AI Writes Bad Detections? Here’s How to Stop KQL Hallucinations Dead in Their Tracks + Video

Listen to this Post

Featured Image

Introduction:

Detection engineering is shifting from manual rule writing to AI‑assisted generation, but large language models frequently hallucinate field names, parsing logic, and Kusto Query Language (KQL) syntax when given no guardrails. Without a structured context file that defines table schemas, detection philosophy, and known failure patterns, even advanced models produce unreliable, production‑unready detections. This article extracts proven techniques from real‑world detection engineering failures and successes, providing a blueprint to transform AI from a liability into a force multiplier.

Learning Objectives:

  • Build a detection context file that eliminates KQL hallucinations by pre‑defining table schemas, field mappings, and parsing order.
  • Implement a validation pipeline using Linux, Windows, and KQL commands to test detections against live and historical data.
  • Automate detection authoring with AI while enforcing accuracy requirements through runbooks and institutional knowledge.

You Should Know:

  1. The Anatomy of an AI Hallucination in Detection Engineering
    When a detection engineer asks an AI to “write a KQL rule for suspicious lsass access,” the model often invents fields like `EventData.TargetImage` (which doesn’t exist in raw Windows Event Logs) or uses incorrect parsing order for XML event data. The root cause is not model stupidity—it’s missing context.

Extended lesson from the post: Charles Garrett corrected the same KQL hallucinations session after session until he realized the AI had no runbook, no schema, and no institutional memory. He built a context file containing:
– Table schemas (e.g., SecurityEvent, DeviceProcessEvents)
– Field names that do NOT exist (anti‑patterns)
– Correct parsing order (e.g., parse_json(EventData) | project TargetImage)
– Accuracy requirements (e.g., false positive rate < 1%)

Step‑by‑step to create your detection context file (Linux/Windows):

 On Linux – create a structured context directory
mkdir -p /opt/detection_context/{schemas,anti_patterns,runbooks}
cd /opt/detection_context

Download Windows Event Log schema reference (example)
wget https://raw.githubusercontent.com/OTRF/OSSEM/master/ossem/detection/data_dictionaries/windows/sysmon.yml -O schemas/sysmon.yml

On Windows (PowerShell) – export local event log field names
wevtutil gp Microsoft-Windows-Sysmon/Operational /ge /gm > C:\detection_context\schemas\sysmon_fields.txt

KQL example that fails without context:

// Hallucinated field – EventData.TargetImage does NOT exist raw
Event
| where EventID == 10 // Sysmon ProcessAccess
| extend TargetImage = tostring(EventData.TargetImage) // WRONG

Correct version (with context file mapping):

Event
| where EventID == 10
| extend TargetImage = tostring(parse_xml(EventData).DataItem.TargetImage) // CORRECT

2. Building a “Hallucination Registry” from Past Failures

Every time the AI invents a field or parsing order, log it in a machine‑readable blacklist. This registry becomes part of your context file. Over 5–10 sessions, you will have captured the model’s systematic errors.

Step‑by‑step registry creation:

 Linux – create a JSON blacklist
cat > /opt/detection_context/anti_patterns/kql_hallucinations.json << 'EOF'
{
"common_fakes": [
{"field": "EventData.TargetImage", "correct": "parse_xml(EventData).DataItem.TargetImage"},
{"field": "Process.CommandLine", "correct": "Process.CommandLine (exists in DeviceProcessEvents)"},
{"parsing_order": "project before extend", "correct": "extend before project"}
]
}
EOF

Windows – add to context file via PowerShell
Add-Content -Path "C:\detection_context\anti_patterns\hallucinations.txt" -Value "EventData.TargetImage -> use parse_xml"

Testing the registry with a validation script (Linux):

!/bin/bash
 validate_detection.sh – checks if detection uses hallucinated fields
grep -f /opt/detection_context/anti_patterns/kql_hallucinations.json "$1" && echo "Hallucination detected!" || echo "Clean"
  1. Enforcing Parsing Order and Table Schemas with Pre‑Flight Checks
    Most KQL failures come from incorrect operation order—e.g., `project` before `extend` removes needed columns. Your context file must define a canonical order and a pre‑flight linter.

Step‑by‑step linter setup (cross‑platform):

 Install kql-linter (hypothetical, but you can build with Python)
pip install kql-validator

Create a validation config
cat > ~/.kql_config.yaml << 'EOF'
required_order:
- where
- extend
- project
- summarize
- order by
forbidden_fields:
- EventData.TargetImage
- SourceProcessId_duplicate
EOF

Run validation on a detection query
kql-validator validate --query "detection.kql" --config ~/.kql_config.yaml

Windows PowerShell equivalent:

 Simple regex check for forbidden fields
Select-String -Path ".\detection.kql" -Pattern "EventData.TargetImage" | ForEach-Object { Write-Warning "Hallucination: $($_.Line)" }
  1. From Context File to Production‑Ready Detection: The Full Workflow
    Combine the context file, hallucination registry, and linter into an AI‑assisted pipeline. Feed the AI a prompt that includes the entire context file as system instructions.

Example prompt template (paste into ChatGPT or local LLM):

You are a detection engineer with access to the following context:
- Table schemas: [attach schemas/sysmon.yml]
- Anti-patterns: [attach kql_hallucinations.json]
- Runbook: Detections must have <1% FP rate, include testing steps.

Write a KQL detection for lsass memory access (EventID 10) with TargetImage contains "lsass.exe". Use correct parsing order.

