Complete chat

The Complete chat API lets you talk to a configured large language model (LLM) and, when needed, persist the result as a conversation (either creating a new conversation or extending an existing one).
Request URL

POST <kibana host>:<port>/api/security_ai_assistant/chat/complete
Request body

| Name | Type | Description | Required |
|---|---|---|---|
| `conversationId` | string | The ID of the conversation to append the message to and use as context. Refer to the Conversation API. | No |
| `connectorId` | string | The ID of the LLM connector: the Kibana integration with a specific LLM provider. | Yes |
|  | string | The default conversation prompt ID. | No |
| `persist` | boolean | Defines whether the conversation should be persisted: created, or updated if `conversationId` is provided. | Yes |
|  | boolean | Defines the type of response. If … | No |
| `messages` | array of objects | Array of conversation messages. | Yes |
|  | string | The name of the specific LLM to use. | No |
|  | string | Defines the language of the LLM response. | No |
messages object

| Name | Type | Description | Required |
|---|---|---|---|
| `role` | string | Message role. Can be `user`, `assistant`, or `system`. | Yes |
| `content` | string | Message content to send to the LLM. | Yes |
| `data` | object | JSON object to include as model context. | No |
| `fields_to_anonymize` | array | The `data` fields to anonymize, in addition to the fields covered by the application's central anonymization settings. | No |
Example requests

Example 1

Send a message to the LLM. The data is anonymized using the application's central anonymization settings, with the list of fields to anonymize extended by `fields_to_anonymize`. Because `persist` is `false`, nothing is written to a conversation.

```console
POST api/security_ai_assistant/chat/complete
{
  "connectorId": "my-gpt4o-ai",
  "persist": false,
  "messages": [
    {
      "role": "user",
      "content": "Evaluate the event from the context and format your output neatly in markdown syntax for my Elastic Security case.\nAdd your description, recommended actions and bulleted triage steps. Use the MITRE ATT&CK data provided to add more context and recommendations from MITRE, and hyperlink to the relevant pages on MITRE's website. Be sure to include the user and host risk score data from the context. Your response should include steps that point to Elastic Security specific features, including endpoint response actions, the Elastic Agent OSQuery manager integration (with example osquery queries), timelines and entity analytics and link to all the relevant Elastic Security documentation.",
      "data": {
        "event.category": "process",
        "process.pid": 69516,
        "host.os.version": 14.5,
        "host.os.name": "macOS"
      },
      "fields_to_anonymize": [
        "host.os.name"
      ]
    }
  ]
}
```
Example 2

Send a message to the LLM within an existing conversation, providing data as context. The data is anonymized using the application's central anonymization settings, with the list of fields to anonymize extended by `fields_to_anonymize`. Because `persist` is `true` and `conversationId` is given, the LLM response is added to the existing conversation with the `assistant` role.

```console
POST api/security_ai_assistant/chat/complete
{
  "connectorId": "my-gpt4o-ai",
  "conversationId": "df071e68-3c8e-4c0d-b0e7-1557e80c0319",
  "persist": true,
  "messages": [
    {
      "role": "user",
      "content": "Evaluate the event from the context and format your output neatly in markdown syntax for my Elastic Security case.\nAdd your description, recommended actions and bulleted triage steps. Use the MITRE ATT&CK data provided to add more context and recommendations from MITRE, and hyperlink to the relevant pages on MITRE's website. Be sure to include the user and host risk score data from the context. Your response should include steps that point to Elastic Security specific features, including endpoint response actions, the Elastic Agent OSQuery manager integration (with example osquery queries), timelines and entity analytics and link to all the relevant Elastic Security documentation.",
      "data": {
        "event.category": "process",
        "process.pid": 69516,
        "host.os.version": 14.5,
        "host.os.name": "macOS",
        "host.name": "test-MBP",
        "process.name": "biomesyncd",
        "user.name": "usertest",
        "process.working_directory": "/",
        "event.module": "system",
        "process.executable": "/usr/libexec/biomesyncd",
        "process.args": "/usr/libexec/biomesyncd",
        "message": "Process biomesyncd (PID: 69516) by user usertest STOPPED"
      },
      "fields_to_anonymize": [
        "host.os.name",
        "event.module"
      ]
    }
  ]
}
```
Example 3

Send a message to the LLM. Because `persist` is `true` and no `conversationId` is given, a new conversation is created and the LLM response is added to it with the `assistant` role.

```console
POST api/security_ai_assistant/chat/complete
{
  "connectorId": "my-gpt4o-ai",
  "persist": true,
  "messages": [
    {
      "role": "user",
      "content": "Evaluate the event from the context and format your output neatly in markdown syntax for my Elastic Security case.\nAdd your description, recommended actions and bulleted triage steps. Use the MITRE ATT&CK data provided to add more context and recommendations from MITRE, and hyperlink to the relevant pages on MITRE's website. Be sure to include the user and host risk score data from the context. Your response should include steps that point to Elastic Security specific features, including endpoint response actions, the Elastic Agent OSQuery manager integration (with example osquery queries), timelines and entity analytics and link to all the relevant Elastic Security documentation."
    }
  ]
}
```
Response codes

200

Indicates a successful call.

Response payload

A JSON object containing the LLM response in `data` and, if `persist` is set to `true`, the conversation ID in `conversationId`. When fields were anonymized, the payload also carries a `replacements` map from each placeholder to the original value: the LLM provider only ever receives the placeholders, and the real values are substituted back locally. Treat the model text as a draft to verify rather than a finding; the sample responses below, for instance, map a stopped macOS daemon to the PowerShell sub-technique T1059.001.
Example 1

Conversation response payload

```json
{
  "connector_id": "my-gpt4o-ai",
  "data": "### Elastic Security Case: Process Stopped Event\n\n#### Description\nA process named `biomesyncd` with PID `69516` was stopped by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` running `dc00f5d9-bdf3-4517-b7ef-de5a89f0d071` version `14.5`. The executable path for the process is `/usr/libexec/biomesyncd`.\n\n#### Recommended Actions\n1. **Investigate the process**: Determine if the process `biomesyncd` is legitimate or potentially malicious.\n2. **Check user activity**: Review the actions performed by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` around the time the process was stopped.\n3. **Analyze host behavior**: Examine the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` for any other suspicious activities or anomalies.\n\n#### Triage Steps\n- **Review Process Details**:\n - Verify the legitimacy of the process `biomesyncd`.\n - Check the process arguments and executable path.\n- **User Activity Analysis**:\n - Investigate the user `2fede99b-5ec7-4274-b990-469b4110f7ba` for any unusual behavior.\n- **Host Analysis**:\n - Check for other suspicious processes or activities on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1`.\n\n#### MITRE ATT&CK Context\n- **Technique**: [T1059.001 - Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/)\n- **Tactic**: Execution\n\n#### Elastic Security Features\n- **Endpoint Response Actions**: Use Elastic Security's endpoint response actions to isolate the host or terminate suspicious processes.\n- **Elastic Agent OSQuery Manager Integration**: Utilize OSQuery to gather more information about the host and processes.\n - Example OSQuery Query:\n ```sql\n SELECT * FROM processes WHERE name = 'biomesyncd';\n ```\n- **Timelines**: Create a timeline to visualize the sequence of events and correlate with other activities.\n- **Entity Analytics**: Use entity analytics to assess the risk score of the user and host.\n\n#### Elastic Security Documentation\n- [Endpoint Security](https://elastic.ac.cn/guide/en/security/current/endpoint-security.html)\n- [OSQuery Manager](https://elastic.ac.cn/guide/en/security/current/osquery-manager.html)\n- [Timelines](https://elastic.ac.cn/guide/en/security/current/timelines.html)\n- [Entity Analytics](https://elastic.ac.cn/guide/en/security/current/entity-analytics.html)\n\n### ESQL Query\n```sql\nFROM process\nWHERE process.name == \"biomesyncd\"\n AND process.pid == 69516\n AND user.name == \"2fede99b-5ec7-4274-b990-469b4110f7ba\"\n AND host.name == \"e4d4dc93-754e-4282-ac84-94fe72071ab1\"\n AND host.os.version == \"14.5\"\n```\n\nThis query can be used in an Elastic Security timeline or detection rule to detect the stopping of the `biomesyncd` process by the specified user on the specified host.",
  "trace_data": {
    "transactionId": "293ad93379ace883",
    "traceId": "eeedce3430c9ded8fb8dc38dcfd96eb4"
  },
  "replacements": {
    "dc00f5d9-bdf3-4517-b7ef-de5a89f0d071": "macOS"
  },
  "status": "ok",
  "conversationId": "df071e68-3c8e-4c0d-b0e7-1557e80c0319"
}
```
Example 2

Conversation response payload

```json
{
  "connector_id": "my-gpt4o-ai",
  "data": "### Elastic Security Case: Process Stopped Event\n\n#### Description\nA process named `biomesyncd` with PID `69516` was stopped by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` running `dc00f5d9-bdf3-4517-b7ef-de5a89f0d071` version `14.5`. The executable path for the process is `/usr/libexec/biomesyncd`.\n\n#### Recommended Actions\n1. **Investigate the process**: Determine if the process `biomesyncd` is legitimate or potentially malicious.\n2. **Check user activity**: Review the actions performed by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` around the time the process was stopped.\n3. **Analyze host behavior**: Examine the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` for any other suspicious activities or anomalies.\n\n#### Triage Steps\n- **Review Process Details**:\n - Verify the legitimacy of the process `biomesyncd`.\n - Check the process arguments and executable path.\n- **User Activity Analysis**:\n - Investigate the user `2fede99b-5ec7-4274-b990-469b4110f7ba` for any unusual behavior.\n- **Host Analysis**:\n - Check for other suspicious processes or activities on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1`.\n\n#### MITRE ATT&CK Context\n- **Technique**: [T1059.001 - Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/)\n- **Tactic**: Execution\n\n#### Elastic Security Features\n- **Endpoint Response Actions**: Use Elastic Security's endpoint response actions to isolate the host or terminate suspicious processes.\n- **Elastic Agent OSQuery Manager Integration**: Utilize OSQuery to gather more information about the host and processes.\n - Example OSQuery Query:\n ```sql\n SELECT * FROM processes WHERE name = 'biomesyncd';\n ```\n- **Timelines**: Create a timeline to visualize the sequence of events and correlate with other activities.\n- **Entity Analytics**: Use entity analytics to assess the risk score of the user and host.\n\n#### Elastic Security Documentation\n- [Endpoint Security](https://elastic.ac.cn/guide/en/security/current/endpoint-security.html)\n- [OSQuery Manager](https://elastic.ac.cn/guide/en/security/current/osquery-manager.html)\n- [Timelines](https://elastic.ac.cn/guide/en/security/current/timelines.html)\n- [Entity Analytics](https://elastic.ac.cn/guide/en/security/current/entity-analytics.html)\n\n### ESQL Query\n```sql\nFROM process\nWHERE process.name == \"biomesyncd\"\n AND process.pid == 69516\n AND user.name == \"2fede99b-5ec7-4274-b990-469b4110f7ba\"\n AND host.name == \"e4d4dc93-754e-4282-ac84-94fe72071ab1\"\n AND host.os.version == \"14.5\"\n```\n\nThis query can be used in an Elastic Security timeline or detection rule to detect the stopping of the `biomesyncd` process by the specified user on the specified host.",
  "trace_data": {
    "transactionId": "293ad93379ace883",
    "traceId": "eeedce3430c9ded8fb8dc38dcfd96eb4"
  },
  "replacements": {
    "dc00f5d9-bdf3-4517-b7ef-de5a89f0d071": "macOS",
    "e4d4dc93-754e-4282-ac84-94fe72071ab1": "test-MBP",
    "2fede99b-5ec7-4274-b990-469b4110f7ba": "usertest",
    "661a7e8f-42c3-4f8c-a1bc-6ff1aa750034": "system"
  },
  "status": "ok",
  "conversationId": "df071e68-3c8e-4c0d-b0e7-1557e80c0319"
}
```
Example 3

Conversation response payload

```json
{
  "connector_id": "my-gpt4o-ai",
  "data": "### Elastic Security Case: Process Stopped Event\n\n#### Description\nA process named `biomesyncd` with PID `69516` was stopped by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` running `dc00f5d9-bdf3-4517-b7ef-de5a89f0d071` version `14.5`. The executable path for the process is `/usr/libexec/biomesyncd`.\n\n#### Recommended Actions\n1. **Investigate the process**: Determine if the process `biomesyncd` is legitimate or potentially malicious.\n2. **Check user activity**: Review the actions performed by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` around the time the process was stopped.\n3. **Analyze host behavior**: Examine the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` for any other suspicious activities or anomalies.\n\n#### Triage Steps\n- **Review Process Details**:\n - Verify the legitimacy of the process `biomesyncd`.\n - Check the process arguments and executable path.\n- **User Activity Analysis**:\n - Investigate the user `2fede99b-5ec7-4274-b990-469b4110f7ba` for any unusual behavior.\n- **Host Analysis**:\n - Check for other suspicious processes or activities on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1`.\n\n#### MITRE ATT&CK Context\n- **Technique**: [T1059.001 - Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/)\n- **Tactic**: Execution\n\n#### Elastic Security Features\n- **Endpoint Response Actions**: Use Elastic Security's endpoint response actions to isolate the host or terminate suspicious processes.\n- **Elastic Agent OSQuery Manager Integration**: Utilize OSQuery to gather more information about the host and processes.\n - Example OSQuery Query:\n ```sql\n SELECT * FROM processes WHERE name = 'biomesyncd';\n ```\n- **Timelines**: Create a timeline to visualize the sequence of events and correlate with other activities.\n- **Entity Analytics**: Use entity analytics to assess the risk score of the user and host.\n\n#### Elastic Security Documentation\n- [Endpoint Security](https://elastic.ac.cn/guide/en/security/current/endpoint-security.html)\n- [OSQuery Manager](https://elastic.ac.cn/guide/en/security/current/osquery-manager.html)\n- [Timelines](https://elastic.ac.cn/guide/en/security/current/timelines.html)\n- [Entity Analytics](https://elastic.ac.cn/guide/en/security/current/entity-analytics.html)\n\n### ESQL Query\n```sql\nFROM process\nWHERE process.name == \"biomesyncd\"\n AND process.pid == 69516\n AND user.name == \"2fede99b-5ec7-4274-b990-469b4110f7ba\"\n AND host.name == \"e4d4dc93-754e-4282-ac84-94fe72071ab1\"\n AND host.os.version == \"14.5\"\n```\n\nThis query can be used in an Elastic Security timeline or detection rule to detect the stopping of the `biomesyncd` process by the specified user on the specified host.",
  "trace_data": {
    "transactionId": "783ad93379ace778",
    "traceId": "bbbdce3430c9ded8fb8dc38dcfd96eb4"
  },
  "status": "ok",
  "conversationId": "cb071e68-3c8e-4c0d-b0e7-1557e80c0316"
}
```
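The following client helper is an added example and not Elastic's own code. It builds the request body described in the tables above, sends it to Kibana, and then does the two things the sample payloads above imply a caller must do: substitute the `replacements` placeholders back into the model text, and check that no sensitive original value reached the provider in clear text. The Kibana URL, the API key, the connector ID and the trimmed `SAMPLE_RESPONSE` are constructed for illustration; the `kbn-xsrf` header and `ApiKey` authorization are standard Kibana API conventions.

```python
"""Client helpers for POST /api/security_ai_assistant/chat/complete.

Added example, not Elastic's own code. The Kibana URL, the API key, the
connector ID and SAMPLE_RESPONSE below are constructed for illustration.
"""
from __future__ import annotations

import json
import urllib.request
from typing import Any, Optional

KIBANA_URL = "https://kibana.example.internal:5601"  # assumption: your Kibana base URL
API_KEY = "REPLACE_WITH_BASE64_KIBANA_API_KEY"        # assumption: a Kibana API key


def build_request(connector_id: str, content: str, data: Optional[dict] = None,
                  fields_to_anonymize: Optional[list[str]] = None,
                  conversation_id: Optional[str] = None,
                  persist: bool = False) -> dict[str, Any]:
    """Build the request body from the tables above.

    conversationId is only sent when extending an existing conversation;
    persist=False keeps the exchange out of the stored conversations.
    """
    message: dict[str, Any] = {"role": "user", "content": content}
    if data is not None:
        message["data"] = data
        # Anonymization runs inside Kibana using the central settings; this
        # list widens it for fields that must not reach the provider in clear.
        message["fields_to_anonymize"] = list(fields_to_anonymize or [])
    body: dict[str, Any] = {
        "connectorId": connector_id,
        "persist": persist,
        "messages": [message],
    }
    if conversation_id:
        body["conversationId"] = conversation_id
    return body


def chat_complete(body: dict[str, Any], kibana_url: str = KIBANA_URL,
                  api_key: str = API_KEY) -> dict[str, Any]:
    """POST the body to Kibana and return the parsed payload (live network call)."""
    req = urllib.request.Request(
        f"{kibana_url}/api/security_ai_assistant/chat/complete",
        data=json.dumps(body).encode(),
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",  # Kibana rejects state-changing calls without it
            "Authorization": f"ApiKey {api_key}",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)


def deanonymize(payload: dict[str, Any]) -> str:
    """Restore real values in the model text from the `replacements` map
    (placeholder -> original). The provider only ever saw the placeholders."""
    text = payload["data"]
    for placeholder, original in payload.get("replacements", {}).items():
        text = text.replace(placeholder, original)
    return text


def leaked_values(payload: dict[str, Any], sensitive: list[str]) -> list[str]:
    """Return sensitive originals that appear verbatim in the raw, still
    anonymized, model output. Non-empty means the field was covered neither by
    the central settings nor by fields_to_anonymize, so the provider saw it."""
    raw = payload["data"]
    return [v for v in sensitive if v in raw]


# Constructed sample, trimmed from the response shape shown above (not a live reply).
SAMPLE_RESPONSE: dict[str, Any] = {
    "connector_id": "my-gpt4o-ai",
    "data": ("Process `biomesyncd` (PID 69516) was stopped by user "
             "`2fede99b-5ec7-4274-b990-469b4110f7ba` on host "
             "`e4d4dc93-754e-4282-ac84-94fe72071ab1` running "
             "`dc00f5d9-bdf3-4517-b7ef-de5a89f0d071` 14.5. "
             "Executable: /usr/libexec/biomesyncd."),
    "replacements": {
        "dc00f5d9-bdf3-4517-b7ef-de5a89f0d071": "macOS",
        "e4d4dc93-754e-4282-ac84-94fe72071ab1": "test-MBP",
        "2fede99b-5ec7-4274-b990-469b4110f7ba": "usertest",
    },
    "status": "ok",
    "conversationId": "df071e68-3c8e-4c0d-b0e7-1557e80c0319",
}


if __name__ == "__main__":
    body = build_request(
        "my-gpt4o-ai",  # assumption: an existing LLM connector ID
        "Summarize this event for an Elastic Security case.",
        data={"host.name": "test-MBP", "user.name": "usertest",
              "host.os.name": "macOS", "process.pid": 69516},
        fields_to_anonymize=["host.os.name"],
    )
    print(json.dumps(body, indent=2))
    # payload = chat_complete(body)  # live call against the assumed Kibana
    payload = SAMPLE_RESPONSE
    print("leaked:", leaked_values(payload, ["test-MBP", "usertest", "macOS"]))
    print(deanonymize(payload))
```

Run `leaked_values` against the raw `data` before calling `deanonymize`: once the placeholders are substituted back, every original value is present by design and the check is meaningless. A non-empty result is the signal to add the offending field to `fields_to_anonymize` or to the central anonymization settings before sending that event type again.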