AI Assistant
The Telovix AI Assistant is embedded throughout the Console and answers questions about your fleet, alerts, investigations, compliance posture, and telecom analytics using live data.
Requires: An LLM provider configured in Settings > AI / LLM. The assistant panel is disabled until a provider and API key are set. Telecom tools additionally require the telecom sensor flavor.
The assistant is context-aware: when you open it on a sensor detail page, it knows which sensor you are looking at. On a compliance page, it knows the current framework and score. This context is injected automatically and does not need to be restated in the prompt.
Requirements
The assistant requires an LLM provider to be configured. Without a provider, the chat panel is disabled. Configure the provider from Settings > AI / LLM.
Supported providers:
| Provider value | What to set |
|---|---|
| anthropic | Anthropic Claude API key (set in Console Settings) |
| openai | OpenAI API key |
| gemini | Google Gemini via OpenAI-compatible endpoint |
| custom | Any OpenAI-compatible endpoint (Mistral, Ollama, etc.) |
| telovix_managed | Telovix-operated endpoint (Telovix Cloud only; no API key needed) |
| disabled | AI features disabled |
The default model for Anthropic is claude-sonnet-4-6. Model and base URL can be overridden in Console Settings.
How tool use works
The assistant has 44 built-in tools that query live data from the Console. When it answers a question, it can call up to 8 tools per turn. Each tool result is truncated at 2,000 characters before being included in the context. When a question requires more detail than one tool provides, the assistant calls multiple tools in sequence to build a complete answer.
5 tools are only available on the telecom Console vertical: get_telco_snapshot, get_telco_trends, get_nf_resource_history, get_ngap_kpi_metrics, and get_network_activity. These tools are hidden and unavailable on standard vertical deployments.
Tool reference
Fleet and sensors
| Tool | What it returns |
|---|---|
| get_fleet_summary | Live fleet counts: sensor health states, new alert count, enforcement rule count |
| get_sensor_detail | Full sensor detail: health, trust state, cert expiry, OS/kernel, IP addresses, NF role, pack assignment, BPF metrics |
| get_sensor_audit_trail | Full operator action history for a sensor: enrollment, policy changes, enforcement changes, anomaly detections, attack chain matches |
| get_event_delivery_health | BPF delivery rate, BPF loss per mille, heartbeat failure counts per sensor, ranked worst-first |
| get_sensor_upgrade_status | Active upgrade plans, strategy, progress counts, current status |
| get_process_fingerprints | Most-executed process fingerprints across the fleet or a sensor |
| get_anomaly_maturity | Learning mode status, data coverage days, min-score thresholds, estimated graduation dates |
| get_daily_digest | 24-hour summary: new critical/high alerts, anomaly spikes, attack chains, compliance deltas, offline sensors |
Alerts and detections
| Tool | What it returns |
|---|---|
| list_alerts | Recent fired alerts with filtering by status, severity, sensor |
| get_alert_detail | Full alert detail: AI triage verdict, confidence, rationale, L2 narrative, recommended actions, analyst notes, investigation link |
| get_anomaly_scores | Recent behavioral anomaly scores, optionally filtered by sensor |
| get_attack_chains | Active attack chain detections |
| get_attack_chain_detail | Full step-by-step event sequence for a specific chain |
| correlate_alerts | Correlation verdict for 2+ alerts on the same sensor or time window |
| get_fleet_correlation | Cross-sensor correlation: events appearing on 2+ sensors simultaneously |
| get_custom_flags | Behavioral detection rules (custom flags), fire counts, enabled status |
| get_flag_matches | Recent flag match hits with process, parent, args, message |
| get_alert_rules | Alert rule configuration, fire counts, MITRE coverage |
| get_suppression_rules | Active suppression rules, scope, expiry, reason |
Investigations and cases
| Tool | What it returns |
|---|---|
| search_investigations | Search investigations by title or status |
| get_investigation_detail | Full investigation content: evidence events, analyst notes, timeline |
Compliance
| Tool | What it returns |
|---|---|
| get_compliance_posture | Latest compliance scores: CIS, NIS2, ETSI |
| get_compliance_evidence_trend | Daily evidence match counts over a time window |
| get_detection_coverage | MITRE ATT&CK coverage, compliance framework coverage, rule counts |
Network and Kubernetes
| Tool | What it returns |
|---|---|
| get_network_connections | Active network connections |
| get_listening_services | Services listening on ports, process attribution |
| get_kubernetes_summary | Kubernetes workload summary, admission decisions |
| get_kubernetes_pods | Pod inventory: phase, restart count, node, IP, container images |
| get_kubernetes_services | Kubernetes services: type, IPs, ports |
| get_kubernetes_images | Container image inventory |
| get_kubernetes_network_policies | Network policy rules |
| get_pod_lifecycle_events | CrashLoopBackOff, OOMKilled, evictions |
| list_container_images | Container image inventory from fleet sensors |
Policy and enforcement
| Tool | What it returns |
|---|---|
| get_enforcement_rules | Active enforcement rules, sensor scope, action type, confirmation status |
| get_guardian_policies | Guardian/confinement policies with match conditions and actions |
| generate_tracing_policy | Generates TracingPolicy YAML from a plain-English description (read-only; operator must apply it) |
| get_sensor_baselines | Process baseline summaries for a sensor or fleet |
Telecom (telecom vertical only)
| Tool | What it returns |
|---|---|
| get_telco_snapshot | Full O-RAN and 5G telco snapshot for a sensor |
| get_telco_trends | Hourly 5G/O-RAN event trends by NF role and severity |
| get_nf_resource_history | Hourly CPU, memory, and power per NF role |
| get_ngap_kpi_metrics | NGAP procedure success rates, decode error counts |
| get_network_activity | Network flows and listening services from ClickHouse |
Infrastructure
| Tool | What it returns |
|---|---|
| get_energy_metrics | Estimated wattage per sensor, CPU/memory/bandwidth metrics |
| get_federation_status | Federation role, connected regions, sensor counts, event ingestion totals |
Chat sessions
Each conversation is stored as a session. Sessions can be searched and exported to investigations.
In the Console, the AI Assistant panel is accessible from any page via the assistant icon in the navigation bar. Previous sessions are listed in the Sessions tab of the panel. Click any session to continue it or review its history. To export a session to an investigation, click Export to Investigation at the top of the session view. This creates an investigation with the first user message as the title and each AI response as a note attributed to "Telovix AI Assistant".
Typical prompts by use case
Fleet health
Which sensors are degraded right now?
How many sensors are in learning mode for anomaly detection?
What changed on O-DU nodes in zone A since the maintenance window?
Alert triage
Show me critical alerts from O-DU nodes in the last hour.
Is alert abc123 a true positive? What do the analyst notes say?
Are there any alerts from multiple sensors on the same binary today?
Investigations
Summarize the evidence collected in investigation case_abc123.
What have analysts noted on this case so far?
Compliance
What is the current CIS v8 score and which controls are failing?
Has compliance signal improved over the last 7 days?
Telecom and O-RAN (telecom vertical only)
What are the NGAP KPI success rates on the AMF node?
Are there any active WG11-related detections on Near-RT RIC nodes?
Show NF resource utilization for the SMF in the last 6 hours.
Detection and policy
Generate a rule that detects bash spawned from a UPF process.
Which enforcement rules are active on the AMF group?
What behavioral flags have fired in the last 24 hours?
Limitations
- The assistant can call up to 8 tools per turn. Questions requiring more than 8 separate data queries may receive partial answers.
- Tool results are truncated to 2,000 characters each before being included in the context. Large result sets (many alerts, many sensors) are summarized.
- The assistant generates TracingPolicy YAML as a starting point, not as a validated production-ready rule. Review generated YAML for correct hook choice and argument types before applying it.
- The assistant follows the authenticated user's sensor scope. A sensor_owner user will only receive data for their assigned sensors.
- AI triage assessments (get_alert_detail TP/FP verdicts) are probabilistic. The operator is responsible for final triage decisions.
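
The per-turn limits from "How tool use works" and the Limitations list, modeled in Python as an added example (this is not Telovix code). The `run_turn` helper, the stand-in tool bodies, and the treatment of out-of-scope queries are assumptions; only the 8-call and 2,000-character limits and the tool names come from this page.

```python
import json

MAX_TOOL_CALLS = 8        # per-turn tool budget stated on this page
MAX_RESULT_CHARS = 2000   # per-result truncation stated on this page

def run_turn(planned_calls, tools, scope=None):
    """Model one assistant turn (hypothetical helper, not Telovix code).

    planned_calls: (tool_name, sensor_id) pairs; scope: visible sensor ids
    or None. Returns (context, notes): what reaches the model, and why an
    answer built from it may be partial."""
    context, notes, used = [], [], 0
    for name, sensor in planned_calls:
        if used == MAX_TOOL_CALLS:
            notes.append("tool budget exhausted; remaining calls skipped")
            break
        used += 1
        if scope is not None and sensor not in scope:
            # Assumption: an out-of-scope query yields an empty result
            # and still consumes one call from the budget.
            context.append((name, sensor, "[]"))
            notes.append(f"{name}({sensor}): outside sensor scope")
            continue
        raw = json.dumps(tools[name](sensor))
        if len(raw) > MAX_RESULT_CHARS:
            # A character cut can end mid-record, so the tail is lost.
            notes.append(f"{name}({sensor}): {len(raw)} chars truncated")
            raw = raw[:MAX_RESULT_CHARS]
        context.append((name, sensor, raw))
    return context, notes

# Constructed stand-ins for two tools named on this page.
TOOLS = {
    "list_alerts": lambda s: [{"id": f"{s}-a{i:03d}", "severity": "high"}
                              for i in range(120)],
    "get_sensor_detail": lambda s: {"sensor": s, "health": "healthy"},
}

def demo():
    # One alert listing plus detail for ten sensors; s3 is out of scope.
    plan = [("list_alerts", "s0")]
    plan += [("get_sensor_detail", f"s{i}") for i in range(10)]
    return run_turn(plan, TOOLS, {f"s{i}" for i in range(10)} - {"s3"})

if __name__ == "__main__":
    ctx, notes = demo()
    print(f"{len(ctx)} results in context")
    print(*notes, sep="\n")
```

In the constructed run, eleven planned calls yield eight results: the alert listing is cut at 2,000 characters, the out-of-scope sensor returns nothing, and the last three sensors are never queried.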