[Security Solution] add policy_response_failure defend insight type

[joeypoon]

Summary

Adds a new Defend Insight (AKA. Automatic Troubleshooting) type, policy_response_failure. This Defend Insight type checks the endpoint policy responses for warnings and failures and provides remediation suggestions.

In order to provide better responses for policy response failures, this PR also introduces static KB assets for Defend Insights. policy_response_failure type requests are enriched with relevant KB assets.

The new policy_response_failure Defend Insight type is feature flagged under defendInsightsPolicyResponseFailure.

anonymized_events_retriever and get_anonymized_events directories renamed to events_retriever and get_events due to max path length restriction.

This PR only contains the API changes for this feature.

Corresponding PR to update Security AI Prompt package.

Checklist

• Unit or functional tests were updated or added to match the most common scenarios

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[ferullo]

Can we include links to online webpages in these snippets?

[joeypoon]

yeah, I think we can make it work.

[szwarckonrad]

A few questions, but otherwise the code looks good to me. Two wishes though 😉:

1. Could you add a script/tool to hydrate events with the policy response failure ones? It’ll make future development easier so we don’t have to generate them manually each time.
2. Could you include usage examples - i.e., sample request and response? A quick reference for UI implementation phase

[szwarckonrad]

Q: Are we sure we cant tighten this?

[joeypoon]

I'm intentionally leaving this more open since we're not sure what future remediation objects might look like.

[szwarckonrad]

Could you leave a comment with an example of a returned value?

[szwarckonrad]

We filter out failure || warning actions in both filter and map, is there a need for that?

[joeypoon]

This is so that we don't have nulls in the returned array.

[szwarckonrad]

Q: Isnt there a mechanism to fetch all by promptGroupId?

[joeypoon]

I don't think so, I only see getPrompt and getPromptsByGroupId in the exports and the promptIds arg is required.

[szwarckonrad]

getDefendInsightsIncompatibleVirusGenerationSchema can we stick to AntiVirus? Might be confusing to someone not familiar with this part of Kibana :D

[joeypoon]

Ah yeah, good catch.

[szwarckonrad]

I see we expect a message field there. Maybe we can build the schema above step by step and start with message instead of leaving it open-ended for now?

[joeypoon]

I might be misinterpreting your suggestion here but I think you're suggesting that we remove remediation and just have message? I did it this way:

1. to make it clear it's a remediation message, not just a generic message
2. to keep the schema for insights more consistent as we might have different remediation shapes in the future

[szwarckonrad]

Should we put it behind a feature flag?

[joeypoon]

This is flagged at the API level. Agree that we'll want a flag at the UI level as well but that will be in separate PR when we add the API call for this insight type.

[joeypoon]

Thanks for taking a look @szwarckonrad 🙇.

1. Could you add a script/tool to hydrate events with the policy response failure ones? It’ll make future development easier so we don’t have to generate them manually each time.

I believe the scripts/endpoint/resolver_generator script already randomly adds policy response failures. Can generate a handful of endpoints for more failure type coverage.

2. Could you include usage examples - i.e., sample request and response? A quick reference for UI implementation phase

This is kind of chunky, I'll share with you on slack.

[spong]

FYI, there's a helper utility for performing license, authenticated user and FF checks you can use:

kibana/x-pack/solutions/security/plugins/elastic_assistant/server/routes/evaluate/post_evaluate.ts

Lines 115 to 121 in c132340

	// Perform license, authenticated user and evaluation FF checks
	const checkResponse = await performChecks({
	capability: 'assistantModelEvaluation',
	context: ctx,
	request,
	response,
	});

[joeypoon]

wasn't aware of this, thanks for the tip. since performChecks is explicitly checking the license req for AI assistant, going to leave this as is for now since we want defend insights to maintain a separate license req (even though technically it's the same level as AI assistant right now).

[natasha-moore-elastic]

API doc changes LGTM

[spong]

Checked out, tested KB features locally with FF off, and code reviewed relevant GenAI changes -- LGTM! 👍

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 4f72c7b

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	10.2MB	10.2MB	+108.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
elasticAssistant	273.8KB	273.8KB	+39.0B
securitySolution	96.0KB	96.1KB	+39.0B
total			+78.0B

Unknown metric groups

ESLint disabled line counts

id	before	after	diff
securitySolution	677	678	+1

Total ESLint disabled count

id	before	after	diff
securitySolution	777	778	+1

History

• 💚 Build #332600 succeeded 1a80aa4
• 💔 Build #332497 failed cbf1c59
• 💚 Build #331956 succeeded 12243c1
• 💔 Build #331769 failed 2b5e08b
• 💔 Build #331751 failed 2d67960
• 💚 Build #331163 succeeded c132340

[stephmilovic]

Hey I'm updating the prompts for something else and I think you may have forgotten to update the integration when you made these changes. My PR will include your changes, so no action needed, but please remember to update the integration in the future