From ef4a481928046d6606cd432d43bba0d57430d569 Mon Sep 17 00:00:00 2001
From: Ievgen Sorokopud <ievgen.sorokopud@elastic.co>
Date: Thu, 23 Jan 2025 09:32:23 +0100
Subject: [PATCH] [SIEM migrations] Changes comments format from direct string
 to object with message, author and date (requires mapping update) (#11538)
 (#207859)

## Summary

[Internal link](https://github.com/elastic/security-team/issues/10820)
to the feature details

This PR updates `.kibana-siem-rule-migrations-rules-*` schema.

Previously we would store comments as an array of strings which is not
future proof. To make sure that we can handle cases like adding comments
by different users at different time we extended comment to be an
object:

```
{
  message: string;
  created_by: string;
  created_at: data;
}
```

`created_by` field can be either a user profile ID or predefined
constant string `assistant` to indicate comments generated by LLM.

> [!NOTE]
> This feature needs `siemMigrationsEnabled` experimental flag enabled
to work.
---
 .../common/siem_migrations/constants.ts       |  2 +
 .../model/rule_migration.gen.ts               | 23 +++++-
 .../model/rule_migration.schema.yaml          | 23 +++++-
 .../tabs/summary/index.tsx                    | 78 ++++++++++++++-----
 .../rules/components/status_badge/index.tsx   |  2 +-
 .../rules/data/rule_migrations_field_maps.ts  |  5 +-
 .../match_prebuilt_rule.ts                    | 14 +++-
 .../nodes/ecs_mapping/ecs_mapping.ts          |  4 +-
 .../nodes/inline_query/inline_query.ts        | 11 ++-
 .../retrieve_integrations.ts                  | 14 +++-
 .../nodes/translate_rule/translate_rule.ts    |  4 +-
 .../rules/task/rule_migrations_task_client.ts |  3 +-
 .../rules/task/util/comments.ts               | 11 +++
 .../siem_migrations/utils/rules.ts            | 11 ++-
 14 files changed, 161 insertions(+), 44 deletions(-)

diff --git a/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/constants.ts b/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/constants.ts
index 16cd4365d56bc..898bc3910a84c 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/constants.ts
+++ b/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/constants.ts
@@ -7,6 +7,8 @@
 
 import type { Severity } from '@kbn/securitysolution-io-ts-alerting-types';
 
+export const SIEM_MIGRATIONS_ASSISTANT_USER = 'assistant';
+
 export const SIEM_MIGRATIONS_PATH = '/internal/siem_migrations' as const;
 export const SIEM_RULE_MIGRATIONS_PATH = `${SIEM_MIGRATIONS_PATH}/rules` as const;
 
diff --git a/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts
index a81e264073ef9..f7195ef9b14c4 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts
+++ b/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts
@@ -153,11 +153,30 @@ export const RuleMigrationStatus = z.enum(['pending', 'processing', 'completed',
 export type RuleMigrationStatusEnum = typeof RuleMigrationStatus.enum;
 export const RuleMigrationStatusEnum = RuleMigrationStatus.enum;
 
+/**
+ * The comment for the migration
+ */
+export type RuleMigrationComment = z.infer<typeof RuleMigrationComment>;
+export const RuleMigrationComment = z.object({
+  /**
+   * The comment for the migration
+   */
+  message: z.string(),
+  /**
+   * The moment of creation
+   */
+  created_at: z.string(),
+  /**
+   * The user profile ID of the user who created the comment or `assistant` if it was generated by the LLM
+   */
+  created_by: z.string(),
+});
+
 /**
  * The comments for the migration including a summary from the LLM in markdown.
  */
 export type RuleMigrationComments = z.infer<typeof RuleMigrationComments>;
-export const RuleMigrationComments = z.array(z.string());
+export const RuleMigrationComments = z.array(RuleMigrationComment);
 
 /**
  * The rule migration document object.
@@ -173,7 +192,7 @@ export const RuleMigrationData = z.object({
    */
   migration_id: NonEmptyString,
   /**
-   * The username of the user who created the migration.
+   * The user profile ID of the user who created the migration.
    */
   created_by: NonEmptyString,
   /**
diff --git a/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/rule_migration.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/rule_migration.schema.yaml
index 657d74eaee35b..7c5e44236f053 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/rule_migration.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/common/siem_migrations/model/rule_migration.schema.yaml
@@ -142,7 +142,7 @@ components:
           description: The migration id.
           $ref: '../../../common/api/model/primitives.schema.yaml#/components/schemas/NonEmptyString'
         created_by:
-          description: The username of the user who created the migration.
+          description: The user profile ID of the user who created the migration.
           $ref: '../../../common/api/model/primitives.schema.yaml#/components/schemas/NonEmptyString'
         original_rule:
           description: The original rule to migrate.
@@ -300,11 +300,30 @@ components:
         - completed
         - failed
 
