Elastic's information security team recently detailed how they automated their alert-handling workflow with Tines to improve their ability to identify and respond to threats. The system automatically triages alerts from Elastic's own Security Information and Event Management (SIEM) deployment, so that genuine threats are identified and prioritized sooner.
Aaron Jewitt, principal information security analyst II at Elastic, elaborated on the implementation in a blog post. Using this streamlined workflow, the team has investigated and resolved over 50,000 monthly alerts, each processed a few seconds after being triggered. This approach allows the team to focus on investigating complex threats, thereby improving overall security posture.
Previously, the Elastic InfoSec team had built rule packages for User and Entity Behavior Analytics (UEBA), which analyzes activity data from users and devices to establish a baseline of normal behavior and alerts on deviations from it.
The security team realized that many UEBA alerts could be dismissed if they originated from trusted devices. Investigating one typically meant checking the alert's details against their Elasticsearch data for matching activity from the same device and user; if such activity was found, the alert was most likely a false positive.
Dealing with a high volume of false alarms can lead to analyst fatigue and missed threats. So the team considered automating initial alert investigations, dismissing false positives, and escalating genuine threats.
Currently, Elastic’s system transmits security alerts to a security orchestration, automation, and response (SOAR) system. This SOAR system then automatically investigates each alert using queries. Based on the results, it resolves the alert or escalates it to a security analyst for further review.
Jewitt further explained how the team used Tines to build the automated triage workflow. Elastic's security team uses Alert Actions in Elastic Security to send alert data to the SOAR, either through the built-in Tines connector or through a webhook that delivers alerts individually or as a batch in ndjson format.
Automated triage tags such as Triage:All, Triage:Asset and Triage:Workstation are attached to detection rules to route their alerts to the appropriate triage path. Depending on the outcome, other Tines actions forward the alerts to Slack or PagerDuty. An example workflow that escalates open alerts to Slack is shown in the figure below.

(Figure: example Tines workflow escalating open alerts to Slack.) Source: Reducing false positives with automated SIEM investigations from Elastic and Tines
On the topic of SIEM, there was an interesting conversation on Reddit that delved into the importance of SIEM. The OP Threezeley enquired how one should gauge the effectiveness of SIEM compared to all other security/alerting tools in their organization. Reddit user skylinesora chimed in, highlighting the importance of their SIEM as the foundation of their security operations. "SIEM is at least as important as SOAR," they said, emphasizing that while SOAR aids in incident management and automation, SIEM is crucial for providing the raw data and alerts that SOAR relies on for effective threat detection and response.
Jewitt also highlighted the limits of automation, particularly against insider threats. An attacker operating from a compromised device or over an authorized connection appears as a trusted source and therefore passes automated triage. Authorized API tokens used by third-party services can likewise trigger false positives; tracking these and maintaining exceptions for them takes ongoing time and effort, but it does improve the accuracy of the automated triage.
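The triage path described above (a webhook batch in ndjson, routing by Triage: tag, an automated version of the analyst's lookup for prior activity, then resolve or escalate) together with the hand-curated exception list for authorized third-party tokens that Jewitt mentions, as an added example written for this article. It is not Elastic's or Tines' code: the field names, tag names, threshold, in-memory stand-in for the Elasticsearch lookup and the sample alerts are all assumptions constructed for the example.

```python
import json
from typing import Optional

# --- Constructed data (assumptions for this example, not Elastic's data) ---

# Stand-in for the Elasticsearch lookup an analyst would normally run:
# how many days of prior activity exist for a (host, user) pair.
PRIOR_ACTIVITY_DAYS = {
    ("ws-0142.corp", "alice"): 210,
    ("ws-0377.corp", "bob"): 2,      # nearly new device: too little history to trust
}

# Authorized third-party service tokens and the rules they are allowed to fire.
# This is the exception list that has to be tracked and curated by hand.
SERVICE_TOKEN_EXCEPTIONS = {
    "svc-backup-vendor": {"Unusual API Token Usage"},
}

MIN_HISTORY_DAYS = 30  # assumed threshold for "enough history to trust"

# Four alerts in ndjson form, as a batch webhook action would deliver them.
SAMPLE_NDJSON = "\n".join(json.dumps(a) for a in [
    {"rule": {"name": "Unusual Login Time", "tags": ["Triage:Workstation"]},
     "host": {"name": "ws-0142.corp"}, "user": {"name": "alice"}},
    {"rule": {"name": "Unusual Login Time", "tags": ["Triage:Workstation"]},
     "host": {"name": "ws-0377.corp"}, "user": {"name": "bob"}},
    {"rule": {"name": "Unusual API Token Usage", "tags": ["Triage:All"]},
     "host": {"name": "api-gw-01"}, "user": {"name": "svc-backup-vendor"}},
    {"rule": {"name": "Rare Process Execution", "tags": ["UEBA"]},
     "host": {"name": "ws-0142.corp"}, "user": {"name": "alice"}},
])


def parse_ndjson(text: str) -> list:
    """Split a newline-delimited JSON batch into alert dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_path(alert: dict) -> Optional[str]:
    """Return the path named by the rule's 'Triage:<path>' tag, or None if absent."""
    for tag in alert.get("rule", {}).get("tags", []):
        if tag.startswith("Triage:"):
            return tag.split(":", 1)[1].strip()
    return None


def device_is_trusted(alert: dict) -> bool:
    """Automated form of the analyst's lookup: enough prior activity from this
    host/user pair makes a UEBA anomaly likely benign."""
    key = (alert["host"]["name"], alert["user"]["name"])
    return PRIOR_ACTIVITY_DAYS.get(key, 0) >= MIN_HISTORY_DAYS


def token_is_excepted(alert: dict) -> bool:
    """An authorized third-party token firing a rule it is known to trigger."""
    allowed = SERVICE_TOKEN_EXCEPTIONS.get(alert["user"]["name"], set())
    return alert["rule"]["name"] in allowed


def triage(alert: dict) -> dict:
    """Decide 'resolve', 'escalate' or 'manual' for one alert, with a reason."""
    path = triage_path(alert)
    if path is None:
        return {"decision": "manual", "reason": "no Triage tag, left to an analyst"}
    checks = {
        "Workstation": [device_is_trusted],
        "Asset": [device_is_trusted],
        "All": [device_is_trusted, token_is_excepted],
    }.get(path, [])
    for check in checks:
        if check(alert):
            return {"decision": "resolve", "reason": check.__name__}
    return {"decision": "escalate", "reason": f"no {path} check matched"}


def route_batch(ndjson_text: str) -> list:
    """Triage a webhook batch; escalated alerts would go on to Slack or PagerDuty."""
    results = []
    for alert in parse_ndjson(ndjson_text):
        decision = triage(alert)
        results.append((alert["rule"]["name"], alert["user"]["name"],
                        decision["decision"]))
    return results


if __name__ == "__main__":
    for rule, user, decision in route_batch(SAMPLE_NDJSON):
        print(f"{decision:9s} {rule} ({user})")
```

Run stand-alone, the batch yields resolve, escalate, resolve, manual: the long-established workstation and the excepted vendor token are auto-resolved, the two-day-old device is escalated, and the rule without a Triage: tag is never touched by automation. The first outcome is also the blind spot Jewitt describes: if ws-0142.corp were compromised, the attacker's activity as alice would be resolved for exactly the same reason, which is why the exception list and trust threshold need deliberate review rather than being set once.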
Interested readers can explore this automation approach by using the 14-day trial of Elastic Cloud and the free community edition of Tines.