feat(security): bulk add alerts to chat

Adds a "Add to chat" bulk action to the Kibana alerts table toolbar,
allowing analysts to select multiple security alerts and send them to
the Agent Builder AI chat in a single click.

- security.alerts attachment type with server-side ES fetch (space-scoped)
- alertsToAttachmentGroup helper chunks selections into batches of 20
- Bulk action wired across all 4 surfaces: Alerts page, Cases, Rule
  Details, and Attack Discovery
- disableOnQuery: true prevents use with "Select all N" query mode
- alert_count EBT telemetry event
- Scout E2E test and kbn-evals-suite-security-alert-triage eval package

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jonwalstedt

.buildkite/pipelines/evals/evals.suites.json

@@ -202,6 +202,14 @@
       "configPath": "x-pack/solutions/security/packages/kbn-evals-suite-security-esql-generation-regression/playwright.config.ts",
       "tags": ["security", "esql-generation"],
       "ciLabels": ["evals:security-esql-generation-regression"]
+    },
+    {
+      "id": "security-alert-triage",
+      "name": "Security Alert Triage",
+      "slackChannel": "#security-generative-ai-evals",
+      "configPath": "x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage/playwright.config.ts",
+      "tags": ["security", "alert-triage"],
+      "ciLabels": ["evals:security-alert-triage"]
     }
   ]
 }

.github/CODEOWNERS

@@ -1330,6 +1330,7 @@ x-pack/solutions/security/packages/kbn-evals-suite-endpoint @elastic/security-de
 x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics @elastic/security-entity-analytics
 x-pack/solutions/security/packages/kbn-evals-suite-pci-compliance @elastic/security-defend-workflows
 x-pack/solutions/security/packages/kbn-evals-suite-security-ai-rules @elastic/security-detection-engine
+x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage @elastic/security-threat-hunting
 x-pack/solutions/security/packages/kbn-evals-suite-security-automatic-migrations @elastic/security-threat-hunting
 x-pack/solutions/security/packages/kbn-evals-suite-security-esql-generation-regression @elastic/security-detection-platform
 x-pack/solutions/security/packages/kbn-scout-security @elastic/appex-qa @elastic/security-engineering-productivity

package.json

@@ -1750,6 +1750,7 @@
     "@kbn/evals-suite-observability-ai": "link:x-pack/solutions/observability/packages/kbn-evals-suite-observability-ai",
     "@kbn/evals-suite-pci-compliance": "link:x-pack/solutions/security/packages/kbn-evals-suite-pci-compliance",
     "@kbn/evals-suite-security-ai-rules": "link:x-pack/solutions/security/packages/kbn-evals-suite-security-ai-rules",
+    "@kbn/evals-suite-security-alert-triage": "link:x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage",
     "@kbn/evals-suite-security-automatic-migrations": "link:x-pack/solutions/security/packages/kbn-evals-suite-security-automatic-migrations",
     "@kbn/evals-suite-security-esql-generation-regression": "link:x-pack/solutions/security/packages/kbn-evals-suite-security-esql-generation-regression",
     "@kbn/evals-suite-significant-events": "link:x-pack/platform/packages/shared/kbn-evals-suite-significant-events",

tsconfig.base.json

@@ -1228,6 +1228,8 @@
       "@kbn/evals-suite-pci-compliance/*": ["x-pack/solutions/security/packages/kbn-evals-suite-pci-compliance/*"],
       "@kbn/evals-suite-security-ai-rules": ["x-pack/solutions/security/packages/kbn-evals-suite-security-ai-rules"],
       "@kbn/evals-suite-security-ai-rules/*": ["x-pack/solutions/security/packages/kbn-evals-suite-security-ai-rules/*"],
+      "@kbn/evals-suite-security-alert-triage": ["x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage"],
+      "@kbn/evals-suite-security-alert-triage/*": ["x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage/*"],
       "@kbn/evals-suite-security-automatic-migrations": ["x-pack/solutions/security/packages/kbn-evals-suite-security-automatic-migrations"],
       "@kbn/evals-suite-security-automatic-migrations/*": ["x-pack/solutions/security/packages/kbn-evals-suite-security-automatic-migrations/*"],
       "@kbn/evals-suite-security-esql-generation-regression": ["x-pack/solutions/security/packages/kbn-evals-suite-security-esql-generation-regression"],

x-pack/platform/packages/shared/response-ops/alerts-table/components/alerts_data_grid.tsx

