
v12 - fix(soc-ai): update capability group prefixes to match backend MCP tool names#2301

Merged
Kbayero merged 2 commits into release/v12.0.0 from backlog/fix-soc-ai-capability-group-prefixes on Jul 1, 2026

Conversation

@yllada yllada commented Jun 30, 2026

Contributor

Description:
Closes #2300

What

The capabilityGroups map in the soc-ai plugin had stale prefixes for the
correlation and dashboards groups that didn't match the actual MCP tool
names registered by the backend.

Why it broke

groupOf() extracts the segment before the first . from a tool name:

  • correlation_rule.create → prefix correlation_rule
  • filter.create → prefix filter

The old prefixes (eventprocessing, event_processing) matched nothing,
so every mutating tool in the correlation group was silently filtered out.
The LLM never received those tools and correctly reported it had no permission
to create/update/delete correlation rules.

Changes

File: plugins/soc-ai/internal/agent/groups.go
Change: Fixed correlation prefixes: eventprocessing, event_processing → correlation_rule, regex_pattern, tenant_config, filter. Extended dashboards with visualizations, dashboard_layouts.

Test plan

  • Enable correlation capability in Settings → SOC-AI
  • Ask the SOC assistant to create a correlation rule — it should now attempt it instead of refusing
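The mechanism described in the PR (a prefix map consulted by a groupOf() that cuts at the first dot) can be checked end to end with a small stand-alone reconstruction. This is an added example, not the project's groups.go: the group names and the stale/fixed prefixes are taken from the PR text, but the map layout, the allowedTools and grantingCapabilities helpers and the tool list are assumptions, and the tool names are constructed sample data rather than the backend's real MCP registry.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// staleGroups reproduces the pre-fix map from the PR description: the
// correlation prefixes never match any registered tool name.
// (Hypothetical layout; the real groups.go may differ.)
var staleGroups = map[string][]string{
	"correlation": {"eventprocessing", "event_processing"},
	"dashboards":  {"dashboard"},
}

// fixedGroups reproduces the post-fix map from the PR description.
var fixedGroups = map[string][]string{
	"correlation": {"correlation_rule", "regex_pattern", "tenant_config", "filter"},
	"dashboards":  {"dashboard", "visualizations", "dashboard_layouts"},
}

// groupOf returns the segment of a tool name before the first '.'.
// A name with no dot is returned unchanged so it can still be matched.
func groupOf(tool string) string {
	if i := strings.IndexByte(tool, '.'); i >= 0 {
		return tool[:i]
	}
	return tool
}

// allowedTools keeps only the tools whose prefix is granted by one of the
// enabled capabilities; everything else is silently dropped, which is the
// failure mode the PR describes.
func allowedTools(groups map[string][]string, enabled []string, tools []string) []string {
	granted := map[string]bool{}
	for _, capName := range enabled {
		for _, p := range groups[capName] {
			granted[p] = true
		}
	}
	var out []string
	for _, t := range tools {
		if granted[groupOf(t)] {
			out = append(out, t)
		}
	}
	return out
}

// grantingCapabilities reports which capabilities expose a given tool under a
// group map; this is the check to run when a prefix such as tenant_config is
// added to a group, to see exactly which user-facing switch unlocks it.
func grantingCapabilities(groups map[string][]string, tool string) []string {
	prefix := groupOf(tool)
	var caps []string
	for capName, prefixes := range groups {
		for _, p := range prefixes {
			if p == prefix {
				caps = append(caps, capName)
				break
			}
		}
	}
	sort.Strings(caps)
	return caps
}

// sampleTools is a constructed list in the "prefix.action" shape the PR
// describes; it is not the backend's actual tool registry.
var sampleTools = []string{
	"correlation_rule.create",
	"correlation_rule.delete",
	"filter.create",
	"regex_pattern.update",
	"tenant_config.update",
	"dashboard.list",
	"visualizations.create",
	"alerts.search",
}

func main() {
	enabled := []string{"correlation"}
	fmt.Println("stale map, correlation enabled:", allowedTools(staleGroups, enabled, sampleTools))
	fmt.Println("fixed map, correlation enabled:", allowedTools(fixedGroups, enabled, sampleTools))
	fmt.Println("tenant_config.update is granted by:", grantingCapabilities(fixedGroups, "tenant_config.update"))
}
```

With the stale map and only correlation enabled, allowedTools returns nothing, so the LLM never sees a create/update/delete tool for correlation rules; with the fixed map the five correlation-prefixed tools pass. grantingCapabilities on tenant_config.update returns only correlation, which is the scoping question the automated review raises below: enabling the correlation capability is what exposes that prefix.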

github-actions Bot commented Jun 30, 2026


🛑 AI review — Engineer review required

This PR touches critical paths or introduces changes the model cannot judge with sufficient confidence. @Kbayero @osmontero please review.

🛑 architecture (gemini-3-flash-lite) — blocking — must fix before merge

Summary: Modification of capability groups impacts agent-manager authorization and data access scope, potentially breaking existing agent permissions.

  • high plugins/soc-ai/internal/agent/groups.go:14 — Modification of capability groups changes the authorization contract for agents. This requires a coordinated rollout to ensure agents with older configurations do not lose access or violate security policies.

🛑 bugs (gemini-3-flash-lite) — blocking — must fix before merge

Summary: Inconsistent capability group mapping; potential unauthorized access due to broad scope changes.

  • high plugins/soc-ai/internal/agent/groups.go:16 — The 'correlation' capability group has been redefined to include 'tenant_config'. This grants the AI agent broad administrative access to tenant-wide configurations, which likely exceeds the scope of 'correlation and event-processing rules' and poses a security risk.

🛑 security (gemini-3-flash-lite) — blocking — must fix before merge

Summary: Expansion of SOC AI agent capabilities to include sensitive system configurations and regex patterns.

  • high plugins/soc-ai/internal/agent/groups.go:15 — The 'correlation' capability group now grants access to 'tenant_config', 'regex_pattern', and 'filter'. This significantly expands the agent's attack surface, potentially allowing unauthorized modification of system-wide filtering logic or exposure of sensitive tenant configurations. Ensure that the AI agent's access to these resources is strictly scoped and validated.

@utmstackprapprover utmstackprapprover Bot left a comment


Changes requested — AI review found blocking issues (high/critical, or engineer review required). See above.

@Kbayero Kbayero merged commit 3a829f3 into release/v12.0.0 Jul 1, 2026
1 check passed
@Kbayero Kbayero deleted the backlog/fix-soc-ai-capability-group-prefixes branch July 1, 2026 15:07



Development

Successfully merging this pull request may close these issues.

v12 - fix(soc-ai): capability group prefixes don't match backend MCP tool names

2 participants