+    RuleMigrationComment:
+      type: object
+      description: The comment for the migration
+      required:
+        - message
+        - created_at
+        - created_by
+      properties:
+        message:
+          type: string
+          description: The comment for the migration
+        created_at:
+          type: string
+          description: The moment of creation
+        created_by:
+          type: string
+          description: The user profile ID of the user who created the comment or `assistant` if it was generated by the LLM
+
     RuleMigrationComments:
       type: array
       description: The comments for the migration including a summary from the LLM in markdown.
       items:
-        type: string
+        description: The comments for the migration
+        $ref: '#/components/schemas/RuleMigrationComment'
 
     UpdateRuleMigrationData:
       type: object
diff --git a/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/components/rule_details_flyout/tabs/summary/index.tsx b/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/components/rule_details_flyout/tabs/summary/index.tsx
index e046b7957023f..c580b7a76dd51 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/components/rule_details_flyout/tabs/summary/index.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/components/rule_details_flyout/tabs/summary/index.tsx
@@ -10,8 +10,14 @@ import type { EuiCommentProps } from '@elastic/eui';
 import { EuiCommentList, EuiMarkdownFormat, EuiSpacer } from '@elastic/eui';
 import moment from 'moment';
 import { AssistantAvatar } from '@kbn/ai-assistant-icon';
+import { UserAvatar } from '@kbn/user-profile-components';
+import { USER_AVATAR_ITEM_TEST_ID } from '../../../../../../common/components/user_profiles/test_ids';
+import { useBulkGetUserProfiles } from '../../../../../../common/components/user_profiles/use_bulk_get_user_profiles';
 import { type RuleMigration } from '../../../../../../../common/siem_migrations/model/rule_migration.gen';
-import { RuleTranslationResult } from '../../../../../../../common/siem_migrations/constants';
+import {
+  RuleTranslationResult,
+  SIEM_MIGRATIONS_ASSISTANT_USER,
+} from '../../../../../../../common/siem_migrations/constants';
 import * as i18n from './translations';
 
 interface SummaryTabProps {
@@ -19,26 +25,58 @@ interface SummaryTabProps {
 }
 
 export const SummaryTab: React.FC<SummaryTabProps> = React.memo(({ ruleMigration }) => {
-  const timestamp = useMemo(
-    // Date formats https://momentjs.com/docs/#/displaying/format/
-    () => moment(ruleMigration['@timestamp']).format('ll'),
-    [ruleMigration]
-  );
+  const userProfileIds = useMemo<Set<string>>(() => {
+    if (!ruleMigration.comments) {
+      return new Set();
+    }
+    return ruleMigration.comments.reduce((acc, { created_by: createdBy }) => {
+      if (createdBy !== SIEM_MIGRATIONS_ASSISTANT_USER) acc.add(createdBy);
+      return acc;
+    }, new Set<string>());
+  }, [ruleMigration.comments]);
+  const { isLoading: isLoadingUserProfiles, data: userProfiles } = useBulkGetUserProfiles({
+    uids: userProfileIds,
+  });
+
   const comments: EuiCommentProps[] | undefined = useMemo(() => {
-    return ruleMigration.comments?.map((comment) => {
-      return {
-        username: i18n.ASSISTANT_USERNAME,
-        timelineAvatarAriaLabel: i18n.ASSISTANT_USERNAME,
-        timelineAvatar: <AssistantAvatar name="machine" size="l" color="subdued" />,
-        event:
-          ruleMigration.translation_result === RuleTranslationResult.UNTRANSLATABLE
-            ? i18n.COMMENT_EVENT_UNTRANSLATABLE
-            : i18n.COMMENT_EVENT_TRANSLATED,
-        timestamp,
-        children: <EuiMarkdownFormat textSize="s">{comment}</EuiMarkdownFormat>,
-      };
-    });
-  }, [ruleMigration, timestamp]);
+    if (isLoadingUserProfiles) {
+      return undefined;
+    }
+    return ruleMigration.comments?.map(
+      ({ message, created_at: createdAt, created_by: createdBy }) => {
+        const profile = userProfiles?.find(({ uid }) => uid === createdBy);
+        const isCreatedByAssistant = createdBy === SIEM_MIGRATIONS_ASSISTANT_USER || !profile;
+        const username = isCreatedByAssistant
+          ? i18n.ASSISTANT_USERNAME
+          : profile.user.full_name ?? profile.user.username;
+        return {
+          username,
+          timelineAvatarAriaLabel: username,
+          timelineAvatar: isCreatedByAssistant ? (
+            <AssistantAvatar name="machine" size="l" color="subdued" />
+          ) : (
+            <UserAvatar
+              data-test-subj={USER_AVATAR_ITEM_TEST_ID(username)}
+              user={profile?.user}
+              avatar={profile?.data.avatar}
+              size={'l'}
+            />
+          ),
+          event:
+            ruleMigration.translation_result === RuleTranslationResult.UNTRANSLATABLE
+              ? i18n.COMMENT_EVENT_UNTRANSLATABLE
+              : i18n.COMMENT_EVENT_TRANSLATED,
+          timestamp: moment(createdAt).format('ll'), // Date formats https://momentjs.com/docs/#/displaying/format/
+          children: <EuiMarkdownFormat textSize="s">{message}</EuiMarkdownFormat>,
+        };
+      }
+    );
+  }, [
+    isLoadingUserProfiles,
+    ruleMigration.comments,
+    ruleMigration.translation_result,
+    userProfiles,
+  ]);
 
