5 changes: 5 additions & 0 deletions packages/security_ai_prompts/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.0.14"
changes:
- description: "Trim ALERT_SUMMARY_500 and ALERT_SUMMARY_SYSTEM_PROMPT prompts for aiForSoc and ease groups."
type: enhancement
link: https://github.com/elastic/integrations/pull/19388
- version: "1.0.13"
changes:
- description: "Update Entity Highlights AI prompt"
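Review bot: The `description` of the new 1.0.14 entry names `ALERT_SUMMARY_500` and `ALERT_SUMMARY_SYSTEM_PROMPT`, but the objects changed in this PR are keyed by the `promptId` values `alertSummary` and `alertSummarySystemPrompt`. Use the `promptId` names (or give both) so the entry can be matched against the package contents. "Trim" also undersells the change: the last sentence of the `alertSummary` prompt is reworded rather than shortened, so "Trim and reword" would be more accurate.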
Expand Up @@ -3,7 +3,7 @@
"promptId": "alertSummarySystemPrompt",
"promptGroupId": "aiForSoc",
"prompt": {
"default": "Return **only a single-line stringified JSON object** without any code fences, explanations, or variable assignments. Do **not** wrap the output in triple backticks or any Markdown code block. \n\nThe result must be a valid stringified JSON object that can be directly parsed with `JSON.parse()` in JavaScript.\n\n**Strict rules**:\n- The output must **not** include any code blocks (no triple backticks).\n- The output must be **a string**, ready to be passed directly into `JSON.parse()`.\n- All backslashes (`\\`) must be escaped **twice** (`\\\\\\\\`) so that the string parses correctly in JavaScript.\n- The JSON must follow this structure:\n {{\n \"summary\": \"Markdown-formatted summary with inline code where relevant.\",\n \"recommendedActions\": \"Markdown-formatted action list starting with a `###` header.\"\n }}\n- The summary text should just be text. It does not need any titles or leading items in bold.\n- Markdown formatting should be used inside string values:\n - Use `inline code` (backticks) for technical values like file paths, process names, arguments, etc.\n - Use `**bold**` for emphasis.\n - Use `-` for bullet points.\n - The `recommendedActions` value must start with a `###` header describing the main action dynamically (but **not** include \"Recommended Actions\" as the title).\n- **Do not** include any extra explanation or text. Only return the stringified JSON object.\n\nThe response should look like this:\n{{\"summary\":\"Markdown-formatted summary text.\",\"recommendedActions\":\"Markdown-formatted action list starting with a ### header.\"}}"
"default": "Return **only a single-line stringified JSON object** that can be passed directly to `JSON.parse()` in JavaScript. Do not include code fences, triple backticks, explanations, or variable assignments.\n\n**Strict rules**:\n- All backslashes (`\\`) must be escaped **twice** (`\\\\\\\\`) so that the string parses correctly in JavaScript.\n- The JSON must follow this structure:\n {{\n \"summary\": \"Markdown-formatted summary with inline code where relevant.\",\n \"recommendedActions\": \"Markdown-formatted action list starting with a `###` header.\"\n }}\n- `summary` is plain text with optional inline markdown; it does not need titles or leading items in bold.\n- `recommendedActions` must start with a `###` header describing the main action dynamically (but **not** include \"Recommended Actions\" as the title).\n- Inside string values use Markdown: `inline code` (backticks) for technical values like file paths, process names, and arguments; `**bold**` for emphasis; `-` for bullet points.\n\nThe response should look like this:\n{{\"summary\":\"Markdown-formatted summary text.\",\"recommendedActions\":\"Markdown-formatted action list starting with a ### header.\"}}"
}
},
"id": "security_ai_prompts-26eb85d3-c474-4e48-a918-68b93fa409bb",
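Review bot: The rewritten `default` drops the closing rule `**Do not** include any extra explanation or text. Only return the stringified JSON object.` and the separate no-code-block bullet, so each constraint is now stated once, in the opening sentence. Because the prompt says the reply is passed directly to `JSON.parse()`, please confirm that the code consuming the reply handles a fenced or non-JSON answer (catching the parse error and checking that `summary` and `recommendedActions` are both strings) instead of depending on the prompt wording to prevent it. If that handling is not in place, keep the closing rule.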
Expand Up @@ -3,7 +3,7 @@
"promptId": "alertSummary",
"promptGroupId": "ease",
"prompt": {
"default": "Evaluate the cyber security alert from the context above. Your response should take all the important elements of the alert into consideration to give me a concise summary of what happened. This is being used in an alert details flyout in a SIEM, so keep it detailed, but brief. Limit your response to 500 characters. Anyone reading this summary should immediately understand what happened in the alert in question. Only reply with the summary, and nothing else.\n\nUsing another 200 characters, add a second paragraph with a bulleted list of recommended actions a cyber security analyst should take here. Don't invent random, potentially harmful recommended actions."
"default": "Summarize the cyber security alert from the context above for an analyst viewing the SIEM alert details flyout. Limit the summary to 500 characters and the recommended actions to a further 200 characters. Reply with the summary and a bulleted list of recommended actions, and nothing else. Do not invent recommended actions that are not supported by the alert."
}
},
"id": "security_ai_prompts-7d7cf0c3-7b8e-42a1-878d-668b282247eb",
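Review bot: The final sentence of the new `default` is a behaviour change, not a trim: `Don't invent random, potentially harmful recommended actions` becomes `Do not invent recommended actions that are not supported by the alert`, which ties the actions to the alert but no longer mentions harmful actions. If the harm wording was deliberate, keep it next to the new clause, for example "Do not invent recommended actions that are not supported by the alert or that could be harmful." The new text also no longer asks for the actions as a second paragraph; please confirm that is intended for every place this prompt is rendered.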
Expand Up @@ -3,7 +3,7 @@
"promptId": "alertSummary",
"promptGroupId": "aiForSoc",
"prompt": {
"default": "Evaluate the cyber security alert from the context above. Your response should take all the important elements of the alert into consideration to give me a concise summary of what happened. This is being used in an alert details flyout in a SIEM, so keep it detailed, but brief. Limit your response to 500 characters. Anyone reading this summary should immediately understand what happened in the alert in question. Only reply with the summary, and nothing else.\n\nUsing another 200 characters, add a second paragraph with a bulleted list of recommended actions a cyber security analyst should take here. Don't invent random, potentially harmful recommended actions."
"default": "Summarize the cyber security alert from the context above for an analyst viewing the SIEM alert details flyout. Limit the summary to 500 characters and the recommended actions to a further 200 characters. Reply with the summary and a bulleted list of recommended actions, and nothing else. Do not invent recommended actions that are not supported by the alert."
}
},
"id": "security_ai_prompts-9da0cebb-f56b-4199-b4db-ef79b876d842",
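Review bot: The new `default` still points the model at "the cyber security alert from the context above" without saying how to treat that context. Alert fields such as command lines and file names can carry attacker-chosen text, so while this sentence is being rewritten, consider adding an instruction to treat the alert context as data only and to ignore any instructions that appear inside it. Separately, this string is identical to the `ease` `alertSummary` change; a test or a shared source that keeps the two copies in sync would prevent drift.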
Expand Up @@ -3,7 +3,7 @@
"promptId": "alertSummarySystemPrompt",
"promptGroupId": "ease",
"prompt": {
"default": "Return **only a single-line stringified JSON object** without any code fences, explanations, or variable assignments. Do **not** wrap the output in triple backticks or any Markdown code block. \n\nThe result must be a valid stringified JSON object that can be directly parsed with `JSON.parse()` in JavaScript.\n\n**Strict rules**:\n- The output must **not** include any code blocks (no triple backticks).\n- The output must be **a string**, ready to be passed directly into `JSON.parse()`.\n- All backslashes (`\\`) must be escaped **twice** (`\\\\\\\\`) so that the string parses correctly in JavaScript.\n- The JSON must follow this structure:\n {{\n \"summary\": \"Markdown-formatted summary with inline code where relevant.\",\n \"recommendedActions\": \"Markdown-formatted action list starting with a `###` header.\"\n }}\n- The summary text should just be text. It does not need any titles or leading items in bold.\n- Markdown formatting should be used inside string values:\n - Use `inline code` (backticks) for technical values like file paths, process names, arguments, etc.\n - Use `**bold**` for emphasis.\n - Use `-` for bullet points.\n - The `recommendedActions` value must start with a `###` header describing the main action dynamically (but **not** include \"Recommended Actions\" as the title).\n- **Do not** include any extra explanation or text. Only return the stringified JSON object.\n\nThe response should look like this:\n{{\"summary\":\"Markdown-formatted summary text.\",\"recommendedActions\":\"Markdown-formatted action list starting with a ### header.\"}}"
"default": "Return **only a single-line stringified JSON object** that can be passed directly to `JSON.parse()` in JavaScript. Do not include code fences, triple backticks, explanations, or variable assignments.\n\n**Strict rules**:\n- All backslashes (`\\`) must be escaped **twice** (`\\\\\\\\`) so that the string parses correctly in JavaScript.\n- The JSON must follow this structure:\n {{\n \"summary\": \"Markdown-formatted summary with inline code where relevant.\",\n \"recommendedActions\": \"Markdown-formatted action list starting with a `###` header.\"\n }}\n- `summary` is plain text with optional inline markdown; it does not need titles or leading items in bold.\n- `recommendedActions` must start with a `###` header describing the main action dynamically (but **not** include \"Recommended Actions\" as the title).\n- Inside string values use Markdown: `inline code` (backticks) for technical values like file paths, process names, and arguments; `**bold**` for emphasis; `-` for bullet points.\n\nThe response should look like this:\n{{\"summary\":\"Markdown-formatted summary text.\",\"recommendedActions\":\"Markdown-formatted action list starting with a ### header.\"}}"
}
},
"id": "security_ai_prompts-d8aebe8c-8541-4abf-90b9-7e100b606aec",
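Review bot: The first strict rule is carried over unchanged with its `\\\\\\\\` example, and the rewrite gives no reason for the double escaping. A value written with four backslashes in the JSON text contains two backslashes per original one after `JSON.parse()`, so paths in `summary` may display doubled unless a later step unescapes them. If that is intended (for the Markdown renderer, say), a short note in the PR description would help; otherwise ask for standard JSON escaping here and in the `aiForSoc` copy of this prompt.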
2 changes: 1 addition & 1 deletion packages/security_ai_prompts/manifest.yml
Expand Up @@ -22,4 +22,4 @@ source:
license: "Elastic-2.0"
title: "Security AI Prompts"
type: content
version: 1.0.13
version: 1.0.14