[Security Solution] Bulk add alerts to Agent Builder chat

[jonwalstedt]

Summary

This PR is extracted from #270286 as the second of two stacked PRs. The first PR contains the needed changes in Agent Builder to support adding several attachments as a single batch to the chat. This followup adds the possibility bulk add Alerts to the chat.

What

Adds an "Add to chat" bulk action to the Kibana alerts table toolbar. Analysts can select up to 20 alerts and send them to the Agent Builder AI chat in a single click, where the agent receives the full alert details and can triage them.

Why

Security analysts frequently need to investigate multiple related alerts together. Switching between the alerts table and the AI chat to copy alert IDs manually is slow and error-prone. This feature closes that gap by making alert context available in chat at the point of investigation.

Stacked PR — depends on #270903 ([Agent Builder] Add AttachmentGroup and group_id to the attachment system). Do not merge this PR before #270903 lands.

Reviewers: to see only the security changes (without the agent-builder foundation), use this diff.

Closes https://github.com/elastic/security-team/issues/17496
Epic: https://github.com/elastic/security-team/issues/17311

Test plan available here

bulk-add-alerts2.mov

Changes

Attachment type

• security.alerts attachment type — server-side ES fetch scoped to the active space, returns full alert source for each selected ID
• get_alerts_by_id tool — fetches alert documents by ID for the agent to reason over
• register_attachments.ts updated to register the new type

Client-side helpers

• alertsToAttachmentGroup helper — chunks selected alert IDs into AttachmentGroup batches (max 20 per group)
• helpers.tsx / helpers.test.tsx — updated to generate the group label and build attachment groups from alert selections

Bulk action wiring (4 surfaces)

• x-pack/packages/response-ops/alerts-table — new addToChat bulk action in use_bulk_actions.ts; disableOnQuery: true prevents use with "Select all N" query mode
• Alerts page (detections/components/alerts_table)
• Cases alerts tab (cases/components/ease/table.tsx)
• Rule Details alerts tab (tabs/alerts_tab/ease/table.tsx)
• Attack Discovery alert summary (components/alert_summary/table/table.tsx)

Telemetry

• alert_count EBT event added to use_report_add_to_chat.ts

Tests

• use_bulk_actions.test.tsx — updated with add-to-chat cases
• table_bulk_add_to_chat.test.tsx ×4 — one per surface
• alerts.test.ts — attachment type server logic
• get_alerts_by_id.test.ts — tool logic
• bulk_add_alerts_to_chat.spec.ts — Scout E2E test
• kbn-evals-suite-security-alert-triage — new eval package with alert_triage_quality.spec.ts and bulk_alerts_attachment_read.spec.ts

Infrastructure

• .buildkite/pipelines/evals/evals.suites.json — registers the new eval suite
• .github/CODEOWNERS — ownership for the new eval package
• tsconfig.base.json, package.json, yarn.lock — new package wiring

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
• Flaky Test Runner was used on any tests changed
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
• Review the backport guidelines and apply applicable backport:* labels.

Identify risks

• Data loss / corruption: None. The feature only reads alert documents from Elasticsearch; it never writes, updates, or deletes data.
• Broken user workflows: Low. The bulk action is gated on isAgentBuilderEnabled so it is invisible in environments without the feature flag. disableOnQuery: true prevents accidental use with "Select all N" (unbounded) query mode, which would otherwise silently truncate to 20 alerts.
• Regressions: Low. Changes to use_bulk_actions.ts in response-ops are additive. Each of the 4 wired surfaces has a dedicated test. The alerts-table package is shared across solutions, but the new action is conditionally rendered.
• Performance: Low. The ES fetch is bounded to the caller-supplied alert IDs (max 20); no query scans. The agent receives alert data via AttachmentGroup which is flattened before being sent to the LLM.
• Hard-to-test: The "Select all N" disable guard is tested at the unit level but not end-to-end across all surfaces — worth noting for QA.

