AI Assistant Tools Reference
The AI assistant uses 44 structured tools to retrieve live data from the Console rather than generating answers from conversation context alone. Each tool maps to a specific data source: ClickHouse events, the PostgreSQL fleet database, or the Console API layer. When you ask a question, the assistant selects the appropriate tools, executes them, and assembles the results into an answer.
This page lists all 44 tools grouped by area, what each one returns, and example prompts that trigger it.
How tools work
Tool calls are visible in the assistant's reasoning output. Each call includes the tool name and parameters. Results are shown before the assistant composes its final answer, so you can verify what data was retrieved.
The assistant will not use a tool it does not need. Asking a narrow question about one sensor does not cause the assistant to fetch fleet-wide data.
Fleet and sensor health
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 1 | get_sensor_events | Runtime events from ClickHouse for a sensor (filterable by kind, severity, time window) | Show me the last 10 critical events on sensor upf-prod-01 |
| 2 | get_sensor_detail | Sensor identity, health state, role, tags, last heartbeat, and enrollment status | Tell me about sensor upf-prod-01 |
| 10 | get_fleet_summary | Fleet health overview: sensor counts by state, alert counts, overall posture | How many sensors are unhealthy right now? |
| 13 | get_sensor_trust | Certificate trust status, expiry, renewal state, and trust alerts for a sensor | Is the certificate on this sensor due for renewal? |
| 32 | get_resource_metrics | Sensor CPU, memory, and resource usage | How is resource usage on this O-DU node? |
| 40 | get_groups | Sensor group memberships | Which group is this sensor in? |
Events and activity
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 1 | get_sensor_events | Runtime events from ClickHouse, with filters for event kind, severity, process, time | Show process exec events from the last hour |
| 12 | search_events | Full-text event search across all sensors | Search for events mentioning /tmp/backdoor |
| 33 | get_active_flows | Active TCP flow records with process attribution | What connections is this process making? |
| 34 | get_dns_events | DNS query and resolution events | What domains did this process resolve? |
| 35 | get_privilege_events | UID and capability change events | Show privilege changes on this AMF node today |
| 36 | get_namespace_events | Linux namespace creation events | Were any user namespaces created recently? |
| 25 | get_shell_sessions | SSH and interactive shell session records | Were there any interactive shell sessions on this node? |
| 5 | get_process_tree | Reconstructed process ancestry for a specific event or process | What spawned this suspicious binary? |
Alerts and investigations
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 3 | get_alert_detail | Full alert context including event kind, sensor, process, MITRE mapping, and linked events | Explain this critical alert |
| 4 | get_investigation | Investigation timeline, notes, evidence links, and case status | Summarize the current investigation |
| 11 | get_attack_chains | Active or recent correlated attack chain events | Are any multi-stage attacks active? |
| 27 | get_investigations | List of investigations, filterable by status or sensor | Show open investigations on telecom nodes |
| 28 | create_investigation | Creates a new investigation case | Create an investigation for this alert |
| 29 | add_events_to_investigation | Links specific runtime events to an existing investigation | Add these events to the current case |
Behavioral analytics and anomalies
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 7 | get_anomaly_scores | Behavioral anomaly scores with contributing factors | What is the anomaly score on this UPF? |
| 8 | get_baselines | Process and network behavioral baselines for a sensor | What is the baseline for this binary? |
| 42 | get_entity_profile | Detailed process or binary behavioral profile | Profile this binary before I write an enforcement rule |
| 44 | get_correlation | Cross-sensor event correlation for a pattern or behavior | Does this behavior appear on other sensors? |
Integrity and security signals
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 30 | get_fim_alerts | File integrity monitoring hash mismatch alerts | Were any binaries modified on this node? |
| 31 | get_kernel_guard | Kernel integrity check results | Is the kernel intact on this sensor? |
Runtime controls and policy
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 14 | get_enforcement_state | Current enforcement policies and their active state | What is being enforced on this sensor? |
| 15 | get_policy_packs | Assigned policy pack info including ID, version, and enforcement state | Which pack is assigned to this gNB node? |
| 37 | get_custom_rules | Custom tracing policies and their targets | What custom rules are active on UPF nodes? |
| 38 | get_suppression_rules | Alert suppression rules with scope and reason | What suppressions apply to this site? |
