AI Assistant Knowledge Base
Stack Serverless Security
AI Assistant’s Knowledge Base feature enables AI Assistant to recall specific documents and other specified information. This information, which can include everything from the location of your datacenters to the latest threat research, provides additional context that can improve the quality of AI Assistant’s responses to your queries. This topic describes how to enable and add information to Knowledge Base.
Elastic Stack users: when you upgrade from Elastic Security version 8.15 to a newer version, information previously stored by AI Assistant will be lost.
- To use Knowledge Base, the Elastic AI Assistant: Allprivilege.
- To edit global Knowledge Base entries (information that will affect the AI Assistant experience for other users in the Kibana space), the Allow Changes to Global Entriesprivilege.
- You must enable machine learning with a minimum ML node size of 4 GB.
We strongly recommend you enable autoscaling before using Knowledge Base.
The Elastic AI Assistant: All role privilege allows you to use AI Assistant and access its settings. It has two sub-privileges, Field Selection and Anonymization, which allows you to customize which alert fields are sent to AI Assistant and Attack Discovery, and Knowledge Base, which allows you to edit and create new Knowledge Base entries.
 
	
When you enable Knowledge Base, AI Assistant automatically gains access to Elastic's product documentation. This improves its answers to questions related to Elastic products and features.
In air-gapped environments, this requires additional configuration. Refer to the Kibana AI Assistant settings documentation for detailed instructions. Once you complete the instructions on that page, AI Assistant will automatically gain access to Elastic's documentation as soon as you start a new conversation.
There are two ways to enable Knowledge Base.
You must individually enable Knowledge Base for each Kibana space where you want to use it.
Open a conversation with AI Assistant, select a large language model, then click Setup Knowledge Base. If the button doesn’t appear, Knowledge Base is already enabled.
 
	
Knowledge base setup may take several minutes. It will continue in the background if you close the conversation. After setup is complete, you can access Knowledge Base settings from AI Assistant’s conversation settings menu (access the conversation settings menu by clicking the three dots button next to the model selection dropdown).
 
	
- To open Security AI settings, use the global search field to find "AI Assistant for Security."
- On the Knowledge Base tab, click Setup Knowledge Base. If the button doesn’t appear, Knowledge Base is already enabled.
 
	
AI Assistant receives open or acknowledged alerts from your environment from the last 24 hours and uses them as context for your prompts. This enables it to answer questions about multiple alerts in your environment rather than just about individual alerts you choose to send it. It receives alerts ordered by risk score, then by the most recently generated. Building block alerts are excluded.
To configure alert access for Knowledge Base:
- Go the Security AI settings page. Use the global search field to find "AI Assistant for Security."
- On the Knowledge Base tab, use the slider to select the number of alerts to send to AI Assistant.
- Click Save.
Including a large number of alerts may cause your request to exceed the maximum token length of your third-party generative AI provider. If this happens, try selecting a lower number of alerts to send.
To view all knowledge base entries, go to Security AI settings and select the Knowledge Base tab. You can add individual documents or entire indices containing multiple documents. Each entry in the Knowledge Base (a document or index) has a Sharing setting of private or global. Private entries apply to the current user only and do not affect other users in the Kibana space, whereas global entries affect all users. Each entry can also have a Required knowledge setting, which means it will be included as context for every message sent to AI Assistant.
When you enable Knowledge Base, it comes pre-populated with articles from Elastic Security Labs, current through September 30, 2024, which allows AI Assistant to leverage Elastic’s security research during your conversations. This enables it to answer questions such as, “Are there any new tactics used against Windows hosts that I should be aware of when investigating my alerts?”
Add a markdown document to Knowledge Base when you want AI Assistant to remember a specific piece of information.
- To open Security AI settings, use the global search field to find "AI Assistant for Security." Select the Knowledge Base tab.
- Click New → Document and give it a name.
- Under Sharing, select whether this knowledge should be Global or Private.
- Write the knowledge AI Assistant should remember in the Markdown text field.
- In the Markdown text field, enter the information you want AI Assistant to remember.
- If it should be Required knowledge, select the option. Otherwise, leave it blank. Alternatively, you can simply send a message to AI Assistant that instructs it to "Remember" the information. For example, "Remember that I changed my password today, October 24, 2024", or "Remember we always use the Threat Hunting Timeline template when investigating potential threats". Entries created in this way are private to you. By default they are not required knowledge, but you can make them required by instructing AI Assistant to "Always remember", for example "Always remember to address me as madam", or "Always remember that our primary data center is located in Austin, Texas".
Refer to the following video for an example of adding a document to Knowledge Base from the settings menu (click to play video).
To add an individual file to Knowledge Base, you first need to ingest it into an index and ensure that it includes a semantic text or text field. Supported file types include text, PDF, ODF, Word, Excel, PowerPoint, NDJSON, CSV, and TSV.
- Access the Data Visualizer interface to upload a file using the global search field to find "File upload".
- Review the list of currently supported file formats and sizes, then select the file you want to upload. A preview of your data appears. In the Summary section, click Import.
- Go to the Advanced tab. In the Index name field , enter a name for the index that will contain the data in the uploaded file.
- (Optional) Review and update the mappings and ingest pipeline for your new index.
- Click Add additional field -> Add semantic text field.
- For Field, select the field you want to use as a semantic text field. It should contain information that AI Assistant can use to determine whether a document is relevant to a given query. Do not select a metadata field.
- For Copy to field, enter a name for your new semantic text field.
- For Inference endpoint, use the default or select another model that's enabled in your environment.
- Click Add. The new field appears in the Mappings section.
- Click Import. File ingest begins and should complete within a few seconds.
- Once your file has been ingested to an index, add it to Knowledge Base by following the steps to add an index.
Refer to the following video for an example of this process (click to play video):
Add an index as a knowledge source when you want information in that index to inform AI Assistant’s responses. Common security examples include asset inventories, network configuration information, on-call matrices, threat intelligence reports, and vulnerability scans. When you update the index with new information, AI Assistant will gain access to the new information.
Indices added to Knowledge Base must have at least one field mapped as semantic text.
Stack Serverless You can use a text field instead of a semantic text field. Semantic text fields offer better performance for large blobs of text and matching on semantic relevancy, while text fields perform better for retrieval based on specific document values or attributes, such as email or username.
- To open Security AI settings, use the global search field to find "AI Assistant for Security." Select the Knowledge Base tab.
- Click New → Index.
- Name the knowledge source.
- Under Sharing, select whether this knowledge should be Global or Private.
- Under Index, enter the name of the index you want to use as a knowledge source.
- Under Field, enter the names of one or more semantic text ( Stack Serverless or text) fields within the index.
- Under Data Description, describe when this information should be used by AI Assistant.
- Under Query Instruction, describe how AI Assistant should query this index to retrieve relevant documents.
- Under Output Fields, list the fields which AI Assistant should look at when reviewing documents in this index. If none are listed, all fields are sent.
 
