This is a cache of https://www.elastic.co/blog/automatic-import-ai-data-integration-builder. It is a snapshot of the page at 2024-12-24T00:07:10.283+0000.
Elastic accelerates SIEM data onboarding with Automatic Import powered by Search AI | Elastic Blog

Elastic accelerates SIEM data onboarding with Automatic Import powered by Search AI

Migrate your SIEM to AI-driven security analytics in record time by automating custom data integrations

Opt1_V1.jpg

Elastic is accelerating the adoption of AI-driven security analytics by automating SIEM data onboarding with Automatic Import. This new feature — the only one of its kind for a security analytics or SIEM solution — automates the development of custom data integrations. Elastic Security now adds custom data sources faster than any competing security analytics solution, facilitating broader visibility and easier SIEM implementation. 

Establishing visibility across an enterprise IT environment is inherently difficult, but no matter how the attack surface changes — applications created, systems added, infrastructure moved to the cloud — security teams can’t afford to fly blind. Unfortunately, onboarding custom data has remained costly and complex — until now.

Automatic Import automates the development of custom data integrations with generative AI, cutting the effort needed to create and validate custom integrations — from up to several days to less than 10 minutes — and significantly lowering the learning curve for onboarding data. The feature is powered by the Elastic Search AI Platform, which provides model-agnostic access to harness the knowledge from large language models (LLMs) and the ability to ground answers in proprietary data using retrieval augmented generation (RAG). It is also made possible by our rich expertise in enabling security teams to leverage data of any kind and the flexibility of our Search AI Lake.

create new integration

Automatic Import arrives at a critical moment as organizations explore replacement options for their legacy SIEM tools. Collecting and normalizing data is among the first phases of any migration plan, starting with leveraging prebuilt data integrations. Technologies that require custom connectors typically come next, but the manual nature of building each such integration can slow adoption of the new SIEM and retirement of the old solution. Automatic Import addresses these challenges.

The impact of Automatic Import

Automatic Import extends our leadership in applying generative AI to expedite labor-intensive SecOps tasks by automating the creation of custom data integrations. This release builds on our previous AI-driven security analytics innovations, such as Attack Discovery, which automates alert triage, and Elastic AI Assistant, which answers security questions and guides practitioner workflows. Elastic is further enhancing these capabilities by enabling automation via an API for our Elastic AI Assistant and expanding LLM choices with an integration for Google Gemini models.

In May, we released Attack Discovery to reduce the toil of triaging hundreds of security alerts every day. Elastic is uniquely positioned to mitigate the security challenges intrinsic to fast-changing environments and messy data due to our ability to handle unstructured data at scale and our strategy of drawing relevant insights via LLMs and RAG.

Elastic is complementing these AI-driven product capabilities with Elastic Express Migration, a commercial incentive program to address migration inertia associated with companies’ existing deployments and contracts and to provide an accelerated adoption path for customers.

One of Elastic’s largest security customers recently migrated nearly 200 data sources, including many custom technologies. Future customers of this scale will save hundreds of hours of consulting time and save weeks to months of implementation time.

icon-quote

Automatic Import addresses one of the biggest headaches of switching SIEMs: onboarding custom data sources. The feature automates the development of new data integrations, reducing the cost, complexity, and stress of migration.

Michelle Abraham, Research Director, Security and Trust at IDC

Elastic ships with 400+ prebuilt data integrations and counting, and Automatic Import makes it practical to extend visibility beyond these to an evolving array of security-relevant technologies and applications. These integrations normalize data to Elastic Common Schema (ECS), enabling uniform analysis with dashboards, search, alerting, machine learning, and more. Public LLMs can readily process and analyze data in ECS format because it is a popular open source data specification.

icon-quote

Automatic Import makes building and testing custom data integrations easier, helping us quickly enhance visibility throughout our environment.

Nate Thompson, Senior Manager, Cybersecurity Analytics & Automation, Dana Inc.

How it works

Automatic Import is easy to use and available to everyone with an Enterprise license. The user specifies some settings and uploads sample data from which the feature will extrapolate what to expect from the data source. These log samples are paired with LLM prompts that have been honed by Elastic engineers to reliably produce conformant Elasticsearch ingest pipelines. Automatic Import then iteratively builds, tests, and tweaks a custom ingest pipeline until it meets Elastic integration requirements.

Automatic Import powered by the Elastic Search AI Platform
Automatic Import powered by the Elastic Search AI Platform

In just minutes, the feature generates and validates a custom integration that accurately maps raw data into ECS and custom fields, populates contextual information (such as related.* fields), and categorizes events.

Automatic Import is launching with support for Anthropic models via Elastic’s connector for Amazon Bedrock, and additional LLMs will be introduced soon. It supports JSON and NDJSON-based log formats currently.

Automatic Import in action

Let’s say you want to onboard audit events from Teleport, a tool for securing access to infrastructure and web applications.

Start by navigating to Integrations -> Create new integration.

create new integration

Provide a name and description for the new data source.

integration details

Next, fill in other details and provide some sample data, anonymized as you see fit.

define data stream and upload logs screenshot

Click “Analyze logs” to submit integration details, sample logs, and expert-written instructions from Elastic to the specified LLM, which builds the integration package using generative AI. Automatic Import then fine-tunes the integration in an automated feedback loop until it is validated to meet Elastic requirements.

analyzing

Automatic Import presents recommended mappings to ECS fields and custom fields. You can easily adjust these settings if necessary.

review results

After finalizing the integration, add it to Elastic Agent or view it in Kibana. It is now available alongside your other integrations and follows the same workflows as prebuilt integrations. 

success

Upon deployment, you can begin analyzing newly ingested data immediately.

users

Fast-track your move to AI-driven security analytics

Automatic Import lowers the time required to build and test custom data integrations from days to minutes, accelerating the switch to AI-driven security analytics. The feature arrives during a time of change in the SIEM market with many longtime customers of legacy SIEMs now migrating to modern technologies.

Elastic pairs the unique power of Automatic Import with Elastic’s deep library of prebuilt data integrations, enabling wider visibility and fast data onboarding. In conjunction with Elastic AI Assistant for rule conversion, the feature substantially simplifies SIEM migration.

Interested in our Express Migration program to level up to Elastic? Contact Elastic to learn more.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use. 

Elastic, Elasticsearch, ESRE, Elasticsearch Relevance Engine and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.