GenAI Endpoint Observability for Detection Engineers
A practitioner talk by Mika Ayenson, who leads Threat Research and Detection Engineering at Elastic, delivered at the March 2026 Unprompted Conference.
Source: Conference abstracts page · Conference agenda
The Core Problem: Intent Attribution Is Broken
Developers install GenAI tools, agents, MCP servers, and SDKs faster than a security team can audit them, and those tools run directly on the endpoint. They spawn shells, write files, and make network calls. Endpoint detection and response (EDR) records the process, file, and network events but not the decision that drove them.
When a developer and an AI agent each run a shell command, the host telemetry is nearly identical: same PID, same user, same command line. EDR cannot tell which one acted. An alert fires, a suspicious process ran, and the analyst cannot answer whether a human or a model invoked it. That gap is what Ayenson calls broken intent attribution, and it is the recurring theme behind every detection idea in the talk.
The visible signal already trends toward the agents. Telemetry from Elastic endpoints shows a large share of DNS traffic going to model providers — Anthropic, OpenAI, and similar destinations — which all look normal, and that normality is itself the problem.
Detection Ideas, Each Shown to Be Brittle
Ayenson walked through the heuristics a detection engineer would reach for first, and demonstrated why each one breaks on GenAI activity.
| Heuristic | Why it is brittle |
|---|---|
| Flag unsigned code signatures | Most GenAI tool activity is signed and trusted; over a sampled window few unsigned binaries appeared, so the rule catches little. |
| Walk process ancestry (Cursor / Claude → zsh/bash → git, gh, node, curl) | The unsigned or malicious activity is buried in legitimate developer noise, and long multi-piped command chains hide intent. |
| Monitor file writes to AI config paths by unexpected processes | GenAI tools touch config and source files as normal business; the sensitive writes (persistence, defense evasion) hide under that traffic. |
| Detect an MCP server from the command line | Brittle: the command line may reveal that an MCP server is running, but not which MCP tool was invoked or its identity trust level. |
| Credential access — a GenAI process touching a sensitive file | Useful as a starting question (why is a GenAI tool reading a .plist, login.json, a cookies file, or a credentials file?), but still inference after the fact. |
None of these reconstruct intent on their own. They surface questions worth asking, not answers.
Broken intent attribution is a concrete instance of the visibility-and-transparency gap that NIST AI 800-4 documents as a cross-cutting barrier to monitoring deployed AI, and the unstandardized agent-identifier problem the report flags is the same gap viewed through identity.
Walk the full ancestry tree, not just the parent
A parent-process-name match catches one level and misses the grandchildren, the wider ancestry tree, and the intent carried across chained commands. The better technique is to walk the full process-ancestry tree and use entity-ID intersections to stitch child back to parent back to grandparent, correlating down the chain to decide whether a GenAI tool sits anywhere in the lineage. Even then the tree shows that Cursor’s helper ran zsh, which ran curl — it does not show which prompt triggered the chain.
Threat Model
The attribution gap matters because the adversary scenarios all route through legitimate-looking processes:
- Indirect prompt injection and a poisoned repo file that tricks an agent into exfiltrating data through processes that look ordinary to EDR.
- Malicious MCP servers and Trojan AI tools that a developer downloads and installs.
- Tool poisoning, where a tool’s behavior diverges from what its name and description imply.
- “YOLO mode” — the developer who clicks approve blindly, or triggers an agent remotely from a phone, so a single “go” downloads a file, executes it, establishes persistence, and runs further shell commands with no recorded intent.
- Cross-session context loss, where an adversary spreads activity across separate chats, workspaces, or sandboxes so no single session reveals the goal; stitching context across sessions is unsolved today.
- Agent self-escalation versus a user saying “go” — distinguishing an agent that escalated its own privileges from one a user explicitly authorized.
From the EDR vantage point, the entire chain looks like a developer running something on the command line. There is no native link back to the poisoned file, the prompt, or the model’s reasoning.
The Solution: Agent Hooks into OpenTelemetry
The durable fix moves the signal source upstream of the host. Agent hooks — pre-tool-call, session-start, and prompt-submit — emit contextual signals at the moment the agent acts. Those signals are ingested into OpenTelemetry and pushed to the SIEM or EDR.
OpenTelemetry matters here as a common lexicon. Without it, a detection engineer rewrites the same rule per vendor because each tool named its tool-call field differently; consistent semantics let one rule travel across tools. Elastic has worked with the OpenTelemetry community to establish GenAI semantic conventions and base fields, merging PRs into that workstream and continuing to add to it. Broader adoption by tool vendors is what makes the approach pay off.
Glass-box security is the same instinct applied one layer up, at the application and orchestration tier; this talk extends it to the endpoint.
What native fields make possible
Claude Code already ships OpenTelemetry natively and is the named exception; other tools are catching up. With native fields, an analyst can attribute an action to its parent process, the tool name (for example Cursor), whether the user approved it, the provider, the prompt, the model’s reasoning, and any guardrail or refusal event — and pull all of it into one coherent story rather than inferring it from a process tree.
Industry Gaps to Close Natively
Today’s best option is the parent-process-name heuristic, which gives a fighting chance but is not good enough. Ayenson named the data that tools should emit natively and consistently:
- Tool-use and decision-reasoning data, emitted natively and consistently across tools.
- Model-refusal events — when a model declined an action and why.
- Token-level tool-call attribution, tying an action back to the specific tool call.
“Every production rule is a workaround for telemetry that should be built in natively.” Pulling in more data also raises compliance and forensics obligations that a detection team must weigh.
Maturity Framing: Reduce Attack Surface First
The talk frames adoption as a maturity progression rather than a single deployment.
- Reduce the attack surface before writing rules. Inventory which GenAI tools the organization should run. Scrutinize runtimes — for example, whether GenAI tools run as root. Apply network controls. Consider a deliberate separation of powers between browser-focused and native-focused tooling, a control lever Ayenson argues is under-discussed.
- Start with hunting queries plus available telemetry. Use process, file, network, and user-context data already present to build detection building blocks.
- Promote to high-fidelity detection rules. Elastic ships open detection rules — credential access, persistence, C2 and execution, unusual DNS, suspicious URLs — across its endpoint and SIEM repositories on GitHub.
- Layer guardrails and network controls, including LLM rules and root-runtime scrutiny.
- Reach full observability as the long-term goal.
Next-generation firewalls and gateways are already starting to tag traffic with GenAI fields, which reinforces the case for a shared schema on ingestion.
Where It Fits
The talk targets the observability plane of the Agentic SOC thesis and the Agent Observability practice page. Its hooks-to-EDR and OpenTelemetry arguments map directly onto that page’s instrumentation sections, extended down to the endpoint: an agent is not fully observable if its on-host effects cannot be tied to the tool call that produced them.
It is upstream of two adjacent detection-engineering talks at the same conference. GreyNoise Orbie and PAN SYARA operate over endpoint telemetry to drive detection logic; Ayenson’s contribution is to generate that telemetry with a stable schema for the downstream content to write against. The attribution theme also connects to non-human identity — telling an agent’s action apart from its operating user’s is the same problem viewed through identity.
A Q&A exchange sharpened the stakes. Asked whether full network, process, and endpoint observability makes human-versus-agent attribution moot, Ayenson held that it still matters: an action a user took deliberately and an action an agent took after a blind “go” carry different risk, much as attribution to a specific threat actor matters even when the activity is already visible.