@@ -80,6 +80,7 @@ export const AlertsDataGrid = typedMemo(
       cellActionsOptions,
       pageSizeOptions = DEFAULT_PAGE_SIZE_OPTIONS,
       height,
+      bulkAddToChatConfig,
       ...euiDataGridProps
     } = props;
     const {
@@ -98,7 +99,14 @@ export const AlertsDataGrid = typedMemo(
       refresh: refreshQueries,
       columns,
       dataGridRef,
-      services: { http, notifications, application, cases: casesService, settings },
+      services: {
+        http,
+        notifications,
+        application,
+        cases: casesService,
+        agentBuilder: agentBuilderService,
+        settings,
+      },
     } = renderContext;
 
     const { colorMode, euiTheme } = useEuiTheme();
@@ -126,6 +134,8 @@ export const AlertsDataGrid = typedMemo(
       notifications,
       application,
       casesService,
+      agentBuilderService,
+      bulkAddToChatConfig,
     });
 
     const refresh = useCallback(() => {

x-pack/platform/packages/shared/response-ops/alerts-table/hooks/use_bulk_actions.test.tsx

@@ -15,12 +15,13 @@ import { AlertsQueryContext } from '@kbn/alerts-ui-shared/src/common/contexts/al
 import {
   useBulkActions,
   useBulkAddToCaseActions,
+  useBulkAddToChatActions,
   useBulkUntrackActions,
   useBulkMuteActions,
 } from './use_bulk_actions';
 import { createCasesServiceMock } from '../mocks/cases.mock';
 import { BulkActionsVerbs, type PublicAlertsDataGridProps } from '../types';
-import type { AdditionalContext, RenderContext } from '../types';
+import type { AdditionalContext, OpenChatService, RenderContext, TimelineItem } from '../types';
 import { useAlertsTableContext } from '../contexts/alerts_table_context';
 import { createPartialObjectMock, testQueryClientConfig } from '../utils/test';
 import { applicationServiceMock } from '@kbn/core-application-browser-mocks';
@@ -427,6 +428,97 @@ describe('bulk action hooks', () => {
     });
   });
 
+  describe('useBulkAddToChatActions', () => {
+    const mockOpenChat = jest.fn();
+    const agentBuilderService: OpenChatService = { openChat: mockOpenChat };
+    const mockAttachments = [{ type: 'security.alerts', data: { alertIds: ['id1'] } }];
+    const convertAlertToAttachment = jest.fn().mockReturnValue(mockAttachments);
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+    });
+
+    it('returns empty array when agentBuilderService is not provided', () => {
+      const { result } = renderHook(
+        () =>
+          useBulkAddToChatActions({
+            bulkAddToChatConfig: { convertAlertToAttachment },
+          }),
+        { wrapper }
+      );
+
+      expect(result.current).toEqual([]);
+    });
+
+    it('returns empty array when bulkAddToChatConfig is not provided', () => {
+      const { result } = renderHook(() => useBulkAddToChatActions({ agentBuilderService }), {
+        wrapper,
+      });
+
+      expect(result.current).toEqual([]);
+    });
+
+    it('returns the add-to-chat action when both service and config are provided', () => {
+      const { result } = renderHook(
+        () =>
+          useBulkAddToChatActions({
+            agentBuilderService,
+            bulkAddToChatConfig: { convertAlertToAttachment },
+          }),
+        { wrapper }
+      );
+
+      expect(result.current).toHaveLength(1);
+      expect(result.current[0].key).toBe('bulk-add-to-chat');
+      expect(result.current[0]['data-test-subj']).toBe('bulk-add-to-chat');
+    });
+
+    it('calls openChat with converted attachments when the action is clicked', () => {
+      const alerts: TimelineItem[] = [
+        { _id: 'id1', _index: 'idx', data: [], ecs: { _id: 'id1', _index: 'idx' } },
+      ];
+
+      const { result } = renderHook(
+        () =>
+          useBulkAddToChatActions({
+            agentBuilderService,
+            bulkAddToChatConfig: { convertAlertToAttachment },
+          }),
+        { wrapper }
+      );
+
+      result.current[0].onClick(alerts);
+
+      expect(convertAlertToAttachment).toHaveBeenCalledWith(alerts);
+      expect(mockOpenChat).toHaveBeenCalledWith({
+        autoSendInitialMessage: false,
+        newConversation: true,
+        initialMessage: undefined,
+        attachments: mockAttachments,
+      });
+    });
+
+    it('passes initialMessage to openChat', () => {
+      const { result } = renderHook(
+        () =>
+          useBulkAddToChatActions({
+            agentBuilderService,
+            bulkAddToChatConfig: {
+              convertAlertToAttachment,
+              initialMessage: 'Please triage these alerts.',
+            },
+          }),
+        { wrapper }
+      );
+
+      result.current[0].onClick([]);
+
+      expect(mockOpenChat).toHaveBeenCalledWith(
+        expect.objectContaining({ initialMessage: 'Please triage these alerts.' })
+      );
+    });
+  });
+
   describe('useBulkUntrackActions', () => {
     beforeEach(() => {
       jest.clearAllMocks();

