Harness AI for a Seamless Transition to Elastic Security

By Charles Davison and Mark Settle
29 April 2025
Transitioning from one Security Information and Event Management (SIEM) system to another is often fraught with challenges, particularly when it comes to migrating essential components like detection rules and dashboards. To address these hurdles, Elastic has introduced Automatic Migration, a feature of Elastic Security versions 8.18 and 9.0. It uses generative AI to smooth the transition, significantly reducing the complexity and effort required to switch to Elastic Security.
The Automatic Migration feature is designed to systematically map and translate existing detection rules from other SIEM systems, such as Splunk, into Elastic Security's framework. This approach not only simplifies the migration process but also complements existing functionalities like Automatic Import, which helps create custom data integrations, and various AI-driven capabilities that Elastic offers. Currently, the focus is on supporting migrations from Splunk, with plans to extend support to more SIEM systems in the near future. Additionally, Elastic is working on incorporating support for other SIEM artifacts such as dashboards and visualizations, making the transition process even more robust.
At the core of Automatic Migration is its ability to reliably transfer complex detection rules from Splunk to Elastic Security. This is achieved through semantic search powered by ELSER, Elastic's natural language processing (NLP) model. The model matches existing rules with Elastic-built counterparts based on meaning, even when there is no exact text match. For rules that cannot be mapped to a prebuilt rule, the system generates new Elastic queries using generative AI, grounded with Elastic-specific knowledge such as schema and integration context. Automatic Migration then validates the translated rules and presents them in an interface that lets users review and install them quickly. Elastic engineers tested the feature against real-world rulesets, including extensive error testing, and the results are compiled in Elastic Security's LLM performance matrix, which compares the effectiveness of the AI models evaluated.
Currently, Automatic Migration is available in technical preview for customers who hold an Enterprise license or subscribe to the Security Analytics Complete tier of Elastic Cloud Serverless. This access allows users to explore the capabilities of Automatic Migration and understand how it can enhance their security operations.
How Automatic Migration Works
The Automatic Migration feature can be accessed from Elastic Security's Get Started page, where it can be run on demand. This flexibility allows customers to migrate their rules at their own pace, which is particularly beneficial for organizations with multiple Splunk deployments. To initiate the process, users export their detection rules from Splunk and upload them to the Elastic platform. The system scans the uploaded rules for references to macros and lookups and prompts users to upload those as well, since a rule's logic cannot be reproduced faithfully without the definitions it depends on.
Once the rules are uploaded, Automatic Migration utilizes semantic search powered by ELSER to map existing rules to over 1,300 detection rules provided by Elastic Security Labs, which cover a wide array of use cases across the MITRE ATT&CK matrix. By analyzing the title, description, and query of each rule, the system identifies equivalents based on intent rather than relying solely on exact text matches, thereby enhancing the accuracy of the migration process.
In instances where no corresponding prebuilt rule is available, Automatic Migration leverages generative AI to create a custom rule. The feature first identifies the prebuilt data integrations relevant to the user's query using retrieval augmented generation (RAG). It then translates the original query from Search Processing Language (SPL) into ES|QL, the Elasticsearch Query Language that Elastic Security detection rules can use. The translation is supported by an inference plugin that generates ES|QL from natural language requests, so the resulting queries follow Elastic's schema and field naming (for example, the Elastic Common Schema fields populated by the identified integrations).
Reviewing and Installing Translated Rules
Upon completion of the translation process, Automatic Migration displays all translated rules in an organized manner, categorizing them by their translation status. Users can easily identify fully translated rules that are ready for installation, partially translated rules that require user action, and those that could not be translated due to potential functional discrepancies between the query languages. Each rule can be examined with a single click, providing a side-by-side comparison of the source and Elastic versions, thus facilitating quick edits and contextual assistance from Elastic AI Assistant regarding syntax and logic.
Automatic Migration ensures transparency in how each rule was mapped or translated, thereby fostering trust in the detection capabilities. The Summary tab outlines the rationale behind key decisions, such as field assignments and the specific ES|QL commands employed. This level of detail is crucial for validating the behavior of the translated rules and ensuring they align with the organization's detection objectives.
For rules that are only partially translated, Automatic Migration identifies any blockers that may impede functionality and offers step-by-step guidance on how to resolve these issues. Users can upload any missing macros or lookups, and if necessary data is not available, the feature suggests relevant integrations. Once all components are ready, users can install the fully translated rules with just one click.
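The dependency scan described under "How Automatic Migration Works" and the three-way status triage described in this section can be approximated locally before anything is uploaded. The script below is an added example, not Elastic's code and not the logic Automatic Migration itself runs: it parses a constructed `savedsearches.conf` export, extracts macro and lookup references from each SPL search, and classifies each rule as fully translatable, partial (a referenced macro or lookup has not been supplied), or untranslatable. The list of SPL commands treated as having no ES|QL equivalent (only `transaction` here) and the three status labels are assumptions chosen for illustration.

```python
"""Pre-upload triage of exported Splunk saved searches (added example).

Assumptions (not from the original article):
  - The export is savedsearches.conf text with `search = ...` keys and
    backslash line continuations.
  - A rule is only fully translatable once every macro and lookup it
    references has been supplied alongside it.
  - `transaction` is treated as an SPL command with no ES|QL equivalent.
"""
import re
from dataclasses import dataclass, field

# Constructed sample export: three saved searches exercising a macro with
# no arguments, a macro with one argument, a lookup, and `transaction`.
SAVEDSEARCHES_CONF = """
[Brute Force - Excessive Failed Logons]
search = `windows_security` EventCode=4625 | stats count by user \\
| where count > 5 | lookup privileged_users user OUTPUT is_admin

[Long VPN Sessions]
search = index=vpn | transaction session_id | where duration > 3600

[Suspicious PowerShell]
search = `sysmon(1)` process_name=powershell.exe | stats count by host
"""

# `name` or `name(arg1, arg2)`; macros.conf stanzas are keyed as name(argc).
MACRO_RE = re.compile(r"`([A-Za-z_]\w*)(?:\(([^`)]*)\))?`")
# `| lookup [opt=val ...] <table>` and `| inputlookup <table>`.
LOOKUP_RE = re.compile(r"\|\s*(?:input)?lookup\s+(?:[\w-]+=\S+\s+)*([\w.-]+)", re.I)
# Assumed set of SPL commands the translator cannot express in ES|QL.
UNSUPPORTED_RE = re.compile(r"\|\s*(transaction)\b", re.I)


@dataclass
class RuleReport:
    name: str
    macros: set = field(default_factory=set)
    lookups: set = field(default_factory=set)
    unsupported: set = field(default_factory=set)
    missing: set = field(default_factory=set)
    status: str = "full"  # "full" | "partial" | "untranslatable"


def parse_savedsearches(text: str) -> dict:
    """Return {stanza name: SPL} from savedsearches.conf-style text."""
    text = re.sub(r"\\\n", " ", text)  # join backslash line continuations
    rules, stanza = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza and line.startswith("search"):
            key, _, value = line.partition("=")
            if key.strip() == "search":
                rules[stanza] = value.strip()
    return rules


def scan_rule(name: str, spl: str) -> RuleReport:
    """Collect the macro, lookup and unsupported-command references in one rule."""
    rep = RuleReport(name)
    for macro, args in MACRO_RE.findall(spl):
        argc = len(args.split(",")) if args else 0
        rep.macros.add(f"{macro}({argc})" if argc else macro)
    rep.lookups.update(LOOKUP_RE.findall(spl))
    rep.unsupported.update(c.lower() for c in UNSUPPORTED_RE.findall(spl))
    return rep


def triage(conf_text: str, uploaded_macros=(), uploaded_lookups=()) -> dict:
    """Classify every rule given the macros and lookups already supplied."""
    reports = {}
    for name, spl in parse_savedsearches(conf_text).items():
        rep = scan_rule(name, spl)
        rep.missing = (rep.macros - set(uploaded_macros)) | (
            rep.lookups - set(uploaded_lookups))
        if rep.unsupported:
            rep.status = "untranslatable"
        elif rep.missing:
            rep.status = "partial"
        reports[name] = rep
    return reports


if __name__ == "__main__":
    # First pass: only the windows_security macro has been supplied.
    for rep in triage(SAVEDSEARCHES_CONF, {"windows_security"}).values():
        print(f"{rep.status:14} {rep.name}")
        if rep.missing:
            print(f"{'':14}   upload: {sorted(rep.missing)}")
        if rep.unsupported:
            print(f"{'':14}   no ES|QL equivalent: {sorted(rep.unsupported)}")
```

Run against the sample with only `windows_security` supplied, the first and third rules come back partial (the `privileged_users` lookup and the `sysmon(1)` macro still need uploading) and the VPN rule is untranslatable. For orientation on what the generated ES|QL might look like, a hand translation of the first rule's core logic, assuming a `logs-windows.*` data stream and ECS field names rather than anything the tool emitted, is `FROM logs-windows.* | WHERE event.code == "4625" | STATS failures = COUNT(*) BY user.name | WHERE failures > 5`; the `is_admin` enrichment from the lookup is exactly the piece that stays flagged until the lookup is supplied.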
Empowering Security Operations with AI
The introduction of Automatic Migration is part of Elastic's broader commitment to enhance security operations through AI features. These capabilities are designed to help Security Operations Center (SOC) teams strengthen their defenses across the entire IT landscape. In addition to Automatic Migration, Elastic offers a library of prebuilt rules to expand detection coverage. Automatic Import enables organizations to onboard custom data sources in a matter of minutes, while Attack Discovery helps identify active attacks and recommends actionable next steps. Elastic AI Assistant supports analysts throughout investigation and response by turning natural-language questions into queries and explaining complex queries in plain language, streamlining decision-making.
For organizations interested in exploring the advantages of switching to Elastic Security, the company encourages potential users to try it out for free. Feedback is welcomed through Elastic's community Slack channel and the Elastic Security forum, where users can share their experiences and insights.
It is worth noting that Splunk and other related trademarks are owned by Splunk Inc. in the United States and other jurisdictions. All other brand names, product names, logos, or trademarks mentioned in this article belong to their respective owners. Elastic retains the right to decide the release and timing of any features or functionalities described, and there are no guarantees that all features will be available as planned. Furthermore, while this article references third-party generative AI tools, Elastic accepts no responsibility for their operations or content. Users are advised to be cautious when utilizing AI tools that may involve personal, sensitive, or confidential information.