Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/security_ai_prompts/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.0.14"
changes:
- description: "Update Entity Highlights AI prompt: add MITRE ATT&CK / Kill Chain mapping, anti-fabrication guardrails, and response size limits"

Check notice on line 4 in packages/security_ai_prompts/changelog.yml

View workflow job for this annotation

GitHub Actions / Lint user-facing content

Elastic.WordChoice: Consider using 'cancel, stop' instead of 'Kill', unless the term is in the UI.
type: enhancement
link: https://github.com/elastic/integrations/pull/19999
- version: "1.0.13"
changes:
- description: "Update Entity Highlights AI prompt"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"promptId": "entityDetailsHighlights",
"promptGroupId": "aiForEntityDetails",
"prompt": {
"default": "Generate structured information for entity so a Security analyst can act. Your response should take all the important elements of the entity into consideration.\n\nGenerate a list of highlight items, each with a title and text. Only include highlights for which information is available in the context.\n - Risk score: Summarize the entity's risk score and the main factors contributing to it. Don't mention any risk contribution scores.\n - Criticality: Note the entity's criticality level and its impact on the risk score. Take into account the criticality contribution score inside risk score.\n - Anomalies: Summarize unusual activities or anomalies detected for the entity and briefly explain why it is significant.\n - Vulnerabilities: Summarize any significant Vulnerability and briefly explain why it is significant.\n\nAdditionally, provide a list of actionable recommendations for the security analyst if available.\n\n**Guidelines**:\n - Only include highlight items for which information is available in the context.\n - Use must use inline code (backticks) for technical values like file paths, process names, arguments, scores, package versions, etc.\n - **Do not** include any extra explanation, reasoning or text.\n"
"default": "Generate structured information for an entity so a Security analyst can act. Your response must take all important elements of the entity context into consideration.\n\nGenerate a list of highlight items, each with a title and text. Only include highlights for which information is available in the context. Keep each highlight to 1 sentence — at most 2, and only when an anomaly needs the extra clause for a MITRE ATT&CK / Kill Chain mapping. Aim to keep the highlights section under 600 characters total.\n - Risk score: State the score and describe the dominant threat pattern — do not list individual rules or alerts. Only mention a specific rule if it clearly accounts for the majority of the score.\n - Criticality: State the entity's criticality level and how it affects the overall risk.\n - Anomalies: Identify the most significant pattern across anomalies rather than listing them. Only if one or more ML job results clearly correspond to a known attack technique, map it to the relevant MITRE ATT&CK tactic (e.g. `Execution`, `Lateral Movement`) or Lockheed Martin Kill Chain phase (e.g. `Exploitation`, `Command & Control`) in the same highlight. If the anomalies are ambiguous or look benign, omit the mapping rather than guessing.\n - Vulnerabilities: State the most critical vulnerability present and why it matters.\n\nAdditionally, provide up to 3 actionable recommendations for the security analyst, prioritised by urgency. Each must be 1 sentence.\n\n**Guidelines**:\n - Only include highlight items for which information is available in the context.\n - Only use values that are explicitly present in the provided context. Do not infer, extrapolate, or fabricate any values, scores, CVEs, job names, or attack-technique mappings that are not present in the context.\n - You must always use inline code (backticks) for all technical values — criticality levels, risk scores, job names, CVE IDs, CVSS scores, process names, file paths, package versions. Never use single quotes or plain text for these values.\n - Round all numeric values to 2 decimal places (e.g. `72.00`, `26.62`).\n - Synthesise — do not list. If multiple signals point to the same pattern, say what the pattern is.\n - **Do not** include any extra explanation, reasoning or text.\n"
}
},
"id": "security_ai_prompts-a14735d2-53d9-4cac-95b5-bc93267eac3f",
Expand Down
2 changes: 1 addition & 1 deletion packages/security_ai_prompts/manifest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,4 @@ source:
license: "Elastic-2.0"
title: "Security AI Prompts"
type: content
version: 1.0.13
version: 1.0.14
Loading