IBM QRadar


Announcing AI powered AQL Generation with QRadar Investigation Assistant

By Ankit Bargale posted 13 days ago


Change the way you hunt: AI powered AQL generation that makes detections faster, investigations sharper, and outcomes clearer

Introduction

Today, we’re excited to announce the release of a new feature called ‘AQL Generation’ in the QRadar Investigation Assistant app. This new feature brings AI-powered query creation and human‑readable query explanations directly into the investigation workflow, reducing time to detect and lowering the barrier for writing effective AQL queries. Analysts can now generate precise queries from natural language.

Security operations teams face persistent friction when translating investigative intent into effective AQL queries. Analysts frequently spend large portions of an investigation writing, testing, and tuning queries instead of focusing on analysis and containment. This gap is driven by uneven AQL expertise across SOC teams, opaque or undocumented query intent that complicates peer review and audits, and the operational risk of poorly scoped searches that consume resources and produce noisy results. The cumulative effect is a slower mean time to detection, reduced SOC throughput, and a higher likelihood of missed or misprioritized incidents. In short, the manual effort required to produce high‑quality, performant AQL is a recurring bottleneck that undermines both analyst productivity and organizational security posture.

Key Capabilities

Natural Language to AQL Query Generation

AQL Generation enables analysts to describe investigative intent in plain language and instantly receive accurate, runnable AQL. Rather than forcing analysts to translate a hypothesis into syntax, the feature maps natural language to Ariel fields, event categories, and custom event properties automatically, producing queries that are tailored to the deployed environment. The generated queries are not generic templates; they are environment‑aware constructs that reflect the organization’s data, so results are relevant on first run.

Built-In Guardrails for Quality & Performance

Built‑in guardrails for quality and performance are applied automatically to every generated query to maintain platform stability and result relevance. Best practices such as time‑window constraints, preference for indexed fields, and query limits are enforced by default, and the system supports configurable execution time limits that auto‑terminate heavy queries when they exceed safe thresholds. These safeguards prevent inefficient or overly broad searches from consuming resources, reduce the incidence of long‑running jobs, and ensure consistent, high‑quality results across environments.
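The guardrails described above can be checked mechanically before a generated query is run. The following Python is an added example, not code from the QRadar Investigation Assistant app: it lints one AQL statement for a time window, a LIMIT clause and filters on indexed fields, and appends safe defaults when they are missing. The indexed-field allowlist and the thresholds are assumptions made for this example.

```python
import re

# Constructed allowlist of indexed Ariel fields (an assumption for this example;
# a real deployment's indexed properties come from its Index Management page).
INDEXED_FIELDS = {"sourceip", "destinationip", "username", "qid", "logsourceid",
                  "category", "devicetype", "eventcount"}
MAX_WINDOW_HOURS = 24 * 7   # assumed ceiling for an acceptable time window
MAX_LIMIT = 10_000          # assumed ceiling for a LIMIT clause
_HOURS = {"minutes": 1 / 60, "hours": 1, "days": 24}
_TIME_RE = r"\blast\s+\d+\s+(?:minutes|hours|days)\b|\bstart\s+'[^']+'\s+stop\s+'[^']+'"

def check_guardrails(aql: str) -> list[str]:
    """Return the guardrail violations found in one AQL statement (empty list = clean)."""
    low = aql.strip().rstrip(";").lower()
    problems = []
    m = re.search(r"\blast\s+(\d+)\s+(minutes|hours|days)\b", low)
    if m:
        hours = int(m.group(1)) * _HOURS[m.group(2)]
        if hours > MAX_WINDOW_HOURS:
            problems.append(f"time window {m.group(1)} {m.group(2)} exceeds {MAX_WINDOW_HOURS} hours")
    elif not re.search(r"\bstart\s+'[^']+'\s+stop\s+'[^']+'", low):
        problems.append("no time window (LAST n ... or START/STOP) specified")
    lm = re.search(r"\blimit\s+(\d+)\b", low)
    if lm is None:
        problems.append("no LIMIT clause")
    elif int(lm.group(1)) > MAX_LIMIT:
        problems.append(f"LIMIT {lm.group(1)} exceeds {MAX_LIMIT}")
    wm = re.search(r"\bwhere\b(.*?)(?:\bgroup by\b|\border by\b|\blimit\b|\blast\b|\bstart\b|$)", low, re.S)
    if wm is None:
        problems.append("no WHERE clause: unfiltered scan of the table")
    else:
        # Identifiers that sit directly before a comparison operator are the filter fields.
        fields = set(re.findall(r"\b([a-z_][a-z0-9_]*)\s*(?:<>|!=|=|<|>|ilike|like|in\b)", wm.group(1)))
        slow = sorted(fields - INDEXED_FIELDS)
        if slow:
            problems.append("filter on non-indexed field(s): " + ", ".join(slow))
    return problems

def apply_defaults(aql: str, limit: int = 1000, window: str = "LAST 24 HOURS") -> str:
    """Add a default LIMIT and time window when absent (AQL places LIMIT before the time clause)."""
    q = aql.strip().rstrip(";")
    if not re.search(r"\blimit\s+\d+\b", q, re.I):
        tm = re.search(r"(?:" + _TIME_RE + r")\s*$", q, re.I)
        q = f"{q[:tm.start()].rstrip()} LIMIT {limit} {q[tm.start():]}" if tm else f"{q} LIMIT {limit}"
    if not re.search(_TIME_RE, q, re.I):
        q = f"{q} {window}"
    return q

if __name__ == "__main__":
    # Constructed sample: an over-broad hunt as an analyst might phrase it before guardrails apply.
    raw = "SELECT sourceip, username FROM events WHERE payload ILIKE '%passwd%'"
    for p in check_guardrails(raw):
        print("violation:", p)
    print("guarded:", apply_defaults(raw))
```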

AQL Explanation and Correctness Analysis

AQL Explanation provides a transparent, clause-by-clause breakdown of any AQL query. Analysts can see exactly why a query was constructed a certain way and can validate that the logic matches investigative intent. The explanation translates syntax into plain English, making the use of AI explainable, interpretable, and trustworthy. To learn more, see IBM's material on Explainable AI, Trustworthy AI, and IBM's Principles for Trust and Transparency. The explanations are saved with queries in conversation history to create an audit‑ready rationale that supports peer review, onboarding, and compliance.

Correctness Analysis validates both the intent and query behavior, giving analysts confidence that the generated AQL will behave as expected. Before running a query at scale, the system evaluates whether the query semantics align with the stated intent and checks for common logic errors. This reduces wasted runs, prevents misleading results, and helps analysts trust the generated queries in high‑stakes investigations.

Refinement Suggestions complement generation and explanation by recommending concrete improvements to scope and performance. Based on the dataset's characteristics and the analyst’s stated intent, the system may suggest narrowing time windows, adding or removing filters, or switching to indexed fields.

Dynamic Model Selection

Dynamic Model Selection by Region automatically selects the best AI model for your region based on benchmark accuracy and model availability. This ensures that generation and explanation quality are maximized while respecting regional model availability, delivering consistent performance for global customers without manual configuration.

Benefits for Security Teams

  • Faster investigations — Analysts get runnable AQL quickly, reducing time from hypothesis to results.

  • Lower skill barrier — Natural‑language generation and explanations let junior analysts contribute sooner.

  • Consistent query quality — Guardrails and refinement suggestions enforce best practices across teams.

  • Higher analyst confidence — Clause‑by‑clause explanations make AI outputs transparent and defensible.

  • Fewer wasted runs — Correctness checks and performance suggestions reduce long‑running or misleading queries.

  • Audit and knowledge capture — Stored prompts, queries, and explanations create a searchable record for reviews.

How does it work?

Analysts enter a natural language prompt. The system generates optimized AQL, explains its logic, validates correctness, and suggests refinements.
Queries and explanations are logged for governance and stored in the user's conversation history.

Rollout and Availability

On April 03, 2026, QRadar Investigation Assistant v1.4.0 was released with the AQL Generation feature now generally available.

This is only the beginning: we will continue to evolve the feature by feeding more data contexts into the AI model, making it even more environment-specific so you can gain full value from AI-powered AQL generation in the QRadar Investigation Assistant app.
