As an expert user of Elastic Security, please generate an accurate and valid ESQL query to detect the use case below. Your response should be formatted to be able to use immediately in an Elastic Security timeline or detection rule. Take your time with the answer, check your knowledge really well on all the functions I am asking for. For ES|QL answers specifically, you should only ever answer with what's available in your private knowledge. I cannot afford for queries to be inaccurate. Assume I am using the Elastic Common Schema and Elastic Agent.Ensure the answers are formatted in a way which is easily copyable as a separate code block in markdown."
}
]
}
Assistant:
{
"connector_id": "my-gen-ai",
"data": "It seems like there might have been a misunderstanding or a technical issue, as the specific use case details you're looking to detect with the ESQL query were not provided in your message. To generate an accurate and valid ESQL query, I need to know the specific behaviors, events, or conditions you wish to identify. This could include, but is not limited to, suspicious process executions, unusual network connections, file modifications, or any other security-relevant events.\n\nPlease provide the details of the use case you're interested in, and I'll be more than happy to assist you with crafting the appropriate ESQL query.",
"trace_data": {
"transactionId": "e4fdba10ed34e0b2",
"traceId": "c06fc9704498ee026f832443154c8033"
},
"replacements": {},
"status": "ok"
}
- Q&A with creation of the new conversation:
User:
{
"connectorId": "my-gen-ai",
"persist": true,
"messages": [
{
"role": "user",
"content": "As an expert user of Elastic Security, please generate an accurate and valid ESQL query to detect the use case below. Your response should be formatted to be able to use immediately in an Elastic Security timeline or detection rule. Take your time with the answer, check your knowledge really well on all the functions I am asking for. For ES|QL answers specifically, you should only ever answer with what's available in your private knowledge. I cannot afford for queries to be inaccurate. Assume I am using the Elastic Common Schema and Elastic Agent.Ensure the answers are formatted in a way which is easily copyable as a separate code block in markdown."
}
]
}
Assistant:
{
"connector_id": "my-gen-ai",
"data": "To provide you with an accurate and valid ESQL query, I need the specific use case you're looking to detect with Elastic Security. Could you please provide me with the details of the scenario or behavior you're aiming to monitor or detect?",
"trace_data": {
"transactionId": "09f6bc2cf03931b6",
"traceId": "8dd3743ac6fc92d33194ea84222ba58c"
},
"replacements": {},
"status": "ok"
}
- The most complex use case with the data, anonymization and adding the Q&A to the existing conversation:
User:
{
"connectorId": "my-gen-ai",
"conversationId": "d574ec43-03d2-4c24-83ce-08002f755f73",
"persist": true,
"messages": [
{
"role": "user",
"content": "Evaluate the event from the context and format your output neatly in markdown syntax for my Elastic Security case.\nAdd your description, recommended actions and bulleted triage steps. Use the MITRE ATT&CK data provided to add more context and recommendations from MITRE, and hyperlink to the relevant pages on MITRE's website. Be sure to include the user and host risk score data from the context. Your response should include steps that point to Elastic Security specific features, including endpoint response actions, the Elastic Agent OSQuery manager integration (with example osquery queries), timelines and entity analytics and link to all the relevant Elastic Security documentation.",
"data": {
"event.category": "process",
"process.pid": 69516,
"host.os.version": 14.5,
"host.os.name": "macOS",
"host.name": "Yuliias-MBP",
"process.name": "biomesyncd",
"user.name": "yuliianaumenko",
"process.working_directory":"/",
"event.module":"system",
"process.executable": "/usr/libexec/biomesyncd",
"process.args": "/usr/libexec/biomesyncd",
"message": "Process biomesyncd (PID: 69516) by user yuliianaumenko STOPPED"
},
"fields_to_anonymize": ["host.os.name", "event.module"]
}
]
}
Assistant:
- Streaming support:
User:
{
"connectorId": "my-gen-ai",
"isStream": true,
"persist": false,
"messages": [
{
"role": "user",
"content": "Evaluate the event from the context and format your output neatly in markdown syntax for my Elastic Security case.\nAdd your description, recommended actions and bulleted triage steps. Use the MITRE ATT&CK data provided to add more context and recommendations from MITRE, and hyperlink to the relevant pages on MITRE's website. Be sure to include the user and host risk score data from the context. Your response should include steps that point to Elastic Security specific features, including endpoint response actions, the Elastic Agent OSQuery manager integration (with example osquery queries), timelines and entity analytics and link to all the relevant Elastic Security documentation.",
"data": {
"event.category": "process",
"process.pid": 69516,
"host.os.version": 14.5,
"host.os.name": "macOS",
"host.name": "Yuliias-MBP",
"process.name": "biomesyncd",
"user.name": "yuliianaumenko",
"process.working_directory":"/",
"event.module":"system",
"process.executable": "/usr/libexec/biomesyncd",
"process.args": "/usr/libexec/biomesyncd",
"message": "Process biomesyncd (PID: 69516) by user yuliianaumenko STOPPED"
},
"fields_to_anonymize": ["host.os.name", "event.module"]
}
]
}