x-pack/platform/packages/shared/response-ops/alerts-table/hooks/use_bulk_actions.ts

@@ -23,12 +23,15 @@ import type {
   BulkActionsReducerAction,
   TimelineItem,
   BulkEditTagsFlyoutState,
+  BulkAddToChatConfig,
+  OpenChatService,
 } from '../types';
 import { BulkActionsVerbs } from '../types';
 import type { CasesService, PublicAlertsDataGridProps } from '../types';
 import {
   ADD_TO_EXISTING_CASE,
   ADD_TO_NEW_CASE,
+  ADD_TO_CHAT,
   ALERTS_ALREADY_ATTACHED_TO_CASE,
   EDIT_TAGS,
   MARK_AS_UNTRACKED,
@@ -49,6 +52,8 @@ interface BulkActionsProps {
   hideBulkActions?: boolean;
   application: ApplicationStart;
   casesService?: CasesService;
+  agentBuilderService?: OpenChatService;
+  bulkAddToChatConfig?: BulkAddToChatConfig;
   http: HttpStart;
   notifications: NotificationsStart;
 }
@@ -408,6 +413,43 @@ export const useBulkMuteActions = ({
   );
 };
 
+export const useBulkAddToChatActions = ({
+  agentBuilderService,
+  bulkAddToChatConfig,
+}: {
+  agentBuilderService?: OpenChatService;
+  bulkAddToChatConfig?: BulkAddToChatConfig;
+}) => {
+  const { convertAlertToAttachment, initialMessage } = bulkAddToChatConfig ?? {};
+
+  const onAddToChatClick = useCallback(
+    (alerts?: TimelineItem[]) => {
+      if (!agentBuilderService || !convertAlertToAttachment) return;
+      agentBuilderService.openChat({
+        autoSendInitialMessage: false,
+        newConversation: true,
+        initialMessage,
+        attachments: convertAlertToAttachment(alerts ?? []),
+      });
+    },
+    [agentBuilderService, convertAlertToAttachment, initialMessage]
+  );
+
+  return useMemo(() => {
+    if (!agentBuilderService || !convertAlertToAttachment) return [];
+    return [
+      {
+        label: ADD_TO_CHAT,
+        key: 'bulk-add-to-chat',
+        disableOnQuery: true,
+        disabledLabel: ADD_TO_CHAT,
+        'data-test-subj': 'bulk-add-to-chat',
+        onClick: onAddToChatClick,
+      },
+    ];
+  }, [agentBuilderService, convertAlertToAttachment, onAddToChatClick]);
+};
+
 const EMPTY_BULK_ACTIONS_CONFIG: BulkActionsPanelConfig[] = [];
 
 export function useBulkActions({
@@ -422,6 +464,8 @@ export function useBulkActions({
   notifications,
   application,
   casesService,
+  agentBuilderService,
+  bulkAddToChatConfig,
 }: BulkActionsProps): UseBulkActions {
   const {
     bulkActionsStore: [bulkActionsState, updateBulkActionsState],
@@ -491,16 +535,29 @@ export function useBulkActions({
           },
         ];
   }, [tagsAction, application?.capabilities]);
+  const addToChatActions = useBulkAddToChatActions({
+    agentBuilderService,
+    bulkAddToChatConfig,
+  });
 
   const initialItems = useMemo(() => {
     const isSiem = ruleTypeIds?.some(isSiemRuleType);
     return [
       ...caseBulkActions,
+      ...(agentBuilderService ? addToChatActions : []),
       ...(isSiem ? [] : untrackBulkActions),
       ...(isSiem ? [] : tagsBulkActions),
       ...(isSiem ? [] : muteBulkActions),
     ];
-  }, [caseBulkActions, ruleTypeIds, untrackBulkActions, tagsBulkActions, muteBulkActions]);
+  }, [
+    caseBulkActions,
+    ruleTypeIds,
+    untrackBulkActions,
+    tagsBulkActions,
+    muteBulkActions,
+    addToChatActions,
+    agentBuilderService,
+  ]);
 
   const bulkActions = useMemo(() => {
     if (hideBulkActions) {

x-pack/platform/packages/shared/response-ops/alerts-table/translations.ts

@@ -251,6 +251,10 @@ export const ADD_TO_EXISTING_CASE = i18n.translate(
   }
 );
 