   return (
     <>
diff --git a/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/components/status_badge/index.tsx b/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/components/status_badge/index.tsx
index 428dbf522f815..7a584bbd2c7db 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/components/status_badge/index.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/components/status_badge/index.tsx
@@ -50,7 +50,7 @@ export const StatusBadge: React.FC<StatusBadgeProps> = React.memo(
     // Failed
     if (migrationRule.status === RuleMigrationStatusEnum.failed) {
       const tooltipMessage = migrationRule.comments?.length
-        ? migrationRule.comments[0]
+        ? migrationRule.comments[0].message
         : i18n.RULE_STATUS_FAILED;
       return (
         <EuiToolTip content={tooltipMessage}>
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_field_maps.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_field_maps.ts
index 0ea2913d3ebd6..491f14597220c 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_field_maps.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/data/rule_migrations_field_maps.ts
@@ -37,7 +37,10 @@ export const ruleMigrationsFieldMap: FieldMap<SchemaFieldMapKeys<Omit<RuleMigrat
   'elastic_rule.prebuilt_rule_id': { type: 'keyword', required: false },
   'elastic_rule.id': { type: 'keyword', required: false },
   translation_result: { type: 'keyword', required: false },
-  comments: { type: 'text', array: true, required: false },
+  comments: { type: 'object', array: true, required: false },
+  'comments.message': { type: 'keyword', required: true },
+  'comments.created_at': { type: 'date', required: true },
+  'comments.created_by': { type: 'keyword', required: true }, // use 'assistant' for llm
   updated_at: { type: 'date', required: false },
   updated_by: { type: 'keyword', required: false },
 };
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/match_prebuilt_rule/match_prebuilt_rule.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/match_prebuilt_rule/match_prebuilt_rule.ts
index 804e7a8bc3953..b9e97ced995f4 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/match_prebuilt_rule/match_prebuilt_rule.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/nodes/match_prebuilt_rule/match_prebuilt_rule.ts
@@ -16,7 +16,7 @@ import type { RuleMigrationsRetriever } from '../../../retrievers';
 import type { ChatModel } from '../../../util/actions_client_chat';
 import type { GraphNode } from '../../types';
 import { MATCH_PREBUILT_RULE_PROMPT } from './prompts';
-import { cleanMarkdown } from '../../../util/comments';
+import { cleanMarkdown, generateAssistantComment } from '../../../util/comments';
 
 interface GetMatchPrebuiltRuleNodeParams {
   model: ChatModel;
@@ -42,7 +42,13 @@ export const getMatchPrebuiltRuleNode = ({
       techniqueIds.join(',')
     );
     if (prebuiltRules.length === 0) {
-      return { comments: ['## Prebuilt Rule Matching Summary\nNo related prebuilt rule found.'] };
+      return {
+        comments: [
+          generateAssistantComment(
+            '## Prebuilt Rule Matching Summary\nNo related prebuilt rule found.'
+          ),
+        ],
+      };
     }
 
     const outputParser = new JsonOutputParser();
@@ -68,7 +74,9 @@ export const getMatchPrebuiltRuleNode = ({
       splunk_rule: JSON.stringify(splunkRule, null, 2),
     })) as GetMatchedRuleResponse;
 
