|
| 1 | +--- |
| 2 | +applies_to: |
| 3 | + stack: ga 9.1 |
| 4 | + serverless: |
| 5 | + security: all |
| 6 | +products: |
| 7 | + - id: security |
| 8 | +--- |
| 9 | + |
| 10 | + |
| 11 | +# Use the AI Assistant's Knowledge Base to Supercharge Security Operations |
| 12 | + |
| 13 | +AI Assistant Knowledge Base feature lets you provide custom, organization-specific context to the AI Assistant, making its responses more accurate, relevant, and actionable. By adding documents, indices, and external data sources, you can tailor the assistant to your environment, SOC strategy, threat intelligence, and operational workflows. |
| 14 | + |
| 15 | +## Overview |
| 16 | + |
| 17 | +- **What is the Knowledge Base?** |
| 18 | + - A feature that allows the AI Assistant to recall and use custom documents and indices as context for its responses. |
| 19 | + - Supports everything from infrastructure details, on-call rotations, SOC playbooks, threat intelligence, and more. |
| 20 | + - Entries can be private (user-specific) or global (shared across the space). |
| 21 | + |
| 22 | +- **Why use it?** |
| 23 | + - Increases the utility of the Security AI Assistant by grounding answers in your organization’s real data and processes. |
| 24 | + - Enables richer, more actionable responses for incident response, alert investigation, and SOC operations. |
| 25 | + |
| 26 | +## Prerequisites |
| 27 | + |
| 28 | +- Required privileges: `Elastic AI Assistant: All` (with sub-privileges for Knowledge Base and Field Selection/Anonymization). |
| 29 | +- Machine Learning enabled (minimum 4 GB ML node). |
| 30 | +- [Enable autoscaling](https://www.elastic.co/guide/en/cloud/current/autoscaling.html) is recommended. |
| 31 | +- Knowledge Base must be enabled for each Kibana space individually. |
| 32 | + |
| 33 | +## Step 1: Enable the Knowledge Base |
| 34 | + |
| 35 | +- **From an AI Assistant conversation:** |
| 36 | + - Open a chat, select a model, and click **Setup Knowledge Base** (button only appears if not already enabled). |
| 37 | +- **From Security AI settings:** |
| 38 | + - Use the global search field to find "AI Assistant for Security". |
| 39 | + - On the **Knowledge Base** tab, click **Setup Knowledge Base**. |
| 40 | + |
| 41 | +> _Comment: Confirm if enabling from the conversation is available in all environments or only certain versions._ |
| 42 | +
|
| 43 | +## Step 2: Configure Alert Context |
| 44 | + |
| 45 | +- AI Assistant can use up to N (configurable, up to 500) open or acknowledged alerts from the last 24 hours as context. |
| 46 | +- Use the slider in the Knowledge Base tab to select how many alerts to include. |
| 47 | +- Alerts are ordered by risk score and recency; building block alerts are excluded. |
| 48 | + |
| 49 | +> _Comment: Confirm maximum number of alerts supported for context (docs mention up to 500, but token limits may apply)._ |
| 50 | +
|
| 51 | +## Step 3: Add Knowledge Sources |
| 52 | + |
| 53 | +### Add Individual Documents |
| 54 | + |
| 55 | +- Click **New → Document** in the Knowledge Base tab. |
| 56 | +- Name the document, choose sharing (Global/Private), and enter content in Markdown. |
| 57 | +- Optionally mark as "Required knowledge" to always include as context. |
| 58 | + |
| 59 | +### Add Indices |
| 60 | + |
| 61 | +- Click **New → Index**. |
| 62 | +- Specify index name, sharing, semantic text field(s), data description, query instructions, and output fields. |
| 63 | +- Indices must have at least one [semantic text](https://www.elastic.co/guide/en/elasticsearch/reference/current/semantic-text.html) field. |
| 64 | + |
| 65 | +### Add Data via Connectors or Web Crawlers |
| 66 | + |
| 67 | +- Use Elastic connectors (GitHub, Jira, Google Drive, S3, etc.) or web crawlers to ingest external data into indices. |
| 68 | +- Add those indices to the Knowledge Base as above. |
| 69 | + |
| 70 | +> _Comment: Confirm if there are any limitations on connector types or index sizes for Knowledge Base ingestion._ |
| 71 | +
|
| 72 | +## Step 4: Use Knowledge Base in Conversations |
| 73 | + |
| 74 | +- When enabled, the AI Assistant automatically leverages Knowledge Base entries to inform its responses. |
| 75 | +- You can instruct the assistant to "remember" information during chat (creates a private document). |
| 76 | +- Required knowledge entries are always included as context. |
| 77 | + |
| 78 | +## Step 5: Manage and Share Knowledge |
| 79 | + |
| 80 | +- Entries can be edited, deleted, or marked as required. |
| 81 | +- Global entries affect all users in the space; private entries are user-specific. |
| 82 | +- Elastic Security Labs research is pre-populated as global knowledge. |
| 83 | + |
| 84 | +## Best Practices |
| 85 | + |
| 86 | +- Include operational details (on-call rotations, escalation contacts, infrastructure maps). |
| 87 | +- Add threat intelligence feeds and SOC playbooks. |
| 88 | +- Use connectors to keep knowledge sources up-to-date automatically. |
| 89 | +- Monitor token limits—too much context may exceed LLM limits. |
| 90 | + |
| 91 | +## Troubleshooting & Known Limitations |
| 92 | + |
| 93 | +- Token/context window limits depend on the selected LLM model. |
| 94 | +- Large indices or too many alerts may cause errors—reduce context size if needed. |
| 95 | +- ML node sizing and autoscaling are critical for performance. |
| 96 | + |
| 97 | +## Additional Resources |
| 98 | + |
| 99 | +- [AI Assistant Knowledge Base documentation](https://www.elastic.co/guide/en/security/current/ai-assistant-knowledge-base.html) |
| 100 | +- [Elastic Security Labs](https://www.elastic.co/security-labs) |
| 101 | +- [Ingest data with Elastic connectors](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-connectors.html) |
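Review bot: the three italic `_Comment: Confirm ..._` placeholders (after Step 1, Step 2 and Step 3, at rendered lines 41, 49 and 70) are unresolved author notes that would ship to readers as-is; resolve each question and either remove the note or turn the confirmed answer into normal body text before this merges. Two smaller points in the same hunk: Step 2 says the assistant "can use up to N (configurable, up to 500)" alerts, which states the same limit twice in an odd way, so something like "can use a configurable number (up to 500) of open or acknowledged alerts" reads more cleanly; and Step 5 states that "Global entries affect all users in the space" without drawing the consequence, so it is worth one sentence there (or under Best Practices) saying that anything added as a Global document or index becomes readable through the assistant by every user of the space, which is why secrets and sensitive operational details belong in Private entries or should be excluded. Minor wording: line 13 should open with "The AI Assistant Knowledge Base feature", and line 30 reads better as "Enabling autoscaling is recommended" with the link kept on the word "autoscaling".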