Complete chat
The Complete chat API allows you to communicate with the configured large language model (LLM) and, if needed, save the result as a conversation (creating a new conversation or extending an existing one).
Request URL
POST <kibana host>:<port>/api/security_ai_assistant/chat/complete
Request body
Name | Type | Description | Required |
---|---|---|---|
`conversationId` | String | The conversation ID to append the messages to and use as context. See the Conversation API. | No |
`connectorId` | String | The ID of the LLM connector: the Kibana integration with a specific LLM provider. | Yes |
`promptId` | String | The default conversation prompt ID. | No |
`persist` | Boolean | Defines whether the conversation should be created or updated (if `conversationId` is provided). | Yes |
`isStream` | Boolean | Defines the type of response. | No |
`messages` | Array | Array of conversation messages. | Yes |
`model` | String | The name of the specific LLM to use. | No |
`responseLanguage` | String | Defines the language of the LLM response. | No |
`messages` object
Name | Type | Description | Required |
---|---|---|---|
`role` | String | Message role. Can be `user`, `assistant` or `system`. | Yes |
`content` | String | Message content to send to the LLM. | Yes |
`data` | Object | JSON object to include as context for the model. | No |
`fields_to_anonymize` | Array | Fields to anonymize. | No |
Example requests
Example 1
Sends a message to the LLM. The data is anonymized using central anonymization, extended with the list of fields to anonymize.
POST api/security_ai_assistant/chat/complete
```json
{
  "connectorId": "my-gpt4o-ai",
  "persist": false,
  "messages": [
    {
      "role": "user",
      "content": "Evaluate the event from the context and format your output neatly in markdown syntax for my Elastic Security case.\nAdd your description, recommended actions and bulleted triage steps. Use the MITRE ATT&CK data provided to add more context and recommendations from MITRE, and hyperlink to the relevant pages on MITRE's website. Be sure to include the user and host risk score data from the context. Your response should include steps that point to Elastic Security specific features, including endpoint response actions, the Elastic Agent OSQuery manager integration (with example osquery queries), timelines and entity analytics and link to all the relevant Elastic Security documentation.",
      "data": {
        "event.category": "process",
        "process.pid": 69516,
        "host.os.version": 14.5,
        "host.os.name": "macOS"
      },
      "fields_to_anonymize": [
        "host.os.name"
      ]
    }
  ]
}
```
Example 2
Sends a message to the LLM in an existing conversation, providing data as context. The data is anonymized using central anonymization, extended with the list of fields to anonymize. The LLM response, with the role `assistant`, is added to the existing conversation.
POST api/security_ai_assistant/chat/complete
```json
{
  "connectorId": "my-gpt4o-ai",
  "conversationId": "df071e68-3c8e-4c0d-b0e7-1557e80c0319",
  "persist": true,
  "messages": [
    {
      "role": "user",
      "content": "Evaluate the event from the context and format your output neatly in markdown syntax for my Elastic Security case.\nAdd your description, recommended actions and bulleted triage steps. Use the MITRE ATT&CK data provided to add more context and recommendations from MITRE, and hyperlink to the relevant pages on MITRE's website. Be sure to include the user and host risk score data from the context. Your response should include steps that point to Elastic Security specific features, including endpoint response actions, the Elastic Agent OSQuery manager integration (with example osquery queries), timelines and entity analytics and link to all the relevant Elastic Security documentation.",
      "data": {
        "event.category": "process",
        "process.pid": 69516,
        "host.os.version": 14.5,
        "host.os.name": "macOS",
        "host.name": "test-MBP",
        "process.name": "biomesyncd",
        "user.name": "usertest",
        "process.working_directory": "/",
        "event.module": "system",
        "process.executable": "/usr/libexec/biomesyncd",
        "process.args": "/usr/libexec/biomesyncd",
        "message": "Process biomesyncd (PID: 69516) by user usertest STOPPED"
      },
      "fields_to_anonymize": [
        "host.os.name",
        "event.module"
      ]
    }
  ]
}
```
Example 3
Sends a message to the LLM. Creates a new conversation and adds the LLM response with the role `assistant`.
POST api/security_ai_assistant/chat/complete
```json
{
  "connectorId": "my-gpt4o-ai",
  "persist": true,
  "messages": [
    {
      "role": "user",
      "content": "Evaluate the event from the context and format your output neatly in markdown syntax for my Elastic Security case.\nAdd your description, recommended actions and bulleted triage steps. Use the MITRE ATT&CK data provided to add more context and recommendations from MITRE, and hyperlink to the relevant pages on MITRE's website. Be sure to include the user and host risk score data from the context. Your response should include steps that point to Elastic Security specific features, including endpoint response actions, the Elastic Agent OSQuery manager integration (with example osquery queries), timelines and entity analytics and link to all the relevant Elastic Security documentation."
    }
  ]
}
```
Response code
200
Indicates a successful call.
Response payload
A JSON object containing the LLM response, and the conversation ID if `persist` is set to `true`.
Example 1
Conversation response payload
````json
{
  "connector_id": "my-gpt4o-ai",
  "data": "### Elastic Security Case: Process Stopped Event\n\n#### Description\nA process named `biomesyncd` with PID `69516` was stopped by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` running `dc00f5d9-bdf3-4517-b7ef-de5a89f0d071` version `14.5`. The executable path for the process is `/usr/libexec/biomesyncd`.\n\n#### Recommended Actions\n1. **Investigate the process**: Determine if the process `biomesyncd` is legitimate or potentially malicious.\n2. **Check user activity**: Review the actions performed by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` around the time the process was stopped.\n3. **Analyze host behavior**: Examine the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` for any other suspicious activities or anomalies.\n\n#### Triage Steps\n- **Review Process Details**:\n - Verify the legitimacy of the process `biomesyncd`.\n - Check the process arguments and executable path.\n- **User Activity Analysis**:\n - Investigate the user `2fede99b-5ec7-4274-b990-469b4110f7ba` for any unusual behavior.\n- **Host Analysis**:\n - Check for other suspicious processes or activities on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1`.\n\n#### MITRE ATT&CK Context\n- **Technique**: [T1059.001 - Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/)\n- **Tactic**: Execution\n\n#### Elastic Security Features\n- **Endpoint Response Actions**: Use Elastic Security's endpoint response actions to isolate the host or terminate suspicious processes.\n- **Elastic Agent OSQuery Manager Integration**: Utilize OSQuery to gather more information about the host and processes.\n - Example OSQuery Query:\n ```sql\n SELECT * FROM processes WHERE name = 'biomesyncd';\n ```\n- **Timelines**: Create a timeline to visualize the sequence of events and correlate with other activities.\n- **Entity Analytics**: Use entity analytics to assess the risk score of the user and host.\n\n#### Elastic Security Documentation\n- [Endpoint Security](https://elastic.ac.cn/guide/en/security/current/endpoint-security.html)\n- [OSQuery Manager](https://elastic.ac.cn/guide/en/security/current/osquery-manager.html)\n- [Timelines](https://elastic.ac.cn/guide/en/security/current/timelines.html)\n- [Entity Analytics](https://elastic.ac.cn/guide/en/security/current/entity-analytics.html)\n\n### ESQL Query\n```sql\nFROM process\nWHERE process.name == \"biomesyncd\"\n AND process.pid == 69516\n AND user.name == \"2fede99b-5ec7-4274-b990-469b4110f7ba\"\n AND host.name == \"e4d4dc93-754e-4282-ac84-94fe72071ab1\"\n AND host.os.version == \"14.5\"\n```\n\nThis query can be used in an Elastic Security timeline or detection rule to detect the stopping of the `biomesyncd` process by the specified user on the specified host.",
  "trace_data": {
    "transactionId": "293ad93379ace883",
    "traceId": "eeedce3430c9ded8fb8dc38dcfd96eb4"
  },
  "replacements": {
    "dc00f5d9-bdf3-4517-b7ef-de5a89f0d071": "macOS"
  },
  "status": "ok",
  "conversationId": "df071e68-3c8e-4c0d-b0e7-1557e80c0319"
}
````
Example 2
Conversation response payload
````json
{
  "connector_id": "my-gpt4o-ai",
  "data": "### Elastic Security Case: Process Stopped Event\n\n#### Description\nA process named `biomesyncd` with PID `69516` was stopped by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` running `dc00f5d9-bdf3-4517-b7ef-de5a89f0d071` version `14.5`. The executable path for the process is `/usr/libexec/biomesyncd`.\n\n#### Recommended Actions\n1. **Investigate the process**: Determine if the process `biomesyncd` is legitimate or potentially malicious.\n2. **Check user activity**: Review the actions performed by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` around the time the process was stopped.\n3. **Analyze host behavior**: Examine the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` for any other suspicious activities or anomalies.\n\n#### Triage Steps\n- **Review Process Details**:\n - Verify the legitimacy of the process `biomesyncd`.\n - Check the process arguments and executable path.\n- **User Activity Analysis**:\n - Investigate the user `2fede99b-5ec7-4274-b990-469b4110f7ba` for any unusual behavior.\n- **Host Analysis**:\n - Check for other suspicious processes or activities on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1`.\n\n#### MITRE ATT&CK Context\n- **Technique**: [T1059.001 - Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/)\n- **Tactic**: Execution\n\n#### Elastic Security Features\n- **Endpoint Response Actions**: Use Elastic Security's endpoint response actions to isolate the host or terminate suspicious processes.\n- **Elastic Agent OSQuery Manager Integration**: Utilize OSQuery to gather more information about the host and processes.\n - Example OSQuery Query:\n ```sql\n SELECT * FROM processes WHERE name = 'biomesyncd';\n ```\n- **Timelines**: Create a timeline to visualize the sequence of events and correlate with other activities.\n- **Entity Analytics**: Use entity analytics to assess the risk score of the user and host.\n\n#### Elastic Security Documentation\n- [Endpoint Security](https://elastic.ac.cn/guide/en/security/current/endpoint-security.html)\n- [OSQuery Manager](https://elastic.ac.cn/guide/en/security/current/osquery-manager.html)\n- [Timelines](https://elastic.ac.cn/guide/en/security/current/timelines.html)\n- [Entity Analytics](https://elastic.ac.cn/guide/en/security/current/entity-analytics.html)\n\n### ESQL Query\n```sql\nFROM process\nWHERE process.name == \"biomesyncd\"\n AND process.pid == 69516\n AND user.name == \"2fede99b-5ec7-4274-b990-469b4110f7ba\"\n AND host.name == \"e4d4dc93-754e-4282-ac84-94fe72071ab1\"\n AND host.os.version == \"14.5\"\n```\n\nThis query can be used in an Elastic Security timeline or detection rule to detect the stopping of the `biomesyncd` process by the specified user on the specified host.",
  "trace_data": {
    "transactionId": "293ad93379ace883",
    "traceId": "eeedce3430c9ded8fb8dc38dcfd96eb4"
  },
  "replacements": {
    "dc00f5d9-bdf3-4517-b7ef-de5a89f0d071": "macOS",
    "e4d4dc93-754e-4282-ac84-94fe72071ab1": "test-MBP",
    "2fede99b-5ec7-4274-b990-469b4110f7ba": "usertest",
    "661a7e8f-42c3-4f8c-a1bc-6ff1aa750034": "system"
  },
  "status": "ok",
  "conversationId": "df071e68-3c8e-4c0d-b0e7-1557e80c0319"
}
````
Example 3
Conversation response payload
````json
{
  "connector_id": "my-gpt4o-ai",
  "data": "### Elastic Security Case: Process Stopped Event\n\n#### Description\nA process named `biomesyncd` with PID `69516` was stopped by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` running `dc00f5d9-bdf3-4517-b7ef-de5a89f0d071` version `14.5`. The executable path for the process is `/usr/libexec/biomesyncd`.\n\n#### Recommended Actions\n1. **Investigate the process**: Determine if the process `biomesyncd` is legitimate or potentially malicious.\n2. **Check user activity**: Review the actions performed by the user `2fede99b-5ec7-4274-b990-469b4110f7ba` around the time the process was stopped.\n3. **Analyze host behavior**: Examine the host `e4d4dc93-754e-4282-ac84-94fe72071ab1` for any other suspicious activities or anomalies.\n\n#### Triage Steps\n- **Review Process Details**:\n - Verify the legitimacy of the process `biomesyncd`.\n - Check the process arguments and executable path.\n- **User Activity Analysis**:\n - Investigate the user `2fede99b-5ec7-4274-b990-469b4110f7ba` for any unusual behavior.\n- **Host Analysis**:\n - Check for other suspicious processes or activities on the host `e4d4dc93-754e-4282-ac84-94fe72071ab1`.\n\n#### MITRE ATT&CK Context\n- **Technique**: [T1059.001 - Command and Scripting Interpreter: PowerShell](https://attack.mitre.org/techniques/T1059/001/)\n- **Tactic**: Execution\n\n#### Elastic Security Features\n- **Endpoint Response Actions**: Use Elastic Security's endpoint response actions to isolate the host or terminate suspicious processes.\n- **Elastic Agent OSQuery Manager Integration**: Utilize OSQuery to gather more information about the host and processes.\n - Example OSQuery Query:\n ```sql\n SELECT * FROM processes WHERE name = 'biomesyncd';\n ```\n- **Timelines**: Create a timeline to visualize the sequence of events and correlate with other activities.\n- **Entity Analytics**: Use entity analytics to assess the risk score of the user and host.\n\n#### Elastic Security Documentation\n- [Endpoint Security](https://elastic.ac.cn/guide/en/security/current/endpoint-security.html)\n- [OSQuery Manager](https://elastic.ac.cn/guide/en/security/current/osquery-manager.html)\n- [Timelines](https://elastic.ac.cn/guide/en/security/current/timelines.html)\n- [Entity Analytics](https://elastic.ac.cn/guide/en/security/current/entity-analytics.html)\n\n### ESQL Query\n```sql\nFROM process\nWHERE process.name == \"biomesyncd\"\n AND process.pid == 69516\n AND user.name == \"2fede99b-5ec7-4274-b990-469b4110f7ba\"\n AND host.name == \"e4d4dc93-754e-4282-ac84-94fe72071ab1\"\n AND host.os.version == \"14.5\"\n```\n\nThis query can be used in an Elastic Security timeline or detection rule to detect the stopping of the `biomesyncd` process by the specified user on the specified host.",
  "trace_data": {
    "transactionId": "783ad93379ace778",
    "traceId": "bbbdce3430c9ded8fb8dc38dcfd96eb4"
  },
  "status": "ok",
  "conversationId": "cb071e68-3c8e-4c0d-b0e7-1557e80c0316"
}
````
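An added example (not Elastic's code) of a small client for the request shape and `replacements` map documented above: it builds the body used in Examples 1 and 2, refuses a `fields_to_anonymize` entry that is not in `data`, and restores the real values in the reply's `data`. The Kibana URL, the `ApiKey` authorization header and the sample reply are assumptions and constructed data, not from the page.

```python
import json
import urllib.request

KIBANA_URL = "http://localhost:5601"  # assumed deployment, not from the page
CONNECTOR_ID = "my-gpt4o-ai"          # connector ID used in the page's examples


def build_request(content, data, fields_to_anonymize, conversation_id=None, persist=False):
    """Body in the documented shape. Listed fields are anonymized on top of the centrally
    configured ones; anything else in `data` reaches the LLM provider in clear."""
    unknown = [f for f in fields_to_anonymize if f not in data]
    if unknown:  # a misspelled field name would silently leave the real value in clear
        raise ValueError(f"fields_to_anonymize not present in data: {unknown}")
    message = {"role": "user", "content": content, "data": data,
               "fields_to_anonymize": fields_to_anonymize}
    body = {"connectorId": CONNECTOR_ID, "persist": persist, "messages": [message]}
    if conversation_id is not None:  # append to an existing conversation
        body["conversationId"] = conversation_id
    return body


def chat_complete(body, api_key):
    """POST to Kibana. kbn-xsrf is required on Kibana write calls; ApiKey auth is assumed."""
    req = urllib.request.Request(
        f"{KIBANA_URL}/api/security_ai_assistant/chat/complete",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": f"ApiKey {api_key}"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def deanonymize(reply):
    """Swap the placeholder IDs in `data` back to the real values from `replacements`.
    The result names the real host and user again, so treat it as sensitive."""
    text = reply["data"]
    for placeholder, original in reply.get("replacements", {}).items():
        text = text.replace(placeholder, original)
    return text


# Constructed reply modelled on the page's Example 2 response (same placeholder IDs).
SAMPLE_REPLY = {
    "data": "Process `biomesyncd` was stopped by user `2fede99b-5ec7-4274-b990-469b4110f7ba` "
            "on host `e4d4dc93-754e-4282-ac84-94fe72071ab1` running `dc00f5d9-bdf3-4517-b7ef-de5a89f0d071`.",
    "replacements": {"dc00f5d9-bdf3-4517-b7ef-de5a89f0d071": "macOS",
                     "e4d4dc93-754e-4282-ac84-94fe72071ab1": "test-MBP",
                     "2fede99b-5ec7-4274-b990-469b4110f7ba": "usertest"},
    "status": "ok",
}
```

`persist: true` stores both the prompt and the LLM reply server-side in the conversation, so the same review applies to what goes into `data` and to where the de-anonymized text is written afterwards.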