How to include field data from multiple documents in `Create a model response` API request?

I am trying to use the Create a model response API to create an AI assistant response that summarizes many alerts at once. When I include multiple messages that each contain field data from security alerts, the Security AI assistant only provides a response for the last alert. I am unable to get it to take the other messages into consideration.

Do you know if it is possible for the Security AI assistant to consume multiple messages each with their own event/alert context?

Here is what I tried:

API: `/api/security_ai_assistant/chat/complete`

Request example:

```python
{
    "persist": False,
    "promptId": promptId,
    "messages": [
        {
            "role": "user",
            "data": {
                "user.name": "Sample User",
                "source.geo.location": "Canada",
                "source.ip": "1.1.1.1",
                "process.name": "hacker.exe"
            },
            "content": """
                Summarize the event 
            """,
            "fields_to_anonymize": [
                "user.name",
                "source.ip"
            ]
        },
        {
            "role": "user",
            "data": {
                "user.name": "Sample User 2",
                "source.geo.location": "United States",
                "source.ip": "8.8.8.8",
                "process.name": "word.exe"
            },
            "content": """
                Summarize the event 
            """,
            "fields_to_anonymize": [
                "user.name",
                "source.ip"
            ]
        },
    ],
    "connectorId": connectorId,
}
```

The response is something like:

The event indicates a process named word.exe was executed. The source IP associated with this event is 77a49151-a05e-4b93-bb99-7530f8e4a580, and the user responsible for the action is identified as 7a89258b-9865-49fa-8cfe-0f42ce50244e. This could potentially be an anomalous or malicious activity, depending on the context and further investigation into the IP and user details.

The response fails to provide any context or details about the first message included.

So you can just shove everything into the “content” field and format the text into a good prompt. It works, but you have to anonymize the fields and deanonymize them manually before you send the request.

My payload looks like:

```python
{
    "persist": False,
    "promptId": promptId,
    "messages": [
        {
            "role": "user",
            "content": f"{anonymized_alert_list}\n\n\n\nYou are a senior SOC analyst reviewing SIEM alerts. Interpret the alert(s) below using expert-level judgment and explain what it means in natural language.",
        }
    ],
    "connectorId": connectorId,
}
```
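The manual anonymize/deanonymize step described in the post above, as an added example that is not part of the original thread or of Elastic's code. The function names `anonymize_alerts`, `build_payload` and `deanonymize` are hypothetical, the UUID token format mirrors the response quoted in the question, and sensitive field values are assumed to be strings.

```python
import json
import uuid

SENSITIVE_FIELDS = ("user.name", "source.ip")  # same fields the question anonymized

def anonymize_alerts(alerts, sensitive=SENSITIVE_FIELDS):
    """Replace sensitive values with UUID tokens; return (clean_alerts, token->value map)."""
    value_to_token, token_to_value = {}, {}
    cleaned = []
    for alert in alerts:
        out = {}
        for field, value in alert.items():
            if field in sensitive:
                # Reuse the token for a repeated value so the model can still
                # correlate the same user or IP across alerts.
                token = value_to_token.get(value)
                if token is None:
                    token = str(uuid.uuid4())
                    value_to_token[value] = token
                    token_to_value[token] = value
                out[field] = token
            else:
                out[field] = value
        cleaned.append(out)
    return cleaned, token_to_value

def build_payload(alerts, instruction, prompt_id, connector_id):
    """One user message holding every alert, numbered, followed by the instruction."""
    blocks = [f"Alert {i}:\n{json.dumps(a, indent=2)}" for i, a in enumerate(alerts, 1)]
    return {
        "persist": False,
        "promptId": prompt_id,
        "messages": [{"role": "user", "content": "\n\n".join(blocks) + "\n\n" + instruction}],
        "connectorId": connector_id,
    }

def deanonymize(text, token_to_value):
    """Swap tokens in the model's reply back to the original values."""
    for token, value in token_to_value.items():
        text = text.replace(token, value)
    return text

# Constructed sample alerts (field values taken from the question above).
ALERTS = [
    {"user.name": "Sample User", "source.geo.location": "Canada",
     "source.ip": "1.1.1.1", "process.name": "hacker.exe"},
    {"user.name": "Sample User 2", "source.geo.location": "United States",
     "source.ip": "8.8.8.8", "process.name": "word.exe"},
]
```

Keep the token map in memory only for the lifetime of the request; it is the one place where the tokens and the real values are linked.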