| Team: | Huntress Managed SIEM |
| Environment: | Huntress Managed SIEM Dashboard |
| Audience: | MSP Partners |
Overview
AI Search lets you find events in your SIEM logs by describing what you are looking for in plain English, with no query language required. The AI translates your description into an ES|QL (Elasticsearch Query Language) query and runs it against your logs automatically.
You can access AI Search from the Search SIEM panel on the SIEM Dashboard. Click the AI Search tab to get started.
How It Works
1. Type a plain-language description of what you want to find into the search field. The placeholder text gives you an idea of the format:
| Describe what you're looking for, e.g. "show me failed login attempts" |
2. Set your time range using the date picker on the right.
3. Click Search. The AI generates an ES|QL query and runs it against your logs.
A blue summary banner appears below the search bar explaining what the query does in plain language. For example:
Example
You type: I want to find PowerShell 53504 events with a hostname of BRANDONCHAN4809
| Banner: Returns PowerShell event code 53504 from host BRANDONCHAN4809, showing hostname, event code, host application, command name, script block text, and message. |
Results appear in the table below the banner.
Viewing the Generated Query
After AI Search runs, click the ES|QL tab to see the exact query that was generated. This is useful if you want to understand what was searched, refine the query further, or save it for later use. Because the query is generated from free text, confirm that its filters (hostnames, event codes, time window) match what you meant before you rely on the results in an investigation.
The field will show an ES|QL Detected badge confirming the query is active.
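As an added illustration (not a query copied from the Huntress dashboard), this is the kind of ES|QL the tab might show for the example above. The index pattern `logs-*` and the ECS-style field names (`host.name`, `event.code`, `powershell.command.name`, `powershell.file.script_block_text`, `winlog.event_data.HostApplication`) are assumptions; the query Huntress actually generates, and the field names in your tenant's schema, may differ.

```esql
// Added example of a generated query for:
//   "I want to find PowerShell 53504 events with a hostname of BRANDONCHAN4809"
// Assumptions: index pattern logs-* and ECS-style field names.
FROM logs-*
  | WHERE event.provider == "Microsoft-Windows-PowerShell"
      AND event.code == "53504"          // exact match on the event code
      AND host.name == "BRANDONCHAN4809" // exact match on the hostname
  | KEEP host.name, event.code, winlog.event_data.HostApplication,
         powershell.command.name, powershell.file.script_block_text, message
  | SORT @timestamp DESC
  | LIMIT 100
```

Reading the generated query this way tells you two things the banner does not: that the hostname filter is an exact match (a host named BRANDONCHAN4809-2 would not be returned), and how many rows the LIMIT caps the result at. Either can be changed in the ES|QL tab before re-running.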
Providing Feedback
After each search, AI Search asks: "Did this match what you were looking for?"
Use the thumbs up or thumbs down to indicate whether the results were helpful. Your feedback directly improves the quality of AI Search over time.
Rate Limiting
AI Search generates each query with AI and is therefore subject to a usage limit. If you exceed the limit, you will be prompted to try again later.
For high-volume searching or complex queries, use the ES|QL tab to enter queries directly — ES|QL queries run without this restriction.
Tips for Better Results
- Be specific. Include specific field values you know — event codes, hostnames, usernames, or IP addresses. The more detail you provide, the more targeted the query.
- Use natural phrasing. Write as if you are describing the event to a colleague: "Show me failed logins for the admin account" or "Find outbound connections to 10.0.0.5."
- Check the ES|QL tab. If results are not quite right, switch to the ES|QL tab to view and adjust the generated query directly.
- Use ES|QL for complex searches. AI Search is designed to make common queries fast and accessible. For advanced filtering, aggregations, or multi-condition queries, ES|QL gives you full control.
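As an added example of the kind of multi-condition, aggregated search the last tip refers to (not a query from the original page), the following ES|QL takes a plain-language request such as "failed logins for the admin account" further: it counts Windows failed logon events (event code 4625) over the last 24 hours per account and source IP, excludes an internal address range, and keeps only sources with five or more failures. The index pattern `logs-*`, the ECS-style field names (`event.code`, `user.name`, `source.ip`, `host.name`) and the `10.0.0.0/8` exclusion are assumptions for illustration.

```esql
// Added example: aggregated failed-logon search, entered directly in the ES|QL tab.
// Assumptions: index pattern logs-*, ECS-style field names, 10.0.0.0/8 as an
// internal range to exclude. Adjust to your tenant's schema.
FROM logs-*
  | WHERE @timestamp > NOW() - 24 hours
      AND event.code == "4625"                    // Windows: an account failed to log on
      AND user.name IS NOT NULL
      AND NOT CIDR_MATCH(source.ip, "10.0.0.0/8") // drop internal sources (assumed range)
  | STATS failures   = COUNT(*),
          hosts      = COUNT_DISTINCT(host.name),
          first_seen = MIN(@timestamp),
          last_seen  = MAX(@timestamp)
      BY user.name, source.ip
  | WHERE failures >= 5                           // threshold for a spray/brute-force candidate
  | SORT failures DESC
  | LIMIT 50
```

The STATS ... BY step is what AI Search's one-line requests typically do not produce: instead of a list of raw events, you get one row per account and source with a count, the number of distinct hosts targeted, and the first and last attempt times, which is usually what an investigation needs first. Because it is entered directly in the ES|QL tab, it also runs without the AI Search usage limit.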
Summary
AI Search makes it easy to search your SIEM logs without knowing ES|QL. Type a plain-language description, and the AI handles the rest. It is a great starting point for quick investigations — and can always be refined using the ES|QL tab for more precise control.