Elasticsearch safety for AI agents inspects HTTP method, path, and request body. DELETE and _delete_by_query are blocked, _bulk and _reindex require approval, and FutrixData also detects unbounded queries (match_all, deep from + size, scripted aggregations).
In Elasticsearch, risk often hides in the HTTP method, API path, and request body. A POST may be a search or a bulk write; a _search may turn into an unbounded scan; an aggregation without filters can scan billions of documents. FutrixData treats Elasticsearch as an HTTP API — parsing path, method, and JSON body — rather than running profile queries (which would themselves be expensive).
| Operation | Default action |
|---|---|
GET, HEAD, POST _search, POST _count | allow |
DELETE requests | block |
POST _delete_by_query | block |
_bulk, _reindex, _update_by_query | require_approval |
Configuration — _settings, _mapping, _aliases, templates, pipelines, ILM/SLM | require_approval |
Routine PUT, PATCH, non-search POST | warn |
Beyond method and path, FutrixData inspects the request body for:
match_all, wildcard, regexp, fuzzy.query field.size or deep pagination via from + size.script and script_score.size set.Rules can be scoped by index pattern, method, and path. Examples:
DELETE on audit-*._reindex against production indices.// Agent attempts:
POST /orders-2024/_delete_by_query
{ "query": { "match_all": {} } }
// FutrixData response:
{ "ok": false, "risk": "block", "rule": "es.delete_by_query" }// Agent attempts:
POST /_reindex
{ "source": { "index": "orders-2023" }, "dest": { "index": "orders-archive" } }
// FutrixData response:
{ "ok": false, "risk": "require_approval", "rule": "es.reindex" }Yes. FutrixData speaks the standard Elasticsearch HTTP API; OpenSearch responds to the same routes. Rules apply identically.
Yes — by data source and trust mode. Set the staging cluster to Trusted so _bulk auto-executes; keep production on Cautious so it requires approval.
Body inspection flags requests containing script and script_score. Flagging means warn or higher; you can hard-block scripted queries on production sources.
ILM and SLM endpoints land at require_approval by default — they change retention and snapshot policy and shouldn't be edited from an agent context without explicit confirmation.
FutrixData connects with whatever credentials you configure (basic auth, API key, mTLS for OpenSearch). Those credentials never leave the host where FutrixData is deployed.
Free desktop app on macOS, Windows, and Linux. Self-hosted Enterprise Edition for production deployments.