Has anyone thought about building a cyber security case management solution on top of the ELK stack?
I can imagine a streamlined workflow for cyber security analysts/incident response teams. Analysts on a "hunt" could mark a record or records as the start of a new case and then could add additional records to that case. When adding records to a case, it could potentially prevent those records from being curated off the cluster or delay curation based on some criteria. This could also enable enrichment and correlation of case artifacts (IPs, hostnames, IOCs, etc.) more quickly or automatically, and allow analysts to operate within a single platform instead of moving between platforms frequently.
The only platform I've seen that achieves something like this is Apache Metron. I'd rather leverage an existing investment in the Elastic Stack if possible, which has the data I'm interested in using for case generation and enrichment.
Thanks for your input/ideas in advance.
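An added sketch of the case-hold and enrichment workflow described in the post (example code, not from this thread or from any Elastic product). It simulates the index in memory with a hypothetical `case_ids` field on each event, blocks retention purges for records attached to an open case, and emits the equivalent `delete_by_query` body.

```python
from datetime import datetime, timedelta

# Constructed sample events, shaped like SIEM records indexed in Elasticsearch.
RECORDS = {
    "ev-1": {"@timestamp": datetime(2024, 1, 1), "source.ip": "10.0.0.5", "case_ids": []},
    "ev-2": {"@timestamp": datetime(2024, 1, 2), "source.ip": "10.0.0.9", "case_ids": []},
    "ev-3": {"@timestamp": datetime(2024, 3, 1), "source.ip": "10.0.0.5", "case_ids": []},
}
CASES = {}  # case_id -> {"status": "open" | "closed", "records": set of record ids}

def open_case(case_id, record_ids):
    """Start a case from one or more hunt results and tag those records."""
    CASES[case_id] = {"status": "open", "records": set()}
    attach_to_case(case_id, record_ids)

def attach_to_case(case_id, record_ids):
    """Add further records to an existing case (hypothetical case_ids field)."""
    for rid in record_ids:
        RECORDS[rid]["case_ids"].append(case_id)
        CASES[case_id]["records"].add(rid)

def close_case(case_id):
    CASES[case_id]["status"] = "closed"  # releases the hold on its records

def on_hold(record):
    """A record is held while any case referencing it is still open."""
    return any(CASES[c]["status"] == "open" for c in record["case_ids"])

def purge_expired(now, retention):
    """Retention sweep that skips held records; returns the ids it removed."""
    cutoff = now - retention
    purged = [rid for rid, rec in RECORDS.items()
              if rec["@timestamp"] < cutoff and not on_hold(rec)]
    for rid in purged:
        del RECORDS[rid]
    return purged

def enrich_case(case_id):
    """Collect artifacts (here source IPs) across a case's records for correlation."""
    return sorted({RECORDS[rid]["source.ip"]
                   for rid in CASES[case_id]["records"] if rid in RECORDS})

def retention_query(open_case_ids, cutoff_iso):
    """Equivalent delete_by_query body: expired AND not tagged with an open case."""
    return {"query": {"bool": {
        "filter": [{"range": {"@timestamp": {"lt": cutoff_iso}}}],
        "must_not": [{"terms": {"case_ids": sorted(open_case_ids)}}]}}}
```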