Elastic has introduced the COMPLETION command within ES|QL, allowing security teams to embed LLM reasoning directly into their query pipelines. This shift enables detection logic to evaluate the context of behaviors—such as process execution or network enumeration—rather than relying solely on static signatures or extensive manual exception lists. By automating the "LLM-as-a-judge" pattern, analysts can triage alerts more efficiently by distinguishing between legitimate administrative actions and actual malicious intent.
The article outlines a structured detection pattern involving event aggregation, context building, and LLM inference. By correlating alerts by host or user and passing a summarized context to a model like OpenAI or Bedrock, engineers can filter for high-confidence true positives. This approach significantly reduces the noise generated by behavioral rules in complex environments, where tools like SCCM or Nessus often trigger false positives.
Top comments (0)