[8.x] [Security Solution] add defend insights elastic assistant tool (#…

…198676) (#201104)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] add defend insights elastic assistant tool
(#198676)](#198676)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Joey F.
Poon","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-19T10:07:42Z","message":"[Security
Solution] add defend insights elastic assistant tool (#198676)\n\n###
Summary\r\nAdds the new Defend Insights Elastic Assistant tool. This
assistant tool\r\nprovides Elastic Defend configuration insights. For
this initial PR,\r\nonly incompatible antivirus detection is supported.
Telemetry is\r\ncollected for success and error events.\r\n\r\nFor
incompatible antivirus detection, Defend Insights will review
the\r\nlast 200 file events for the given endpoint and output
suspected\r\nantiviruses. Improvements such as customizable event count
and date\r\nrange will come in the future.\r\n\r\nThis PR does not
include any UI, that will come in a separate PR. 3\r\ninternal APIs for
interacting with Defend Insights are provided here:\r\n- `POST
/defend_insights` for creating a new Defend Insight\r\n- `GET
/defend_insights/{id}` for getting a Defend Insight\r\n- `GET
/defend_insights` for getting multiple Defend Insights\r\n\t- available
optional query params:\r\n\t\t- `size` - default 10\r\n\t\t-
`ids`\r\n\t\t- `connector_id`\r\n\t\t- `type` -
`incompatible_antivirus`\r\n\t\t- `status` - `running`, `completed`,
`failed`, `canceled`\r\n\t\t- `endpoint_ids`\r\n\r\nThis initial
implementation does not include the LangGraph/output\r\nchunking
upgrades seen in Attack Discovery due to time constraints.\r\nWe'll look
to make this upgrade in a future PR.\r\n\r\n### Checklist\r\n\r\n- [x]
[Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n\r\n### For
maintainers\r\n\r\n- [x] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels)","sha":"efc0568e014105637332533e37491f074ec8fe2b","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend
Workflows","backport:all-open","v8.18.0"],"number":198676,"url":"https://github.com/elastic/kibana/pull/198676","mergeCommit":{"message":"[Security
Solution] add defend insights elastic assistant tool (#198676)\n\n###
Summary\r\nAdds the new Defend Insights Elastic Assistant tool. This
assistant tool\r\nprovides Elastic Defend configuration insights. For
this initial PR,\r\nonly incompatible antivirus detection is supported.
Telemetry is\r\ncollected for success and error events.\r\n\r\nFor
incompatible antivirus detection, Defend Insights will review
the\r\nlast 200 file events for the given endpoint and output
suspected\r\nantiviruses. Improvements such as customizable event count
and date\r\nrange will come in the future.\r\n\r\nThis PR does not
include any UI, that will come in a separate PR. 3\r\ninternal APIs for
interacting with Defend Insights are provided here:\r\n- `POST
/defend_insights` for creating a new Defend Insight\r\n- `GET
/defend_insights/{id}` for getting a Defend Insight\r\n- `GET
/defend_insights` for getting multiple Defend Insights\r\n\t- available
optional query params:\r\n\t\t- `size` - default 10\r\n\t\t-
`ids`\r\n\t\t- `connector_id`\r\n\t\t- `type` -
`incompatible_antivirus`\r\n\t\t- `status` - `running`, `completed`,
`failed`, `canceled`\r\n\t\t- `endpoint_ids`\r\n\r\nThis initial
implementation does not include the LangGraph/output\r\nchunking
upgrades seen in Attack Discovery due to time constraints.\r\nWe'll look
to make this upgrade in a future PR.\r\n\r\n### Checklist\r\n\r\n- [x]
[Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n\r\n### For
maintainers\r\n\r\n- [x] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels)","sha":"efc0568e014105637332533e37491f074ec8fe2b"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198676","number":198676,"mergeCommit":{"message":"[Security
Solution] add defend insights elastic assistant tool (#198676)\n\n###
Summary\r\nAdds the new Defend Insights Elastic Assistant tool. This
assistant tool\r\nprovides Elastic Defend configuration insights. For
this initial PR,\r\nonly incompatible antivirus detection is supported.
Telemetry is\r\ncollected for success and error events.\r\n\r\nFor
incompatible antivirus detection, Defend Insights will review
the\r\nlast 200 file events for the given endpoint and output
suspected\r\nantiviruses. Improvements such as customizable event count
and date\r\nrange will come in the future.\r\n\r\nThis PR does not
include any UI, that will come in a separate PR. 3\r\ninternal APIs for
interacting with Defend Insights are provided here:\r\n- `POST
/defend_insights` for creating a new Defend Insight\r\n- `GET
/defend_insights/{id}` for getting a Defend Insight\r\n- `GET
/defend_insights` for getting multiple Defend Insights\r\n\t- available
optional query params:\r\n\t\t- `size` - default 10\r\n\t\t-
`ids`\r\n\t\t- `connector_id`\r\n\t\t- `type` -
`incompatible_antivirus`\r\n\t\t- `status` - `running`, `completed`,
`failed`, `canceled`\r\n\t\t- `endpoint_ids`\r\n\r\nThis initial
implementation does not include the LangGraph/output\r\nchunking
upgrades seen in Attack Discovery due to time constraints.\r\nWe'll look
to make this upgrade in a future PR.\r\n\r\n### Checklist\r\n\r\n- [x]
[Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n\r\n### For
maintainers\r\n\r\n- [x] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels)","sha":"efc0568e014105637332533e37491f074ec8fe2b"}},{"branch":"8.18","label":"v8.18.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