Release note

Adds an "Add to chat" bulk action to the alerts table, enabling analysts to send selected alerts directly to the AI Agent chat for triage.

Suggested label: release_note:feature

[infra-vault-gh-plugin-prod]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[fake-haris]

appex-qa changes LGTM

[tcalopes]

entity analytics changes LGTM

[ymao1]

Entity analytics changes LGTM. Code review only

[enriquesanchez-elastic]

This says "critical PowerShell alert on workstation-42", but the generated critical alert (index 49) is "Memory Injection via Process Hollowing" on laptop-finance-07. Doesn't affect scoring (criteria don't reference it), but it's the reference shown in results — worth correcting so it's not misleading.

[jonwalstedt]

Fixed in 486a151. Updated the expected string to match what index 49 actually generates: "Memory Injection via Process Hollowing" on laptop-finance-07. Also corrected the paired high-severity reference from "network-scanning" (medium) to "lateral-movement" (high, index 1).

[enriquesanchez-elastic]

This converse task is duplicated across both specs. Other eval suites (e.g. entity-analytics) keep it in src/. Worth extracting a shared helper.

[jonwalstedt]

Fixed in 486a151. Extracted the fetch('/api/agent_builder/converse', …) block to src/converse_task.ts as a shared callConverse helper. Both specs now call callConverse({ fetch, connectorId, question, attachments, log }). While at it, also extracted the AttachmentReadCompliance CODE evaluator to src/evaluators.ts so it can be shared between both specs as well (the e2e scenario added to alert_triage_quality.spec.ts needs it too).

[enriquesanchez-elastic]

traceEsClient is threaded through but never used here. Remove?

[jonwalstedt]

Fixed in 486a151. Removed traceEsClient from the createEvaluateAlertBatches parameter type, function destructuring, and fixture call. Also dropped the now-unused EsClient import.

[enriquesanchez-elastic]

Some comments from evals point of view.

The suite registers ciLabels: ["evals:security-alert-triage"] in evals.suites.json, but that label isn't on the PR, so the eval CI gate never triggered. Since evals are non-deterministic and the criteria are LLM-graded, can we add the label and get a green run before merge?

The actual shipped path — bulk → summary mode → attachment_read → triage real alerts — has no end-to-end coverage.
- bulk_alerts_attachment_read.spec.ts hits summary mode (6 batches) but uses synthetic IDs that resolve to "not found", so it only proves the agent calls attachment_read, not that it reasons over what comes back.
- alert_triage_quality.spec.ts uses real data but only 5 batches → inline mode, so attachment_read is never exercised.

No grounding / anti-hallucination criterion. Both datasets only check positive recall ("mentions a critical alert", "names web-server-01"). With 16 real hostnames + procedural rule names, an invented host/rule would pass silently.

[MadameSheema]

🤖 This is the output of the x-pack/solutions/security/plugins/security_solution/.agents/skills/scout-best-practices-reviewer skill, applied to the Scout test files in this PR.

---

Scout Best Practices Review

In scope: bulk_add_alerts_to_chat.spec.ts, fixtures/index.ts, alerts_table.ts (page object additions).
The kbn-evals-suite-security-alert-triage/evals/*.spec.ts files use a custom evaluate fixture framework (not spaceTest), so they are out of scope for this Scout review.

---

🚨 Blocker

• Page objects — raw locator chains and UI interactions directly in spec file
  • Explanation: The Security Solution skill requires all UI interactions to be encapsulated in page object methods. Specs should only contain expect assertions, test.step calls, and page object method invocations. Here, the spec builds locators, traverses the DOM, and calls .check() / .click() inline. The alertsTable.getByTestId('ruleName').filter(...) pattern is also duplicated across both tests.
  • Evidence:
    • bulk_add_alerts_to_chat.spec.ts:86-89 — inline alertsTablePage.alertsTable.getByTestId('ruleName').filter({ hasText: ruleNames[0] }) (duplicated at 156-159)
    • bulk_add_alerts_to_chat.spec.ts:92-95 — alertCheckbox traversal and .check() in spec body
    • bulk_add_alerts_to_chat.spec.ts:175-179, 184 — page.testSubj.locator('agentBuilderConversation'), agentBuilderAttachmentPillsRow, agentBuilderConversationInputEditor, agentBuilderConversationInputSubmitButton all called directly in spec
  • Suggested change: Add a waitForRuleAlert(ruleName: string) method and a checkFirstAlertRow(ruleName: string) method to AlertsTablePage. Create a new AgentBuilderPage page object in kbn-scout-security/src/playwright/fixtures/test/page_objects/ with readonly locators for the conversation panel elements and a sendMessage() method. Register it in the pageObjects fixture.

