AI Assistant Knowledge Base


AI Assistant’s Knowledge Base feature enables AI Assistant to recall specific documents and other specified information. This information, which can include everything from the location of your datacenters to the latest threat research, provides additional context that can improve the quality of AI Assistant’s responses to your queries. This topic describes how to enable and add information to Knowledge Base.

When you upgrade from Elastic Security version 8.15 to a newer version, information previously stored by AI Assistant will be lost.

Role-based access control (RBAC) for Knowledge Base


The Elastic AI Assistant: All role privilege allows you to use AI Assistant and access its settings. It has two sub-privileges: Field Selection and Anonymization, which allows you to customize which alert fields are sent to AI Assistant and Attack Discovery, and Knowledge Base, which allows you to edit and create new Knowledge Base entries.

Knowledge base’s RBAC settings

Enable Knowledge Base


There are two ways to enable Knowledge Base.

You must individually enable Knowledge Base for each Kibana space where you want to use it.

Option 1: Enable Knowledge Base from an AI Assistant conversation

Open a conversation with AI Assistant, select a large language model, then click Setup Knowledge Base. If the button doesn’t appear, Knowledge Base is already enabled.

An AI Assistant conversation showing the Setup Knowledge Base button

Knowledge Base setup may take several minutes. It will continue in the background if you close the conversation. After setup is complete, you can access Knowledge Base settings from AI Assistant’s conversation settings menu (open the conversation settings menu by clicking the three dots button next to the model selection dropdown).

AI Assistant’s dropdown menu with the Knowledge Base option highlighted
Option 2: Enable Knowledge Base from the Security AI settings
  1. To open Security AI settings, use the global search field to find "AI Assistant for Security."
  2. On the Knowledge Base tab, click Setup Knowledge Base. If the button doesn’t appear, Knowledge Base is already enabled.
AI Assistant’s settings menu open to the Knowledge Base tab

Knowledge base for alerts


When Knowledge Base is enabled, AI Assistant receives open or acknowledged alerts from your environment from the last 24 hours. It uses these as context for each of your prompts. This enables it to answer questions about multiple alerts in your environment rather than just about individual alerts you choose to send it. It receives alerts ordered by risk score, then by the most recently generated. Building block alerts are excluded.

To enable Knowledge Base for alerts:

  1. Ensure that Knowledge Base is enabled.
  2. On the Security AI settings page, go to the Knowledge Base tab and use the slider to select the number of alerts to send to AI Assistant. Click Save.

Including a large number of alerts may cause your request to exceed the maximum token length of your third-party generative AI provider. If this happens, try selecting a lower number of alerts to send.

Add knowledge


To view all knowledge base entries, go to Security AI settings and select the Knowledge Base tab. You can add individual documents or entire indices containing multiple documents. Each entry in the Knowledge Base (a document or index) has a Sharing setting of private or global. Private entries apply to the current user only and do not affect other users in the Kibana space, whereas global entries affect all users. Each entry can also have a Required knowledge setting, which means it will be included as context for every message sent to AI Assistant.

When you enable Knowledge Base, it comes pre-populated with articles from Elastic Security Labs, current through September 30, 2024, which allows AI Assistant to leverage Elastic’s security research during your conversations. This enables it to answer questions such as, “Are there any new tactics used against Windows hosts that I should be aware of when investigating my alerts?”

Add an individual document

Add an individual document to Knowledge Base when you want AI Assistant to remember a specific piece of information.

  1. To open Security AI settings, use the global search field to find "AI Assistant for Security." Select the Knowledge Base tab.
  2. Click New → Document and give it a name.
  3. Under Sharing, select whether this knowledge should be Global or Private.
  4. In the Markdown text field, enter the information you want AI Assistant to remember.
  5. If it should be Required knowledge, select the option. Otherwise, leave it blank.

Alternatively, you can simply send a message to AI Assistant that instructs it to "Remember" the information. For example, "Remember that I changed my password today, October 24, 2024", or "Remember we always use the Threat Hunting Timeline template when investigating potential threats". Entries created in this way are private to you. By default they are not required knowledge, but you can make them required by instructing AI Assistant to "Always remember", for example "Always remember to address me as madam", or "Always remember that our primary data center is located in Austin, Texas".

Refer to the following video for an example of adding a document to Knowledge Base from the settings menu.


Add an index

Add an index as a knowledge source when you want new information added to that index to automatically inform AI Assistant’s responses. Common security examples include asset inventories, network configuration information, on-call matrices, threat intelligence reports, and vulnerability scans.

Indices added to Knowledge Base must have at least one field mapped as semantic text.

  1. To open Security AI settings, use the global search field to find "AI Assistant for Security." Select the Knowledge Base tab.
  2. Click New → Index.
  3. Name the knowledge source.
  4. Under Sharing, select whether this knowledge should be Global or Private.
  5. Under Index, enter the name of the index you want to use as a knowledge source.
  6. Under Field, enter the names of one or more semantic text fields within the index.
  7. Under Data Description, describe when this information should be used by AI Assistant.
  8. Under Query Instruction, describe how AI Assistant should query this index to retrieve relevant information.
  9. Under Output Fields, list the fields which should be sent to AI Assistant. If none are listed, all fields will be sent.
Knowledge base’s Edit index entry menu
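The following is an added example, not code from the Elastic documentation or product. It shows the two pieces a practitioner wants before adding an index as a knowledge source: the index mapping body that gives the index a semantic text field (sent with `PUT /<index>`), and a check that walks a mapping as returned by `GET /<index>/_mapping` and confirms at least one semantic_text field exists, including fields nested inside object fields. The index name `threat_intel_notes` and field name `content` are placeholders; the inference endpoint `elastic-security-ai-assistant-elser2` is the one named later on this page, and the sample mapping response is constructed.

```python
"""Added example (not Elastic's own code): build a Knowledge Base-ready index
mapping and verify that an existing mapping has a semantic_text field.

Assumptions (not from the page): index name "threat_intel_notes" and field
name "content" are placeholders; the sample mapping response is constructed.
"""
import json

DEFAULT_INFERENCE_ID = "elastic-security-ai-assistant-elser2"  # endpoint named on this page


def knowledge_index_body(field="content", inference_id=DEFAULT_INFERENCE_ID):
    """Return the request body for `PUT /<index>` with one semantic_text field.

    A semantic_text field is embedded by the named inference endpoint at index
    time, which is what lets AI Assistant retrieve documents by meaning.
    """
    return {
        "mappings": {
            "properties": {
                "title": {"type": "keyword"},
                "published": {"type": "date"},
                field: {"type": "semantic_text", "inference_id": inference_id},
            }
        }
    }


def semantic_text_fields(mapping, prefix=""):
    """Walk a mapping's `properties` tree and return the dotted path of every
    semantic_text field, recursing into object fields."""
    found = []
    for name, spec in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        if spec.get("type") == "semantic_text":
            found.append(path)
        if "properties" in spec:  # object field: look inside it too
            found.extend(semantic_text_fields(spec, prefix=path + "."))
    return found


def check_knowledge_base_ready(index_name, mapping_response):
    """Raise ValueError unless the index has a semantic_text field; otherwise
    return the list of such fields (candidates for the entry's Field setting)."""
    mappings = mapping_response[index_name]["mappings"]
    fields = semantic_text_fields(mappings)
    if not fields:
        raise ValueError(f"{index_name}: no semantic_text field, Knowledge Base requires one")
    return fields


# Constructed sample: what GET /threat_intel_notes/_mapping could return after the
# body above is applied, plus a nested object field to exercise the recursion.
SAMPLE_MAPPING_RESPONSE = {
    "threat_intel_notes": {
        "mappings": {
            "properties": {
                "title": {"type": "keyword"},
                "content": {"type": "semantic_text", "inference_id": DEFAULT_INFERENCE_ID},
                "report": {
                    "properties": {
                        "summary": {"type": "semantic_text", "inference_id": DEFAULT_INFERENCE_ID},
                        "source": {"type": "keyword"},
                    }
                },
            }
        }
    }
}

if __name__ == "__main__":
    print(json.dumps(knowledge_index_body(), indent=2))
    print(check_knowledge_base_ready("threat_intel_notes", SAMPLE_MAPPING_RESPONSE))
```

Run the check against the real mapping response before filling in the Field setting of the index entry; the paths it returns are the values that setting accepts, and an index with none of them cannot be added.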

Refer to the following video for an example of adding an index to Knowledge Base.


Add knowledge with a connector or web crawler

You can use an Elasticsearch connector or web crawler to create an index that contains data you want to add to Knowledge Base.

This section provides an example of adding a threat intelligence feed to Knowledge Base using a web crawler. For more information on adding data to Elasticsearch using a connector, refer to Ingest data with Elastic connectors. For more information on web crawlers, refer to Elastic web crawler.

Use a web crawler to add threat intelligence to Knowledge Base

First, you’ll need to set up a web crawler to add the desired data to an index, then you’ll need to add that index to Knowledge Base.

  1. From the Search section of Kibana, find Web crawlers in the navigation menu or use the global search field.
  2. Click New web crawler.

    1. Under Index name, name the index where the data from your new web crawler will be stored, for example threat_intelligence_feed_1. Click Create index.
    2. Under Domain URL, enter the URL where the web crawler should collect data. Click Validate Domain to test it, then Add domain.
  3. The previous step opens a page with the details of your new index. Go to its Mappings tab, then click Add field.

    Remember, each index added to Knowledge Base must have at least one semantic text field.

    1. Under Field type, select Semantic text. Under Select an inference endpoint, select elastic-security-ai-assistant-elser2. Click Add field, then Save mapping.
  4. Go to the Scheduling tab. Enable the Enable recurring crawls with the following schedule setting, and define your desired schedule.
  5. Go to the Manage Domains tab. Select the domain associated with your new web crawler, then go to its Crawl rules tab. For more information, refer to Web crawler content extraction rules.

    1. Click Add crawl rule. Under Policy, select Disallow. Under Rule, select Regex. Under Path pattern, enter .*. Click Save.
    2. Click Add crawl rule again. Under Policy, select Allow. Under Rule, select Contains. Under Path pattern, enter your path pattern, for example threat-intelligence. Click Save. Check the order of the two rules on the list: the crawler evaluates rules from the top down and applies the first one that matches, so the Allow rule must appear above the catch-all Disallow rule; otherwise every URL is disallowed and nothing is crawled.
    3. Click Crawl, then Crawl all domains on this index. A success message appears. The crawl process will take longer for larger data sources. Once it finishes, your new web crawler’s index will contain documents provided by the crawler.
  6. Finally, follow the instructions to add an index to Knowledge Base. Add the index that contains the data from your new web crawler (threat_intelligence_feed_1 in this example).
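The following is an added example, not code from the Elastic documentation or crawler. It evaluates the two crawl rules from the procedure above against a handful of constructed URLs, in both orderings, so you can see why the position of the Allow rule decides whether anything is crawled at all. It assumes (as stated here, not taken from the page) that rules are evaluated top to bottom with the first match winning and that a URL matching no rule is allowed; the domain `vendor.example` and the paths are constructed.

```python
"""Added example (not Elastic's own code): apply crawl rules in order to
sample URLs and show the effect of rule ordering.

Assumption (not from the page): rules are evaluated top to bottom, the first
matching rule decides, and a URL matching no rule is allowed. The domain and
paths below are constructed.
"""
import re
from urllib.parse import urlparse


def rule_matches(rule, path):
    """Return True if the rule's pattern matches the URL path. `rule` mirrors
    the UI's Rule menu: 'regex', 'contains', 'begins' or 'ends'."""
    kind, pattern = rule["rule"], rule["pattern"]
    if kind == "regex":
        return re.search(pattern, path) is not None
    if kind == "contains":
        return pattern in path
    if kind == "begins":
        return path.startswith(pattern)
    if kind == "ends":
        return path.endswith(pattern)
    raise ValueError(f"unknown rule type {kind!r}")


def decide(rules, url):
    """First matching rule wins; default to allow when nothing matches."""
    path = urlparse(url).path
    for rule in rules:
        if rule_matches(rule, path):
            return rule["policy"]
    return "allow"


def crawlable(rules, urls):
    """Return the subset of `urls` the crawler would fetch under `rules`."""
    return [u for u in urls if decide(rules, u) == "allow"]


# The two rules from the procedure above.
ALLOW_TI = {"policy": "allow", "rule": "contains", "pattern": "threat-intelligence"}
DENY_ALL = {"policy": "disallow", "rule": "regex", "pattern": ".*"}

# Intended order: the specific Allow is evaluated before the catch-all Disallow.
INTENDED = [ALLOW_TI, DENY_ALL]
# The mistake to catch: the catch-all comes first, so the Allow rule is never reached.
SWAPPED = [DENY_ALL, ALLOW_TI]

SAMPLE_URLS = [  # constructed
    "https://vendor.example/threat-intelligence/2024/apt-report",
    "https://vendor.example/threat-intelligence/feed.rss",
    "https://vendor.example/blog/product-launch",
    "https://vendor.example/careers",
]

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("swapped", SWAPPED)):
        print(f"{name}: {crawlable(rules, SAMPLE_URLS)}")
```

With the intended order only the two threat-intelligence paths are fetched; with the rules swapped the catch-all Disallow matches everything first and the index stays empty, which is the symptom to look for if a crawl completes quickly and adds no documents.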

Your new threat intelligence data is now included in Knowledge Base and can inform AI Assistant’s responses.

Refer to the following video for an example of creating a web crawler to ingest threat intelligence data and adding it to Knowledge Base.