-    const comments = response.summary ? [cleanMarkdown(response.summary)] : undefined;
+    const comments = response.summary
+      ? [generateAssistantComment(cleanMarkdown(response.summary))]
+      : undefined;
 
     if (response.match) {
       const matchedRule = prebuiltRules.find((r) => r.name === response.match);
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/ecs_mapping/ecs_mapping.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/ecs_mapping/ecs_mapping.ts
index cddf85dea2d31..0e8f311fa3297 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/ecs_mapping/ecs_mapping.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/ecs_mapping/ecs_mapping.ts
@@ -12,7 +12,7 @@ import { getEsqlKnowledgeBase } from '../../../../../util/esql_knowledge_base_ca
 import type { GraphNode } from '../../types';
 import { SIEM_RULE_MIGRATION_CIM_ECS_MAP } from './cim_ecs_map';
 import { ESQL_TRANSLATE_ECS_MAPPING_PROMPT } from './prompts';
-import { cleanMarkdown } from '../../../../../util/comments';
+import { cleanMarkdown, generateAssistantComment } from '../../../../../util/comments';
 
 interface GetEcsMappingNodeParams {
   inferenceClient: InferenceClient;
@@ -48,7 +48,7 @@ export const getEcsMappingNode = ({
 
     return {
       response,
-      comments: [cleanMarkdown(ecsSummary)],
+      comments: [generateAssistantComment(cleanMarkdown(ecsSummary))],
       translation_finalized: true,
       translation_result: translationResult,
       elastic_rule: {
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/inline_query/inline_query.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/inline_query/inline_query.ts
index e5d16f59658c3..eac213652973d 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/inline_query/inline_query.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/inline_query/inline_query.ts
@@ -11,7 +11,7 @@ import type { RuleMigrationsRetriever } from '../../../../../retrievers';
 import type { ChatModel } from '../../../../../util/actions_client_chat';
 import type { GraphNode } from '../../../../types';
 import { REPLACE_QUERY_RESOURCE_PROMPT, getResourcesContext } from './prompts';
-import { cleanMarkdown } from '../../../../../util/comments';
+import { cleanMarkdown, generateAssistantComment } from '../../../../../util/comments';
 
 interface GetInlineQueryNodeParams {
   model: ChatModel;
@@ -28,7 +28,7 @@ export const getInlineQueryNode = ({
     // Check before to avoid unnecessary LLM calls
     let unsupportedComment = getUnsupportedComment(query);
     if (unsupportedComment) {
-      return { comments: [unsupportedComment] };
+      return { comments: [generateAssistantComment(unsupportedComment)] };
     }
 
     const resources = await ruleMigrationsRetriever.resources.getResources(state.original_rule);
@@ -51,10 +51,13 @@ export const getInlineQueryNode = ({
       // Check after replacing in case the replacements made it untranslatable
       unsupportedComment = getUnsupportedComment(query);
       if (unsupportedComment) {
-        return { comments: [unsupportedComment] };
+        return { comments: [generateAssistantComment(unsupportedComment)] };
       }
 
-      return { inline_query: query, comments: [cleanMarkdown(inliningSummary)] };
+      return {
+        inline_query: query,
+        comments: [generateAssistantComment(cleanMarkdown(inliningSummary))],
+      };
     }
     return { inline_query: query };
   };
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/retrieve_integrations.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/retrieve_integrations.ts
index 11c9069fc77ac..2e514b436e60e 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/retrieve_integrations.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/retrieve_integrations/retrieve_integrations.ts
@@ -10,7 +10,7 @@ import type { RuleMigrationsRetriever } from '../../../../../retrievers';
 import type { ChatModel } from '../../../../../util/actions_client_chat';
 import type { GraphNode } from '../../types';
 import { MATCH_INTEGRATION_PROMPT } from './prompts';
-import { cleanMarkdown } from '../../../../../util/comments';
+import { cleanMarkdown, generateAssistantComment } from '../../../../../util/comments';
 
