stack kb security-attack-discovery-api post-attack-discovery-generate cli command
Auth required
elastic stack kb security-attack-discovery-api post-attack-discovery-generate \
--alerts-index-pattern <alerts-index-pattern> \
--anonymization-fields <anonymization-fields> \
--api-config <api-config> \
--size <size> \
--sub-action <sub-action> \
[options]
Generate attack discoveries from alerts
Behaviour flags:
--dry-run — validate all inputs and exit without performing any action
--alerts-index-patternstringrequired- The (space specific) index pattern that contains the alerts to use as
--anonymization-fieldsstring[]required- The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the
/api/security_ai_assistant/anonymization_fields/_findAPI (for a specific Kibana space) to provide this value. --api-configstringrequired--sizenumberrequired--sub-actionstringrequired--connector-namestring--endstring--filterstring- An Elasticsearch-style query DSL object used to filter alerts. For example:
--modelstring--replacementsstring- Replacements object used to anonymize/deanonymize messages
--startstring--input-filestring- path to a JSON file to use as command input
--[no-]dry-run- validate all inputs and exit without performing any action (preview changes without applying them)
--[no-]json-
output as JSON