Generate attack discoveries from alerts

POST /api/attack_discovery/_generate

Initiates generation of attack discoveries by having the configured AI connector analyze security alerts. Returns an execution UUID that can be used to track the generation progress and retrieve results; results may also be retrieved via the find endpoint. The anonymizationFields list controls which alert fields are sent to the model at all, and which of those are replaced by tokens before they are sent.

application/json

Body Required

  • alertsIndexPattern string Required
  • anonymizationFields array[object] Required
    • allowed boolean

      Whether this field is allowed to be sent to the model.

    • anonymized boolean

      Whether this field should be anonymized.

    • createdAt string

      Timestamp of when the anonymization field was created.

    • createdBy string

      Username of the person who created the anonymization field.

    • field string Required

      Name of the anonymization field.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters.

      Minimum length is 1.

    • namespace string

      Kibana space in which this anonymization field exists.

    • timestamp string(nonempty)

      A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.

      Minimum length is 1.

    • updatedAt string

      Timestamp of the last update.

    • updatedBy string

      Username of the person who last updated the field.

  • apiConfig object Required
    • actionTypeId string Required

      Action type ID

    • connectorId string Required

      Connector ID

    • defaultSystemPromptId string

      Default system prompt ID

    • model string

      Model

    • provider string

      Provider

      Values are OpenAI, Azure OpenAI, or Other.

  • connectorName string
  • end string
  • filter object

    Additional properties are allowed.

  • langSmithApiKey string
  • langSmithProject string
  • model string
  • replacements object

    Replacements object used to anonymize/deanonymize messages

    • * string Additional properties
  • size number Required
  • start string
  • subAction string Required

    Values are invokeAI or invokeStream.

Responses

  • 200 application/json

    Attack discovery generation initiated successfully

    • execution_uuid string(nonempty) Required

      A string that does not contain only whitespace characters.

      Minimum length is 1.

  • 400 application/json

    Bad request - Invalid input parameters or configuration

    • error string Required

      Error type

    • message string Required

      Human-readable error message describing what went wrong

    • status_code number Required

      HTTP status code

POST /api/attack_discovery/_generate
curl \
  --request POST 'http://localhost:5601/api/attack_discovery/_generate' \
  --header "Authorization: $API_KEY" \
  --header "Content-Type: application/json" \
  --header "elastic-api-version: 2023-10-31" \
  --data '{
    "alertsIndexPattern": ".alerts-security.alerts-default",
    "anonymizationFields": [
      { "field": "host.name", "allowed": true, "anonymized": true },
      { "field": "user.name", "allowed": true, "anonymized": true },
      { "field": "_id", "allowed": true, "anonymized": false },
      { "field": "source.ip", "allowed": true, "anonymized": false },
      { "field": "destination.ip", "allowed": true, "anonymized": false },
      { "field": "rule.name", "allowed": true, "anonymized": false },
      { "field": "kibana.alert.risk_score", "allowed": true, "anonymized": false }
    ],
    "apiConfig": {
      "connectorId": "my-connector-id",
      "actionTypeId": ".gen-ai"
    },
    "connectorName": "GPT-4 Chat",
    "size": 100,
    "subAction": "invokeAI",
    "start": "now-24h",
    "end": "now"
  }'
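The following is an added example, not Kibana's own code, that models the request contract above on the client side: it builds and validates a request body from the documented fields and enumerations, shows what the allowed/anonymized flags on anonymizationFields mean for the alert data that reaches the model, reverses the replacements map on model output, and handles the documented 200 and 400 responses. No network call is made; a constructed alert list and constructed responses stand in for Kibana. It assumes alerts are flat dicts keyed by field name, that replacement tokens map token to original value, and that an entry's id defaults to its field name; the token handling is a simplified illustration of the documented semantics, not Kibana's implementation.

```python
"""Client-side model of POST /api/attack_discovery/_generate (added example)."""
import json
import uuid

SUB_ACTIONS = {"invokeAI", "invokeStream"}        # documented subAction values
PROVIDERS = {"OpenAI", "Azure OpenAI", "Other"}   # documented apiConfig.provider values
REQUIRED_BODY = ("alertsIndexPattern", "anonymizationFields", "apiConfig", "size", "subAction")


def anonymization_field(field, allowed, anonymized):
    """One anonymizationFields entry; id is required and must not be blank (assumed = field)."""
    return {"id": field, "field": field, "allowed": allowed, "anonymized": anonymized}


# Same policy as the curl example: identities are tokenized, the rest is sent in
# the clear, and anything not listed is withheld from the model.
FIELDS = [
    anonymization_field("host.name", allowed=True, anonymized=True),
    anonymization_field("user.name", allowed=True, anonymized=True),
    anonymization_field("_id", allowed=True, anonymized=False),
    anonymization_field("source.ip", allowed=True, anonymized=False),
    anonymization_field("destination.ip", allowed=True, anonymized=False),
    anonymization_field("rule.name", allowed=True, anonymized=False),
    anonymization_field("kibana.alert.risk_score", allowed=True, anonymized=False),
]

# Constructed sample alerts; process.command_line is deliberately not in FIELDS.
ALERTS = [
    {"_id": "a1", "host.name": "ws-042", "user.name": "jdoe", "source.ip": "10.0.0.5",
     "rule.name": "Suspicious PowerShell", "kibana.alert.risk_score": 73,
     "process.command_line": "powershell -enc SQBFAFgA..."},
    {"_id": "a2", "host.name": "ws-042", "user.name": "svc-backup",
     "destination.ip": "203.0.113.9", "rule.name": "Outbound to rare IP",
     "kibana.alert.risk_score": 47},
]


def validate_request(body):
    """Raise ValueError for what the documented schema would reject with a 400."""
    for key in REQUIRED_BODY:
        if key not in body:
            raise ValueError(f"missing required field: {key}")
    if body["subAction"] not in SUB_ACTIONS:
        raise ValueError(f"subAction must be one of {sorted(SUB_ACTIONS)}")
    for entry in body["anonymizationFields"]:
        if "field" not in entry or not str(entry.get("id", "")).strip():
            raise ValueError("anonymizationFields entries need field and a non-blank id")
    api = body["apiConfig"]
    for key in ("actionTypeId", "connectorId"):
        if key not in api:
            raise ValueError(f"apiConfig.{key} is required")
    if "provider" in api and api["provider"] not in PROVIDERS:
        raise ValueError(f"provider must be one of {sorted(PROVIDERS)}")
    return body


def build_request(connector_id, action_type_id, fields=FIELDS, size=100,
                  index_pattern=".alerts-security.alerts-default",
                  sub_action="invokeAI", start="now-24h", end="now", replacements=None):
    """Assemble a request body with the documented fields and validate it."""
    body = {
        "alertsIndexPattern": index_pattern,
        "anonymizationFields": fields,
        "apiConfig": {"connectorId": connector_id, "actionTypeId": action_type_id},
        "size": size, "subAction": sub_action, "start": start, "end": end,
    }
    if replacements:
        body["replacements"] = replacements
    return validate_request(body)


def anonymize_alert(alert, fields, replacements, new_token=lambda: str(uuid.uuid4())):
    """Return the view of one alert the model may see; record tokens in `replacements`.

    Not allowed or unlisted -> withheld. Anonymized -> replaced by a token that is
    reused for the same value, so the model can still say "same host" across alerts.
    """
    view = {}
    for entry in fields:
        name = entry["field"]
        if not entry["allowed"] or name not in alert:
            continue
        value = alert[name]
        if not entry["anonymized"]:
            view[name] = value
            continue
        token = next((t for t, v in replacements.items() if v == value), None)
        if token is None:
            token = new_token()
            replacements[token] = value
        view[name] = token
    return view


def deanonymize(text, replacements):
    """Map tokens in model output back to the original values for the analyst."""
    for token, original in replacements.items():
        text = text.replace(token, str(original))
    return text


def parse_generate_response(status, payload):
    """200 -> execution_uuid to poll with; 400 -> the documented error object."""
    if status == 200:
        execution_uuid = str(payload.get("execution_uuid", ""))
        if not execution_uuid.strip():
            raise ValueError("200 response without a non-blank execution_uuid")
        return execution_uuid
    if status == 400:
        raise RuntimeError(f"{payload['error']} ({payload['status_code']}): {payload['message']}")
    raise RuntimeError(f"unexpected HTTP status {status}")


if __name__ == "__main__":
    reps = {}
    for a in ALERTS:
        print(json.dumps(anonymize_alert(a, FIELDS, reps)))
    print(json.dumps(build_request("my-connector-id", ".gen-ai", replacements=reps), indent=2))
```

Running the module shows that process.command_line never reaches the model view, that both alerts share one host.name token, and that the replacements map sent with the request is what makes the generated discoveries readable again once the tokens are mapped back.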