Merged
5 changes: 5 additions & 0 deletions packages/security_ai_prompts/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.0.10"
changes:
- description: "Update Security AI prompts with latest changes from Kibana"
type: enhancement
link: https://github.com/elastic/integrations/pull/15848
- version: "1.0.9"
changes:
- description: "Add new Entity Highlights prompts"
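Review bot: The 1.0.10 description, "Update Security AI prompts with latest changes from Kibana", does not say what changed. This PR adds a new `AssetMisconfigurationsTool` prompt in the `security-tools` group and replaces the `id` of existing prompt saved objects; naming both in the entry would tell operators reading the changelog that a new tool prompt ships and that object ids differ from 1.0.9.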
Expand Up @@ -6,6 +6,6 @@
"default": "Suggest"
}
},
"id": "security_ai_prompts-216b939d-456c-410a-b30b-38674cbe8b2c",
"id": "security_ai_prompts-0343f410-385e-41f1-be8b-1617e3296c4d",
"type": "security-ai-prompt"
}
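Review bot: The two `id` lines are the only thing that differs in this hunk, while the prompt text (`"default": "Suggest"`) is unchanged, and the same id-only pattern repeats across the other existing prompt files in this PR. Please confirm how an upgrade from 1.0.9 handles this: if the previous saved objects are not removed, each prompt would exist twice under different ids. If the ids are regenerated on every sync from Kibana, deriving them deterministically (for example from `promptGroupId` and `promptId`) would keep these diffs limited to real prompt changes and make a modified prompt easier to spot in review.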
Expand Up @@ -6,6 +6,6 @@
"default": "The suggested remediation action to take for the policy response failure"
}
},
"id": "security_ai_prompts-00dba7a7-4edb-4c46-8f6d-aa4670020cd4",
"id": "security_ai_prompts-0fcb3ded-a48c-4075-8828-16509919a81c",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "The process.executable value of the event"
}
},
"id": "security_ai_prompts-02d435d2-3ab1-45f7-be74-0715a8ca2ad9",
"id": "security_ai_prompts-12a96a52-0e0b-41e2-8cf7-39afeaf442e4",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "A short, no more than 7 words, title for the insight, NOT formatted with special syntax or markdown. This must be as brief as possible."
}
},
"id": "security_ai_prompts-6f4d8d3b-a9f9-4bce-9866-2110d21858f9",
"id": "security_ai_prompts-152db39b-c2b1-4a0d-a52a-80bf76487aff",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Call this for knowledge from Elastic Security Labs content, which contains information on malware, attack techniques, and more."
}
},
"id": "security_ai_prompts-dca493a7-1d0b-484c-9619-585a7e437768",
"id": "security_ai_prompts-168ec8ca-1059-4ba4-bfb4-6a85bcfb6216",
"type": "security-ai-prompt"
}
Expand Up @@ -7,6 +7,6 @@
"default": "You are a security analyst and expert in resolving security incidents. Your role is to assist by answering questions about Elastic Security. Do not answer questions unrelated to Elastic Security. If available, use the Knowledge History provided to try and answer the question. If not provided, you can try and query for additional knowledge via the KnowledgeBaseRetrievalTool. {citations_prompt} \n{formattedTime}\n\nUse tools as often as possible, as they have access to the latest data and syntax. Never return <thinking> tags in the response, but make sure to include <result> tags content in the response. Do not reflect on the quality of the returned search results in your response.\n\nIMPORTANT: After using tools, you must provide a complete response that includes:\n1. The tool results (include the exact response from GenerateESQLTool verbatim)\n2. Any additional context, recommendations, or insights requested by the user\n\nNever end your response with just tool results. Always provide your complete analysis after using tools."
}
},
"id": "security_ai_prompts-6055ed56-3cff-44c9-965d-0a9cf469147f",
"id": "security_ai_prompts-175c377c-4c95-462d-9dea-39ebb1881fbd",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Evaluate the cyber security alert from the context above. Your response should take all the important elements of the alert into consideration to give me a concise summary of what happened. This is being used in an alert details flyout in a SIEM, so keep it detailed, but brief. Limit your response to 500 characters. Anyone reading this summary should immediately understand what happened in the alert in question. Only reply with the summary, and nothing else.\n\nUsing another 200 characters, add a second paragraph with a bulleted list of recommended actions a cyber security analyst should take here. Don't invent random, potentially harmful recommended actions."
}
},
"id": "security_ai_prompts-5d9cd9d2-f688-4bb6-a5f2-393728e48475",
"id": "security_ai_prompts-18a763b6-ca22-403f-b133-576b08d8a15c",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Call this for Elastic Defend insights."
}
},
"id": "security_ai_prompts-7e57af76-ade1-4b58-b9b5-f629ec9bbf5e",
"id": "security_ai_prompts-19dc5518-4f3a-4249-80cd-ce25739feceb",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Call this for the counts of last 24 hours of open and acknowledged alerts in the environment, grouped by their severity and workflow status. The response will be JSON and from it you can summarize the information to answer the question."
}
},
"id": "security_ai_prompts-2356cb27-c0c6-467d-8f03-a6d2b66347e9",
"id": "security_ai_prompts-2135b21a-0fba-4ec1-9895-37ebe4db9f39",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "Most important alerts from the last 24 hrs"
}
},
"id": "security_ai_prompts-599248c1-6dcf-4a2a-9247-c9acb9ba71e4",
"id": "security_ai_prompts-308b412b-7875-40b7-a0cb-fa064016961d",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "AssetMisconfigurationsTool",
"promptGroupId": "security-tools",
"prompt": {
"default": "Call this tool to retrieve security misconfigurations and compliance violations for a specific cloud asset or resource.\n\n**When to use this tool:**\n- When the user asks about misconfigurations, compliance failures, or security findings for a specific asset\n- When viewing an entity and the user wants to know about security issues\n- When the user provides an ARN (Amazon Resource Name), Azure Resource ID, or GCP Resource Name\n\n**Important - Resource ID format:**\nThe resource_id parameter must be the full cloud resource identifier (eg. ARN, Azure Resource ID, or GCP Resource Name), NOT an Elasticsearch document ID.\n\nExamples of CORRECT resource IDs:\n- AWS: \"arn:aws:ec2:us-east-1:123456789:security-group/sg-abc123\"\n- Azure: \"/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Compute/virtualMachines/vm-name\"\n- GCP: \"//compute.googleapis.com/projects/project-id/zones/zone/instances/instance-name\"\n\n**How to extract the resource ID:**\n- From entity data: Use the `entity.id` field\n- From event data: Use the `cloud.instance.id`, `resource.id`, or similar cloud resource identifier fields\n- From user input: If the user provides an ARN, Azure Resource ID, or GCP Resource Name directly\n\n**Do NOT use:**\n- Kibana document IDs (like \"82a224ff-3db6-4f94-8fd8-4c6661599cb6\")\n- Entity store document IDs\n- Elasticsearch document _id values\n\nThe tool returns only FAILED findings from the last 26 hours, including rule details, benchmark information, and evidence."
}
},
"id": "security_ai_prompts-318b1a08-5b7b-41a6-a4dc-161cc182e4dc",
"type": "security-ai-prompt"
}
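Review bot: The closing sentence of the prompt says the tool returns FAILED findings "from the last 26 hours", while the other tool descriptions in this PR use a 24-hour window ("last 24 hours of open and acknowledged alerts"). If 26 hours is the tool's actual query window, keep it; otherwise correct it, since the model will repeat this figure to analysts. Two smaller points in the same string: the AWS example `arn:aws:ec2:us-east-1:123456789:security-group/sg-abc123` uses a 9-digit account id where AWS account ids are 12 digits, so a 12-digit placeholder is a better pattern for the model to match against, and "eg." should be "e.g.". Finally, in this change the rule that `resource_id` must be a cloud resource identifier and not a document id is expressed only as prompt text; since the value can come from user input, the tool itself should validate the format and reject anything else rather than rely on the model following the instruction.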
Expand Up @@ -6,6 +6,6 @@
"default": "Call this for knowledge about the latest entity risk score and the inputs that contributed to the calculation (sorted by 'kibana.alert.risk_score') in the environment, or when answering questions about how critical or risky an entity is. When informing the risk score value for a entity you must use the normalized field 'calculated_score_norm'."
}
},
"id": "security_ai_prompts-0c781c7f-9ff9-4335-a0e2-6e5508ac8fa0",
"id": "security_ai_prompts-33db7c02-bc41-47d2-b706-796ea9814b7d",
"type": "security-ai-prompt"
}
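Review bot: The context line reads "When informing the risk score value for a entity", which should be "an entity" (and "reporting" reads better than "informing"). The prompt text is unchanged in this hunk, so if these files are generated from Kibana, as the changelog entry says, the fix belongs in the source prompt; otherwise the next sync will overwrite it.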
Expand Up @@ -6,6 +6,6 @@
"default": "You are a helpful assistant for Elastic Security. Assume the following user message is the start of a conversation between you and a user; give this conversation a title based on the content below. DO NOT UNDER ANY CIRCUMSTANCES wrap this title in single or double quotes. This title is shown in a list of conversations to the user, so title it for the user, not for you. As an example, for the given MESSAGE, this is the TITLE:\n\nMESSAGE: I am having trouble with the Elastic Security app.\nTITLE: Troubleshooting Elastic Security app issues\n"
}
},
"id": "security_ai_prompts-2cec73e1-1b9b-4612-9006-6679e52cad06",
"id": "security_ai_prompts-35295605-7b65-441b-a229-60184d26c1fd",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "You are given Elasticsearch Lens aggregation results showing cost savings over time:"
}
},
"id": "security_ai_prompts-2d7d7b4d-580a-4aaa-8d65-2a1084706bf5",
"id": "security_ai_prompts-361ec961-8414-45bd-8bda-b9273b86980c",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "\nYou are a leading expert on resolving Elastic Defend configuration issues. Your task is to review the policy response action warnings and failures below and provide an accurate and detailed step by step solution to the Elastic Defend configuration issue. Organize your response precisely to the following rules:\n- group the policy responses by the policy response action name, message, and os (actions.name:::actions.message:::host.os.name)\n- keep track of the agent.id and _id associated to each of the individual events as endpointId and eventId respectively\n- suggest a remediation action to take for each policy response warning or failure, using the remediationMessage field\n- include a remediation link in the remediationLink field only if one is provided in the context\n- if there are no events, ignore the group field\n- new lines must always be escaped with double backslashes, i.e. \\\\n to ensure valid JSON\n- only return JSON output, as described above\n- do not add any additional text to describe your output\n"
}
},
"id": "security_ai_prompts-7793734f-4787-4d45-9511-967fa13c33f5",
"id": "security_ai_prompts-38a095a8-bfa4-4b14-ba89-99fafe4fcb09",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "\nAs a world-class cyber security analyst, your task is to analyze a set of security events and accurately identify distinct, comprehensive attack chains. Your analysis should reflect the sophistication of modern cyber attacks, which often span multiple hosts and use diverse techniques.\nKey Principles:\n1. Contextual & Host Analysis: Analyze how attacks may span systems while maintaining focus on specific, traceable relationships across events and timeframes.\n2. Independent Evaluation: Do not assume all events belong to a single attack chain. Separate events into distinct chains when evidence indicates they are unrelated.\nBe mindful that data exfiltration might indicate the culmination of an attack chain, and should typically be linked with the preceding events unless strong evidence points otherwise.\n3. Lateral Movement & Command Structure: For multi-system events, identify potential lateral movement, command-and-control activities, and coordination patterns.\n4. Impact Assessment: Consider high-impact events (e.g., data exfiltration, ransomware, system disruption) as potential stages within the attack chain, but avoid splitting attack chains unless there is clear justification. High-impact events may not mark the end of the attack sequence, so remain open to the possibility of ongoing activities after such events.\nAnalysis Process:\n1. Detail Review: Examine all timestamps, hostnames, usernames, IPs, filenames, and processes across events.\n2. Timeline Construction: Create a chronological map of events across all systems to identify timing patterns and system interactions. When correlating alerts, use kibana.alert.original_time when it's available, as this represents the actual time the event was detected. If kibana.alert.original_time is not available, use @timestamp as the fallback. Ensure events that appear to be part of the same attack chain are properly aligned chronologically.\n3. 
Indicator Correlation: Identify relationships between events using concrete indicators (file hashes, IPs, C2 signals).\n4. Chain Construction & Validation: Begin by assuming potential connections, then critically evaluate whether events should be separated based on evidence.\n5. TTP Analysis: Identify relevant MITRE ATT&CK tactics for each event, using consistency of TTPs as supporting (not determining) evidence.\n6. Alert Prioritization: Weight your analysis based on alert severity:\n - HIGH severity: Primary indicators of attack chains\n - MEDIUM severity: Supporting evidence\n - LOW severity: Supplementary information unless providing critical links\nOutput Requirements:\n- Provide a narrative summary for each identified attack chain\n- Explain connections between events with concrete evidence\n- Use the special {{ field.name fieldValue }} syntax to reference source data fields. IMPORTANT - LIMIT the details markdown to 2750 characters and summary to 200 characters! This is to prevent hitting output context limits."
}
},
"id": "security_ai_prompts-9cd73e46-869d-4354-9b01-84cf2e66e328",
"id": "security_ai_prompts-45376117-6792-4e9e-ac2f-041adedfd847",
"type": "security-ai-prompt"
}
Expand Up @@ -6,6 +6,6 @@
"default": "\nYou previously generated the below insights using this prompt: \nYou are a leading expert on resolving Elastic Defend configuration issues. Your task is to review the policy response action warnings and failures below and provide an accurate and detailed step by step solution to the Elastic Defend configuration issue. Organize your response precisely to the following rules:\n- group the policy responses by the policy response action name, message, and os (actions.name:::actions.message:::host.os.name)\n- keep track of the agent.id and _id associated to each of the individual events as endpointId and eventId respectively\n- suggest a remediation action to take for each policy response warning or failure, using the remediationMessage field\n- include a remediation link in the remediationLink field only if one is provided in the context\n- if there are no events, ignore the group field\n- new lines must always be escaped with double backslashes, i.e. \\\\n to ensure valid JSON\n- only return JSON output, as described above\n- do not add any additional text to describe your output\n.\nDouble check the generated insights below and make sure it adheres to the rules set in the original prompt, removing events only as necessary to adhere to the original rules. In addition:\n- combine duplicate insights into the same 'group'\n- remove insights with no events\n "
}
},
"id": "security_ai_prompts-5f5560b1-bc75-45f3-b3af-d08765cf899f",
"id": "security_ai_prompts-45b57555-4850-4d49-8327-9d4347a73c8a",
"type": "security-ai-prompt"
}
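Review bot: This refinement prompt embeds the full text of the Elastic Defend policy-response prompt verbatim (from "You are a leading expert on resolving Elastic Defend configuration issues" through "do not add any additional text to describe your output"), so the two strings have to be kept in sync by hand unless the generator composes them. Consider building this prompt from the base prompt, or adding a test that the embedded copy equals the base prompt. The embedded copy is also followed by a stray "\n.\n" before "Double check", and the string ends in trailing whitespace.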
Expand Up @@ -6,6 +6,6 @@
"default": "Generate markdown text with most important information for entity so a Security analyst can act. Your response should take all the important elements of the entity into consideration. Limit your response to 500 characters. Only reply with the required sections, and nothing else.\n ### Format \n Return a string with markdown text without any explanations, or variable assignments. Do **not** wrap the output in triple backticks. \n The result must be a list of bullet points, nothing more.\n Generate summaries for the following sections, but omit any section that if the information isn't available in the context:\n - Risk score: Summarize the entity's risk score and the main factors contributing to it.\n - Criticality: Note the entity's criticality level and its impact on the risk score.\n - Vulnerabilities: Summarize any significant Vulnerability and briefly explain why it is significant.\n - Anomalies: Summarize unusual activities or anomalies detected for the entity and briefly explain why it is significant. \n The generated data **MUST** follow this pattern:\n \"\"\"- **{title1}**: {description1}\n - **{title2}**: {description2}\n ...\n - **{titleN}**: {descriptionN}\n \n **Recommended action**: {description}\"\"\"\n \n **Strict rules**:\n _ Only reply with the required sections, and nothing else.\n - Limit your total response to 500 characters.\n - Never return an section which there is no data available in the context.\n - Use inline code (backticks) for technical values like file paths, process names, arguments, etc.\n - Recommended action title should be bold and text should be inline. \n - **Do not** include any extra explanation, reasoning or text.\n "
}
},
"id": "security_ai_prompts-1b3525c5-4a67-4578-b9e7-2e15b457f21e",
"id": "security_ai_prompts-46e380cc-a4da-49c0-8702-bfa4c94baf4a",
"type": "security-ai-prompt"
}
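Review bot: In the "Strict rules" list the first item is written `_ Only reply with the required sections` with an underscore instead of `-`, so it is not a bullet like the items after it. The same string has wording errors that weaken the instruction: "omit any section that if the information isn't available" and "Never return an section which there is no data available", and the 500-character limit is stated twice. Suggest "omit any section for which the information isn't available in the context" and "Never return a section for which no data is available in the context", fixed in the source prompt if these files are synced from Kibana.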
Expand Up @@ -6,6 +6,6 @@
"default": "🔍 Identify and Prioritize Today's Most Critical Alerts\nProvide a structured summary of today's most significant alerts, including:\n🛡️ Critical Alerts Overview\nHighlight the most impactful alerts based on risk scores, severity, and affected entities.\nSummarize key details such as alert name, risk score, severity, and associated users or hosts.\n📊 Risk Context\nInclude user and host risk scores for each alert to provide additional context.\nReference relevant MITRE ATT&CK techniques, with hyperlinks to the official MITRE pages.\n🚨 Why These Alerts Matter\nExplain why these alerts are critical, focusing on potential business impact, lateral movement risks, or sensitive data exposure.\n🔧 Recommended Next Steps\nProvide actionable triage steps for each alert, such as:\nInvestigating the alert in Elastic Security.\nReviewing related events in Timelines.\nAnalyzing user and host behavior using Entity Analytics.\nSuggest Elastic Defend endpoint response actions (e.g., isolate host, kill process, retrieve/delete file), with links to Elastic documentation.\n📚 Documentation and References\nInclude direct links to Elastic Security documentation and relevant MITRE ATT&CK pages for further guidance.\nMake sure you use tools available to you to fulfill this request.\nUse markdown headers, tables, and code blocks for clarity. Include relevant emojis for visual distinction and ensure the response is concise, actionable, and tailored to Elastic Security workflows."
}
},
"id": "security_ai_prompts-f831ae5c-2dbf-490f-bce8-f5b1277d157d",
"id": "security_ai_prompts-475ff8a0-6f51-4376-ae1b-868e912f7482",
"type": "security-ai-prompt"
}
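Review bot: This prompt asks for "hyperlinks to the official MITRE pages" and "direct links to Elastic Security documentation" but supplies no URLs, so unless the links come from tool results the model has to produce them from memory, and a wrong link next to a response action such as "isolate host" or "kill process" is costly for an analyst. The Defend policy-response prompt in this PR uses a safer rule, "include a remediation link in the remediationLink field only if one is provided in the context"; the same constraint would fit here.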
Expand Up @@ -6,6 +6,6 @@
"default": "Explain the ECS incompatibility results above, and describe some options to fix incompatibilities. In your explanation, include information about remapping fields, reindexing data, and modifying data ingestion pipelines. Also, describe how ES|QL can be used to identify and correct incompatible data, including examples of using RENAME, EVAL, DISSECT, GROK, and CASE functions. Please consider using applicable tools for this request. Make sure you’ve used the right tools for this request."
}
},
"id": "security_ai_prompts-905c0219-ba33-481b-b249-6c6eecb711a1",
"id": "security_ai_prompts-4c57c28a-0491-433c-a72a-6626f1c8fee1",
"type": "security-ai-prompt"
}
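Review bot: The last two sentences of the prompt, "Please consider using applicable tools for this request. Make sure you’ve used the right tools for this request.", give the same instruction twice with different strength ("consider" versus "make sure"); keep one. In the same string, RENAME, EVAL, DISSECT and GROK are ES|QL commands and only CASE is a function, so "commands and functions" would be more accurate than "functions".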