 interface GetRetrieveIntegrationsNodeParams {
   model: ChatModel;
@@ -31,7 +31,13 @@ export const getRetrieveIntegrationsNode = ({
 
     const integrations = await ruleMigrationsRetriever.integrations.getIntegrations(query);
     if (integrations.length === 0) {
-      return { comments: ['## Integration Matching Summary\nNo related integration found.'] };
+      return {
+        comments: [
+          generateAssistantComment(
+            '## Integration Matching Summary\nNo related integration found.'
+          ),
+        ],
+      };
     }
 
     const outputParser = new JsonOutputParser();
@@ -55,7 +61,9 @@ export const getRetrieveIntegrationsNode = ({
       splunk_rule: JSON.stringify(splunkRule, null, 2),
     })) as GetMatchedIntegrationResponse;
 
-    const comments = response.summary ? [cleanMarkdown(response.summary)] : undefined;
+    const comments = response.summary
+      ? [generateAssistantComment(cleanMarkdown(response.summary))]
+      : undefined;
 
     if (response.match) {
       const matchedIntegration = integrations.find((r) => r.title === response.match);
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts
index e12d3e3da13b8..c6b946c295940 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/translate_rule.ts
@@ -10,7 +10,7 @@ import type { InferenceClient } from '@kbn/inference-plugin/server';
 import { getEsqlKnowledgeBase } from '../../../../../util/esql_knowledge_base_caller';
 import type { GraphNode } from '../../types';
 import { ESQL_SYNTAX_TRANSLATION_PROMPT } from './prompts';
-import { cleanMarkdown } from '../../../../../util/comments';
+import { cleanMarkdown, generateAssistantComment } from '../../../../../util/comments';
 
 interface GetTranslateRuleNodeParams {
   inferenceClient: InferenceClient;
@@ -47,7 +47,7 @@ export const getTranslateRuleNode = ({
 
     return {
       response,
-      comments: [cleanMarkdown(translationSummary)],
+      comments: [generateAssistantComment(cleanMarkdown(translationSummary))],
       elastic_rule: {
         integration_ids: [integrationId],
         query: esqlQuery,
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/rule_migrations_task_client.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/rule_migrations_task_client.ts
index 83f41d503bfa9..d5cedfaad4503 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/rule_migrations_task_client.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/rule_migrations_task_client.ts
@@ -28,6 +28,7 @@ import type {
   RuleMigrationTaskStopResult,
 } from './types';
 import { ActionsClientChat } from './util/actions_client_chat';
+import { generateAssistantComment } from './util/comments';
 
 const ITERATION_BATCH_SIZE = 15 as const;
 const ITERATION_SLEEP_SECONDS = 10 as const;
@@ -146,7 +147,7 @@ export class RuleMigrationsTaskClient {
               );
               await this.data.rules.saveError({
                 ...ruleMigration,
-                comments: [`Error migrating rule: ${error.message}`],
+                comments: [generateAssistantComment(`Error migrating rule: ${error.message}`)],
               });
             }
           })
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/util/comments.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/util/comments.ts
index 4dad4235ad4e0..291e8c9bcf094 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/util/comments.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/siem_migrations/rules/task/util/comments.ts
@@ -5,7 +5,18 @@
  * 2.0.
  */
 
+import { SIEM_MIGRATIONS_ASSISTANT_USER } from '../../../../../../common/siem_migrations/constants';
+import type { RuleMigrationComment } from '../../../../../../common/siem_migrations/model/rule_migration.gen';
+
 export const cleanMarkdown = (markdown: string): string => {
   // Use languages known by the code block plugin
   return markdown.replaceAll('```esql', '```sql').replaceAll('```spl', '```splunk-spl');
 };
+
+export const generateAssistantComment = (message: string): RuleMigrationComment => {
+  return {
+    message,
+    created_at: new Date().toISOString(),
+    created_by: SIEM_MIGRATIONS_ASSISTANT_USER,
+  };
+};
diff --git a/x-pack/test/security_solution_api_integration/test_suites/siem_migrations/utils/rules.ts b/x-pack/test/security_solution_api_integration/test_suites/siem_migrations/utils/rules.ts
index b2247a97c6381..25789dd382589 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/siem_migrations/utils/rules.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/siem_migrations/utils/rules.ts
@@ -14,6 +14,7 @@ import { RuleMigration } from '@kbn/security-solution-plugin/common/siem_migrati
 import { INDEX_PATTERN as SIEM_MIGRATIONS_INDEX_PATTERN } from '@kbn/security-solution-plugin/server/lib/siem_migrations/rules/data/rule_migrations_data_service';
 import { SIEM_RULE_MIGRATION_PATH } from '@kbn/security-solution-plugin/common/siem_migrations/constants';
 import { GetRuleMigrationResponse } from '@kbn/security-solution-plugin/common/siem_migrations/model/api/rules/rule_migration.gen';
+import { generateAssistantComment } from '@kbn/security-solution-plugin/server/lib/siem_migrations/rules/task/util/comments';
 