	
You can use an Elasticsearch connector or web crawler to create an index that contains data you want to add to Knowledge Base.
You can ingest data from third-party platforms such as Github, Jira, Teams, Google Drive, Slack, email, and more using content connectors.
Once you've set up a content connector, data from the selected source is ingested to an Elasticsearch index. To add it to Knowledge Base, follow the steps to add an index.
First, you’ll need to set up a web crawler to add the desired data to an index, then you’ll need to add that index to Knowledge Base. For more information on web crawlers, refer to web crawlers.
- From the Search section of Kibana, find Web crawlers in the navigation menu or use the global search field. 
- Click New web crawler. - Under Index name, name the index where the data from your new web crawler will be stored, for example  threat_intelligence_feed_1. Click Create index.
- Under Domain url, enter the url where the web crawler should collect data. Click Validate Domain to test it, then Add domain.
 
- Under Index name, name the index where the data from your new web crawler will be stored, for example  
- The previous step opens a page with the details of your new index. Go to its Mappings tab, then click Add field. Note- Remember, each index added to Knowledge Base must have at least one semantic text field. - Under Field type, select Semantic text. Under Select an inference endpoint, selectelastic-security-ai-assistant-elser2. Click Add field, then Save mapping.
 
- Under Field type, select 
- Go to the Scheduling tab. Enable the Enable recurring crawls with the following schedule setting, and define your desired schedule. 
- Go to the Manage Domains tab. Select the domain associated with your new web crawler, then go the its Crawl rules tab and click Add crawl rule. For more information, refer to Web crawler content extraction rules. - Click Add crawl rule again. Under Policy, select Disallow. Under Rule, selectRegex. Under Path pattern, enter.*. Click Save.
- Under Policy, select Allow. Under Rule, selectContains. Under Path pattern, enter your path pattern, for examplethreat-intelligence. Click Save. Make sure this rule appears below the rule created in the previous step on the list.
- Click Crawl, then Crawl all domains on this index. A success message appears. The crawl process will take longer for larger data sources. Once it finishes, your new web crawler’s index will contain documents provided by the crawler.
 
- Click Add crawl rule again. Under Policy, select 
- Finally, follow the instructions to add an index to Knowledge Base. Add the index that contains the data from your new web crawler ( - threat_intelligence_feed_1in this example).
Your new threat intelligence data is now included in Knowledge Base and can inform AI Assistant’s responses.
Refer to the following video for an example of creating a web crawler to ingest threat intelligence data and adding it to Knowledge Base.
- For a walkthrough of how Knowledge Base can improve the quality of AI Assistant's responses, refer to Use AI Assistant's Knowledge Base to improve response quality.
- To learn more about semantic search and inference models, refer to Elasticsearch semantic_text mapping.
- For more information about how the data in Knowledge Base gets chunked, refer to Intelligent RAG data chunking.


