FutrixData logo FutrixData
Elasticsearch safety

Elasticsearch Safety for AI Agents — Block Bulk Deletes, Gate _reindex

Elasticsearch safety for AI agents inspects HTTP method, path, and request body. DELETE and _delete_by_query are blocked, _bulk and _reindex require approval, and FutrixData also detects unbounded queries (match_all, deep from + size, scripted aggregations).

Why Elasticsearch needs different controls

In Elasticsearch, risk often hides in the HTTP method, API path, and request body. A POST may be a search or a bulk write; a _search may turn into an unbounded scan; an aggregation without filters can scan billions of documents. FutrixData treats Elasticsearch as an HTTP API — parsing path, method, and JSON body — rather than running profile queries (which would themselves be expensive).

Built-in Elasticsearch rules

OperationDefault action
GET, HEAD, POST _search, POST _countallow
DELETE requestsblock
POST _delete_by_queryblock
_bulk, _reindex, _update_by_queryrequire_approval
Configuration — _settings, _mapping, _aliases, templates, pipelines, ILM/SLMrequire_approval
Routine PUT, PATCH, non-search POSTwarn

Request body analysis

Beyond method and path, FutrixData inspects the request body for:

Index-pattern rules

Rules can be scoped by index pattern, method, and path. Examples:

Examples

Bulk delete intercepted
// Agent attempts:
POST /orders-2024/_delete_by_query
{ "query": { "match_all": {} } }

// FutrixData response:
{ "ok": false, "risk": "block", "rule": "es.delete_by_query" }
Reindex requires approval
// Agent attempts:
POST /_reindex
{ "source": { "index": "orders-2023" }, "dest": { "index": "orders-archive" } }

// FutrixData response:
{ "ok": false, "risk": "require_approval", "rule": "es.reindex" }

Frequently asked questions

Does this work with OpenSearch?

Yes. FutrixData speaks the standard Elasticsearch HTTP API; OpenSearch responds to the same routes. Rules apply identically.

Can I allow _bulk on staging?

Yes — by data source and trust mode. Set the staging cluster to Trusted so _bulk auto-executes; keep production on Cautious so it requires approval.

Does it inspect Painless scripts?

Body inspection flags requests containing script and script_score. Flagging means warn or higher; you can hard-block scripted queries on production sources.

What about ILM/SLM?

ILM and SLM endpoints land at require_approval by default — they change retention and snapshot policy and shouldn't be edited from an agent context without explicit confirmation.

Cluster authentication?

FutrixData connects with whatever credentials you configure (basic auth, API key, mTLS for OpenSearch). Those credentials never leave the host where FutrixData is deployed.

Try FutrixData on your own database

Free desktop app on macOS, Windows, and Linux. Self-hosted Enterprise Edition for production deployments.