Automating detection tuning requests with Kibana cases

Elastic Security describes an automated workflow that enables SOC analysts to open detection tuning requests from Kibana Cases with a single click by using custom fields, runtime fields, and integrations with ticketing and messaging platforms. The article details mapping custom fields in the .kibana_alerting_cases index, creating runtime fields to surface those values, querying and retrieving alerts attached to cases, and automating ticket creation and notifications (e.g., GitHub and Slack) to streamline tuning requests. #Elastic #Kibana

Keypoints

  • Elastic built an automated workflow allowing analysts to initiate detection tuning requests directly from Kibana Cases using custom fields and runtime fields.
  • All case documents are stored in the .kibana_alerting_cases Elasticsearch index, enabling queries, aggregations, and automation against case data.
  • Two custom fields are used for the workflow: a toggle (“Open tuning request”) to trigger automation and a text field for analyst comments.
  • Runtime fields parse the cases.customFields array (via painless scripts) to expose boolean and text fields like TuningRequired and TuningDetail for querying and dashboards.
  • The automation locates recently updated cases with TuningRequired=true, retrieves alerts attached to each case from .siem-signals-*, deduplicates by signal.rule.name, and opens or updates tuning tickets.
  • Integrations with ticketing systems (example: GitHub Issues) and messaging (example: Slack) are used to track requests, notify detection engineers, and add comments back to the original case.
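A compact model of the automation described in the keypoints above, as an added Python example (not code from the Elastic article): it flattens cases.customFields the way the painless runtime fields do, selects recently updated cases with TuningRequired=true, and deduplicates each case's alerts by signal.rule.name before a ticket would be opened. The document shapes, helper names and sample cases/alerts are constructed assumptions; the two UUID keys are the ones listed on the page.

```python
from datetime import datetime

# Custom-field keys as listed on the page (each custom field is identified by its UUID key).
TOGGLE_KEY = "496e71f2-2bce-47a2-93a8-00db0de2d1b4"  # "Open tuning request" toggle
DETAIL_KEY = "6cadc70a-7d68-4531-9861-7d5bc24c4c1c"  # analyst comment text field

def case(cid, updated, toggle, detail=None):
    """Build a constructed .kibana_alerting_cases hit (document shape is an assumption)."""
    fields = [{"key": TOGGLE_KEY, "type": "toggle", "value": toggle}]
    if detail is not None:
        fields.append({"key": DETAIL_KEY, "type": "text", "value": detail})
    return {"_id": f"cases:{cid}", "_source": {"cases": {"updated_at": updated, "customFields": fields}}}

CASES = [  # constructed sample cases
    case("case-1", "2024-05-02T10:00:00Z", True, "Admin script, exclude host"),
    case("case-2", "2024-05-02T11:00:00Z", False),
    case("case-3", "2024-04-01T00:00:00Z", True),   # flagged, but not recently updated
]

def alert(aid, rule):
    """Constructed .siem-signals-* hit carrying signal.rule.name."""
    return {"_id": aid, "_source": {"signal": {"rule": {"name": rule}}}}

ALERTS_BY_CASE = {"cases:case-1": [alert("a1", "PowerShell Encoded Command"),
                                   alert("a2", "PowerShell Encoded Command"),
                                   alert("a3", "Suspicious Child Process")]}

def runtime_fields(source):
    """Mirror the painless runtime fields: flatten cases.customFields into TuningRequired / TuningDetail."""
    by_key = {f["key"]: f.get("value") for f in source["cases"].get("customFields", [])}
    return {"TuningRequired": bool(by_key.get(TOGGLE_KEY)), "TuningDetail": by_key.get(DETAIL_KEY) or ""}

def cases_needing_tuning(cases, since_iso):
    """Case ids updated at/after since_iso (the 'recently updated' window) with the toggle set."""
    since = datetime.fromisoformat(since_iso.replace("Z", "+00:00"))
    return [h["_id"] for h in cases
            if datetime.fromisoformat(h["_source"]["cases"]["updated_at"].replace("Z", "+00:00")) >= since
            and runtime_fields(h["_source"])["TuningRequired"]]

def build_tuning_requests(cases, alerts_by_case, since_iso):
    """One request per (case, rule): alerts are deduplicated by signal.rule.name before ticketing."""
    wanted = set(cases_needing_tuning(cases, since_iso))
    requests = []
    for hit in (h for h in cases if h["_id"] in wanted):
        rules = {a["_source"]["signal"]["rule"]["name"] for a in alerts_by_case.get(hit["_id"], [])}
        detail = runtime_fields(hit["_source"])["TuningDetail"]
        requests += [{"case_id": hit["_id"], "rule": r, "detail": detail} for r in sorted(rules)]
    return requests
```

In the real workflow the case hits come from a search on .kibana_alerting_cases and the alerts from /api/cases/{caseId}/alerts followed by a lookup in .siem-signals-*; each returned request would then become a GitHub issue and a Slack notification.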

MITRE Techniques

  • No MITRE ATT&CK techniques are mentioned in the article.

Indicators of Compromise

  • [Elasticsearch Index] case and alert storage/context – .kibana_alerting_cases, .siem-signals-*
  • [Custom Field Keys / UUIDs] keys used to identify custom fields in case documents – 496e71f2-2bce-47a2-93a8-00db0de2d1b4, 6cadc70a-7d68-4531-9861-7d5bc24c4c1c, and 2 more keys
  • [API Endpoints] endpoints referenced for retrieving case alerts and searching indices – /api/cases/{caseId}/alerts, POST /.kibana_alerting_cases/_search
  • [Case and Alert IDs] identifiers used in automation and API calls – cases:{{case_ID}} (case document _id format), {{alert_id}} (alert _id used to query .siem-signals-*)
  • [Field Names / Document Keys] fields used for queries, metrics, and runtime mapping – cases.updated_at, cases.customFields, TuningRequired, TuningDetail


Read more: https://www.elastic.co/security-labs/automating-detection-tuning-requests-with-kibana-cases