[Entity Analytics][Hypotheses] Prebuilt hypotheses initialisation and reconciliation

.buildkite/ftr_security_stateful_configs.yml

@@ -98,6 +98,7 @@ enabled:
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/basic_license_essentials_tier/configs/ess.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/entity_store/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/threat_hunting/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/entity_details/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/lists_and_exception_lists/exception_lists_items/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/solutions/security/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/configs/ess.config.ts

packages/kbn-check-saved-objects-cli/current_fields.json

@@ -1261,6 +1261,30 @@
     "userScope.apiKeyId"
   ],
   "telemetry": [],
+  "threat-hunting-hypothesis": [
+    "managed",
+    "model",
+    "model.name",
+    "sourceType",
+    "summary",
+    "tags",
+    "threat",
+    "threat.framework",
+    "threat.tactic",
+    "threat.tactic.id",
+    "threat.tactic.name",
+    "threat.tactic.reference",
+    "threat.technique",
+    "threat.technique.id",
+    "threat.technique.name",
+    "threat.technique.reference",
+    "threat.technique.subtechnique",
+    "threat.technique.subtechnique.id",
+    "threat.technique.subtechnique.name",
+    "threat.technique.subtechnique.reference",
+    "title",
+    "version"
+  ],
   "threshold-explorer-view": [],
   "ui-metric": [
     "count"

packages/kbn-check-saved-objects-cli/current_mappings.json

@@ -651,9 +651,6 @@
         },
         "type": "nested"
       },
-      "total_observables": {
-        "type": "integer"
-      },
       "owner": {
         "type": "keyword"
       },
@@ -693,6 +690,9 @@
       "total_events": {
         "type": "integer"
       },
+      "total_observables": {
+        "type": "integer"
+      },
       "updated_at": {
         "type": "date"
       },
@@ -4176,6 +4176,82 @@
     "dynamic": false,
     "properties": {}
   },
+  "threat-hunting-hypothesis": {
+    "dynamic": false,
+    "properties": {
+      "managed": {
+        "type": "boolean"
+      },
+      "model": {
+        "properties": {
+          "name": {
+            "type": "keyword"
+          }
+        }
+      },
+      "sourceType": {
+        "type": "keyword"
+      },
+      "summary": {
+        "type": "text"
+      },
+      "tags": {
+        "type": "keyword"
+      },
+      "threat": {
+        "properties": {
+          "framework": {
+            "type": "keyword"
+          },
+          "tactic": {
+            "properties": {
+              "id": {
+                "type": "keyword"
+              },
+              "name": {
+                "type": "keyword"
+              },
+              "reference": {
+                "type": "keyword"
+              }
+            }
+          },
+          "technique": {
+            "properties": {
+              "id": {
+                "type": "keyword"
+              },
+              "name": {
+                "type": "keyword"
+              },
+              "reference": {
+                "type": "keyword"
+              },
+              "subtechnique": {
+                "properties": {
+                  "id": {
+                    "type": "keyword"
+                  },
+                  "name": {
+                    "type": "keyword"
+                  },
+                  "reference": {
+                    "type": "keyword"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "title": {
+        "type": "text"
+      },
+      "version": {
+        "type": "keyword"
+      }
+    }
+  },
   "threshold-explorer-view": {
     "dynamic": false,
     "properties": {}

x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/threat_hunting_hypotheses/threat_hunting_hypotheses.schema.yaml