x-pack/packages/kbn-elastic-assistant-common/constants.ts

@@ -55,3 +55,8 @@ export const ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_INDICES_URL =
 
 export const ELASTIC_AI_ASSISTANT_EVALUATE_URL =
   `${ELASTIC_AI_ASSISTANT_INTERNAL_URL}/evaluate` as const;
+
+// Defend insights
+export const DEFEND_INSIGHTS_TOOL_ID = 'defend-insights';
+export const DEFEND_INSIGHTS = `${ELASTIC_AI_ASSISTANT_INTERNAL_URL}/defend_insights`;
+export const DEFEND_INSIGHTS_BY_ID = `${DEFEND_INSIGHTS}/{id}`;

x-pack/packages/kbn-elastic-assistant-common/impl/capabilities/index.ts

@@ -20,4 +20,5 @@ export type AssistantFeatureKey = keyof AssistantFeatures;
  */
 export const defaultAssistantFeatures = Object.freeze({
   assistantModelEvaluation: false,
+  defendInsights: false,
 });

x-pack/packages/kbn-elastic-assistant-common/impl/schemas/capabilities/get_capabilities_route.gen.ts

@@ -19,4 +19,5 @@ import { z } from '@kbn/zod';
 export type GetCapabilitiesResponse = z.infer<typeof GetCapabilitiesResponse>;
 export const GetCapabilitiesResponse = z.object({
   assistantModelEvaluation: z.boolean(),
+  defendInsights: z.boolean(),
 });

x-pack/packages/kbn-elastic-assistant-common/impl/schemas/capabilities/get_capabilities_route.schema.yaml

@@ -22,8 +22,11 @@ paths:
                 properties:
                   assistantModelEvaluation:
                     type: boolean
+                  defendInsights:
+                    type: boolean
                 required:
                   - assistantModelEvaluation
+                  - defendInsights
         '400':
           description: Generic Error
           content:

x-pack/packages/kbn-elastic-assistant-common/impl/schemas/defend_insights/common_attributes.gen.ts

