[Security Solution] Bulk add alerts to Agent Builder chat

.buildkite/pipelines/evals/evals.suites.json

@@ -251,6 +251,14 @@
         "eis/openai-gpt-5.2",
         "eis/openai-gpt-5.4"
       ]
+    },
+    {
+      "id": "security-alert-triage",
+      "name": "Security Alert Triage",
+      "slackChannel": "#security-generative-ai-evals",
+      "configPath": "x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage/playwright.config.ts",
+      "tags": ["security", "alert-triage"],
+      "ciLabels": ["evals:security-alert-triage"]
     }
   ]
 }

.buildkite/pipelines/evals/llm_evals.yml

@@ -398,3 +398,25 @@ steps:
           automatic:
             - exit_status: '-1'
               limit: 3
+
+      - label: 'Evals: Security Alert Triage'
+        key: kbn-evals-weekly-security-alert-triage
+        command: bash .buildkite/scripts/steps/evals/run_suite.sh
+        env:
+          KBN_EVALS: '1'
+          FTR_EIS_CCM: '1'
+          EVAL_SUITE_ID: 'security-alert-triage'
+          EVAL_FANOUT: '1'
+          EVAL_INCLUDE_EIS_MODELS: '1'
+          EVAL_MODEL_GROUPS: *weekly_eis_core_models
+        timeout_in_minutes: 60
+        agents:
+          image: family/kibana-ubuntu-2404
+          imageProject: elastic-images-prod
+          provider: gcp
+          machineType: n2-standard-8
+          preemptible: true
+        retry:
+          automatic:
+            - exit_status: '-1'
+              limit: 3

.github/CODEOWNERS

@@ -1341,6 +1341,7 @@ x-pack/solutions/security/packages/kbn-evals-suite-entity-analytics @elastic/sec
 x-pack/solutions/security/packages/kbn-evals-suite-lead-generation @elastic/security-entity-analytics
 x-pack/solutions/security/packages/kbn-evals-suite-pci-compliance @elastic/security-defend-workflows
 x-pack/solutions/security/packages/kbn-evals-suite-security-ai-rules @elastic/security-detection-engine
+x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage @elastic/security-threat-hunting
 x-pack/solutions/security/packages/kbn-evals-suite-security-automatic-migrations @elastic/security-threat-hunting
 x-pack/solutions/security/packages/kbn-evals-suite-security-esql-generation-regression @elastic/security-detection-platform
 x-pack/solutions/security/packages/kbn-scout-security @elastic/appex-qa @elastic/security-engineering-productivity

.gitignore

@@ -1,4 +1,5 @@
 .aws-config.json
+.bk.yaml
 .signing-config.json
 .ackrc
 /.es

package.json

@@ -1756,6 +1756,7 @@
     "@kbn/evals-suite-observability-ai": "link:x-pack/solutions/observability/packages/kbn-evals-suite-observability-ai",
     "@kbn/evals-suite-pci-compliance": "link:x-pack/solutions/security/packages/kbn-evals-suite-pci-compliance",
     "@kbn/evals-suite-security-ai-rules": "link:x-pack/solutions/security/packages/kbn-evals-suite-security-ai-rules",
+    "@kbn/evals-suite-security-alert-triage": "link:x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage",
     "@kbn/evals-suite-security-automatic-migrations": "link:x-pack/solutions/security/packages/kbn-evals-suite-security-automatic-migrations",
     "@kbn/evals-suite-security-esql-generation-regression": "link:x-pack/solutions/security/packages/kbn-evals-suite-security-esql-generation-regression",
     "@kbn/evals-suite-significant-events": "link:x-pack/platform/packages/shared/kbn-evals-suite-significant-events",

tsconfig.base.json

@@ -1240,6 +1240,8 @@
       "@kbn/evals-suite-pci-compliance/*": ["x-pack/solutions/security/packages/kbn-evals-suite-pci-compliance/*"],
       "@kbn/evals-suite-security-ai-rules": ["x-pack/solutions/security/packages/kbn-evals-suite-security-ai-rules"],
       "@kbn/evals-suite-security-ai-rules/*": ["x-pack/solutions/security/packages/kbn-evals-suite-security-ai-rules/*"],
+      "@kbn/evals-suite-security-alert-triage": ["x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage"],
+      "@kbn/evals-suite-security-alert-triage/*": ["x-pack/solutions/security/packages/kbn-evals-suite-security-alert-triage/*"],
       "@kbn/evals-suite-security-automatic-migrations": ["x-pack/solutions/security/packages/kbn-evals-suite-security-automatic-migrations"],
       "@kbn/evals-suite-security-automatic-migrations/*": ["x-pack/solutions/security/packages/kbn-evals-suite-security-automatic-migrations/*"],
       "@kbn/evals-suite-security-esql-generation-regression": ["x-pack/solutions/security/packages/kbn-evals-suite-security-esql-generation-regression"],

x-pack/platform/packages/shared/response-ops/alerts-table/components/alerts_data_grid.tsx

