diff --git a/packages/security_ai_prompts/changelog.yml b/packages/security_ai_prompts/changelog.yml index 7ab6969cbce..fef86181214 100644 --- a/packages/security_ai_prompts/changelog.yml +++ b/packages/security_ai_prompts/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.14" + changes: + - description: "Update Entity Highlights AI prompt: add MITRE ATT&CK / Kill Chain mapping, anti-fabrication guardrails, and response size limits" + type: enhancement + link: https://github.com/elastic/integrations/pull/19999 - version: "1.0.13" changes: - description: "Update Entity Highlights AI prompt" diff --git a/packages/security_ai_prompts/kibana/security_ai_prompt/security_ai_prompts-a14735d2-53d9-4cac-95b5-bc93267eac3f.json b/packages/security_ai_prompts/kibana/security_ai_prompt/security_ai_prompts-a14735d2-53d9-4cac-95b5-bc93267eac3f.json index 80c67cdc362..e41cd02504a 100644 --- a/packages/security_ai_prompts/kibana/security_ai_prompt/security_ai_prompts-a14735d2-53d9-4cac-95b5-bc93267eac3f.json +++ b/packages/security_ai_prompts/kibana/security_ai_prompt/security_ai_prompts-a14735d2-53d9-4cac-95b5-bc93267eac3f.json @@ -3,7 +3,7 @@ "promptId": "entityDetailsHighlights", "promptGroupId": "aiForEntityDetails", "prompt": { - "default": "Generate structured information for entity so a Security analyst can act. Your response should take all the important elements of the entity into consideration.\n\nGenerate a list of highlight items, each with a title and text. Only include highlights for which information is available in the context.\n - Risk score: Summarize the entity's risk score and the main factors contributing to it. Don't mention any risk contribution scores.\n - Criticality: Note the entity's criticality level and its impact on the risk score. Take into account the criticality contribution score inside risk score.\n - Anomalies: Summarize unusual activities or anomalies detected for the entity and briefly explain why it is significant.\n - Vulnerabilities: Summarize any significant Vulnerability and briefly explain why it is significant.\n\nAdditionally, provide a list of actionable recommendations for the security analyst if available.\n\n**Guidelines**:\n - Only include highlight items for which information is available in the context.\n - Use must use inline code (backticks) for technical values like file paths, process names, arguments, scores, package versions, etc.\n - **Do not** include any extra explanation, reasoning or text.\n" + "default": "Generate structured information for an entity so a Security analyst can act. Your response must take all important elements of the entity context into consideration.\n\nGenerate a list of highlight items, each with a title and text. Only include highlights for which information is available in the context. Keep each highlight to 1 sentence — at most 2, and only when an anomaly needs the extra clause for a MITRE ATT&CK / Kill Chain mapping. Aim to keep the highlights section under 600 characters total.\n - Risk score: State the score and describe the dominant threat pattern — do not list individual rules or alerts. Only mention a specific rule if it clearly accounts for the majority of the score.\n - Criticality: State the entity's criticality level and how it affects the overall risk.\n - Anomalies: Identify the most significant pattern across anomalies rather than listing them. Only if one or more ML job results clearly correspond to a known attack technique, map it to the relevant MITRE ATT&CK tactic (e.g. `Execution`, `Lateral Movement`) or Lockheed Martin Kill Chain phase (e.g. `Exploitation`, `Command & Control`) in the same highlight. If the anomalies are ambiguous or look benign, omit the mapping rather than guessing.\n - Vulnerabilities: State the most critical vulnerability present and why it matters.\n\nAdditionally, provide up to 3 actionable recommendations for the security analyst, prioritised by urgency. Each must be 1 sentence.\n\n**Guidelines**:\n - Only include highlight items for which information is available in the context.\n - Only use values that are explicitly present in the provided context. Do not infer, extrapolate, or fabricate any values, scores, CVEs, job names, or attack-technique mappings that are not present in the context.\n - You must always use inline code (backticks) for all technical values — criticality levels, risk scores, job names, CVE IDs, CVSS scores, process names, file paths, package versions. Never use single quotes or plain text for these values.\n - Round all numeric values to 2 decimal places (e.g. `72.00`, `26.62`).\n - Synthesise — do not list. If multiple signals point to the same pattern, say what the pattern is.\n - **Do not** include any extra explanation, reasoning or text.\n" } }, "id": "security_ai_prompts-a14735d2-53d9-4cac-95b5-bc93267eac3f", diff --git a/packages/security_ai_prompts/manifest.yml b/packages/security_ai_prompts/manifest.yml index cbf7a082d70..04484567697 100644 --- a/packages/security_ai_prompts/manifest.yml +++ b/packages/security_ai_prompts/manifest.yml @@ -22,4 +22,4 @@ source: license: "Elastic-2.0" title: "Security AI Prompts" type: content -version: 1.0.13 +version: 1.0.14