Using Records to improve story performance in Tines
Blog post from Tines
Aaron Jewitt, Principal Detection Engineer at Elastic, describes in a guest post a Tines workflow (a "story", in Tines terms) that his InfoSec team uses to make automated alert triage faster and cheaper. The idea is to record the outcome of automated triage and cache it for longer than a single story run, so the same question is not put to Elasticsearch over and over. The story checks several Elasticsearch index patterns for an alert's source.ip, with the set of checks determined by the tags on the detection rule. A record type with a source.ip text field and a boolean is_managed field caches the result: once an address has been classified as belonging to a managed system or not, later alerts from the same address read the record instead of re-running the queries, which reduces load on both the Tines tenant and the Elasticsearch clusters. For an address with no record, the story creates one, marks it managed or not managed, and routes the alert accordingly. Alerts whose source.ip is not marked as managed are sent to Slack for a human to look at; alerts whose source.ip is marked as managed go to a Send to Story action that deduplicates, updates, and tags the alert in Elastic SIEM. The story can be tried for free with the Tines Community Edition and a 14-day trial of Elastic Cloud.
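The cache-aside pattern the post describes, as an added Python example that is not the post's own code or a Tines story export: an in-memory record store keyed on source.ip with an is_managed flag, a stand-in for the Elasticsearch inventory queries, checks gated on a rule tag, and the two routing outcomes (Slack for unmanaged, Send to Story for managed). The inventory set, the tag name needs-source-ip-check, the record TTL and the sample alerts are all constructed for this example; the post does not say how long records are kept, so the TTL is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass
class Record:
    """One row in the source.ip record type described in the post."""
    source_ip: str
    is_managed: bool
    created_at: datetime


# Constructed sample inventory: the addresses the endpoint index patterns
# would return. In the real story this comes from Elasticsearch queries.
MANAGED_INVENTORY = {"10.0.1.15", "10.0.1.22", "192.168.4.7"}

# Hypothetical rule tag that marks alerts needing the managed-IP check.
CHECK_TAG = "needs-source-ip-check"


class Triage:
    def __init__(self, record_ttl=timedelta(days=7)):
        self.records = {}             # source.ip -> Record (the cache)
        self.record_ttl = record_ttl  # assumption: how long a record stays valid
        self.es_queries = 0           # expensive inventory lookups actually issued
        self.slack = []               # alerts routed to Slack (unmanaged source)
        self.send_to_story = []       # alerts routed to the dedupe/update/tag story

    def _query_inventory(self, ip):
        """Stand-in for the Elasticsearch index-pattern queries."""
        self.es_queries += 1
        return ip in MANAGED_INVENTORY

    def lookup_or_create(self, ip, now):
        """Cache-aside: reuse a fresh record, otherwise query and store a new one."""
        rec = self.records.get(ip)
        if rec is not None and now - rec.created_at < self.record_ttl:
            return rec
        rec = Record(ip, self._query_inventory(ip), now)
        self.records[ip] = rec
        return rec

    def handle_alert(self, alert, now=None):
        """Return the path the alert takes: 'skipped', 'slack' or 'send_to_story'."""
        if CHECK_TAG not in alert.get("tags", ()):
            return "skipped"  # rule not tagged for this check
        now = now or datetime.now(timezone.utc)
        ip = alert["source.ip"]
        ipaddress.ip_address(ip)  # raises on garbage before it becomes a record key
        rec = self.lookup_or_create(ip, now)
        if rec.is_managed:
            self.send_to_story.append(alert)
            return "send_to_story"
        self.slack.append(alert)
        return "slack"


def demo():
    """Run constructed alerts through the triage and report what happened."""
    t = Triage()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alerts = [
        {"source.ip": "10.0.1.15", "tags": [CHECK_TAG]},
        {"source.ip": "10.0.1.15", "tags": [CHECK_TAG]},    # cache hit, no query
        {"source.ip": "203.0.113.9", "tags": [CHECK_TAG]},
        {"source.ip": "203.0.113.9", "tags": [CHECK_TAG]},  # cache hit, no query
        {"source.ip": "10.0.1.22", "tags": ["other"]},      # not tagged: no check
    ]
    routes = [t.handle_alert(a, now=t0) for a in alerts]
    queries_before_expiry = t.es_queries
    # After the TTL the record is re-queried, so a host that lost its agent
    # (or an address that was reassigned) is not trusted forever.
    t.handle_alert(alerts[0], now=t0 + timedelta(days=8))
    return {
        "routes": routes,
        "es_queries": queries_before_expiry,
        "es_queries_after_expiry": t.es_queries,
        "slack": len(t.slack),
        "send_to_story": len(t.send_to_story),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the saving the post is after: four tagged alerts from two addresses cost two inventory queries instead of four, and the untagged alert costs none. The expiry step is the caveat worth keeping in mind when caching triage verdicts for a long time: an is_managed record is only as current as the query that produced it, so give records a lifetime (or invalidate them when the inventory changes) rather than treating a cached "managed" as permanent.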