| 39 | get_admission_rules | Kubernetes admission control rules | Which admission rules apply to this cluster? |
| 43 | get_coverage_report | Detection coverage summary for active packs and rules | What detections cover these NF roles? |
Compliance
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 9 | get_compliance_status | Compliance report snapshot with passing, failing, and partial controls | What is our WG11 compliance posture? |
| 41 | get_license_status | Current license state: plan, node count, validity, grace period | Is the license up to date? |
Kubernetes and network
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 17 | get_kubernetes_pods | Pod inventory with restart state, node placement, and security posture | Which pods restarted during the outage? |
| 6 | get_network_connections | Active network connections for a sensor with process attribution | Show connections from this SMF process |
SBOM and vulnerabilities
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 16 | get_sbom | SBOM scan results for a sensor or container image | Are there critical CVEs in this UPF image? |
Telecom
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 18 | get_telco_nf_inventory | 5G NF detection results: detected roles, confidence scores, evidence | Which NFs were detected on this sensor? |
| 19 | get_ngap_kpis | NGAP procedure KPIs from ngap_kpi_history | Did the NGAP failure rate spike after maintenance? |
| 20 | get_pfcp_sessions | PFCP session state: count, latency, anomalies | How many active PFCP sessions does this UPF have? |
| 21 | get_gtpu_tunnels | GTP-U tunnel inventory: TEID count, anomalies, visibility gap | Are there any GTP-U tunnel anomalies? |
| 22 | get_oran_status | O-RAN interface status: E2, O1, O2, xApp peer state | What is the E2 interface status on this Near-RT RIC? |
| 23 | get_slo_metrics | NF SLO data: availability, MTTR, breach status | Is the AMF meeting its 5-nines SLO? |
| 24 | get_tls_inventory | TLS session inventory: coverage classification per NF and interface | Are SBI interfaces using TLS on all core nodes? |
Audit and diagnostics
| # | Tool | What it returns | Example prompt |
|---|---|---|---|
| 26 | get_audit_log | Console audit log entries filterable by actor, action, or time | Who changed enforcement on this sensor? |
Complete tool list
The following is the authoritative ordered list of all 44 tools from ai_chat.rs:
| # | Tool name | Description |
|---|---|---|
| 1 | get_sensor_events | Query ClickHouse for sensor events |
| 2 | get_sensor_detail | Fetch sensor info from fleet |
| 3 | get_alert_detail | Fetch alert context |
| 4 | get_investigation | Fetch investigation data |
| 5 | get_process_tree | Reconstruct process ancestry |
| 6 | get_network_connections | Active connections for a sensor |
| 7 | get_anomaly_scores | Behavioral anomaly context |
| 8 | get_baselines | Process and network baselines |
| 9 | get_compliance_status | Compliance report snapshot |
| 10 | get_fleet_summary | Fleet health overview |
| 11 | get_attack_chains | Correlated attack chain events |
| 12 | search_events | Full-text event search |
| 13 | get_sensor_trust | Certificate trust status |
| 14 | get_enforcement_state | Current enforcement policies |
| 15 | get_policy_packs | Assigned pack info |
| 16 | get_sbom | SBOM for a sensor or image |
| 17 | get_kubernetes_pods | Pod inventory |
| 18 | get_telco_nf_inventory | 5G NF detection results |
| 19 | get_ngap_kpis | NGAP procedure KPIs |
| 20 | get_pfcp_sessions | PFCP session state |
| 21 | get_gtpu_tunnels | GTP-U tunnel inventory |
| 22 | get_oran_status | O-RAN interface status |
| 23 | get_slo_metrics | NF SLO data |
| 24 | get_tls_inventory | TLS session inventory |
| 25 | get_shell_sessions | SSH and shell session records |
| 26 | get_audit_log | Console audit log |
| 27 | get_investigations | List investigations |
| 28 | create_investigation | Create new investigation |
| 29 | add_events_to_investigation | Link events to a case |
| 30 | get_fim_alerts | FIM hash mismatch alerts |
| 31 | get_kernel_guard | Kernel integrity status |
| 32 | get_resource_metrics | Sensor resource usage |
| 33 | get_active_flows | TCP flow records |
| 34 | get_dns_events | DNS query and resolution events |
| 35 | get_privilege_events | UID and capability change events |
| 36 | get_namespace_events | Namespace creation events |
| 37 | get_custom_rules | Custom tracing policies |
| 38 | get_suppression_rules | Alert suppression list |
| 39 | get_admission_rules | Kubernetes admission control rules |
| 40 | get_groups | Sensor group memberships |
| 41 | get_license_status | Current license state |
| 42 | get_entity_profile | Process or binary behavioral profile |
| 43 | get_coverage_report | Detection coverage summary |
| 44 | get_correlation | Cross-sensor event correlation |
Using the AI assistant
In the Console, open the AI Assistant chat panel (the chat icon in the navigation bar) and type your question. For example:
What is the anomaly score on sensor upf-prod-01?
The assistant selects the relevant tools, fetches live data from the Console, and composes its answer. Tool calls and their results are visible in the reasoning output before the final answer.