Incident management · Production

How Elastic built Automatic Import, Attack Discovery, and Elastic AI Assistant using LangChain

The problem

Security teams faced labor-intensive SecOps tasks, and adopting Elastic's new ES|QL query language required learning complex query syntax and functions — creating a barrier to effective threat hunting and detection.

Workflow diagram · grounded in source
1
User asks natural language question
trigger
“enabling Elastic AI Assistant to generate ES|QL queries from natural language questions”
2
RAG retrieves vectorized context
ai_action
“Elastic AI Assistant generates ES|QL leveraging retrieval augmented generation (RAG) to provide rich context to the chosen LLM, enabling generation of a query based on the user's input”
3
LangGraph orchestrates generation
ai_action
“LangGraph, a controllable agent orchestration framework, powers the end-to-end generation workflow”
4
Attack Discovery identifies attacks
ai_action
“Attack Discovery's ability to identify and describe attacks”
5
Automatic Import generates integration package
output
“Automatic Import leverages LangGraph to generate the resulting integration package”
Reported outcome

Three AI-powered security capabilities were deployed to production, reaching over 350 users, with LangSmith enabling the Elastic Security team to debug issues, track performance, and estimate costs across LLM requests.

Reported metrics
Users reached in productionover 350 users
SecOps task efficiencyexpedite labor-intensive SecOps tasks
Reported stack
LangChainLangGraphLangSmithElasticsearch PlatformES|QL
Source
https://www.elastic.co/blog/building-automatic-import-attack-discovery-langchain?ref=blog.langchain.dev
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

Three AI-powered security capabilities were deployed to production, reaching over 350 users, with LangSmith enabling the Elastic Security team to debug issues, track performance, and estimate costs across LLM requests.

What tools did this team use?

LangChain, LangGraph, LangSmith, Elasticsearch Platform, ES|QL.

What results were reported?

Users reached in production: over 350 users; SecOps task efficiency: expedite labor-intensive SecOps tasks (source-reported, not independently verified).

How is this incident management AI workflow structured?

User asks natural language question → RAG retrieves vectorized context → LangGraph orchestrates generation → Attack Discovery identifies attacks → Automatic Import generates integration package.