@@ -80,6 +80,7 @@ export const AlertsDataGrid = typedMemo(
       cellActionsOptions,
       pageSizeOptions = DEFAULT_PAGE_SIZE_OPTIONS,
       height,
+      bulkAddToChatConfig,
       ...euiDataGridProps
     } = props;
     const {
@@ -98,7 +99,14 @@ export const AlertsDataGrid = typedMemo(
       refresh: refreshQueries,
       columns,
       dataGridRef,
-      services: { http, notifications, application, cases: casesService, settings },
+      services: {
+        http,
+        notifications,
+        application,
+        cases: casesService,
+        agentBuilder: agentBuilderService,
+        settings,
+      },
     } = renderContext;
 
     const { colorMode, euiTheme } = useEuiTheme();
@@ -126,6 +134,8 @@ export const AlertsDataGrid = typedMemo(
       notifications,
       application,
       casesService,
+      agentBuilderService,
+      bulkAddToChatConfig,
     });
 
     const refresh = useCallback(() => {

x-pack/platform/packages/shared/response-ops/alerts-table/hooks/use_bulk_actions.test.tsx

@@ -15,12 +15,13 @@ import { AlertsQueryContext } from '@kbn/alerts-ui-shared/src/common/contexts/al
 import {
   useBulkActions,
   useBulkAddToCaseActions,
+  useBulkAddToChatActions,
   useBulkUntrackActions,
   useBulkMuteActions,
 } from './use_bulk_actions';
 import { createCasesServiceMock } from '../mocks/cases.mock';
 import { BulkActionsVerbs, type PublicAlertsDataGridProps } from '../types';
-import type { AdditionalContext, RenderContext } from '../types';
+import type { AdditionalContext, OpenChatService, RenderContext, TimelineItem } from '../types';
 import { useAlertsTableContext } from '../contexts/alerts_table_context';
 import { createPartialObjectMock, testQueryClientConfig } from '../utils/test';
 import { applicationServiceMock } from '@kbn/core-application-browser-mocks';
@@ -427,6 +428,97 @@ describe('bulk action hooks', () => {
     });
   });
 
+  describe('useBulkAddToChatActions', () => {
+    const mockOpenChat = jest.fn();
+    const agentBuilderService: OpenChatService = { openChat: mockOpenChat };
+    const mockAttachments = [{ type: 'security.alerts', data: { alertIds: ['id1'] } }];
+    const convertAlertToAttachment = jest.fn().mockReturnValue(mockAttachments);
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+    });
+
+    it('returns empty array when agentBuilderService is not provided', () => {
+      const { result } = renderHook(
+        () =>
+          useBulkAddToChatActions({
+            bulkAddToChatConfig: { convertAlertToAttachment },
+          }),
+        { wrapper }
+      );
+
+      expect(result.current).toEqual([]);
+    });
+
+    it('returns empty array when bulkAddToChatConfig is not provided', () => {
+      const { result } = renderHook(() => useBulkAddToChatActions({ agentBuilderService }), {
+        wrapper,
+      });
+
+      expect(result.current).toEqual([]);
+    });
+
+    it('returns the add-to-chat action when both service and config are provided', () => {
+      const { result } = renderHook(
+        () =>
+          useBulkAddToChatActions({
+            agentBuilderService,
+            bulkAddToChatConfig: { convertAlertToAttachment },
+          }),
+        { wrapper }
+      );
+
+      expect(result.current).toHaveLength(1);
+      expect(result.current[0].key).toBe('bulk-add-to-chat');
+      expect(result.current[0]['data-test-subj']).toBe('bulk-add-to-chat');
+    });
+
+    it('calls openChat with converted attachments when the action is clicked', () => {
+      const alerts: TimelineItem[] = [
+        { _id: 'id1', _index: 'idx', data: [], ecs: { _id: 'id1', _index: 'idx' } },
+      ];
+
+      const { result } = renderHook(
+        () =>
+          useBulkAddToChatActions({
+            agentBuilderService,
+            bulkAddToChatConfig: { convertAlertToAttachment },
+          }),
+        { wrapper }
+      );
+
+      result.current[0].onClick(alerts);
+
+      expect(convertAlertToAttachment).toHaveBeenCalledWith(alerts);
+      expect(mockOpenChat).toHaveBeenCalledWith({
+        autoSendInitialMessage: false,
+        newConversation: true,
+        initialMessage: undefined,
+        attachments: mockAttachments,
+      });
+    });
+
+    it('passes initialMessage to openChat', () => {
+      const { result } = renderHook(
+        () =>
+          useBulkAddToChatActions({
+            agentBuilderService,
+            bulkAddToChatConfig: {
+              convertAlertToAttachment,
+              initialMessage: 'Please triage these alerts.',
+            },
+          }),
+        { wrapper }
+      );
+
+      result.current[0].onClick([]);
+
+      expect(mockOpenChat).toHaveBeenCalledWith(
+        expect.objectContaining({ initialMessage: 'Please triage these alerts.' })
+      );
+    });
+  });
+
   describe('useBulkUntrackActions', () => {
     beforeEach(() => {
       jest.clearAllMocks();

x-pack/platform/packages/shared/response-ops/alerts-table/hooks/use_bulk_actions.ts

