AI for security

Elastic Security provides AI-powered tools that help security analysts automate alert triage, accelerate threat investigation, and streamline SOC operations. These tools use large language models (LLMs) to analyze your security data, identify attacks, generate queries, and assist with incident response—reducing mean time to respond and helping your team manage growing alert volumes.

These security-specific AI capabilities build on Elastic's platform-level AI infrastructure, including LLM connectors and Elastic Agent Builder. This page introduces each security AI tool and helps you find the right starting point for your goals.

Your goal                                                          Start here
-----------------------------------------------------------------  ----------------------------------------
Automatically discover attacks across alerts                       Attack Discovery
Get AI help with investigation, queries, and incident response     AI Assistant or Elastic Agent Builder
Deploy an AI-powered SOC on Elastic Security Serverless            Elastic AI SOC Engine (EASE)
Compare LLM performance for security tasks                         LLM performance matrix
Walk through AI-driven security workflows end-to-end               AI use case guides
Connect to an LLM provider                                         LLM connectors

The following tools provide interactive, LLM-driven capabilities for security analysts. Each requires at least one working LLM connector.

Attack Discovery uses LLMs to automatically analyze alerts in your environment and surface potential attacks. Rather than requiring you to review alerts individually, Attack Discovery identifies relationships among multiple alerts, maps activity to the MITRE ATT&CK matrix, and suggests which threat actors might be responsible. You can schedule Attack Discovery to run automatically and send notifications through connectors such as Slack, Microsoft Teams, PagerDuty, or email.

Elastic Security offers two AI chat experiences: Elastic AI Assistant for Security and Elastic Agent Builder. Both provide an LLM-powered chat interface that helps you with alert investigation, incident response, and ES|QL query generation throughout Elastic Security, and both provide contextual insights that explain errors and suggest remediation steps.

However, there are several important differences in their capabilities. To learn more and choose which to use, refer to AI Agent or AI Assistant.

Elastic AI SOC Engine (EASE) is an Elastic Security Serverless project type that provides AI-powered tools to augment your existing SIEM and EDR/XDR platforms. EASE combines Attack Discovery, AI Assistant, and agentless data ingestion in a serverless deployment that you can start using in minutes. It's designed for teams that want to get value from AI-driven security operations quickly, without managing infrastructure.

EASE also offers a Value report that summarizes key security metrics and helps you measure the impact of your AI-powered SOC.

In addition to the interactive tools described on this page, Elastic Security provides several AI-powered tools that automate specific workflows:

  • Automatic Import: Uses AI to ingest data from sources that don't have prebuilt Elastic integrations, by creating custom integrations with ECS mappings.
  • Automatic Migration: Uses AI to translate rules and dashboards from third-party SIEMs into Elastic Security's native format, accelerating SIEM migration.
  • Automatic Troubleshooting: Uses AI to identify issues that could prevent Elastic Defend from working as intended, including policy response failures and third-party antivirus conflicts.

Most security AI features require at least one working LLM connector. You can use Elastic Managed LLMs, which are available by default with a supported license, or connect to third-party providers such as OpenAI, Amazon Bedrock, Azure OpenAI, or Google Vertex AI. To compare how different models perform across security AI use cases, refer to the LLM performance matrix.

The following guides walk you through example workflows that demonstrate how AI Assistant and Attack Discovery work individually and together:

Several other Elastic capabilities complement the security AI tools described on this page: