elastic · stephmilovic · Feb 10, 2025 · Mar 26, 2025 · Mar 26, 2025 · Mar 26, 2025
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -350,6 +350,7 @@
 /packages/sailpoint_identity_sc @elastic/security-service-integrations
 /packages/salesforce @elastic/obs-infraobs-integrations
 /packages/santa @elastic/security-service-integrations
+/packages/security_ai_prompts @elastic/security-generative-ai
 /packages/security_detection_engine @elastic/protections
 /packages/sentinel_one @elastic/security-service-integrations
 /packages/sentinel_one_cloud_funnel @elastic/security-service-integrations

@@ -257,6 +257,7 @@ body:
         - Salesforce [salesforce]
         - Google Santa [santa]
         - Prebuilt Security Detection Rules [security_detection_engine]
+        - Security AI Prompts [security_ai_prompts]
         - SentinelOne [sentinel_one]
         - SentinelOne Cloud Funnel [sentinel_one_cloud_funnel]
         - ServiceNow [servicenow]

@@ -257,6 +257,7 @@ body:
         - Salesforce [salesforce]
         - Google Santa [santa]
         - Prebuilt Security Detection Rules [security_detection_engine]
+        - Security AI Prompts [security_ai_prompts]
         - SentinelOne [sentinel_one]
         - SentinelOne Cloud Funnel [sentinel_one_cloud_funnel]
         - ServiceNow [servicenow]

@@ -74,7 +74,7 @@ require (
 	github.com/envoyproxy/go-control-plane v0.13.1 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -231,3 +231,5 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+replace github.com/elastic/package-spec/v3 => github.com/patrykkopycinski/package-spec/v3 v3.0.0-20250327205710-ad2c8bf1da72
@@ -151,8 +151,6 @@ github.com/elastic/kbncontent v0.1.4 h1:GoUkJkqkn2H6iJTnOHcxEqYVVYyjvcebLQVaSR1a
 github.com/elastic/kbncontent v0.1.4/go.mod h1:kOPREITK9gSJsiw/WKe7QWSO+PRiZMyEFQCw+CMLAHI=
 github.com/elastic/package-registry v1.28.0 h1:5VmNq6TCutlh861RHUCrrQbZ+96gppI/udYHR+gmqnU=
 github.com/elastic/package-registry v1.28.0/go.mod h1:d+c6R6ygKDkcfBKb2XTl8tdrxvqv9g5Iwl8YiV3+Lks=
-github.com/elastic/package-spec/v3 v3.3.2 h1:hUoGvVZU19akdx7gyOtSNGVHjWXeN50NDSqtcGxXtJk=
-github.com/elastic/package-spec/v3 v3.3.2/go.mod h1:worvQ1JmqxT8/SaW3Tijspa5nKR/X7jS6u/hmAxa93w=
 github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtzpL63nKAU=
 github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -165,8 +163,8 @@ github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6
 github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4=
 github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
 github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
-github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
+github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
+github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
@@ -405,6 +403,8 @@ github.com/otiai10/copy v1.14.1 h1:5/7E6qsUMBaH5AnQ0sSLzzTg1oTECmcCmT6lvF45Na8=
 github.com/otiai10/copy v1.14.1/go.mod h1:oQwrEDDOci3IM8dJF0d8+jnbfPDllW6vUjNc3DoZm9I=
 github.com/otiai10/mint v1.6.3 h1:87qsV/aw1F5as1eH1zS/yqHY85ANKVMgkDrf9rcxbQs=
 github.com/otiai10/mint v1.6.3/go.mod h1:MJm72SBthJjz8qhefc4z1PYEieWmy8Bku7CjcAqyUSM=
+github.com/patrykkopycinski/package-spec/v3 v3.0.0-20250327205710-ad2c8bf1da72 h1:BgfEKjLbOFGurdOnrmGkrR3a2IcJhrOsVyQj3Wr9aQ8=
+github.com/patrykkopycinski/package-spec/v3 v3.0.0-20250327205710-ad2c8bf1da72/go.mod h1:+q7JpjqBFnNVMmh9VAVfZdOxQ3EmdCD+KM8Cg6VhKgg=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pierrec/lz4/v4 v4.1.2/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=

@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
@@ -0,0 +1,47 @@
+# Security AI Prompts Integration (Beta)
+
+## Overview
+
+The **Security AI Prompts** integration provides pre-configured AI-driven security prompts that enhance automated threat detection and response in Elastic Security. These prompts help security analysts generate AI-assisted insights and streamline their investigative workflows.