+export const ADD_TO_CHAT = i18n.translate('xpack.responseOpsAlertsTable.actions.addChat', {
+  defaultMessage: 'Add to chat',
+});
+
 export const ADD_TO_NEW_CASE = i18n.translate('xpack.responseOpsAlertsTable.actions.addToNewCase', {
   defaultMessage: 'Add to new case',
 });

x-pack/platform/packages/shared/response-ops/alerts-table/types.ts

@@ -43,6 +43,33 @@ import type { SetRequired } from 'type-fest';
 import type { MaintenanceWindow } from '@kbn/maintenance-windows-plugin/common';
 import type { FieldFormatsStart } from '@kbn/field-formats-plugin/public';
 import type { DataPublicPluginStart } from '@kbn/data-plugin/public';
+
+/**
+ * A single conversation attachment or a group of attachments.
+ * Defined structurally here to avoid a compile-time dependency on agent-builder packages.
+ */
+export type ConversationAttachmentInput =
+  | { type: string; data?: unknown; hidden?: boolean }
+  | { type: 'group'; id: string; label: string; items: Array<{ type: string; data?: unknown }> };
+
+/**
+ * Minimal structural interface for the chat service required by the alerts table.
+ * Using a local structural type avoids a compile-time dependency on agent-builder packages
+ * from this shared platform package.
+ */
+export interface OpenChatService {
+  openChat(options?: {
+    attachments?: ConversationAttachmentInput[];
+    newConversation?: boolean;
+    initialMessage?: string;
+    autoSendInitialMessage?: boolean;
+  }): void;
+}
+
+export interface BulkAddToChatConfig {
+  convertAlertToAttachment: (alerts: TimelineItem[]) => ConversationAttachmentInput[];
+  initialMessage?: string;
+}
 import type { FieldBrowserOptions } from '@kbn/response-ops-alerts-fields-browser';
 import type { MutedAlerts } from '@kbn/response-ops-alerts-apis/types';
 import type { NotificationsStart } from '@kbn/core-notifications-browser';
@@ -411,6 +438,14 @@ export interface AlertsTableProps<AC extends AdditionalContext = AdditionalConte
    * @default new LocalStorageWrapper(window.localStorage)
    */
   configurationStorage?: IStorageWrapper | null;
+
+  /**
+   * Configuration for the bulk "Add to chat" action. When provided, a bulk
+   * action will appear in the table allowing users to add selected alerts to
+   * the Agent Builder chat.
+   */
+  bulkAddToChatConfig?: BulkAddToChatConfig;
+
   /**
    * Show a CSV export button in the toolbar. The button exports all alerts matching
    * the current filters using the reporting CSV endpoint.
@@ -438,6 +473,7 @@ export interface AlertsTableProps<AC extends AdditionalContext = AdditionalConte
      * The cases service is optional: cases features will be disabled if not provided
      */
     cases?: CasesService;
+    agentBuilder?: OpenChatService;
   };
 }
 
@@ -613,6 +649,7 @@ export interface AlertsDataGridProps<AC extends AdditionalContext = AdditionalCo
   extends PublicAlertsDataGridProps,
     Pick<EuiDataGridProps, 'columnVisibility'> {
   renderContext: RenderContext<AC>;
+  bulkAddToChatConfig?: BulkAddToChatConfig;
   additionalToolbarControls?: ReactNode;
   pageSizeOptions?: number[];
   leadingControlColumns?: EuiDataGridControlColumn[];

x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage/.eslintrc.js

@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/** @type {import('eslint').Linter.Config} */
+module.exports = {
+  overrides: [
+    // This package is Node-only (Playwright eval suite). Allow Node.js builtins.
+    {
+      files: ['**/*.{js,mjs,ts,tsx}'],
+      rules: {
+        'import/no-nodejs-modules': 'off',
+        // functional-tests packages intentionally import from test-helper packages (e.g. @kbn/evals, @kbn/scout)
+        '@kbn/imports/no_boundary_crossing': 'off',
+      },
+    },
+  ],
+};