@@ -23,12 +23,15 @@ import type {
   BulkActionsReducerAction,
   TimelineItem,
   BulkEditTagsFlyoutState,
+  BulkAddToChatConfig,
+  OpenChatService,
 } from '../types';
 import { BulkActionsVerbs } from '../types';
 import type { CasesService, PublicAlertsDataGridProps } from '../types';
 import {
   ADD_TO_EXISTING_CASE,
   ADD_TO_NEW_CASE,
+  ADD_TO_CHAT,
   ALERTS_ALREADY_ATTACHED_TO_CASE,
   EDIT_TAGS,
   MARK_AS_UNTRACKED,
@@ -49,6 +52,8 @@ interface BulkActionsProps {
   hideBulkActions?: boolean;
   application: ApplicationStart;
   casesService?: CasesService;
+  agentBuilderService?: OpenChatService;
+  bulkAddToChatConfig?: BulkAddToChatConfig;
   http: HttpStart;
   notifications: NotificationsStart;
 }
@@ -408,6 +413,45 @@ export const useBulkMuteActions = ({
   );
 };
 
+export const useBulkAddToChatActions = ({
+  agentBuilderService,
+  bulkAddToChatConfig,
+}: {
+  agentBuilderService?: OpenChatService;
+  bulkAddToChatConfig?: BulkAddToChatConfig;
+}) => {
+  const { convertAlertToAttachment, initialMessage, onAddedToChat } = bulkAddToChatConfig ?? {};
+
+  const onAddToChatClick = useCallback(
+    (alerts?: TimelineItem[]) => {
+      if (!agentBuilderService || !convertAlertToAttachment) return;
+      const items = alerts ?? [];
+      agentBuilderService.openChat({
+        autoSendInitialMessage: false,
+        newConversation: true,
+        initialMessage,
+        attachments: convertAlertToAttachment(items),
+      });
+      onAddedToChat?.(items.length);
+    },
+    [agentBuilderService, convertAlertToAttachment, initialMessage, onAddedToChat]
+  );
+
+  return useMemo(() => {
+    if (!agentBuilderService || !convertAlertToAttachment) return [];
+    return [
+      {
+        label: ADD_TO_CHAT,
+        key: 'bulk-add-to-chat',
+        disableOnQuery: true,
+        disabledLabel: ADD_TO_CHAT,
+        'data-test-subj': 'bulk-add-to-chat',
+        onClick: onAddToChatClick,
+      },
+    ];
+  }, [agentBuilderService, convertAlertToAttachment, onAddToChatClick]);
+};
+
 const EMPTY_BULK_ACTIONS_CONFIG: BulkActionsPanelConfig[] = [];
 
 export function useBulkActions({
@@ -422,6 +466,8 @@ export function useBulkActions({
   notifications,
   application,
   casesService,
+  agentBuilderService,
+  bulkAddToChatConfig,
 }: BulkActionsProps): UseBulkActions {
   const {
     bulkActionsStore: [bulkActionsState, updateBulkActionsState],
@@ -491,16 +537,28 @@ export function useBulkActions({
           },
         ];
   }, [tagsAction, application?.capabilities]);
+  const addToChatActions = useBulkAddToChatActions({
+    agentBuilderService,
+    bulkAddToChatConfig,
+  });
 
   const initialItems = useMemo(() => {
     const isSiem = ruleTypeIds?.some(isSiemRuleType);
     return [
       ...caseBulkActions,
+      ...addToChatActions,
       ...(isSiem ? [] : untrackBulkActions),
       ...(isSiem ? [] : tagsBulkActions),
       ...(isSiem ? [] : muteBulkActions),
     ];
-  }, [caseBulkActions, ruleTypeIds, untrackBulkActions, tagsBulkActions, muteBulkActions]);
+  }, [
+    caseBulkActions,
+    ruleTypeIds,
+    untrackBulkActions,
+    tagsBulkActions,
+    muteBulkActions,
+    addToChatActions,
+  ]);
 
   const bulkActions = useMemo(() => {
     if (hideBulkActions) {

x-pack/platform/packages/shared/response-ops/alerts-table/translations.ts

@@ -251,6 +251,10 @@ export const ADD_TO_EXISTING_CASE = i18n.translate(
   }
 );
 
+export const ADD_TO_CHAT = i18n.translate('xpack.responseOpsAlertsTable.actions.addChat', {
+  defaultMessage: 'Add to chat',
+});
+
 export const ADD_TO_NEW_CASE = i18n.translate('xpack.responseOpsAlertsTable.actions.addToNewCase', {
   defaultMessage: 'Add to new case',
 });