Security Automation with Elastic Workflows: From Alert to Response

Elastic Workflows brings automation into Kibana to handle repetitive alert triage by running YAML-defined workflows that enrich alerts, query Elasticsearch, consult threat intel (e.g., VirusTotal), create cases, and notify responders. The article demonstrates a step-by-step alert triage playbook that includes ES|QL queries, connector-backed actions, conditional branching, and AI steps (classify, summarize, agent) to scale investigations and persist reasoning trails.

Keypoints

  • Elastic Workflows execute YAML-defined playbooks inside Kibana triggered by alerts, schedules, or manual actions.
  • Workflows can enrich alerts with threat intel via built-in connectors (example: VirusTotal) without manual API handling.
  • Direct data access through ES|QL enables querying security indices for related alerts, hosts, users, and process context.
  • Conditional steps and branching let workflows close false positives or create and populate high-severity cases automatically.
  • AI steps (classify, summarize, agent) enable dynamic decisioning, readable summaries, and agent-driven investigations with persisted reasoning trails.
  • Connectors bridge external SOAR, ticketing, and communication tools; visual authoring, templates, and human-in-the-loop features are planned.
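The keypoints above describe one triage pipeline: enrich the alert's file hash against threat intel, correlate related alerts on the same host, classify the result, then either close a false positive or open a high-severity case with a persisted reasoning trail. The block below is an added, stand-alone Python simulation of that decision flow; it is not Elastic Workflows YAML and not code from the article or from Elastic. The alerts and threat-intel verdicts are constructed sample data shaped after the page's template references (`file.hash.sha256`, `host.name`, `_id`), the `classify` rules are a deterministic stand-in for the page's AI classify step (reusing the page's category names, with `needs_review` as an added fallback), and the embedded ES|QL text assumes the standard Kibana security alerts index and `kibana.alert.rule.name` field.

```python
"""Stand-in simulation of the alert-triage playbook described on this page.

Added example: it mirrors the step order (enrich -> correlate -> classify -> branch)
with local data so the branching logic can be run and tested offline.
"""

# Constructed sample alerts, not real telemetry. Keys follow the page's template
# references: {{ event.alerts[0].file.hash.sha256 }}, {{ ...host.name }}, {{ ..._id }}.
SAMPLE_ALERTS = [
    {"_id": "alert-001", "host.name": "ws-01", "user.name": "alice",
     "file.hash.sha256": "11" * 32, "rule.name": "Suspicious PowerShell Download"},
    {"_id": "alert-002", "host.name": "ws-01", "user.name": "alice",
     "file.hash.sha256": "11" * 32, "rule.name": "Scheduled Task Creation"},
    {"_id": "alert-003", "host.name": "ws-01", "user.name": "alice",
     "file.hash.sha256": None, "rule.name": "Remote Service Start via SMB"},
    {"_id": "alert-004", "host.name": "srv-02", "user.name": "svc-backup",
     "file.hash.sha256": "22" * 32, "rule.name": "Unsigned Binary Execution"},
]

# Constructed verdicts keyed by sha256, standing in for the VirusTotal connector
# response: (engines flagging the file as malicious, engines consulted).
SAMPLE_INTEL = {
    "11" * 32: (47, 72),   # widely detected
    "22" * 32: (0, 72),    # clean
}

# The correlation query the page says a workflow step runs via ES|QL. The index and
# field names are assumed to match Kibana's security alerts index (not taken from the page).
RELATED_ALERTS_ESQL = """
FROM .alerts-security.alerts-default
| WHERE host.name == "{host}"
| STATS alert_count = COUNT(*) BY kibana.alert.rule.name
"""

# Rule names (constructed) that the stand-in classifier treats as evidence of
# lateral movement or persistence, the two investigation goals the page names.
LATERAL_MOVEMENT_RULES = {"Remote Service Start via SMB"}
PERSISTENCE_RULES = {"Scheduled Task Creation"}


def enrich_hash(alert, intel):
    """Threat-intel step: (malicious, total) for the alert's hash, or None if unavailable."""
    sha256 = alert.get("file.hash.sha256")
    if not sha256:
        return None
    return intel.get(sha256)


def related_alerts(alert, all_alerts):
    """Correlation step, evaluated locally instead of via ES|QL: other alerts on the same host."""
    host = alert["host.name"]
    return [a for a in all_alerts if a["host.name"] == host and a["_id"] != alert["_id"]]


def classify(verdict, related):
    """Deterministic stand-in for the AI classify step, using the page's category names."""
    rule_names = {a["rule.name"] for a in related}
    if verdict and verdict[0] > 0 and rule_names & LATERAL_MOVEMENT_RULES:
        return "lateral_movement"
    if verdict and verdict[0] > 0:
        return "malware"
    if verdict is not None and verdict[0] == 0 and not related:
        return "false_positive"
    return "needs_review"   # added fallback: no verdict or conflicting context


def triage(alert, all_alerts=SAMPLE_ALERTS, intel=SAMPLE_INTEL):
    """Conditional branch: close a false positive, otherwise open a case with context attached."""
    verdict = enrich_hash(alert, intel)
    related = related_alerts(alert, all_alerts)
    category = classify(verdict, related)
    # Reasoning trail persisted alongside the outcome, as the page describes for AI steps.
    reasoning = [
        f"threat_intel={verdict}",
        f"related_alerts={len(related)}",
        f"category={category}",
        "esql=" + RELATED_ALERTS_ESQL.format(host=alert["host.name"]).strip(),
    ]
    if category == "false_positive":
        return {"action": "close_alert", "alert_id": alert["_id"], "reasoning": reasoning}
    severity = "high" if category in ("malware", "lateral_movement", "data_exfiltration") else "medium"
    return {
        "action": "create_case",
        "severity": severity,
        "category": category,
        "alert_ids": [alert["_id"]] + [a["_id"] for a in related],
        "reasoning": reasoning,
    }


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["_id"], "->", triage(a)["action"])
```

Running the module triages each constructed alert: the clean, isolated `srv-02` alert is closed, while the `ws-01` alerts are bundled into one high-severity case because the malicious hash coincides with a remote-service rule on the same host. Swapping `SAMPLE_INTEL` and `related_alerts` for a real connector call and an ES|QL step is where a production workflow would differ.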

MITRE Techniques

  • [Txxxx] Lateral Movement – The article references investigating lateral movement as an investigation goal and classification category (‘…check for persistence mechanisms and lateral movement…’).
  • [Txxxx] Persistence – Workflows and agents are instructed to search for persistence mechanisms during investigations (‘…check for persistence mechanisms and lateral movement…’).
  • [Txxxx] Data Exfiltration – Data exfiltration appears as a classification category for AI-driven triage (‘…categories: – malware – phishing – lateral_movement – data_exfiltration – false_positive’).

Indicators of Compromise

  • [File hash] alert enrichment and threat-intel lookup – file.hash.sha256 (used for VirusTotal scans; example reference: “{{ event.alerts[0].file.hash.sha256 }}”).
  • [Host name] correlation and context – host.name used to query related alerts in ES|QL (example reference: “{{ event.alerts[0].host.name }}”).
  • [Alert ID] case and alert management – alert document ID used to close or reference alerts (example reference: “{{ event.alerts[0]._id }}”).

Read more: https://www.elastic.co/security-labs/security-automation-with-elastic-workflows