DEV Community

Mark0

Beyond Behaviors: AI-Augmented Detection Engineering with ES|QL COMPLETION

Elastic has introduced the COMPLETION command within ES|QL, enabling security analysts to integrate Large Language Model (LLM) reasoning directly into their detection queries. This capability allows for an "LLM-as-a-judge" approach, where behavioral alerts are evaluated based on context rather than static signatures or exhaustive exception lists. By embedding inference into the query pipeline, teams can distinguish between legitimate administrative actions and actual attack chains without needing external orchestration or middleware.

The triage workflow involves aggregating related security events, constructing a structured context string, and using the LLM to provide a verdict and confidence score. This method effectively identifies true positives, such as LSASS credential dumping or Certutil-based downloads, while filtering out benign activity from enterprise tools like SCCM or vulnerability scanners. By using commands like STATS, EVAL, and DISSECT, analysts can process data efficiently and surface only the most critical threats for human investigation.
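The pipeline described above, as an added example query that is not from the article or from Elastic: it aggregates suspicious process starts per host and binary, builds a constrained prompt, asks the model for a pipe-delimited verdict, parses it with DISSECT, and surfaces only high-confidence malicious rows (plus any reply the parser could not read). The index pattern, ECS field names, the `event.action` value and the inference endpoint id are assumptions, and the `COMPLETION ... WITH { "inference_id": ... }` form follows the tech-preview syntax, which may differ between Elastic versions.

```esql
// Added example, not from the article. Assumes Elastic Defend process events
// in ECS fields under logs-endpoint.events.process-*, and an inference
// endpoint id (placeholder below). COMPLETION syntax follows the tech-preview
// form and may differ between Elastic versions.
FROM logs-endpoint.events.process-*
| WHERE event.action == "start"
    AND TO_LOWER(process.name) IN ("certutil.exe", "procdump.exe", "rundll32.exe")
// Aggregate related events per host and binary so the model judges a chain, not one line
| STATS event_count = COUNT(*),
        cmdlines = VALUES(process.command_line),
        parents  = VALUES(process.parent.name),
        users    = VALUES(user.name)
    BY host.name, process.name
// Flatten the multi-valued columns before embedding them in the prompt
| EVAL cmdlines = MV_CONCAT(cmdlines, " ;; "),
       parents  = MV_CONCAT(parents, ","),
       users    = MV_CONCAT(users, ",")
// Structured context string with a strict output format the parser can rely on
| EVAL prompt = CONCAT(
    "You are a SOC triage assistant. Decide whether the process activity below is ",
    "MALICIOUS or BENIGN (benign includes SCCM, vulnerability scanners, admin maintenance). ",
    "Reply with exactly: VERDICT|CONFIDENCE|REASON, where VERDICT is MALICIOUS or BENIGN, ",
    "CONFIDENCE is an integer 0-100 and REASON is one sentence.\n",
    "host=", host.name, " process=", process.name, " parents=", parents,
    " users=", users, " count=", TO_STRING(event_count),
    "\ncommand_lines=", cmdlines)
// LLM-as-a-judge: one inference call per aggregated row
| COMPLETION verdict_raw = prompt WITH { "inference_id": "YOUR_INFERENCE_ENDPOINT_ID" }
// Parse the constrained reply; a malformed reply leaves verdict and confidence null
| DISSECT verdict_raw "%{verdict}|%{confidence}|%{reason}"
| EVAL confidence = TO_INTEGER(confidence)
// Fail open: keep unparsed replies for human review instead of silently dropping them
| WHERE verdict IS NULL OR (verdict == "MALICIOUS" AND confidence >= 70)
| KEEP host.name, process.name, event_count, verdict, confidence, reason, cmdlines, verdict_raw
| SORT confidence DESC NULLS FIRST
```

Because the model's free-text reply is parsed with a fixed pattern, the `verdict IS NULL` branch is what keeps a format deviation from becoming a silent miss; review those rows and tighten the prompt rather than relaxing the filter.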