@@ -0,0 +1,217 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Common Defend Insights Attributes
+ *   version: not applicable
+ */
+
+import { z } from '@kbn/zod';
+
+import { NonEmptyString, User } from '../common_attributes.gen';
+import { Replacements, ApiConfig } from '../conversations/common_attributes.gen';
+
+/**
+ * A Defend insight event
+ */
+export type DefendInsightEvent = z.infer<typeof DefendInsightEvent>;
+export const DefendInsightEvent = z.object({
+  /**
+   * The event's ID
+   */
+  id: z.string(),
+  /**
+   * The endpoint's ID
+   */
+  endpointId: z.string(),
+  /**
+   * The value of the event
+   */
+  value: z.string(),
+});
+
+/**
+ * The insight type (ie. incompatible_antivirus)
+ */
+export type DefendInsightType = z.infer<typeof DefendInsightType>;
+export const DefendInsightType = z.enum(['incompatible_antivirus', 'noisy_process_tree']);
+export type DefendInsightTypeEnum = typeof DefendInsightType.enum;
+export const DefendInsightTypeEnum = DefendInsightType.enum;
+
+/**
+ * A Defend insight generated from endpoint events
+ */
+export type DefendInsight = z.infer<typeof DefendInsight>;
+export const DefendInsight = z.object({
+  /**
+   * The group category of the events (ie. Windows Defender)
+   */
+  group: z.string(),
+  /**
+   * An array of event objects
+   */
+  events: z.array(DefendInsightEvent).optional(),
+});
+
+/**
+ * Array of Defend insights
+ */
+export type DefendInsights = z.infer<typeof DefendInsights>;
+export const DefendInsights = z.array(DefendInsight);
+
+/**
+ * The status of the Defend insight.
+ */
+export type DefendInsightStatus = z.infer<typeof DefendInsightStatus>;
+export const DefendInsightStatus = z.enum(['running', 'succeeded', 'failed', 'canceled']);
+export type DefendInsightStatusEnum = typeof DefendInsightStatus.enum;
+export const DefendInsightStatusEnum = DefendInsightStatus.enum;
+
+/**
+ * Run durations for the Defend insight
+ */
+export type DefendInsightGenerationInterval = z.infer<typeof DefendInsightGenerationInterval>;
+export const DefendInsightGenerationInterval = z.object({
+  /**
+   * The time the Defend insight was generated
+   */
+  date: z.string(),
+  /**
+   * The duration of the Defend insight generation
+   */
+  durationMs: z.number().int(),
+});
+
+export type DefendInsightsResponse = z.infer<typeof DefendInsightsResponse>;
+export const DefendInsightsResponse = z.object({
+  id: NonEmptyString,
+  timestamp: NonEmptyString.optional(),
+  /**
+   * The last time the Defend insight was updated.
+   */
+  updatedAt: z.string(),
+  /**
+   * The last time the Defend insight was viewed in the browser.
+   */
+  lastViewedAt: z.string(),
+  /**
+   * The number of events in the context.
+   */
+  eventsContextCount: z.number().int().optional(),
+  /**
+   * The time the Defend insight was created.
+   */
+  createdAt: z.string(),
+  replacements: Replacements.optional(),
+  users: z.array(User),
+  /**
+   * The status of the Defend insight.
+   */
+  status: DefendInsightStatus,
+  endpointIds: z.array(NonEmptyString),
+  insightType: DefendInsightType,
+  /**
+   * The Defend insights.
+   */
+  insights: DefendInsights,
+  /**
+   * LLM API configuration.
+   */
+  apiConfig: ApiConfig,
+  /**
+   * Kibana space
+   */
+  namespace: z.string(),
+  /**
+   * The backing index required for update requests.
+   */
+  backingIndex: z.string(),
+  /**
+   * The most 5 recent generation intervals
+   */
+  generationIntervals: z.array(DefendInsightGenerationInterval),
+  /**
+   * The average generation interval in milliseconds
+   */
+  averageIntervalMs: z.number().int(),
+  /**
+   * The reason for a status of failed.
+   */
+  failureReason: z.string().optional(),
+});
+
+export type DefendInsightUpdateProps = z.infer<typeof DefendInsightUpdateProps>;
+export const DefendInsightUpdateProps = z.object({
+  id: NonEmptyString,
+  /**
+   * LLM API configuration.
+   */
+  apiConfig: ApiConfig.optional(),
+  /**
+   * The number of events in the context.
+   */
+  eventsContextCount: z.number().int().optional(),
+  /**
+   * The Defend insights.
+   */
+  insights: DefendInsights.optional(),
+  /**
+   * The status of the Defend insight.
+   */
+  status: DefendInsightStatus.optional(),
+  replacements: Replacements.optional(),
+  /**
+   * The most 5 recent generation intervals
+   */
+  generationIntervals: z.array(DefendInsightGenerationInterval).optional(),
+  /**
+   * The backing index required for update requests.
+   */
+  backingIndex: z.string(),
+  /**
+   * The reason for a status of failed.
+   */
+  failureReason: z.string().optional(),
+  /**
+   * The last time the Defend insight was viewed in the browser.
+   */
+  lastViewedAt: z.string().optional(),
+});
+
+export type DefendInsightsUpdateProps = z.infer<typeof DefendInsightsUpdateProps>;
+export const DefendInsightsUpdateProps = z.array(DefendInsightUpdateProps);
+
+export type DefendInsightCreateProps = z.infer<typeof DefendInsightCreateProps>;
+export const DefendInsightCreateProps = z.object({
+  /**
+   * The Defend insight id.
+   */
+  id: z.string().optional(),
+  /**
+   * The status of the Defend insight.
+   */
+  status: DefendInsightStatus,
+  /**
+   * The number of events in the context.
+   */
+  eventsContextCount: z.number().int().optional(),
+  endpointIds: z.array(NonEmptyString),
+  insightType: DefendInsightType,
+  /**
+   * The Defend insights.
+   */
+  insights: DefendInsights,
+  /**
+   * LLM API configuration.
+   */
+  apiConfig: ApiConfig,
+  replacements: Replacements.optional(),
+});