[9.0] [Security Solution] [Attack discovery] Prompt updates (#215578) (#215590)

# Backport

This will backport the following commits from `main` to `9.0`:
- [ [Security Solution] [Attack discovery] Prompt updates
(#215578)](https://github.com/elastic/kibana/pull/215578)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Andrew
Macri","email":"andrew.macri@elastic.co"},"sourceCommit":{"committedDate":"2025-03-21T23:06:37Z","message":"
[Security Solution] [Attack discovery] Prompt updates (#215578)\n\n##
[Security Solution] [Attack discovery] Prompt updates\n\nThis PR
contains updates to the following Attack discovery prompts:\n\n-
`attackDiscoveryPrompt`\n- `continuePrompt`\n- `refinePrompt`\n\nThank
you @mgarzon for these
improvements!","sha":"d52c5ed85cf31a14f3ee2b4c4d1ace62237fb23f","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:
SecuritySolution","Team:Security Generative
AI","backport:version","v8.18.0","v9.1.0","v8.19.0","v8.18.1","v9.0.1"],"title":"
[Security Solution] [Attack discovery] Prompt
updates","number":215578,"url":"https://github.com/elastic/kibana/pull/215578","mergeCommit":{"message":"
[Security Solution] [Attack discovery] Prompt updates (#215578)\n\n##
[Security Solution] [Attack discovery] Prompt updates\n\nThis PR
contains updates to the following Attack discovery prompts:\n\n-
`attackDiscoveryPrompt`\n- `continuePrompt`\n- `refinePrompt`\n\nThank
you @mgarzon for these
improvements!","sha":"d52c5ed85cf31a14f3ee2b4c4d1ace62237fb23f"}},"sourceBranch":"main","suggestedTargetBranches":["8.18","8.x","9.0"],"targetPullRequestStates":[{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/215578","number":215578,"mergeCommit":{"message":"
[Security Solution] [Attack discovery] Prompt updates (#215578)\n\n##
[Security Solution] [Attack discovery] Prompt updates\n\nThis PR
contains updates to the following Attack discovery prompts:\n\n-
`attackDiscoveryPrompt`\n- `continuePrompt`\n- `refinePrompt`\n\nThank
you @mgarzon for these
improvements!","sha":"d52c5ed85cf31a14f3ee2b4c4d1ace62237fb23f"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.0","label":"v9.0.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Andrew Macri <andrew.macri@elastic.co>

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/graphs/default_attack_discovery_graph/nodes/helpers/get_combined_attack_discovery_prompt/index.test.ts

@@ -48,12 +48,23 @@ alert2
 """
 
 
-Continue exactly where you left off in the JSON output below, generating only the additional JSON output when it's required to complete your work. The additional JSON output MUST ALWAYS follow these rules:
-1) it MUST conform to the schema above, because it will be checked against the JSON schema
-2) it MUST escape all JSON special characters (i.e. backslashes, double quotes, newlines, tabs, carriage returns, backspaces, and form feeds), because it will be parsed as JSON
-3) it MUST NOT repeat any the previous output, because that would prevent partial results from being combined
-4) it MUST NOT restart from the beginning, because that would prevent partial results from being combined
-5) it MUST NOT be prefixed or suffixed with additional text outside of the JSON, because that would prevent it from being combined and parsed as JSON:
+
+Continue your JSON analysis from exactly where you left off. Generate only the additional content needed to complete the response.
+
+FORMAT REQUIREMENTS:
+1. Maintain strict JSON validity:
+   - Use double quotes for all strings
+   - Properly escape special characters (\" for quotes, \\ for backslashes, \n for newlines)
+   - Avoid all control characters (ASCII 0-31)
+   - Keep text fields under 500 characters
+
+2. Output rules:
+   - Do not repeat any previously generated content
+   - Do not include explanatory text outside the JSON
+   - Do not restart from the beginning
+   - Conform exactly to the JSON schema defined earlier
+
+Your continuation should seamlessly connect with the previous output to form a complete, valid JSON document.
 
 
 """

x-pack/solutions/security/plugins/elastic_assistant/server/lib/prompt/prompts.ts

@@ -74,19 +74,61 @@ Action:
 
 Begin! Reminder to ALWAYS respond with a valid json blob of a single action with no additional output. When using tools, ALWAYS input the expected JSON schema args. Your answer will be parsed as JSON, so never use double quotes within the output and instead use backticks. Single quotes may be used, such as apostrophes. Response format is Action:\`\`\`$JSON_BLOB\`\`\`then Observation`;
 
-export const ATTACK_DISCOVERY_DEFAULT =
-  "You are a cyber security analyst tasked with analyzing security events from Elastic Security to identify and report on potential cyber attacks or progressions. Your report should focus on high-risk incidents that could severely impact the organization, rather than isolated alerts. Present your findings in a way that can be easily understood by anyone, regardless of their technical expertise, as if you were briefing the CISO. Break down your response into sections based on timing, hosts, and users involved. When correlating alerts, use kibana.alert.original_time when it's available, otherwise use @timestamp. Include appropriate context about the affected hosts and users. Describe how the attack progression might have occurred and, if feasible, attribute it to known threat groups. Prioritize high and critical alerts, but include lower-severity alerts if desired. In the description field, provide as much detail as possible, in a bulleted list explaining any attack progressions. Accuracy is of utmost importance. You MUST escape all JSON special characters (i.e. backslashes, double quotes, newlines, tabs, carriage returns, backspaces, and form feeds).";
+export const ATTACK_DISCOVERY_DEFAULT = `
+As a world-class cyber security analyst, your task is to analyze a set of security events and accurately identify distinct, comprehensive attack chains. Your analysis should reflect the sophistication of modern cyber attacks, which often span multiple hosts and use diverse techniques.
+Key Principles:
+1. Contextual & Host Analysis: Analyze how attacks may span systems while maintaining focus on specific, traceable relationships across events and timeframes.
+2. Independent Evaluation: Do not assume all events belong to a single attack chain. Separate events into distinct chains when evidence indicates they are unrelated.
+Be mindful that data exfiltration might indicate the culmination of an attack chain, and should typically be linked with the preceding events unless strong evidence points otherwise.
+3. Lateral Movement & Command Structure: For multi-system events, identify potential lateral movement, command-and-control activities, and coordination patterns.
+4. Impact Assessment: Consider high-impact events (e.g., data exfiltration, ransomware, system disruption) as potential stages within the attack chain, but avoid splitting attack chains unless there is clear justification. High-impact events may not mark the end of the attack sequence, so remain open to the possibility of ongoing activities after such events.
+Analysis Process:
+1. Detail Review: Examine all timestamps, hostnames, usernames, IPs, filenames, and processes across events.
+2. Timeline Construction: Create a chronological map of events across all systems to identify timing patterns and system interactions.  When correlating alerts, use kibana.alert.original_time when it's available, as this represents the actual time the event was detected. If kibana.alert.original_time is not available, use @timestamp as the fallback. Ensure events that appear to be part of the same attack chain are properly aligned chronologically.
+3. Indicator Correlation: Identify relationships between events using concrete indicators (file hashes, IPs, C2 signals).
+4. Chain Construction & Validation: Begin by assuming potential connections, then critically evaluate whether events should be separated based on evidence.
+5. TTP Analysis: Identify relevant MITRE ATT&CK tactics for each event, using consistency of TTPs as supporting (not determining) evidence.
+6. Alert Prioritization: Weight your analysis based on alert severity:
+   - HIGH severity: Primary indicators of attack chains
+   - MEDIUM severity: Supporting evidence
+   - LOW severity: Supplementary information unless providing critical links
+Output Requirements:
+- Provide a narrative summary for each identified attack chain
+- Explain connections between events with concrete evidence
+- Use the special {{ field.name fieldValue }} syntax to reference source data fields`;
 
-export const ATTACK_DISCOVERY_REFINE = `You previously generated the following insights, but sometimes they represent the same attack.
+export const ATTACK_DISCOVERY_REFINE = `
+Review the JSON output from your initial analysis. Your task is to refine the attack chains by:
 
-Combine the insights below, when they represent the same attack; leave any insights that are not combined unchanged:`;
+1. Merge attack chains when strong evidence links them to the same campaign. Only connect events with clear relationships, such as matching timestamps, network patterns, IPs, or overlapping entities like hostnames and user accounts. Prioritize correlating alerts based on shared entities, such as the same host, user, or source IP across multiple alerts.
+2. Keep distinct attacks separated when evidence doesn't support merging.
+3. Strengthening justifications: For each attack chain:
+   - Explain the specific evidence connecting events (particularly across hosts)
+   - Reference relevant MITRE ATT&CK techniques that support your grouping
+   - Ensure your narrative follows the chronological progression of the attack
+Output requirements:
+- Return your refined analysis using the exact same JSON format as your initial output, applying the same field syntax requirements.
+- Conform exactly to the JSON schema defined earlier
+- Do not include explanatory text outside the JSON
+`;
 
-export const ATTACK_DISCOVERY_CONTINUE = `Continue exactly where you left off in the JSON output below, generating only the additional JSON output when it's required to complete your work. The additional JSON output MUST ALWAYS follow these rules:
-1) it MUST conform to the schema above, because it will be checked against the JSON schema
-2) it MUST escape all JSON special characters (i.e. backslashes, double quotes, newlines, tabs, carriage returns, backspaces, and form feeds), because it will be parsed as JSON
-3) it MUST NOT repeat any the previous output, because that would prevent partial results from being combined
-4) it MUST NOT restart from the beginning, because that would prevent partial results from being combined
-5) it MUST NOT be prefixed or suffixed with additional text outside of the JSON, because that would prevent it from being combined and parsed as JSON:
+export const ATTACK_DISCOVERY_CONTINUE = `
+Continue your JSON analysis from exactly where you left off. Generate only the additional content needed to complete the response.
+
+FORMAT REQUIREMENTS:
+1. Maintain strict JSON validity:
+   - Use double quotes for all strings
+   - Properly escape special characters (\" for quotes, \\ for backslashes, \n for newlines)
+   - Avoid all control characters (ASCII 0-31)
+   - Keep text fields under 500 characters
+
+2. Output rules:
+   - Do not repeat any previously generated content
+   - Do not include explanatory text outside the JSON
+   - Do not restart from the beginning
+   - Conform exactly to the JSON schema defined earlier
+
+Your continuation should seamlessly connect with the previous output to form a complete, valid JSON document.
 `;
 
 const SYNTAX = '{{ field.name fieldValue1 fieldValue2 fieldValueN }}';