[Entity Analytics][Lead Generation][3] Entity retrieval and enrichment to get data for lead generation#256628
Merged
abhishekbhatia1710 merged 1 commit intoelastic:mainfrom Mar 27, 2026
Conversation
Contributor
|
Pinging @elastic/security-entity-analytics (Team:Entity Analytics) |
Contributor
|
Important Review skippedAuto reviews are limited based on label configuration. 🏷️ Required labels (at least one) (4)
Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
hop-dev
requested changes
Mar 26, 2026
...olution/server/lib/entity_analytics/lead_generation/observation_modules/risk_score_module.ts
Outdated
Show resolved
Hide resolved
...ugins/security_solution/server/lib/entity_analytics/lead_generation/routes/generate_leads.ts
Outdated
Show resolved
Hide resolved
...olution/server/lib/entity_analytics/lead_generation/observation_modules/risk_score_module.ts
Outdated
Show resolved
Hide resolved
...ion/server/lib/entity_analytics/lead_generation/observation_modules/alert_analysis_module.ts
Outdated
Show resolved
Hide resolved
...ugins/security_solution/server/lib/entity_analytics/lead_generation/routes/generate_leads.ts
Outdated
Show resolved
Hide resolved
...ugins/security_solution/server/lib/entity_analytics/lead_generation/routes/generate_leads.ts
Outdated
Show resolved
Hide resolved
...ions/security/plugins/security_solution/server/lib/entity_analytics/lead_generation/types.ts
Outdated
Show resolved
Hide resolved
...ugins/security_solution/server/lib/entity_analytics/lead_generation/engine/llm_synthesize.ts
Outdated
Show resolved
Hide resolved
...ion/server/lib/entity_analytics/lead_generation/observation_modules/alert_analysis_module.ts
Outdated
Show resolved
Hide resolved
hop-dev
approved these changes
Mar 27, 2026
Contributor
hop-dev
left a comment
There was a problem hiding this comment.
Thanks for addressing all my comments 🚀
Contributor
|
Pinging @elastic/obs-presentation-team (Team:obs-presentation) |
Contributor
|
Pinging @elastic/fleet (Team:Fleet) |
Adds AlertAnalysisModule, LLMSynthesize, entity conversion, generate_leads route handler with full orchestration, and get_leads route. Review changes: use data clients, thin route handler, split alert module into folder, fix escalation detection, remove dead weight field, scope usedTitleTracker, deduplicate staleness logic, simplify LLM prompt.
d7cf013 to
607f80c
Compare
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
|
kelvtanv
pushed a commit
to kelvtanv/kibana
that referenced
this pull request
Mar 27, 2026
…t to get data for lead generation (elastic#256628) ## Summary - Introduces a shared **Entity Retriever** that centralises Entity Store V2 fetching, paginated via `search_after` for all users/hosts, or targeted by name, replacing duplicated inline logic in the generate-leads route - Introduces an **Entity Enricher** that pre-fetches risk score history (90-day daily averages), alert summaries (severity breakdown, top rules, top alerts), asset criticality, and privileged status for a batch of entities - Refactors the generate-leads route to delegate entity fetching to the retriever, removing ~70 lines of inline code - Updates the barrel file to export both new services and their types Closes : elastic/security-team#15948 This PR is 3rd part of the lead generation feature being built under the [Entity Analytics Lead Generation epic](elastic/security-team#14401). It builds on the foundation and observation modules from elastic#255272 and elastic#256156. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.
SoniaSanzV
pushed a commit
to SoniaSanzV/kibana
that referenced
this pull request
Mar 30, 2026
…t to get data for lead generation (elastic#256628) ## Summary - Introduces a shared **Entity Retriever** that centralises Entity Store V2 fetching, paginated via `search_after` for all users/hosts, or targeted by name, replacing duplicated inline logic in the generate-leads route - Introduces an **Entity Enricher** that pre-fetches risk score history (90-day daily averages), alert summaries (severity breakdown, top rules, top alerts), asset criticality, and privileged status for a batch of entities - Refactors the generate-leads route to delegate entity fetching to the retriever, removing ~70 lines of inline code - Updates the barrel file to export both new services and their types Closes : elastic/security-team#15948 This PR is 3rd part of the lead generation feature being built under the [Entity Analytics Lead Generation epic](elastic/security-team#14401). It builds on the foundation and observation modules from elastic#255272 and elastic#256156. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.
abhishekbhatia1710
added a commit
to abhishekbhatia1710/kibana
that referenced
this pull request
Mar 31, 2026
Resolve conflicts after PRs elastic#255272 (Foundation), elastic#256156 (Observation Modules), elastic#256628 (Entity Retrieval), and elastic#257046 (CRUD API Routes) were merged into main. Key resolutions: - Keep main's authoritative versions of observation modules with data-driven tier tables and RiskScoreDataClient integration - Add scheduling-specific weight properties to module configs - Wire RiskScoreDataClient through RunPipelineParams via dependency injection (route uses context, task creates from CoreStart) - Preserve main's .keyword suffix fixes in lead_data_client ES queries - Keep scheduling branch's single-file behavioral_analysis_module (consolidated from subdirectory structure) and remove stale subdir - Delete generate_leads.test.ts (coverage moved to run_pipeline.test.ts) - Preserve Task Manager registration, enable/disable route wiring, and run_pipeline shared orchestration from scheduling branch Note: pre-commit hook bypassed because ESLint failures are from upstream kbn-evals-suite-significant-events package (pre-existing in main), not from lead generation changes.
jeramysoucy
pushed a commit
to jeramysoucy/kibana
that referenced
this pull request
Apr 1, 2026
…t to get data for lead generation (elastic#256628) ## Summary - Introduces a shared **Entity Retriever** that centralises Entity Store V2 fetching, paginated via `search_after` for all users/hosts, or targeted by name, replacing duplicated inline logic in the generate-leads route - Introduces an **Entity Enricher** that pre-fetches risk score history (90-day daily averages), alert summaries (severity breakdown, top rules, top alerts), asset criticality, and privileged status for a batch of entities - Refactors the generate-leads route to delegate entity fetching to the retriever, removing ~70 lines of inline code - Updates the barrel file to export both new services and their types Closes : elastic/security-team#15948 This PR is 3rd part of the lead generation feature being built under the [Entity Analytics Lead Generation epic](elastic/security-team#14401). It builds on the foundation and observation modules from elastic#255272 and elastic#256156. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.
paulinashakirova
pushed a commit
to paulinashakirova/kibana
that referenced
this pull request
Apr 2, 2026
…t to get data for lead generation (elastic#256628) ## Summary - Introduces a shared **Entity Retriever** that centralises Entity Store V2 fetching, paginated via `search_after` for all users/hosts, or targeted by name, replacing duplicated inline logic in the generate-leads route - Introduces an **Entity Enricher** that pre-fetches risk score history (90-day daily averages), alert summaries (severity breakdown, top rules, top alerts), asset criticality, and privileged status for a batch of entities - Refactors the generate-leads route to delegate entity fetching to the retriever, removing ~70 lines of inline code - Updates the barrel file to export both new services and their types Closes : elastic/security-team#15948 This PR is 3rd part of the lead generation feature being built under the [Entity Analytics Lead Generation epic](elastic/security-team#14401). It builds on the foundation and observation modules from elastic#255272 and elastic#256156. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
search_afterfor all users/hosts, or targeted by name, replacing duplicated inline logic in the generate-leads routeCloses : https://github.com/elastic/security-team/issues/15948
This PR is 3rd part of the lead generation feature being built under the Entity Analytics Lead Generation epic. It builds on the foundation and observation modules from #255272 and #256156.
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
release_note:*label is applied per the guidelinesbackport:*labels.