Elastic Workflows GA: automation where your security data already lives

Elastic 9.4 delivers Elastic Workflows as a production-ready, built-in automation layer for Security, Observability, and Search, with expanded case management, human-in-the-loop primitives, AI integration, and composable workflow features. The release also introduces event-driven triggers, execution-based pricing for the Enterprise/Complete tiers, and integrations such as Agent Builder and VirusTotal to streamline triage and investigations.

Keypoints

  • Elastic Workflows 9.4 moves native automation from Tech Preview to general availability with production stability and expanded features.
  • Case management gains 25 typed, validated automation steps covering the full lifecycle (create, find, update, close, assign, add observables/alerts/comments/tags, set severity/status, etc.).
  • Human-in-the-loop is a first-class primitive via waitForInput, allowing AI-assisted classification followed by analyst review before escalation or action.
  • Natural-language authoring is available as a Tech Preview: describe intent in plain English and the AI generates YAML workflows, which remain fully inspectable and editable.
  • Composable workflows (workflow.execute) and new flow-control primitives (while, switch, loop.break/continue) enable reusable, testable sub-workflows and clearer complex logic.
  • Reliability controls include on-failure behaviors, concurrency limits, execution history for audit/debugging, RBAC and audit logging, and event-driven triggers (starting with workflows.failed).

MITRE Techniques

  • [T0000] No ATT&CK techniques mentioned – The article does not reference any specific MITRE ATT&CK technique explicitly. ("This post focuses on a security deep dive, the same workflow capabilities apply across solutions.")

Indicators of Compromise

  • [IPv4 Address] referenced as observables in alerts and case evidence – templated example {{ event.alerts[0].source.ip }}, illustrative example 203.0.113.45
  • [File Hash (SHA256)] used for enrichment and lookups (e.g., VirusTotal) – templated example {{ event.alerts[0].file.hash.sha256 }}, illustrative example e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  • [Alert ID] used to attach alerts to cases and deduplicate evidence – templated example {{ event.alerts[0]._id }}, illustrative example alert-12345
  • [Observable Type Key] observable metadata types referenced for case attachments – examples observable-type-ipv4, observable-type-file-hash


Read more: https://www.elastic.co/security-labs/elastic-workflows-ga-9-4