 const SIEM_MIGRATIONS_RULES_INDEX_PATTERN = `${SIEM_MIGRATIONS_INDEX_PATTERN}-rules-default`;
 
@@ -40,9 +41,13 @@ const migrationRuleDocument: RuleMigrationDocument = {
   updated_by: 'u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0',
   updated_at: '2025-01-13T15:39:48.729Z',
   comments: [
-    '## Prebuilt Rule Matching Summary\nThe Splunk rule "Access - Default Account Usage - Rule" is intended to discover the use of default accounts, which are commonly targeted by attackers using brute force attack tools. However, none of the provided Elastic Prebuilt Rules specifically address the detection of default account usage. The closest matches involve brute force attacks in general, but they do not specifically focus on default accounts. Therefore, no suitable match was found.',
-    '## Integration Matching Summary\nNo related integration found.',
-    '## Translation Summary\n\nThe provided Splunk SPL query was analyzed and translated into the equivalent ES|QL query. Here is a breakdown of the process:\n\n### Original SPL Query\n```splunk-spl\n| from datamodel:"Authentication"."Successful_Default_Authentication" \n| stats max("_time") as "lastTime",\nvalues("tag") as "tag",\ncount by "dest","user","app"\n```\n\n### Key SPL Components and Their ES|QL Equivalents:\n1. **Data Model**: `from datamodel:"Authentication"."Successful_Default_Authentication"` is not directly translatable to ES|QL. Instead, we use `FROM logs-*` to define the data source.\n2. **Stats Aggregation**: The `stats max("_time") as "lastTime", values("tag") as "tag", count by "dest","user","app"` was translated as follows:\n   - `max(_time) as lastTime` to find the latest time.\n   - `values(tag) as tag` to collect all values in the `tag` field.\n   - `count by dest, user, app` to count the occurrences grouped by `dest`, `user`, and `app`.\n\nBy analyzing these key components and their ES|QL equivalents, the translated query achieves the same results as the SPL query while adhering to the ES|QL syntax and structure.',
+    generateAssistantComment(
+      '## Prebuilt Rule Matching Summary\nThe Splunk rule "Access - Default Account Usage - Rule" is intended to discover the use of default accounts, which are commonly targeted by attackers using brute force attack tools. However, none of the provided Elastic Prebuilt Rules specifically address the detection of default account usage. The closest matches involve brute force attacks in general, but they do not specifically focus on default accounts. Therefore, no suitable match was found.'
+    ),
+    generateAssistantComment('## Integration Matching Summary\nNo related integration found.'),
+    generateAssistantComment(
+      '## Translation Summary\n\nThe provided Splunk SPL query was analyzed and translated into the equivalent ES|QL query. Here is a breakdown of the process:\n\n### Original SPL Query\n```splunk-spl\n| from datamodel:"Authentication"."Successful_Default_Authentication" \n| stats max("_time") as "lastTime",\nvalues("tag") as "tag",\ncount by "dest","user","app"\n```\n\n### Key SPL Components and Their ES|QL Equivalents:\n1. **Data Model**: `from datamodel:"Authentication"."Successful_Default_Authentication"` is not directly translatable to ES|QL. Instead, we use `FROM logs-*` to define the data source.\n2. **Stats Aggregation**: The `stats max("_time") as "lastTime", values("tag") as "tag", count by "dest","user","app"` was translated as follows:\n   - `max(_time) as lastTime` to find the latest time.\n   - `values(tag) as tag` to collect all values in the `tag` field.\n   - `count by dest, user, app` to count the occurrences grouped by `dest`, `user`, and `app`.\n\nBy analyzing these key components and their ES|QL equivalents, the translated query achieves the same results as the SPL query while adhering to the ES|QL syntax and structure.'
+    ),
   ],
   translation_result: 'partial',
   elastic_rule: {