AI for security

Elastic Security provides AI-powered tools that help security analysts automate alert triage, accelerate threat investigation, and streamline SOC operations. These tools use large language models (LLMs) to analyze your security data, identify attacks, generate queries, and assist with incident response—reducing mean time to respond and helping your team manage growing alert volumes.

Elastic Security's AI capabilities build on Elastic's platform-level AI infrastructure, which includes LLM connectors, Elastic Managed LLMs, and Elastic Agent Builder. Elastic Security extends that infrastructure with security-specific tools and workflows.

For a complete view of AI capabilities across the Elastic platform, including features for Observability and Elasticsearch, refer to AI-powered features. To manage which AI features and connectors are available in your environment, refer to Manage access to AI features.

The following tools provide interactive, LLM-driven capabilities for security analysts. Each requires at least one working LLM connector.

Attack Discovery uses LLMs to automatically analyze alerts in your environment and surface potential attacks. Rather than requiring you to review alerts individually, Attack Discovery identifies relationships among multiple alerts, maps activity to the MITRE ATT&CK matrix, and suggests which threat actors might be responsible. You can schedule Attack Discovery to run automatically and send notifications through connectors such as Slack, Microsoft Teams, PagerDuty, or email.

Elastic Security offers two AI chat experiences: Elastic AI Assistant for Security and Elastic Agent Builder. Their high-level capabilities are similar.

Both provide an LLM-powered chat interface that helps you with alert investigation, incident response, and ES|QL query generation throughout Elastic Security, and both provide contextual insights that explain errors and suggest remediation steps.

There are, however, several important differences in their capabilities. To learn more and decide which one to use, refer to Compare Agent Builder and AI Assistant.

Elastic AI SOC Engine (EASE) is an Elastic Security Serverless project type that provides AI-powered tools to augment your existing SIEM and EDR/XDR platforms. EASE combines Attack Discovery, AI Assistant, and agentless data ingestion in a serverless deployment that you can start using in minutes. It's designed for teams that want to get value from AI-driven security operations quickly, without managing infrastructure. EASE also offers a Value report that summarizes key security metrics and helps you measure the impact of your AI-powered SOC.

In addition to the interactive AI tools described in this section, Elastic Security provides several AI-powered tools that automate specific workflows:

  • Automatic Import: Uses AI to ingest data from sources that don't have prebuilt Elastic integrations, by creating custom integrations with ECS mappings.
  • Automatic Migration: Uses AI to translate rules and dashboards from third-party SIEMs into Elastic Security's native format, accelerating SIEM migration.
  • Automatic Troubleshooting: Uses AI to identify issues that could prevent Elastic Defend from working as intended, including policy response failures and third-party antivirus conflicts.

Most security AI features require at least one working LLM connector. You can use Elastic Managed LLMs, which are available by default with a supported license, or connect to third-party providers such as OpenAI, Amazon Bedrock, Azure OpenAI, or Google Vertex AI. To compare how different models perform across security AI use cases, refer to the LLM performance matrix.
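As an added example of what "a working LLM connector" means in practice, the script below creates an OpenAI-type connector through the Kibana actions API. It is not code from the page or from Elastic; it assumes a Kibana instance reachable at `KIBANA_URL`, a Kibana API key in `KIBANA_API_KEY`, and the provider key in `OPENAI_API_KEY`. The security-relevant detail it demonstrates is that the provider key belongs in the connector's `secrets`, which Kibana stores encrypted and does not return on read, never in `config` or in the connector name, and the script refuses to send a payload that violates that.

```shell
#!/bin/sh
# Added example (not from the Elastic docs): create an OpenAI LLM connector
# via the Kibana actions API. Assumed environment: KIBANA_URL, KIBANA_API_KEY,
# OPENAI_API_KEY. LLM_API_URL and LLM_MODEL are optional overrides.
set -eu

KIBANA_URL="${KIBANA_URL:-https://kibana.example.internal:5601}"
API_URL="${LLM_API_URL:-https://api.openai.com/v1/chat/completions}"
MODEL="${LLM_MODEL:-gpt-4o}"

# Build the connector body. connector_type_id ".gen-ai" is the OpenAI /
# Azure OpenAI connector type. The provider key goes only in "secrets";
# "config" and "name" are returned in clear text by GET /api/actions/connectors.
build_connector_payload() {
  name="$1"; api_url="$2"; model="$3"; api_key="$4"
  printf '{"name":"%s","connector_type_id":".gen-ai","config":{"apiProvider":"OpenAI","apiUrl":"%s","defaultModel":"%s"},"secrets":{"apiKey":"%s"}}\n' \
    "$name" "$api_url" "$model" "$api_key"
}

# Reject two common mistakes before anything leaves the host:
# an empty provider key, and a key pasted into the connector name.
# Returns 0 when the payload is acceptable, 1 otherwise.
validate_payload() {
  payload="$1"
  case "$payload" in
    *'"apiKey":""'*) return 1 ;;
  esac
  key=$(printf '%s' "$payload" | sed -n 's/.*"apiKey":"\([^"]*\)".*/\1/p')
  name=$(printf '%s' "$payload" | sed -n 's/.*"name":"\([^"]*\)".*/\1/p')
  case "$name" in
    *"$key"*) return 1 ;;
  esac
  return 0
}

# POST the connector. kbn-xsrf is required by Kibana for write requests.
create_connector() {
  payload="$1"
  curl -sS -X POST "$KIBANA_URL/api/actions/connector" \
    -H 'kbn-xsrf: true' \
    -H "Authorization: ApiKey $KIBANA_API_KEY" \
    -H 'Content-Type: application/json' \
    --data "$payload"
}

# Only talk to Kibana when explicitly asked; otherwise just define the helpers.
if [ "${1:-}" = "--send" ]; then
  payload=$(build_connector_payload "OpenAI for Security AI" "$API_URL" "$MODEL" "${OPENAI_API_KEY:-}")
  validate_payload "$payload" || { echo "refusing to send malformed connector payload" >&2; exit 1; }
  create_connector "$payload"
fi
```

Run it as `./create_connector.sh --send` once the three environment variables are set. After creation, confirm the connector appears under Stack Management > Connectors and open AI Assistant to check that it is selectable; a connector that exists but cannot reach its API URL counts as "not working" for every feature listed above.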

The following guides walk you through example workflows that demonstrate how AI Assistant and Attack Discovery work individually and together: