[8.x] [Security Solution] [Attack discovery] Fixes intermittent refinement step error (#215816) #215966

Merged
merged 1 commit into from
Mar 26, 2025


kibanamachine

Backport

This will backport the following commits from main to 8.x:

Questions?

Please refer to the Backport tool documentation

…step error (elastic#215816)

## [Security Solution] [Attack discovery] Fixes intermittent refinement step error

This PR updates the refine prompt to fix the following intermittent error, which sometimes occurs during the refine step in the Attack discovery Langchain graph:

```
refine node is unable to parse (gemini) response from attempt 1; (this may be an incomplete response from the model): [
  {
    "code": "invalid_type",
    "expected": "object",
    "received": "array",
    "path": [],
    "message": "Expected object, received array"
  }
]
```

The fix wraps the input to the refine prompt with an opening / closing `json` codeblock, in an object with an `insights` key:

````
"""
```json
{
  "insights": [
    // ...
  ]
}
```
"""
````

### Desk testing

1. Navigate to Security > Attack discovery

2. Click the `Generate` button to generate Attack discoveries

3. When generation completes, open the entry for the completed run in LangGraph

4. In the LangGraph waterfall, click on the `ActionsClientLlm` entry for the `refine` step

**Expected result**

The input to the refine prompt is wrapped with an opening / closing `json` codeblock, in an object with an `insights` key, as illustrated by the following screenshot and example:

![langgraph](https://github.com/user-attachments/assets/d1ec75f9-4201-4ade-a876-170fab41f89b)

````
// ...
- Conform exactly to the JSON schema defined earlier
- Do not include explanatory text outside the JSON

"""
```json
{
  "insights": [
  {
    "alertIds": [
      "086469904a1ba57f4114466af23bbe2d0c62dde193a2fd4afd4ba3c4b4fc079f",
      "21ca4e4f082fd68ae2ad9a953fb5cfc9395a1769602011684750e95b36a79a99",
      "7a816e5db9464fcea1ba44ad28f4256e1fce079336bd9c32c9933c12fcdeb901",
      "986503ca78da6496646564a467e5aee9bf7fbb347bf0b017f3a57475f3546fa3"
    ],
    "detailsMarkdown": "- A malicious OneNote file was opened on {{ host.name 23466d50-b193-46cc-86f0-f6dd65902a73 }}\n- This triggered the execution of a suspicious Go application: {{ process.name My Go Application.app }}\n- The Go application then launched a malicious binary {{ file.name unix1 }} located at {{ file.path /Users/james/unix1 }}\n- The malicious binary attempted to access the user's keychain at {{ process.command_line /Users/james/unix1 /Users/james/library/Keychains/login.keychain-db TempTemp1234!! }}\n- Multiple alerts were generated for this malware execution chain",
    "mitreAttackTactics": [
      "Initial Access",
      "Execution",
      "Credential Access"
    ],
    "summaryMarkdown": "A malicious OneNote attachment was opened, leading to the execution of malware on {{ host.name 23466d50-b193-46cc-86f0-f6dd65902a73 }}. The malware was detected as it attempted to access sensitive system files.",
    "title": "Malware Execution from OneNote Attachment",
    "timestamp": "2025-03-25T03:16:20.526Z"
  },
  // ...
]
}
```
"""
````

(cherry picked from commit 1d457e4)
@kibanamachine kibanamachine merged commit 39af858 into elastic:8.x Mar 26, 2025
11 checks passed
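
The following TypeScript is an added example, not code from this PR or from Kibana: it wraps insights the way the description above shows and parses a response against a top-level-object expectation, reproducing the "Expected object, received array" message when a bare array comes back. The names `wrapInsightsForRefine`, `extractJson`, `isInsight` and `parseRefineResponse` and the sample data are assumptions; the graph's real schema validation is not shown on this page.

```typescript
// Added example: not Kibana code. All names below are hypothetical.
interface Insight { alertIds: string[]; title: string; [key: string]: unknown }
type ParseResult = { ok: true; insights: Insight[] } | { ok: false; error: string };
const FENCE = '`'.repeat(3); // built at runtime so this listing's own fence stays intact

// Constructed sample data (not taken from the PR).
const CONSTRUCTED_INSIGHTS: Insight[] = [
  { alertIds: ['constructed-alert-1', 'constructed-alert-2'], title: 'Constructed insight' },
];

// Wrap the refine input as the PR describes: an object with an `insights`
// key, inside an opening / closing json code block.
function wrapInsightsForRefine(insights: Insight[]): string {
  const body = JSON.stringify({ insights }, null, 2);
  return ['"""', FENCE + 'json', body, FENCE, '"""'].join('\n');
}

// Pull the JSON text out of a fenced block; fall back to the raw text.
function extractJson(text: string): string {
  const open = text.indexOf(FENCE + 'json');
  if (open === -1) return text.trim();
  const start = open + FENCE.length + 'json'.length;
  const close = text.indexOf(FENCE, start);
  return (close === -1 ? text.slice(start) : text.slice(start, close)).trim();
}

// Minimal per-item check: a string title and an array of string alert ids.
function isInsight(v: unknown): v is Insight {
  if (typeof v !== 'object' || v === null) return false;
  const o = v as Record<string, unknown>;
  return typeof o.title === 'string' && Array.isArray(o.alertIds) &&
    o.alertIds.every((id) => typeof id === 'string');
}

// Accept only a top-level object with an `insights` array; report anything else.
function parseRefineResponse(text: string): ParseResult {
  let value: unknown;
  try {
    value = JSON.parse(extractJson(text));
  } catch {
    return { ok: false, error: 'Invalid JSON (possibly an incomplete response)' };
  }
  if (Array.isArray(value)) return { ok: false, error: 'Expected object, received array' };
  if (typeof value !== 'object' || value === null) return { ok: false, error: 'Expected object' };
  const insights = (value as Record<string, unknown>).insights;
  if (!Array.isArray(insights) || !insights.every(isInsight)) {
    return { ok: false, error: 'Expected an insights array of valid items' };
  }
  return { ok: true, insights };
}
```

Returning a typed error instead of throwing lets a caller log the rejected shape and retry the step without passing unvalidated model output downstream.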
@elasticmachine

💚 Build Succeeded

Metrics [docs]

✅ unchanged

cc @andrew-goldstein