+
+This integration is in **beta** and subject to changes. Feedback and contributions are welcome.
+
+## Requirements
+
+- Elastic Stack **8.18.x** or later.
+- Kibana with the **Elastic Assistant** plugin enabled.
+
+## Installation
+
+This integration is automatically installed when users visit the **Security Solution** in Kibana. No manual setup is required.
+
+## Usage
+
+1. Navigate to **Security Solution** in Kibana.
+2. AI-generated security prompts will be used in AI Assistant, Attack Discovery, and other security AI features to assist in investigations and threat analysis.
+
+## Developer Guide
+
+Developers updating this integration must regenerate and update the AI prompts in the package:
+
+1. Generate the Security AI Prompts in the Kibana repository:
+   ```sh
+   cd x-pack/solutions/security/plugins/elastic_assistant
+   yarn generate-security-ai-prompts
+   ```
+2. Copy the updated prompt files to this package:
+   ```sh
+   cd packages/security_ai_prompts/kibana/security_ai_prompt
+   rm ./*.json
+   cp $KIBANA_HOME/target/security_ai_prompts/*.json .
+   ```
+
+## Known Issues & Limitations
+This integration is currently in beta and subject to change.
+Future versions may include automatic prompt synchronization.
+
+## Contributing
+Contributions are welcome! If you encounter issues or have suggestions, please open an issue or submit a pull request.
+
+## License
+This integration is subject to the Elastic License.
@@ -0,0 +1,11 @@
+{
+  "attributes": {
+    "promptId": "ProductDocumentationTool",
+    "promptGroupId": "security-tools",
+    "prompt": {
+      "default": "Use this tool to retrieve documentation about Elastic products. You can retrieve documentation about the Elastic stack, such as Kibana and Elasticsearch, or for Elastic solutions, such as Elastic Security, Elastic Observability or Elastic Enterprise Search."
+    }
+  },
+  "id": "security_ai_prompts-010fe1aa-6bc4-4434-b08d-71c9cd0c28b7",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,12 @@
+{
+  "attributes": {
+    "promptId": "chatTitle",
+    "promptGroupId": "aiAssistant",
+    "provider": "bedrock",
+    "prompt": {
+      "default": "You are a strictly rule-following assistant for Elastic Security.\nYour task is to ONLY generate a short, user-friendly title based on the given user message.\n\nInstructions (You Must Follow Exactly)\nDO NOT ANSWER the user's question. You are forbidden from doing so.\nYour response MUST contain only the generated title. Nothing else.\nAbsolutely NO explanations, disclaimers, or additional text.\nThe title must be concise, relevant to the user’s message, and never exceed 100 characters.\nDO NOT wrap the title in quotes or any other formatting.\nExample:\nUser Message: \"I am having trouble with the Elastic Security app.\"\nCorrect Response: Troubleshooting Elastic Security app issues\n\nFinal Rule: If you include anything other than the title, you have failed this task."
+    }
+  },
+  "id": "security_ai_prompts-101fb945-cd5d-4ecd-93d5-5e3ac15c8ef2",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,11 @@
+{
+  "attributes": {
+    "promptId": "defendInsights-incompatibleAntivirusRefine",
+    "promptGroupId": "defendInsights-incompatibleAntivirus",
+    "prompt": {
+      "default": "You previously generated the following insights, but sometimes they include events that aren't from an antivirus program or are not grouped correctly by the same antivirus program.\n\nReview the insights below and remove any that are not from an antivirus program and combine duplicates into the same 'group'; leave any other insights unchanged:"
+    }
+  },
+  "id": "security_ai_prompts-11855a6b-2713-45c7-b069-2cd8674b45ba",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,12 @@
+{
+  "attributes": {
+    "promptId": "systemPrompt",
+    "promptGroupId": "aiAssistant",
+    "provider": "openai",
+    "prompt": {
+      "default": "You are a security analyst and expert in resolving security incidents. Your role is to assist by answering questions about Elastic Security. Do not answer questions unrelated to Elastic Security. If available, use the Knowledge History provided to try and answer the question. If not provided, you can try and query for additional knowledge via the KnowledgeBaseRetrievalTool. \n\nAnnotate your answer with the provided citations. Here are some example responses with citations: \n1. \"Machine learning is increasingly used in cyber threat detection. {{reference(prSit)}}\" \n2. \"The alert has a risk score of 72. {{reference(OdRs2)}}\"\n\nOnly use the citations returned by tools\n\n \n{formattedTime}"
+    }
+  },
