Elastic Track · Google Cloud × Elastic Hackathon 2026 · CRITICAL Severity

Elastic IR Agent

An autonomous incident response agent that turns raw Windows attack telemetry into a structured, evidence-backed IR report — no analyst in the loop. Gemini 2.5 Flash reasons over 73,909 real attack events indexed in Elastic, calls ES|QL detection tools via MCP, and runs an independent Forensic Auditor that challenges every MITRE ATT&CK claim with fresh evidence.


How It Works

Architecture diagram

Stack

Data          Elastic Cloud Serverless — 73,909 Windows attack events (ECS)
Tools         Elastic Agent Builder — 6 ES|QL tools + memory, exposed via MCP
MCP Proxy     Cloud Run — REST → MCP translation, auth injection
Reasoning     Google Cloud Conversational Agents — Gemini 2.5 Flash
Memory        Elasticsearch hybrid search — ELSER sparse vectors + BM25 via RRF
Verification  Forensic Auditor — independent second Gemini pass, read-only tools
Audit         Chain-of-custody JSONL — atomic append per tool call
Dataset       EVTX-ATTACK-SAMPLES — 278 EVTX files, 2017–2023 Windows attacks

Demo Output

Real output from a full investigation across 73,909 events — attack chain, MITRE mapping, and Forensic Auditor verdict.

IR Report demo output

Forensic Auditor Result

A second independent Gemini pass re-queried Elastic with read-only tools and labeled every claim — no access to the Triage Agent's tool history.

Verified: 8 Refuted: 8 Unverifiable: 2

Every refuted claim cites the specific ES|QL query output that contradicted it. Refuted claims are findings too: they narrow the confirmed attack surface and eliminate false positives before the report is saved.
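To make the auditor's verdict logic and the audit trail concrete, here is an added example (not the project's code) of a second pass that re-checks each triage claim with a read-only query, labels it Verified, Refuted or Unverifiable, cites the query output on every refutation, and appends one chain-of-custody JSONL record per tool call. The claims, the query results standing in for ES|QL tool output, and the log location are constructed; the hash-chained record layout is an assumption, not the project's format.

```python
"""Forensic Auditor pass over triage claims with a chain-of-custody log.
Added illustration, not the project's code. The claims and the query
results (standing in for read-only ES|QL tool output) are constructed,
and the hash-chained JSONL record layout is an assumption."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for the read-only ES|QL tools: query text -> rows.
Q_RUNDLL = 'FROM winlogs | WHERE event.code == 4688 AND process.name == "rundll32.exe" | STATS c = COUNT(*)'
Q_RDP = 'FROM winlogs | WHERE event.code == 4624 AND winlog.logon.type == 10 | STATS c = COUNT(*)'
QUERY_RESULTS = {Q_RUNDLL: [{"c": 3}], Q_RDP: [{"c": 0}]}

# Constructed triage output: MITRE technique, assertion, and the query that checks it.
CLAIMS = [
    {"technique": "T1218.011", "assertion": "rundll32 proxy execution observed", "query": Q_RUNDLL},
    {"technique": "T1021.001", "assertion": "RDP lateral movement observed", "query": Q_RDP},
    {"technique": "T1070.001", "assertion": "Security log cleared", "query": None},
]


class ChainOfCustody:
    """Append-only JSONL audit trail. Each record is written with a single
    write() in O_APPEND mode so concurrent writers cannot interleave lines,
    and carries the SHA-256 of the previous line so edits or gaps show up."""

    def __init__(self, path):
        self.path = path
        self.prev_hash = "0" * 64

    def record(self, tool, query, rows):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "tool": tool,
            "query": query,
            "result_sha256": hashlib.sha256(json.dumps(rows, sort_keys=True).encode()).hexdigest(),
            "prev": self.prev_hash,
        }
        line = json.dumps(entry, sort_keys=True)
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        try:
            os.write(fd, (line + "\n").encode())
        finally:
            os.close(fd)
        self.prev_hash = hashlib.sha256(line.encode()).hexdigest()
        return entry


def run_readonly_query(query, custody):
    """Look up the constructed result and log the call before returning it."""
    rows = QUERY_RESULTS.get(query, [])
    custody.record("esql_readonly", query, rows)
    return rows


def audit_claim(claim, custody):
    """A claim with no checkable query is Unverifiable; a zero-count result
    refutes it, and the refutation cites the query and its output verbatim."""
    if claim["query"] is None:
        return {**claim, "verdict": "Unverifiable", "evidence": None}
    rows = run_readonly_query(claim["query"], custody)
    hits = rows[0]["c"] if rows else 0
    verdict = "Verified" if hits > 0 else "Refuted"
    return {**claim, "verdict": verdict, "evidence": {"query": claim["query"], "output": rows}}


def audit(claims, log_path=None):
    """Audit every claim; returns (labelled claims, verdict tally, log path)."""
    if log_path is None:
        log_path = os.path.join(tempfile.mkdtemp(), "chain_of_custody.jsonl")
    custody = ChainOfCustody(log_path)
    results = [audit_claim(c, custody) for c in claims]
    tally = {v: sum(r["verdict"] == v for r in results) for v in ("Verified", "Refuted", "Unverifiable")}
    return results, tally, log_path


def verify_chain(log_path):
    """Confirm each record's prev hash equals the hash of the line before it."""
    prev = "0" * 64
    with open(log_path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
    return True


if __name__ == "__main__":
    results, tally, path = audit(CLAIMS)
    for r in results:
        print(r["technique"], r["verdict"], r["evidence"])
    print(tally, "chain intact:", verify_chain(path))
```

Two design choices carry the security value here: the auditor only ever calls the read-only query path, so it can contradict the triage agent but never alter the index, and the log is written per tool call rather than per report, so a refuted claim can be traced back to the exact query and result hash that produced the verdict.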

Security Model

Security model table