@@ -0,0 +1,218 @@
+openapi: 3.0.0
+info:
+  title: Threat Hunting Hypotheses Schema
+  description: Schema for managing threat hunting hypotheses in the security solution.
+  version: "2023-10-31"
+
+paths:
+  /api/entity_analytics/threat_hunting_hypotheses:
+    post:
+      operationId: CreateThreatHuntingHypothesis
+      x-codegen-enabled: true
+      summary: Create a new threat hunting hypothesis
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/CreateThreatHuntingHypothesis"
+      responses:
+        "200":
+          description: Threat hunting hypothesis created successfully
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ThreatHuntingHypothesis"
+
+  /api/entity_analytics/threat_hunting_hypotheses/{id}:
+    get:
+      operationId: GetThreatHuntingHypothesis
+      x-codegen-enabled: true
+      summary: Get a threat hunting hypothesis by ID
+      parameters:
+        - name: id
+          in: path
+          required: true
+          schema:
+            type: string
+      responses:
+        "200":
+          description: Threat Hunting hypothesis details retrieved
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ThreatHuntingHypothesis"
+    put:
+      operationId: UpdateThreatHuntingHypothesis
+      x-codegen-enabled: true
+      summary: Update a threat hunting hypothesis by ID
+      parameters:
+        - name: id
+          in: path
+          required: true
+          schema:
+            type: string
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/UpdateThreatHuntingHypothesis"
+      responses:
+        "200":
+          description: Threat hunting hypothesis updated successfully
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ThreatHuntingHypothesis"  
+
+    delete:
+      operationId: DeleteThreatHuntingHypothesis
+      x-codegen-enabled: true
+      summary: Delete a threat hunting hypothesis
+      parameters:
+        - name: id
+          in: path
+          required: true
+          schema:
+            type: string
+      responses:
+        "200":
+          description: Threat hunting hypothesis deleted successfully
+
+  /api/entity_analytics/threat_hunting_hypotheses/list:
+    get:
+      operationId: ListThreatHuntingHypotheses
+      x-codegen-enabled: true
+      summary: List all threat hunting hypotheses
+      parameters:
+        - name: type
+          in: query
+          schema:
+            type: string
+        - name: managed
+          in: query
+          schema:
+            type: boolean
+        - name: name
+          in: query
+          schema:
+            type: string
+
+      responses:
+        "200":
+          description: List of threat hunting hypotheses retrieved
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: "#/components/schemas/ThreatHuntingHypothesis"
+components:
+  schemas:
+    CreateThreatHuntingHypothesis:
+      allOf:
+      - $ref: '#/components/schemas/ThreatHuntingHypothesisProperties'
+      - type: object
+        required: [title, summary, managed, source_type, version]
+        properties: {}
+
+    UpdateThreatHuntingHypothesis:
+      allOf:
+      - $ref: '#/components/schemas/ThreatHuntingHypothesisProperties'
+      - type: object        
+        properties: {}
+
+    ThreatHuntingHypothesisProperties:
+      type: object
+      description: Core properties of a threat hunting hypothesis saved object
+      properties:
+        title:
+          type: string
+          description: Bold text shown at the top of the card
+        summary:
+          type: string
+          description: Supporting text shown below the title
+        managed:
+          type: boolean
+          description: Indicates if the hypothesis is system-managed (immutable)
+        source_type:
+          type: string
+          description: Origin of the hypothesis
+          enum: [pre_built, ai_generated]
+        version:
+          type: string
+          description: Content version used for reconciliation
+        threat:
+          type: object
+          description: ECS threat context for this hypothesis
+          properties:
+            framework:
+              type: string
+              description: e.g. "MITRE ATT&CK"
+            tactic:
+              type: object
+              properties:
+                id:
+                  type: string
+                name:
+                  type: string
+                reference:
+                  type: string
+            technique:
+              type: object
+              properties:
+                id:
+                  type: string
+                name:
+                  type: string
+                reference:
+                  type: string
+                subtechnique:
+                  type: object
+                  properties:
+                    id:
+                      type: string
+                    name:
+                      type: string
+                    reference:
+                      type: string
+        tags:
+          type: array
+          description: Labels associated with the hypothesis
+          items:
+            type: string
+        model:
+          type: object
+          description: LLM model metadata if AI-generated
+          properties:
+            name:
+              type: string
+              description: Model name (e.g. "gpt-4o", "claude-opus")
+
+    ThreatHuntingHypothesis:
+      allOf:
+      - $ref: '#/components/schemas/ThreatHuntingHypothesisProperties'
+      - type: object
+        required: [title, source_type, summary]
+        properties:
+          id:
+            type: string
+
+      type: object
+      properties:
+        syncMarkerIndex: 
+          type: string
+          description: Index to read latest sync markers from
+        syncData: 
+          type: object
+          description: integrations latest full sync and update syncData
+          properties:
+            lastFullSync: 
+              type: string
+              format: date-time
+              description: Timestamp of the last full sync from integrations
+            lastUpdateProcessed: 
+              type: string
+              format: date-time
+              description: Timestamp of the last update processed from integrations

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/hypothesis_threat_hunting/auditing/actions.ts

@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const ThreatHuntingHypothesisActions = {
+  CREATE: 'create',
+  DELETE: 'delete',
+} as const;
+
+export type ThreatHuntingHypothesisActions =
+  (typeof ThreatHuntingHypothesisActions)[keyof typeof ThreatHuntingHypothesisActions];