AI Agent feedback

Hello,

I would like to share some feedback and also ask for guidance regarding the AI Agent feature in Elastic 9.x.

First, I want to clarify that this is not intended as criticism. I’m sharing my experience after upgrading from 8.x to 9.x and testing the feature in a real SOC environment.

After the upgrade, one of the features that caught my attention the most was the AI Agent, so I spent some time configuring it, giving it instructions and trying to tune it for investigation and threat hunting scenarios.

However, during my testing I observed something that surprised me: the LLM token consumption was extremely high. In some cases, a very simple query resulted in ~200,000 tokens being consumed.

To try to optimize this, I adjusted the queries to:

  • Use ES|QL

  • Limit results to 10 documents

  • Restrict the time range to the last hour

Even with those adjustments, the token usage still seemed quite high for routine investigations.

The feature looks very powerful and promising, but in a real SOC environment where analysts perform many hunts or investigations per day, this could quickly translate into millions of tokens consumed daily.

Because of this, for now I decided to return to using the AI Assistant, which in my tests seemed more predictable in terms of token usage.

My questions for the community / Elastic team are:

  • Is this level of token consumption expected with AI Agents?

  • Are there recommended best practices to control token usage when using agents for investigations?

  • Are there configuration strategies to make the agents more cost-efficient in SOC workflows?

I really like the direction Elastic is taking with these AI features, so I’m very interested in learning how others are using AI Agents effectively in production environments.

Thanks in advance for any guidance or shared experiences.