AI Assistant Knowledge Base

edit

AI Assistant’s Knowledge Base feature enables AI Assistant to recall specific documents and other specified information. This information, which can include everything from the location of your datacenters to the latest threat research, provides additional context that can improve the quality of AI Assistant’s responses to your queries. This topic describes how to enable and add information to Knowledge Base.

When you upgrade from Elastic Security version 8.15 to a newer version, information previously stored by AI Assistant will be lost.

Role-based access control (RBAC) for Knowledge Base
edit

The Elastic AI Assistant: All role privilege allows you to use AI Assistant and access its settings. It has two sub-privileges, Field Selection and Anonymization, which allows you to customize which alert fields are sent to AI Assistant and Attack Discovery, and Knowledge Base, which allows you to edit and create new Knowledge Base entries.

Knowledge Base’s RBAC settings
Enable Knowledge Base
edit

There are two ways to enable Knowledge Base.

You must individually enable Knowledge Base for each Kibana space where you want to use it.

Option 1: Enable Knowledge Base from an AI Assistant conversationedit

Open a conversation with AI Assistant, select a large language model, then click Setup Knowledge Base. If the button doesn’t appear, Knowledge Base is already enabled.

An AI Assistant conversation showing the Setup Knowledge Base button

Knowledge Base setup may take several minutes. It will continue in the background if you close the conversation. After setup is complete, you can access Knowledge Base settings from AI Assistant’s conversation settings menu (access the conversation settings menu by clicking the three dots button next to the model selection dropdown).

AI Assistant’s dropdown menu with the Knowledge Base option highlighted
Option 2: Enable Knowledge Base from the Security AI settingsedit
  1. To open Security AI settings, use the global search field to find "AI Assistant for Security."
  2. On the Knowledge Base tab, click Setup Knowledge Base. If the button doesn’t appear, Knowledge Base is already enabled.
AI Assistant’s settings menu open to the Knowledge Base tab
Knowledge Base for alerts
edit

When Knowledge Base is enabled, AI Assistant receives open or acknowledged alerts from your environment from the last 24 hours. It uses these as context for each of your prompts. This enables it to answer questions about multiple alerts in your environment rather than just about individual alerts you choose to send it. It receives alerts ordered by risk score, then by the most recently generated. Building block alerts are excluded.

To enable Knowledge Base for alerts:

  1. Ensure that Knowledge Base is enabled.
  2. Use the slider on the Security AI settings' Knowledge Base tab to select the number of alerts to send to AI Assistant. Click Save.

Including a large number of alerts may cause your request to exceed the maximum token length of your third-party generative AI provider. If this happens, try selecting a lower number of alerts to send.

Add knowledge
edit

To view all Knowledge Base entries, go to the Security AI settings and select the Knowledge Base tab. You can add individual documents or entire indices containing multiple documents. Each entry in the Knowledge Base (a document or index) has a Sharing setting of private or global. Private entries apply to the current user only and do not affect other users in the Kibana space, whereas global entries affect all users. Each entry can also have a Required knowledge setting, which means it will be included as context for every message sent to AI Assistant.

When you enable Knowledge Base, it comes pre-populated with articles from Elastic Security Labs, current through September 30, 2024, which allows AI Assistant to leverage Elastic’s security research during your conversations. This enables it to answer questions such as, “Are there any new tactics used against Windows hosts that I should be aware of when investigating my alerts?”

Add an individual documentedit

Add an individual document to Knowledge Base when you want AI Assistant to remember a specific piece of information.

  1. To open Security AI settings, use the global search field to find "AI Assistant for Security." Select the Knowledge Base tab.
  2. Click New → Document and give it a name.
  3. Under Sharing, select whether this knowledge should be Global or Private.
  4. Write the knowledge AI Assistant should remember in the Markdown text field.
  5. In the Markdown text field, enter the information you want AI Assistant to remember.
  6. If it should be Required knowledge, select the option. Otherwise, leave it blank. Alternatively, you can simply send a message to AI Assistant that instructs it to "Remember" the information. For example, "Remember that I changed my password today, October 24, 2024", or "Remember we always use the Threat Hunting Timeline template when investigating potential threats". Entries created in this way are private to you. By default, they are not required knowledge, but you can make them required by instructing AI Assistant to "Always remember", for example "Always remember to address me as madam", or "Always remember that our primary data center is located in Austin, Texas".

Refer to the following video for an example of adding a document to Knowledge Base from the settings menu.


Add an indexedit

Add an index as a knowledge source when you want new information added to that index to automatically inform AI Assistant’s responses. Common security examples include asset inventories, network configuration information, on-call matrices, threat intelligence reports, and vulnerability scans.

Indices added to Knowledge Base must have at least one field mapped as semantic text.

  1. To open Security AI settings, use the global search field to find "AI Assistant for Security." Select the Knowledge Base tab.
  2. Click New → Index.
  3. Name the knowledge source.
  4. Under Sharing, select whether this knowledge should be Global or Private.
  5. Under Index, enter the name of the index you want to use as a knowledge source.
  6. Under Field, enter the names of one or more semantic text fields within the index.
  7. Under Data Description, describe when this information should be used by AI Assistant.
  8. Under Query Instruction, describe how AI Assistant should query this index to retrieve relevant information.
  9. Under Output Fields, list the fields which should be sent to AI Assistant. If none are listed, all fields will be sent.
Knowledge base’s Edit index entry menu

Refer to the following video for an example of adding an index to Knowledge Base.