+  "id": "security_ai_prompts-190fa6f6-ef2d-4a77-93b8-72eb88f3a771",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,11 @@
+{
+  "attributes": {
+    "promptId": "defendInsights-incompatibleAntivirusGroup",
+    "promptGroupId": "defendInsights-incompatibleAntivirus",
+    "prompt": {
+      "default": "The program which is triggering the events"
+    }
+  },
+  "id": "security_ai_prompts-19728866-efdc-4832-8367-2317b009a559",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,11 @@
+{
+  "attributes": {
+    "promptId": "entitySummaryMarkdown",
+    "promptGroupId": "attackDiscovery",
+    "prompt": {
+      "default": "A short (no more than a sentence) summary of the insight featuring only the host.name and user.name fields (when they are applicable), using the same {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax"
+    }
+  },
+  "id": "security_ai_prompts-26356c0a-d755-4d2a-8d70-8cbb1a431fd9",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,11 @@
+{
+  "attributes": {
+    "promptId": "defendInsights-incompatibleAntivirusDefault",
+    "promptGroupId": "defendInsights-incompatibleAntivirus",
+    "prompt": {
+      "default": "You are an Elastic Security user tasked with analyzing file events from Elastic Security to identify antivirus processes. Only focus on detecting antivirus processes. Ignore processes that belong to Elastic Agent or Elastic Defend, that are not antivirus processes, or are typical processes built into the operating system. Accuracy is of the utmost importance, try to minimize false positives. Group the processes by the antivirus program, keeping track of the agent.id and _id associated to each of the individual events as endpointId and eventId respectively. If there are no events, ignore the group field. Escape backslashes to respect JSON validation. New lines must always be escaped with double backslashes, i.e. \\\\n to ensure valid JSON. Only return JSON output, as described above. Do not add any additional text to describe your output."
+    }
+  },
+  "id": "security_ai_prompts-3435d238-7c81-445a-8330-f86add887d25",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,12 @@
+{
+  "attributes": {
+    "promptId": "userPrompt",
+    "promptGroupId": "aiAssistant",
+    "provider": "gemini",
+    "prompt": {
+      "default": "Now, always using the tools at your disposal, step by step, come up with a response to this request:\n\n"
+    }
+  },
+  "id": "security_ai_prompts-377b3f39-85ee-490d-aaec-577312151246",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,11 @@
+{
+  "attributes": {
+    "promptId": "OpenAndAcknowledgedAlertsTool",
+    "promptGroupId": "security-tools",
+    "prompt": {
+      "default": "Call this for knowledge about the latest n open and acknowledged alerts (sorted by `kibana.alert.risk_score`) in the environment, or when answering questions about open alerts. Do not call this tool for alert count or quantity. The output is an array of the latest n open and acknowledged alerts."
+    }
+  },
+  "id": "security_ai_prompts-49d743c0-ea35-4c70-9755-dabc88ab1ebe",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,11 @@
+{
+  "attributes": {
+    "promptId": "defendInsights-incompatibleAntivirusEventsValue",
+    "promptGroupId": "defendInsights-incompatibleAntivirus",
+    "prompt": {
+      "default": "The process.executable value of the event"
+    }
+  },
+  "id": "security_ai_prompts-4a3fb6d7-853b-4aed-8fec-6b10c756b27a",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,11 @@
+{
+  "attributes": {
+    "promptId": "chatTitle",
+    "promptGroupId": "aiAssistant",
+    "prompt": {
+      "default": "You are a helpful assistant for Elastic Security. Assume the following user message is the start of a conversation between you and a user; give this conversation a title based on the content below. DO NOT UNDER ANY CIRCUMSTANCES wrap this title in single or double quotes. This title is shown in a list of conversations to the user, so title it for the user, not for you. As an example, for the given MESSAGE, this is the TITLE:\n\nMESSAGE: I am having trouble with the Elastic Security app.\nTITLE: Troubleshooting Elastic Security app issues\n"
+    }
+  },
+  "id": "security_ai_prompts-4ad2b723-4e47-4f6c-83cb-f90f25ad07c4",
+  "type": "security-ai-prompt"
+}
@@ -0,0 +1,11 @@
+{
+  "attributes": {
+    "promptId": "defendInsights-incompatibleAntivirusEventsEndpointId",
+    "promptGroupId": "defendInsights-incompatibleAntivirus",
+    "prompt": {
+      "default": "The endpoint ID"
+    }
+  },
+  "id": "security_ai_prompts-57270f22-8e91-4a1f-8235-f5c3e2e9af83",
+  "type": "security-ai-prompt"
+}