THREAT OPS › Threat News › From plain English to production rule: AI-native Elasticsearch ES|QL detection in Elastic Security
From plain English to production rule: AI-native Elasticsearch ES|QL detection in Elastic Security
<p>Elastic Security now includes AI-powered detection rule creation, built into the rule creation workflow. Analysts describe a threat behavior in plain English and receive a complete, validated Elasticsearch Query Language (ES|QL) rule in return, with MITRE ATT&CK mappings, severity recommendations, and a preview against live data, all without leaving the platform or writing a single line of
Attributed threat actors
- EquationG0020
MITRE ATT&CK techniques
- Valid AccountsT1078
- Credential StuffingT1110.004
- CredentialsT1589.001
- Valid AccountsAML.T0012
- Generative AIAML.T0016.002
Indicators of compromise
- https://hoxhunt.com/guide/phishing-trends-reporturl
- https://www.rapid7.com/blog/post/tr-accelerating-attack-cycle-2026-global-threat-landscape-report/url
- https://developer.okta.com/docs/reference/api/event-types/url
- https://join.slack.com/t/elasticstack/shared_invite/zt-2sgssfr0n-NhTOlSwHbaGH85tYfx6kGgurl
Original source: https://www.elastic.co/security-labs/ai-esql-detection-rule-creation