---

⚠️ Major

• Locator quality — XPath selector in spec

  • Explanation: XPath selectors are fragile and explicitly flagged by the skill as major. The existing AlertsTablePage.openAlertContextMenu() already handles similar DOM traversal via XPath inside the page object — but this new code bypasses it and uses XPath directly in the spec.
  • Evidence: bulk_add_alerts_to_chat.spec.ts:93 — .locator('xpath=ancestor::div[contains(@class,"euiDataGridRow")]')
  • Suggested change: Move this into a page object method, replacing the XPath with CSS: page.locator('div.euiDataGridRow:has([data-test-subj="ruleName"])').filter({ hasText: ruleName }) — or reuse/extend the existing openAlertContextMenu pattern.

• Locator quality — EUI internal CSS class selector

  • Explanation: .euiCheckbox__input is an EUI-internal class that can change between EUI versions, making the test brittle.
  • Evidence: bulk_add_alerts_to_chat.spec.ts:94 — .locator('.euiCheckbox__input')
  • Suggested change: Use getByRole('checkbox') scoped to the row, or find a data-test-subj on the checkbox input.

• Package imports — internal subpath import bypasses public API

  • Explanation: Importing from @kbn/scout-security/src/... couples the spec to the package's internal file structure and breaks if internals are reorganized. Only public entry points should be used.
  • Evidence: bulk_add_alerts_to_chat.spec.ts:11 — import { CUSTOM_QUERY_RULE } from '@kbn/scout-security/src/playwright/constants/detection_rules'
  • Suggested change: Export CUSTOM_QUERY_RULE from @kbn/scout-security's public barrel (index.ts) and import it from '@kbn/scout-security'.

---

📋 Minor

• Tags — missing serverless coverage

  • Explanation: The suite only declares tags.stateful.classic. If the bulk add-to-chat feature is available on Serverless Security, serverless tags should be added. If it's intentionally excluded, a comment should document the reason.
  • Evidence: bulk_add_alerts_to_chat.spec.ts:54 — { tag: [...tags.stateful.classic] }
  • Suggested change: If serverless is supported, add ...tags.serverless.security.complete (and other tiers as applicable). Otherwise add a comment: // Serverless excluded: agent builder feature not yet available on serverless.

• Data cleanup — missing cleanStandardList() and defensive pre-test cleanup

  • Explanation: The Security skill requires scoutSpace.savedObjects.cleanStandardList() as a defensive catch-all in afterEach/afterAll. It also recommends calling the same cleanup methods at the top of beforeEach to handle leftover state from a previous failed run.
  • Evidence: bulk_add_alerts_to_chat.spec.ts:72-75 — afterEach only calls detectionRule.deleteAll() and detectionAlerts.deleteAll()
  • Suggested change:

    spaceTest.afterEach(async ({ apiServices, scoutSpace }) => {
      await apiServices.detectionRule.deleteAll();
      await apiServices.detectionAlerts.deleteAll();
      await scoutSpace.savedObjects.cleanStandardList();
    });

    And at the top of beforeEach, add the same cleanup calls before creating new rules.

• Reuse-first — AGENT_BUILDER_ROLE duplicates WORKFLOW_ENABLED_ROLE

  • Explanation: AGENT_BUILDER_ROLE (lines 20-52) is structurally identical to WORKFLOW_ENABLED_ROLE in run_workflow_action.spec.ts — same ES index list, same privileges, same Kibana base: ['all']. This duplication will need to be kept in sync across both files.
  • Evidence: bulk_add_alerts_to_chat.spec.ts:20-52 vs run_workflow_action.spec.ts:18-50
  • Suggested change: Extract a shared constant (e.g., FULL_KIBANA_SECURITY_ROLE) to a plugin-local file like test/scout/ui/common/roles.ts, and import it in both specs.

---

💡 Nit

• Fixture — static connector name not scoped to space/worker
  • Explanation: The connector name 'scout-llm-proxy' is hardcoded. The teardown filter c.name === 'scout-llm-proxy' is safe today because each worker gets its own space, but scoping the name to scoutSpace.id makes the intent explicit and guards against edge cases.
  • Evidence: fixtures/index.ts:31 — name: 'scout-llm-proxy'
  • Suggested change: name: `scout-llm-proxy-${scoutSpace.id}`

[js-jankisalvi]

Verified response-ops related changes and added few comments, thanks.

[jonwalstedt]

@MadameSheema Thanks for the Scout review — all points addressed in 1c4e3ad:

Blocker — page objects

• Added waitForRuleAlert(ruleName) and checkAlertRowCheckbox(ruleName) to AlertsTablePage — all inline locator chains removed from spec
• Created AgentBuilderPage page object (conversation, attachmentPillsRow, inputEditor, submitButton); registered in SecurityPageObjects; spec now uses agentBuilderPage.* throughout

Major — locator quality

• XPath row traversal moved into checkAlertRowCheckbox() (consistent with existing openAlertContextMenu pattern in the page object)
• .euiCheckbox__input replaced with getByRole('checkbox')
• Internal subpath import fixed: CUSTOM_QUERY_RULE exported from @kbn/scout-security public index.ts; both specs import from '@kbn/scout-security'

Minor — tags: Added comment: // Serverless excluded: agent builder feature not yet available on serverless

Minor — cleanup: Added scoutSpace.savedObjects.cleanStandardList() to afterEach and defensive deleteAll calls at top of beforeEach

Minor — shared role: Extracted FULL_KIBANA_SECURITY_ROLE to test/scout/ui/common/roles.ts; both bulk_add_alerts_to_chat.spec.ts and run_workflow_action.spec.ts import from it

Nit — connector name: Scoped to scout-llm-proxy-${scoutSpace.id} in both creation and cleanup

[js-jankisalvi]

Verified locally, Add to chat bulk action only appears on security solution alerts table. Response ops changes look good 👍

[jonwalstedt]

Thanks for the review @enriquesanchez-elastic, I've addressed your feedback, could you please take another look when you have a chance?

[kibanamachine]

💔 Build Failed

• Buildkite Build
• Commit: 8589d10
• Build duration: 39 mins

Failed CI Steps

• Check Types
• Defend Workflows Cypress Tests on Serverless #15
• LLM Evals: security-alert-triage / eis-anthropic-claude-4-6-sonnet

Test Failures

• [job] [logs] Scout Lane #9 - stateful-classic / default / local-stateful-classic - Bulk add alerts to chat - should open agent builder conversation with attachment chip and pre-filled prompt, and send multiple alerts to the LLM

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	9585	9586	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
cases	2.4MB	2.4MB	+781.0B
embeddableAlertsTable	1.2MB	1.2MB	+783.0B
ml	5.6MB	5.6MB	+781.0B
observability	2.1MB	2.1MB	+781.0B
securitySolution	12.1MB	12.1MB	+2.1KB
triggersActionsUi	2.6MB	2.6MB	+781.0B
total			+5.9KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
securitySolution	159.8KB	160.3KB	+552.0B

History

• 💛 Build #450423 was flaky 3219a16
• 💔 Build #450348 failed f935559
• 💔 Build #450261 failed 80d7947
• 💔 Build #450190 failed 1c4e3ad

cc @jonwalstedt