Merged
5 changes: 5 additions & 0 deletions packages/security_ai_prompts/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.0.9"
changes:
- description: "Add new Entity Highlights prompts"
type: enhancement
link: https://github.com/elastic/integrations/pull/15750
- version: "1.0.8"
changes:
- description: "Update ease prompts"
Expand Down
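Review bot: The changelog entry under-describes this change. Only one prompt file is added in this PR (the `entityDetailsHighlights` prompt), so "Add new Entity Highlights prompts" should be singular, and the entry says nothing about the other change here, which swaps the saved object `id` of every existing `security-ai-prompt` file in the package. Consumers may key on those ids, so that deserves its own line under 1.0.9, for example `- description: "Regenerate saved object ids for existing security AI prompts"`, and if the old ids stop resolving after upgrade a `breaking-change` type fits better than `enhancement` for that line.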
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "The suggested remediation action to take for the policy response failure"
}
},
"id": "security_ai_prompts-6a9fe9d7-5cd3-4d24-b458-f948da93c19f",
"id": "security_ai_prompts-00dba7a7-4edb-4c46-8f6d-aa4670020cd4",
"type": "security-ai-prompt"
}
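Review bot: The only change in this hunk (and in every other prompt file in the PR) is replacing the saved object `id` with a fresh UUID while the `attributes` and `type` are untouched. That is a re-key rather than an update: on package upgrade a new `security-ai-prompt` object is installed under `security_ai_prompts-00dba7a7-...`, anything that stored or referenced `security_ai_prompts-6a9fe9d7-...` no longer resolves, and whether the old object is removed depends on the installer. If regenerating the ids is intentional (for instance to avoid a collision with objects from an earlier package version), please state that in the PR description and changelog; if it is a side effect of regenerating the files from a script, keep the original ids so existing installations update in place.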
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "The process.executable value of the event"
}
},
"id": "security_ai_prompts-f940864a-3dfe-4c37-b3ff-eb93aca35692",
"id": "security_ai_prompts-02d435d2-3ab1-45f7-be74-0715a8ca2ad9",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Return **only a single-line stringified JSON object** without any code fences, explanations, or variable assignments. Do **not** wrap the output in triple backticks or any Markdown code block. \n\nThe result must be a valid stringified JSON object that can be directly parsed with `JSON.parse()` in JavaScript.\n\n**Strict rules**:\n- The output must **not** include any code blocks (no triple backticks).\n- The output must be **a string**, ready to be passed directly into `JSON.parse()`.\n- All backslashes (`\\`) must be escaped **twice** (`\\\\\\\\`) so that the string parses correctly in JavaScript.\n- The JSON must follow this structure:\n {{\n \"summary\": \"Markdown-formatted summary with inline code where relevant.\",\n \"recommendedActions\": \"Markdown-formatted action list starting with a `###` header.\"\n }}\n- The summary text should just be text. It does not need any titles or leading items in bold.\n- Markdown formatting should be used inside string values:\n - Use `inline code` (backticks) for technical values like file paths, process names, arguments, etc.\n - Use `**bold**` for emphasis.\n - Use `-` for bullet points.\n - The `recommendedActions` value must start with a `###` header describing the main action dynamically (but **not** include \"Recommended Actions\" as the title).\n- **Do not** include any extra explanation or text. Only return the stringified JSON object.\n\nThe response should look like this:\n{{\"summary\":\"Markdown-formatted summary text.\",\"recommendedActions\":\"Markdown-formatted action list starting with a ### header.\"}}"
}
},
"id": "security_ai_prompts-924663fd-7d79-46b6-8eb9-77db4e242c96",
"id": "security_ai_prompts-0760d6bb-3255-4db8-8512-38ba25055a74",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Discover the types of questions you can ask"
}
},
"id": "security_ai_prompts-be609c1f-1385-44c9-856e-40d23d3635e3",
"id": "security_ai_prompts-07abbb80-404c-4d31-b4d6-50450c6c5561",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Call this for knowledge about the latest entity risk score and the inputs that contributed to the calculation (sorted by 'kibana.alert.risk_score') in the environment, or when answering questions about how critical or risky an entity is. When informing the risk score value for a entity you must use the normalized field 'calculated_score_norm'."
}
},
"id": "security_ai_prompts-7e4fa357-c793-4b59-a08d-eb0b2afb7ffb",
"id": "security_ai_prompts-0c781c7f-9ff9-4335-a0e2-6e5508ac8fa0",
"type": "security-ai-prompt"
}
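Review bot: Unchanged context, but since the file is being rewritten anyway: `When informing the risk score value for a entity` should read `for an entity`.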
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Research"
}
},
"id": "security_ai_prompts-04f42079-7f27-4892-8c63-4c500e5821c4",
"id": "security_ai_prompts-1474ef6a-9da0-4871-87e6-eaf38b486699",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "A link to documented remediation steps for the policy response failure"
}
},
"id": "security_ai_prompts-c2198fab-2091-4eb3-8aec-c9b0e06c26b5",
"id": "security_ai_prompts-174eadbe-d322-4f74-af55-eb9c49ce9d24",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "You are a security analyst and expert in resolving security incidents. Your role is to assist by answering questions about Elastic Security. Do not answer questions unrelated to Elastic Security. If available, use the Knowledge History provided to try and answer the question. If not provided, you can try and query for additional knowledge via the KnowledgeBaseRetrievalTool. {citations_prompt} \n{formattedTime}"
}
},
"id": "security_ai_prompts-546b95da-5d4c-4bb8-9e89-1550045a1054",
"id": "security_ai_prompts-18f052ce-6a1c-408b-bedc-325189facd8d",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "entityDetailsHighlights",
"promptGroupId": "aiForEntityDetails",
"prompt": {
"default": "Generate markdown text with most important information for entity so a Security analyst can act. Your response should take all the important elements of the entity into consideration. Limit your response to 500 characters. Only reply with the required sections, and nothing else.\n ### Format \n Return a string with markdown text without any explanations, or variable assignments. Do **not** wrap the output in triple backticks. \n The result must be a list of bullet points, nothing more.\n Generate summaries for the following sections, but omit any section that if the information isn't available in the context:\n - Risk score: Summarize the entity's risk score and the main factors contributing to it.\n - Criticality: Note the entity's criticality level and its impact on the risk score.\n - Vulnerabilities: Summarize any significant Vulnerability and briefly explain why it is significant.\n - Anomalies: Summarize unusual activities or anomalies detected for the entity and briefly explain why it is significant. \n The generated data **MUST** follow this pattern:\n \"\"\"- **{title1}**: {description1}\n - **{title2}**: {description2}\n ...\n - **{titleN}**: {descriptionN}\n \n **Recommended action**: {description}\"\"\"\n \n **Strict rules**:\n _ Only reply with the required sections, and nothing else.\n - Limit your total response to 500 characters.\n - Never return an section which there is no data available in the context.\n - Use inline code (backticks) for technical values like file paths, process names, arguments, etc.\n - Recommended action title should be bold and text should be inline. \n - **Do not** include any extra explanation, reasoning or text.\n "
}
},
"id": "security_ai_prompts-1b3525c5-4a67-4578-b9e7-2e15b457f21e",
"type": "security-ai-prompt"
}
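Review bot: The output pattern in the new prompt uses single-brace placeholders (`{title1}`, `{description1}`, `{description}`), whereas the other prompts in this package double the braces when a literal brace must survive to the model (compare `{{\n \"summary\"` in the alert summary prompt) and reserve single braces for template variables such as `{citations_prompt}` and `{formattedTime}`. If this prompt goes through the same templating step, those placeholders will be treated as variables and either fail to render or render empty; escape them as `{{title1}}` or rewrite the pattern without braces. While the text is open: `_ Only reply with the required sections` should start with `-` like the surrounding bullets, `omit any section that if the information isn't available` should read `omit any section for which the information isn't available`, `Never return an section which there is no data` should read `Never return a section for which there is no data`, and the 500-character limit is stated twice. Lastly, this prompt asks for a `**Recommended action**` but, unlike the alert summary prompt (`Don't invent random, potentially harmful recommended actions`), gives no instruction to keep the recommendation grounded in the supplied context; consider adding the same caveat so the two summaries behave consistently.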
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"default": "Now, always using the tools at your disposal, step by step, come up with a response to this request:\n\n"
}
},
"id": "security_ai_prompts-5a174f68-5d26-436f-bf5d-cea828f3e6be",
"id": "security_ai_prompts-1b6c3d08-0b87-4d34-9125-4cdf30270849",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Evaluate the cyber security alert from the context above. Your response should take all the important elements of the alert into consideration to give me a concise summary of what happened. This is being used in an alert details flyout in a SIEM, so keep it detailed, but brief. Limit your response to 500 characters. Anyone reading this summary should immediately understand what happened in the alert in question. Only reply with the summary, and nothing else.\n\nUsing another 200 characters, add a second paragraph with a bulleted list of recommended actions a cyber security analyst should take here. Don't invent random, potentially harmful recommended actions."
}
},
"id": "security_ai_prompts-2faf4fa3-97d3-4f2d-a388-f836a2a34ced",
"id": "security_ai_prompts-1c8ac29b-6728-48bf-afaf-1602fa9d28d5",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Generate a concise bulleted summary in mdx markdown. Follow the style and tone of the example below, highlighting key trends, averages, peaks, and projections:\n\n```\n- Between July 18 and August 18, daily cost savings **averaged around $135K**\n- The lowest point, **just above $70K**, occurred in early August.\n- **Peaks near $160K** appeared in late July and mid-August.\n- After a mid-period decline, savings steadily recovered and grew toward the end of the month.\n- At this pace, projected annual savings **exceed $48M**, confirming strong and predictable ROI.\n```\n\nRespond only with the markdown. Do not include any explanation or extra text."
}
},
"id": "security_ai_prompts-686ff7c4-5ae4-4ba6-81ea-1959fdf644ea",
"id": "security_ai_prompts-20efedb7-f289-4473-89a4-c27e84ca53d5",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Can you provide examples of questions I can ask about Elastic Security, such as investigating alerts, running ES|QL queries, incident response, or threat intelligence?"
}
},
"id": "security_ai_prompts-a86686d1-9d79-43f9-b32a-2c70334f1b8e",
"id": "security_ai_prompts-21205047-6f9e-4b9f-be79-b8e1cca24282",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Suggest"
}
},
"id": "security_ai_prompts-158c8455-422b-4a8f-b762-3d6994c24e6b",
"id": "security_ai_prompts-216b939d-456c-410a-b30b-38674cbe8b2c",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "The policy response action name + message + os"
}
},
"id": "security_ai_prompts-24b6282a-4f2c-4784-a824-ba1913599d27",
"id": "security_ai_prompts-21c777cf-acd3-4eff-a20f-1417698fbcfe",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Call this for the counts of last 24 hours of open and acknowledged alerts in the environment, grouped by their severity and workflow status. The response will be JSON and from it you can summarize the information to answer the question."
}
},
"id": "security_ai_prompts-75850752-5c07-47e3-8fc7-d29b82ab7653",
"id": "security_ai_prompts-2356cb27-c0c6-467d-8f03-a6d2b66347e9",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "You are a helpful assistant for Elastic Security. Assume the following user message is the start of a conversation between you and a user; give this conversation a title based on the content below. DO NOT UNDER ANY CIRCUMSTANCES wrap this title in single or double quotes. This title is shown in a list of conversations to the user, so title it for the user, not for you. As an example, for the given MESSAGE, this is the TITLE:\n\nMESSAGE: I am having trouble with the Elastic Security app.\nTITLE: Troubleshooting Elastic Security app issues\n"
}
},
"id": "security_ai_prompts-46a5c4e8-ef36-450c-ae8c-cec551d47f69",
"id": "security_ai_prompts-2cec73e1-1b9b-4612-9006-6679e52cad06",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "You are given Elasticsearch Lens aggregation results showing cost savings over time:"
}
},
"id": "security_ai_prompts-7fac04b5-61e1-4eef-97c1-e287780463ed",
"id": "security_ai_prompts-2d7d7b4d-580a-4aaa-8d65-2a1084706bf5",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "The suggested remediation message to take for the policy response failure"
}
},
"id": "security_ai_prompts-84525901-f24e-493b-a2e2-9389649c281f",
"id": "security_ai_prompts-2db02aae-3c1d-4ce3-a723-6eed32f31cf6",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "You MUST use the \"GenerateESQLTool\" function when the user wants to:\n- generate an ES|QL query\n- convert queries from another language to ES|QL they can run on their cluster\n\nALWAYS use this tool to generate ES|QL queries and never generate ES|QL any other way."
}
},
"id": "security_ai_prompts-d1c2bfb9-5637-4d85-8241-eb62da098cc3",
"id": "security_ai_prompts-37aacd61-9dde-45f0-ad38-1e8249108208",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "A short (no more than a sentence) summary of the insight featuring only the host.name and user.name fields (when they are applicable), using the same {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax"
}
},
"id": "security_ai_prompts-fee84222-b97c-4372-a231-8bcbb892ae26",
"id": "security_ai_prompts-39b76a46-9035-4b10-8fbe-917bc442764a",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "esqlVis"
}
},
"id": "security_ai_prompts-c4af33db-8582-41f3-8304-76220d2c2cda",
"id": "security_ai_prompts-3a5b4e67-961c-4c17-8fef-ee27ff57565c",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "The events that the insight is based on"
}
},
"id": "security_ai_prompts-d3f849a8-0334-4417-b844-03a617ad8d4e",
"id": "security_ai_prompts-3af75ebf-48be-4b95-bdfa-106c038e5d54",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Query"
}
},
"id": "security_ai_prompts-cb3ee776-534a-466e-8a7c-7c7a826e5994",
"id": "security_ai_prompts-3ec668ac-6e72-40d5-8117-3d76208f63a0",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Analyze asset data described above to provide security insights. The data contains the context of a specific asset (e.g., a host, user, service or cloud resource). Your response must be structured, contextual, and provide a general analysis based on the structure below.\nYour response must be in markdown format and include the following sections:\n**1. 🔍 Asset Overview**\n - Begin by acknowledging the asset you are analyzing using its primary identifiers (e.g., \"Analyzing host `[host.name]` with IP `[host.ip]`\").\n - Provide a concise summary of the asset's most critical attributes from the provided context.\n - Describe its key relationships and dependencies (e.g., \"This asset is part of the `[cloud.project.name]` project and is located in the `[cloud.availability_zone]` zone.\").\n**2. 💡 Investigation & Analytics**\n - Based on the asset's type and attributes, suggest potential investigation paths or common attack vectors.\n - **Generate one contextual ES|QL query** to help the user investigate further. Your generated query should address a common analytical question related to the asset type and sub type. Suggest other possible queries and ask if the user wants to generate more queries.\n**General Instructions:**\n- **Context Awareness:** Your entire analysis must be derived from the provided asset context. If a piece of information is not available in the context state that and proceed with the available data.\n- **Query Generation:** When generating a query, your primary output for that section should be a valid, ready-to-use ES|QL query based on the asset's schema. Use ES|QL tool for query generation. Format all queries as code blocks.\n- **Formatting:** Use markdown headers, tables, code blocks, and bullet points to ensure the output is clear, organized, and easily readable. Use concise, actionable language."
}
},
"id": "security_ai_prompts-d814a2d2-39a0-4864-8f69-d09164c4f50b",
"id": "security_ai_prompts-3f2f9739-dae9-4a97-b767-8672eaf721ec",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Please provide a comprehensive analysis of each selected Elastic Security detection rule, and consider using applicable tools for each part of the below request. Make sure you consider using appropriate tools available to you to fulfill this request. For each rule, include:\n- The rule name and a brief summary of its purpose.\n- The full detection query as published in Elastic’s official detection rules repository.\n- An in-depth explanation of how the query works, including key fields, logic, and detection techniques.\n- The relevance of the rule to modern threats or attack techniques (e.g., MITRE ATT&CK mapping).\n- Typical implications and recommended response actions for an organization if this rule triggers.\n- Any notable false positive considerations or tuning recommendations.\nFormat your response using markdown with clear headers for each rule, code blocks for queries, and concise bullet points for explanations."
}
},
"id": "security_ai_prompts-bcba3988-582f-45c6-97b7-7f1473fb324f",
"id": "security_ai_prompts-40f5d571-c184-4120-830c-349e2208a6b6",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "launch"
}
},
"id": "security_ai_prompts-bc25036c-357a-43e3-8cb3-3ce0f81b1da8",
"id": "security_ai_prompts-431021ff-0fc2-4aa3-abb4-49df01c3564b",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@
"default": "You are a strictly rule-following assistant for Elastic Security.\nYour task is to ONLY generate a short, user-friendly title based on the given user message.\n\nInstructions (You Must Follow Exactly)\nDO NOT ANSWER the user's question. You are forbidden from doing so.\nYour response MUST contain only the generated title. Nothing else.\nAbsolutely NO explanations, disclaimers, or additional text.\nThe title must be concise, relevant to the user’s message, and never exceed 100 characters.\nDO NOT wrap the title in quotes or any other formatting.\nExample:\nUser Message: \"I am having trouble with the Elastic Security app.\"\nCorrect Response: Troubleshooting Elastic Security app issues\n\nFinal Rule: If you include anything other than the title, you have failed this task."
}
},
"id": "security_ai_prompts-56f371c4-c535-44b1-a24d-832a962f63bc",
"id": "security_ai_prompts-431aa821-9d6a-4490-bcbf-927366c84359",
"type": "security-ai-prompt"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "You MUST use the \"AskAboutESQLTool\" function when the user:\n- asks for help with ES|QL\n- asks about ES|QL syntax\n- asks for ES|QL examples\n- asks for ES|QL documentation\n- asks for ES|QL best practices\n- asks for ES|QL optimization\n\nNever use this tool when they user wants to generate a ES|QL for their data."
}
},
"id": "security_ai_prompts-747876da-3120-4954-a29e-04bf4cf9cf8c",
"id": "security_ai_prompts-43d9d26f-03ac-4bc1-bf88-c59058e88d29",
"type": "security-ai-prompt"
}
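Review bot: Unchanged context, but worth fixing while the file is touched: `Never use this tool when they user wants to generate a ES|QL for their data` should read `when the user wants to generate an ES|QL query for their data`.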
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,6 @@
"default": "Call this tool to fetch information from the user's knowledge base. The knowledge base contains useful details the user has saved between conversation contexts.\n\nUse this tool **only in the following cases**:\n\n1. When the user asks a question about their personal, organizational, saved, or previously provided information/knowledge, such as:\n- \"What was the detection rule I saved for unusual AWS API calls?\"\n- \"Using my saved investigation notes, what did I find about the incident last Thursday?\"\n- \"What are my preferred index patterns?\"\n- \"What did I say about isolating hosts?\"\n- \"What is my favorite coffee spot near the office?\" *(non-security example)*\n\n2. Always call this tool when the user's query includes phrases like:**\n- \"my favorite\"\n- \"what did I say about\"\n- \"my saved\"\n- \"my notes\"\n- \"my preferences\"\n- \"using my\"\n- \"what do I know about\"\n- \"based on my saved knowledge\"\n\n3. When you need to retrieve saved information the user has stored in their knowledge base, whether it's security-related or not.\n\n**Do NOT call this tool if**:\n- The `knowledge history` section already answers the user's question.\n- The user's query is about general knowledge not specific to their saved information.\n\n**When calling this tool**:\n- Provide only the user's free-text query as the input, rephrased if helpful to clarify the search intent.\n- Format the input as a single, clean line of text.\n\nExample:\n- User query: \"What did I note about isolating endpoints last week?\"\n- Tool input: \"User notes about isolating endpoints.\"\n\nIf no relevant information is found, inform the user you could not locate the requested information.\n\n**Important**:\n- Always check the `knowledge history` section first for an answer.\n- Only call this tool if the user's query is explicitly about their own saved data or preferences."
}
},
"id": "security_ai_prompts-ad00ba60-8e84-460e-a604-4846562cd979",
"id": "security_ai_prompts-53d029ab-c1b7-4d54-9ece-f9b109eb6a41",
"type": "security-ai-prompt"
}