incident_management · saas · workflow

How Elastic built Automatic Import, Attack Discovery, and Elastic AI Assistant using LangChain

Security teams faced labor-intensive SecOps tasks, and adopting Elastic's new ES|QL query language required learning complex query syntax and functions — creating a barrier to effective threat hunting and detection.

How it works
Common implementation structure
How this type of workflow is generally built, generalized across documented cases — not tied to any one vendor's stack. Specific products that implement these stages appear in “Tools commonly seen” below.
Stage 1 · User asks natural language question
Users ask natural language questions to generate ES|QL queries without learning query syntax.
Tools used
LangChain, LangGraph, LangSmith, Elasticsearch Platform, ES|QL
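Stage 1 hands a model-generated ES|QL string to the cluster, so the step a practitioner wants between the model's output and execution is a validator. The block below is an added example, not Elastic's code and not the LangChain pipeline the source describes: it parses the generated query into its source command and pipe-separated processing commands, rejects anything other than a read from an allow-listed index, restricts the processing commands to a permitted set, and enforces a row cap by appending or checking LIMIT. The index patterns, the row cap, the permitted-command set and the sample queries are all assumptions constructed for illustration.

```python
"""Guard for LLM-generated ES|QL before it reaches the cluster.

Added example, not Elastic's implementation. The allow-list, the row cap
and the permitted command set are assumed policy values for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# ES|QL: one source command, then zero or more '|'-separated processing commands.
PROCESSING_COMMANDS = {
    "WHERE", "STATS", "SORT", "LIMIT", "KEEP", "DROP", "EVAL", "RENAME",
    "DISSECT", "GROK", "MV_EXPAND",
}
# Assumed policy: the assistant may only read from these index patterns.
ALLOWED_INDEX_PATTERNS = ("logs-endpoint.events.*", "logs-network.*", "logs-*")
MAX_ROWS = 500  # assumed cap on rows handed back into the model context


@dataclass
class GuardResult:
    ok: bool
    query: str                     # query to execute (LIMIT appended if absent)
    reasons: list[str] = field(default_factory=list)


def _split_pipes(query: str) -> list[str]:
    """Split on '|' outside double-quoted string literals."""
    parts, buf, in_str = [], [], False
    for ch in query:
        if ch == '"':
            in_str = not in_str
        if ch == "|" and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def _index_allowed(name: str) -> bool:
    """Exact match, or the name falls under an allowed trailing-wildcard pattern."""
    for pat in ALLOWED_INDEX_PATTERNS:
        if name == pat:
            return True
        if pat.endswith("*") and name.startswith(pat[:-1]):
            return True
    return False


def guard_esql(generated: str) -> GuardResult:
    query = generated.strip().rstrip(";")
    reasons: list[str] = []
    stages = _split_pipes(query)

    # Source command: only FROM, and only against allow-listed indices.
    m = re.match(r"FROM\s+(.+?)(?:\s+METADATA\s.*)?$", stages[0], re.IGNORECASE | re.DOTALL)
    if m is None:
        head = stages[0].split(None, 1)
        reasons.append(f"source command must be FROM, got {head[0].upper() if head else '<empty>'}")
    else:
        for idx in (t.strip() for t in m.group(1).split(",") if t.strip()):
            if not _index_allowed(idx):
                reasons.append(f"index not allowed: {idx}")

    # Processing commands: permitted set only; track an explicit LIMIT.
    limit = None
    for stage in stages[1:]:
        name = stage.split(None, 1)[0].upper() if stage else ""
        if name not in PROCESSING_COMMANDS:
            reasons.append(f"command not permitted: {name or '<empty>'}")
        elif name == "LIMIT":
            lm = re.fullmatch(r"LIMIT\s+(\d+)", stage, re.IGNORECASE)
            if lm is None:
                reasons.append("unparseable LIMIT")
            else:
                limit = int(lm.group(1))

    # Row cap: append a LIMIT when the model omitted one, reject oversized ones.
    if limit is None:
        query += f" | LIMIT {MAX_ROWS}"
    elif limit > MAX_ROWS:
        reasons.append(f"LIMIT {limit} exceeds cap {MAX_ROWS}")

    return GuardResult(ok=not reasons, query=query, reasons=reasons)
```

The guard is deliberately structural rather than a full ES|QL parser: it only needs to decide whether the query stays inside the read scope the assistant was granted, which is the decision an execution layer must make before trusting model output. Anything it cannot classify is refused rather than passed through.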
Outcome

Three AI-powered security capabilities were deployed to production, reaching over 350 users, with LangSmith enabling the Elastic Security team to debug issues, track performance, and estimate costs across LLM requests.

Results
Volume: over 350 users
Source

https://www.elastic.co/blog/building-automatic-import-attack-discovery-langchain?ref=blog.langchain.dev


Grounding & classification
Source type: technical build writeup
23 fields verified against source quotes.
Tags: agentic workflow, content generation, data extraction, rag, knowledge base, metric backed, named customer, peer confirmed, production runtime claimed, source backed, tools described, workflow described, software, employee productivity, technical build writeup, data entry ops, incident management, agentic task execution, rag answering