Employ AI to accelerate your switch from your current SIEM to Elastic Security

Migrating detection rules, dashboards, and other artifacts is one of the most challenging aspects of switching SIEMs. Generative AI can ease this burden.

Automatic Migration, new in Elastic Security 8.18 and 9.0, maps and translates existing detection rules, thereby lowering the effort and complexity of transitioning to a new SIEM. It complements Automatic Import, which creates custom data integrations, and other AI-based capabilities from Elastic. We’re starting with Automatic Migration for Splunk, with plans for additional SIEMs soon. Support for additional SIEM artifacts, like dashboards and visualizations, is also on the way.

Automatic Migration reliably transfers even complex Splunk detection rules to Elastic Security. The feature maps existing rules to Elastic-built rules using semantic search powered by the ELSER natural language processing (NLP) model, which matches equivalent rules even without exact text matches. It translates any rules that are not mapped — including associated lookups and macros — into new Elastic queries using generative AI grounded in custom knowledge. Automatic Migration then validates translated rules and provides an intuitive interface for quick installation.

Elastic engineers have validated Automatic Migration by evaluating its performance with real-world rulesets and conducting extensive error testing. We've also tested it across a range of AI models — results you can view in Elastic Security’s LLM performance matrix.

Automatic Migration is offered in technical preview to all customers with an Enterprise license or the Security Analytics Complete tier of Elastic Cloud Serverless.

The feature guides users to export their detection rules from Splunk and upload them. It scans for references to macros and lookups and, when found, prompts you to upload them, too. The system incorporates this logic to maintain functional equivalence with the original detection.

Automatic Migration maps many existing rules to the 1,300+ detection rules provided by Elastic Security Labs, covering use cases across the MITRE ATT&CK matrix. Utilizing semantic search powered by ELSER, it deciphers the title, description, and query of each rule to identify equivalents based on intent, rather than relying solely on exact text matches. These rules are actively maintained by Elastic’s engineers, minimizing customer upkeep. While mapping existing rules manually requires significant time and domain expertise, Automatic Migration typically completes the process in just minutes.

Let’s break down the steps highlighted above.

1. The user uploads the Splunk rules, macros, and lookups exported via the provided SPL query, which can be modified — for example, to filter rules by app or age.

2. Automatic Migration attempts to map the Splunk rules to Elastic’s prebuilt rules. In the background, it generates vectorized representations (embeddings) of Elastic’s prebuilt detection rules using ELSER.

3. The feature uses a large language model (LLM) to generate keywords relevant to the content of each Splunk rule.

4. Automatic Migration runs semantic searches using the keywords from each Splunk rule against the embeddings of Elastic’s prebuilt rules, identifying potential matches.

5. Automatic Migration passes the semantic search results to the LLM, and a determination is made to see if it is an identical or very close match.

6. If a match is found, the prebuilt rule is added to the set of translated rules.

7. If no match is found, Automatic Migration proceeds to translate the SPL rule.

8. The LLM substitutes macros in the SPL query with their expanded form. If the query references lookups, the lookup file is indexed as a lookup index in Elasticsearch.

9. Once the LLM returns the SPL query with macros substituted, Automatic Migration performs another semantic query to identify any prebuilt integrations for data sources that may be needed to run the query.

10. Automatic Migration then translates the SPL query into ES|QL using an inference plugin designed to generate ES|QL queries from natural language requests — the same plugin used by Elastic AI Assistant. It contains a catalog of all available ES|QL functions and how they can be used. Instructions relevant to the original query are leveraged by the LLM.

11. Automatic Migration validates the syntax of the translated query. If it is not valid, the query — along with the returned error code — is sent back to the LLM for correction. This loop runs up to three times.

12. If the query is valid, Automatic Migration directs the LLM to map specific fields from the Splunk Common Information Model (CIM) to Elastic Common Schema (ECS). If no direct mapping is found and the LLM cannot determine an appropriate ECS field, the field names are left as is.

You can examine individual rules with one click. The Translation tab presents the source and Elastic versions side-by-side to enable efficient comparison. You can make edits and get contextual help from Elastic AI Assistant on matters like rule syntax and logic. From the Overview tab, you can view details like the rule's severity, risk score, and execution interval.

Understanding and trusting your detections is critical, so Automatic Migration explains in detail how each rule was mapped or translated. The Summary tab outlines the rationale behind key decisions — such as field assignments and the use of specific ES|QL commands — and highlights any missing macros or lookups. This transparency helps you validate the translated rule's behavior and ensure alignment with your detection goals.

When a rule is only partially translated, Automatic Migration identifies blockers, such as misaligned index names or missing columns. You can upload any missing macros or lookups with step-by-step guidance, and if required data isn’t available, the feature suggests relevant integrations.

Once ready, you can install fully translated rules with one click.