[DE][9.4 & Serverless] Attach Security Detection rule as AI Agent context #5540

Merged
nastasha-solomon merged 21 commits into main from docs-5364-attach-detection-rule-to-ai-agent
Apr 23, 2026

Conversation

nastasha-solomon (Member) commented Mar 17, 2026

Summary

Fixes #5364.

Documents the Add to chat feature that lets users attach a Security detection rule to the AI Agent from rule details, rule editing, rule creation, and alert flyouts.

  • New section "Create and refine detection rules in Agent Builder" highlights the following:
    • Where Add to chat appears (rule details, rule editing, rule creation, alerts flyout rule summary, alerts table rule flyout).
    • What the agent can help with (detection intent, query logic, MITRE ATT&CK coverage, timing/scheduling, metadata quality, investigation guide suggestions).
    • What the agent can "see" -- only rule-defined fields. Also does not resolve exception lists.
  • Added a note after the "Edit a single rule" section to highlight that Add to chat is available from the rule details page and edit rule settings view.

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes
  • No

Cursor + Auto

@nastasha-solomon nastasha-solomon self-assigned this Mar 17, 2026
github-actions Bot (Contributor) commented Mar 17, 2026

Vale Linting Results

Summary: 1 suggestion found

💡 Suggestions (1)
  • File: solutions/security/ai/agent-builder/agent-builder.md, line 31, rule Elastic.Clone: Use clone only when referring to cloning a GitHub repository or creating a copy that is linked to the original. Often confused with 'copy' and 'duplicate'.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

benironside (Contributor) left a comment

Your work LGTM @nastasha-solomon! I added a section to the Validate and test your detection rules page about how to validate rules using AI. Please lmk what you think!

@benironside benironside self-assigned this Mar 18, 2026
@nastasha-solomon nastasha-solomon marked this pull request as ready for review March 20, 2026 20:41
@nastasha-solomon nastasha-solomon requested a review from a team as a code owner March 20, 2026 20:41
@nastasha-solomon nastasha-solomon removed the request for review from leemthompo April 10, 2026 17:47
nastasha-solomon (Member, Author) commented

I might need to wait until next week to merge this PR. The PR that made AB the default agent in sec and obs was just merged today. Currently in serverless, users still need to opt in to AB and the TH agent is available to choose:

[Screenshot 2026-04-13 at 2:12:47 PM]

leemthompo (Member) left a comment

🚗 Drive-by review from me, chiefly nits about referring to AI agents instead of Agent Builder. Changes look good!

@nastasha-solomon nastasha-solomon enabled auto-merge (squash) April 23, 2026 20:19
@nastasha-solomon nastasha-solomon merged commit 161ceb8 into main Apr 23, 2026
6 of 7 checks passed
@nastasha-solomon nastasha-solomon deleted the docs-5364-attach-detection-rule-to-ai-agent branch April 23, 2026 20:20
Development

Successfully merging this pull request may close these issues.

[Internal]: [Security Solution][Detection Engine] Attach Security Detection rule as AI Agent context