Verification steps on a live SIEM (Microsoft Sentinel / Azure Data Explorer):

// Test the generated detection against 7 days of data
let detection = (YourGeneratedQueryHere);
detection
| extend TestResult = iff(column_ifexists("EventData_TargetImage", "not_found") == "not_found", "FAIL: hallucinated field", "PASS")
| summarize Pass=countif(TestResult == "PASS"), Fail=countif(TestResult == "FAIL")
  1. Cloud Hardening for AI‑Generated Detections: API Security and Access Control
    When you automate detection deployment via APIs (e.g., Azure Resource Graph, AWS Security Hub), you must harden the pipeline. AI might inadvertently introduce queries that expose internal schema or cause resource exhaustion.

Step‑by‑step API security configuration:

 Linux – restrict API keys to read‑only scope
az rest --method put --url "https://management.azure.com/subscriptions/{subId}/providers/Microsoft.Security/automations/DetectionAuto?api-version=2019-01-01-preview" --body '{"properties":{"actions":[{"actionType":"LogicApp","logicAppResourceId":"..."}],"scopes":[{"description":"Read-only detections"}]}}'

Windows – set PowerShell execution policy for deployment scripts
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
 Encrypt detection payloads
$Secure = ConvertTo-SecureString -String "KQL_QUERY" -AsPlainText -Force
$Encrypted = ConvertFrom-SecureString -SecureString $Secure | Out-File "C:\detections\encrypted.txt"

Rate limiting AI generation calls (Python snippet to prevent abuse):

import time
class RateLimiter:
def <strong>init</strong>(self, calls_per_minute=10):
self.interval = 60.0 / calls_per_minute
self.last_call = 0
def wait(self):
now = time.time()
elapsed = now - self.last_call
if elapsed < self.interval:
time.sleep(self.interval - elapsed)
self.last_call = time.time()

6. Vulnerability Exploitation and Mitigation in Detection Logic

Poorly authored detections are themselves vulnerabilities. An attacker who knows you use a hallucinated field like `EventData.TargetImage` can craft events that bypass detection. Mitigation requires both context engineering and adversarial testing.

Exploit example (simulated using Linux `logger` to send malformed syslog):

 Send a Windows Event Log mimic with hallucinated field name
logger -t "EventData.TargetImage" "ProcessAccess lsass.exe"  This will NOT trigger correct detection

Mitigation – validate every ingested field before detection:

// Robust detection that checks field existence
let InputEvents = Event
| where EventID == 10
| extend HasCorrectField = iff(column_ifexists("TargetImage", "") != "", true, false);
InputEvents
| where HasCorrectField == true
| where TargetImage contains "lsass.exe"

Windows mitigation using PowerShell to validate logs before forwarding:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=10} | ForEach-Object {
if ($<em>.Properties[bash].Value -match "lsass") { 
Write-Output "Valid detection: $($</em>.Properties[bash].Value)" 
} else { Write-Warning "Suspicious event without expected field" }
}
  1. Training Courses and Continuous Learning from the AVDA Paper
    The comment by Mehmet E. points to the arXiv paper AVDA: Autonomous Vibe Detection Authoring for Cybersecurity (https://arxiv.org/abs/2603.25930). This research explores how AI can generate detection logic, but it also highlights the same hallucination pitfalls. To stay ahead, integrate these training resources:
  • Microsoft Learn: KQL for Sentinel – official schemas and parsing order.
  • SANS FOR572: Advanced Network Forensics – detection engineering principles.
  • Open‑source detection context repositories – like Sigma rules converted to KQL.

Step‑by‑step to set up a local training lab with Linux and Windows:

 Linux – deploy a mini ELK stack for testing
docker run -d --name elastic -p 9200:9200 -e "discovery.type=single-node" elasticsearch:8.10
docker run -d --name kibana -p 5601:5601 --link elastic kibana:8.10

Generate fake security events for testing
for i in {1..100}; do curl -X POST "localhost:9200/test_index/_doc" -H 'Content-Type: application/json' -d '{"event_id":10,"target_image":"lsass.exe"}'; done

Windows – use Sysmon + PowerShell to simulate real detections
sysmon64 -accepteula -i sysmon-config.xml
.\Generate-Events.ps1 -AttackType LSASS

What Undercode Say:

  • Context is the new prompt engineering. A three‑page context file with schemas, anti‑patterns, and runbooks eliminates 90% of KQL hallucinations.
  • Automated validation linters are non‑negotiable. Running every AI‑generated detection through a pre‑flight check (regex, schema validation, parsing order test) catches errors before they reach production.
  • Adversaries will exploit detection logic flaws. If your detection relies on a non‑existent field, attackers can bypass it by simply doing nothing—your own misconfiguration is the vulnerability.
  • Continuous registry of failures builds institutional knowledge. Document every hallucination; that registry becomes the most valuable part of your AI pipeline.
  • The AVDA paper confirms the trend. Autonomous detection authoring is coming, but without the techniques outlined here, it will generate noise, not signals.

Prediction:

Within two years, every mature SOC will maintain a “detection context repository” versioned in Git, and AI‑generated detections will be rejected by CI/CD pipelines if they fail a hallucination registry check. The gap between organizations that adopt structured context engineering and those that don’t will become a security chasm—those without will drown in false positives and missed attacks, while the others will scale detection coverage by 10x with the same headcount. Expect open‑source tools like “KQL Linter” and “Context Forge” to emerge, standardizing how we teach AI to think like a detection engineer.

▶️ Related Video (80% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Charlescyberdefense Ai – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky