Elastic launches AI‑augmented detection engineering with ES|QL Completion, expanding

Elastic’s new ES|QL COMPLETION command embeds large‑language‑model (LLM) inference directly into detection pipelines, letting analysts move beyond static signatures toward context‑aware reasoning, the Mark0 post on Feb. 24 explains. The feature works by aggregating raw events—such as process launches or network scans—into a concise narrative that is then fed to an LLM via providers like OpenAI or Amazon Bedrock. The model returns a judgment on whether the behavior reflects legitimate administrative activity or malicious intent, effectively acting as an “LLM‑as‑judge” that can triage alerts in real time.

According to the same report, the workflow is deliberately structured. First, events are grouped by host or user to build a contextual snapshot. Next, a templated prompt—stored as a reusable “template” in Elastic’s UI—summarizes the snapshot and asks the LLM to classify the activity. Finally, the classification result is fed back into the ES|QL query, allowing the detection rule to suppress low‑confidence alerts and surface only high‑confidence true positives. This three‑step pattern reduces the noise that traditionally plagues behavioral detection, especially in environments saturated with tools like SCCM or Nessus that generate frequent false positives.

The post highlights that the approach is not a replacement for traditional signatures but a complement that automates the manual “exception list” process. By letting the LLM evaluate nuanced context—such as a legitimate software update that triggers a series of file writes—the system can automatically whitelist benign activity while still flagging anomalous patterns that deviate from expected behavior. Elastic’s engineers claim that this reduces the time security teams spend sifting through alerts, freeing analysts to focus on genuine threats.

Elastic positions ES|QL COMPLETION as a step toward “AI‑augmented detection engineering,” a term the Mark0 article uses to describe the blending of query‑language precision with generative‑AI flexibility. The feature is already available in Elastic’s security stack, and the post invites users to create and share their own prompt templates, effectively crowd‑sourcing best‑practice reasoning patterns. While the announcement is still early‑stage, the integration of LLMs into the query layer marks a notable shift in how security operations can leverage generative AI for real‑time decision making.