Skip to main content

AI analysis, chat, and enrichment

All of this runs in AWS Lambda (edr-api-handler) unless noted.

AI analysis (single event)

  • Endpoint: GET /events/{eventId}/ai-analysis (and related trigger logic in the handler).
  • Models: Amazon Bedrock Claude via _invoke_bedrock_claude_messages, with inference-profile fallbacks.
  • Prompts: bedrock_prompts.pySYSTEM_PROMPT_AI_ANALYSIS (JSON output) or SYSTEM_PROMPT_AI_ANALYSIS_RAG when Pinecone MITRE context is attached.
  • Output: Stored on the event (e.g. summary, classification, reasoning, key indicators, recommended severity, MITRE string, confidence).
  • RAG: Optional Pinecone retrieval (rag/ package); if not configured, analysis uses the non-RAG system prompt.

Why RAG (vs. “raw LLM”)

The degree project emphasizes grounding: the model should reason from structured telemetry and retrieved context (MITRE, similar events, rule metadata), not only from internal knowledge—reducing generic or hallucinated explanations. That is what the RAG path implements when Pinecone is enabled. See Thesis context for the academic framing.

Follow-up chat

  • Endpoint: POST /events/{eventId}/ai-chat with { message, history }.
  • Context: Lambda loads DynamoDB event + S3 forensic, builds a large text block (process, command, tree, network, cached AI text, similar events from Pinecone if enabled).
  • General prompt: SYSTEM_PROMPT_AI_CHAT.
  • Verdict-style questions (e.g. “is it suspicious?”): detector _is_classification_followup_question switches to SYSTEM_PROMPT_AI_CHAT_VERDICT — short Verdict / Assessment / Next steps without duplicating “cached classification” lines per product design.

VirusTotal

  • Endpoint: GET /events/{eventId}/virustotal.
  • Client: virustotal_client.py — file report by hash, DynamoDB cache to respect VT rate limits.
  • Requires: API Gateway route + VIRUSTOTAL_API_KEY on Lambda. See backend/VIRUSTOTAL_SETUP.md in the repo.

Multi-event correlation

  • Endpoint: POST /events/correlate (or GET with query params per handler).
  • Uses SYSTEM_PROMPT_CORRELATION and aggregated event payloads for campaign-style narrative.

For prompt editing and redeploy, see backend/AI_PROMPTS.md.