Elm

Security orchestration, automation, and response — cases, war room, evidence vault, playbooks.

What is Elm?

Elm is the Security Orchestration, Automation, and Response (SOAR) hub of the Sandworm platform. It provides a structured case-management workflow, a real-time collaborative war room for multi-analyst investigations, a cryptographically-hashed evidence vault, and playbook-driven automation that can call any Sandworm product API or external webhook. It is designed for SOC teams that need a single place to triage, investigate, and close security incidents rather than switching between disconnected ticketing and chat tools.

  • Every Sandworm product can auto-open Elm cases — no configuration required for intra-platform alert routing.
  • The evidence vault hashes and timestamps every artefact on upload, providing a tamper-evident record suitable for legal hold.
  • Disposition tracking records case outcomes (true positive, false positive, benign, duplicate) to drive detection quality improvements over time.

Connect your alert sources

Elm is the SOAR hub for the Sandworm platform. Other Sandworm products can feed cases directly — no configuration required. For external tools, add a connector in Settings → Connectors.

  • Sandworm products: CloudGuard, Sandworm SIEM, Sandworm EDR, Truthsayer, and Sandworm BAS can all auto-open Elm cases — enable under each product's alert settings.
  • External webhooks: configure any alerting tool to POST to the Elm ingest webhook for automatic case creation.
  • Email ingestion: forward alerts from any system to your Elm ingest email address to create cases from email.
  • Ticketing integrations: bidirectional sync with Jira, ServiceNow, and PagerDuty is configured under Settings → Integrations.

  1. Enable intra-platform case creation.

     In each Sandworm product's alert settings, enable the 'Auto-open Elm case' option for your chosen severity thresholds. Cases start flowing immediately.

  2. Configure external webhook ingestion.

     Copy the Elm ingest webhook URL from Settings → Connectors → Webhooks and configure your external alerting tools to POST to it. Each POST creates a new case.

  3. Set up a ticketing integration.

     Navigate to Settings → Integrations and configure bidirectional sync with Jira, ServiceNow, or PagerDuty so cases stay in sync with your existing ticketing workflow.

Sandworm never writes to your environment. All integrations use the minimum read-only permissions required.

Key concepts

Elm provides SOAR: a case management system with collaborative investigation tools, an evidence vault, and playbook-driven automation.

  • Cases: the primary unit of work — each case has a severity, lifecycle state, owner, and timeline of activity.
  • War room: a real-time collaborative space within a case for multi-analyst investigations — includes shared notes and a voice channel.
  • Evidence vault: cryptographically hashed evidence artefacts (screenshots, packet captures, logs) attached to a case for audit and legal hold.
  • Playbooks: automated response workflows triggered by case conditions — can call Sandworm product APIs or external webhooks.
  • Disposition tracking: record case outcomes (true positive, false positive, benign, duplicate) to drive detection quality improvements.
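Disposition tracking only improves detection quality if someone turns the recorded outcomes into a per-rule signal. The script below is an added example, not Elm's own code or API: it assumes closed cases are exported with a `rule` field naming the detection that opened each case and a `disposition` field holding one of the four outcomes listed above, and it computes a precision figure per rule to surface rules that mostly produce false positives. Duplicates are deliberately left out of the precision calculation, since a duplicate says nothing about whether the detection logic was right. The case data is constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

DISPOSITIONS = ("true_positive", "false_positive", "benign", "duplicate")

# Constructed sample of closed cases. The 'rule' field is an assumption:
# it is taken to carry the name of the detection that auto-opened the case.
CLOSED_CASES = [
    {"id": "C-1",  "rule": "edr_suspicious_process",   "disposition": "true_positive"},
    {"id": "C-2",  "rule": "edr_suspicious_process",   "disposition": "true_positive"},
    {"id": "C-3",  "rule": "edr_suspicious_process",   "disposition": "false_positive"},
    {"id": "C-4",  "rule": "edr_suspicious_process",   "disposition": "true_positive"},
    {"id": "C-5",  "rule": "edr_suspicious_process",   "disposition": "duplicate"},
    {"id": "C-6",  "rule": "siem_brute_force",         "disposition": "false_positive"},
    {"id": "C-7",  "rule": "siem_brute_force",         "disposition": "benign"},
    {"id": "C-8",  "rule": "siem_brute_force",         "disposition": "false_positive"},
    {"id": "C-9",  "rule": "siem_brute_force",         "disposition": "true_positive"},
    {"id": "C-10", "rule": "siem_brute_force",         "disposition": "false_positive"},
    {"id": "C-11", "rule": "cloudguard_public_bucket", "disposition": "true_positive"},
]


def summarize(cases: List[dict]) -> Dict[str, Dict[str, int]]:
    """Count dispositions per detection rule; reject unknown outcome labels."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {d: 0 for d in DISPOSITIONS})
    for case in cases:
        disposition = case["disposition"]
        if disposition not in DISPOSITIONS:
            raise ValueError(f"case {case['id']}: unknown disposition {disposition!r}")
        counts[case["rule"]][disposition] += 1
    return dict(counts)


def precision(counts: Dict[str, int]) -> Optional[float]:
    """true_positive / (true_positive + false_positive + benign).

    Duplicates are excluded: they reflect alert routing, not detection accuracy.
    Returns None when no judged cases exist for the rule."""
    tp = counts["true_positive"]
    noise = counts["false_positive"] + counts["benign"]
    total = tp + noise
    return None if total == 0 else tp / total


def noisy_rules(cases: List[dict], min_judged: int = 3,
                max_precision: float = 0.5) -> List[Tuple[str, float]]:
    """Rules with enough judged cases whose precision is at or below the threshold,
    worst first. min_judged stops a single bad outcome from flagging a new rule."""
    flagged = []
    for rule, counts in summarize(cases).items():
        p = precision(counts)
        judged = counts["true_positive"] + counts["false_positive"] + counts["benign"]
        if p is not None and judged >= min_judged and p <= max_precision:
            flagged.append((rule, p))
    return sorted(flagged, key=lambda item: item[1])


if __name__ == "__main__":
    for rule, counts in summarize(CLOSED_CASES).items():
        print(f"{rule:28s} precision={precision(counts)}  {counts}")
    print("rules needing tuning:", noisy_rules(CLOSED_CASES))
```

Feeding this a weekly export and reviewing the flagged rules is the loop the disposition feature is meant to close: a rule with high volume and low precision is a tuning candidate, while a rule with too few judged cases is left alone until there is enough evidence to decide.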

Opening your first case

Navigate to Elm → Cases → New Case, or let an alert from a connected product create one automatically. Assign the case to an analyst, set severity, and begin adding timeline entries.

  • The Timeline tab shows a chronological record of all analyst actions, automated playbook steps, and evidence additions.
  • Attach evidence by dragging files onto the Evidence Vault panel — each file is hashed and timestamped on upload.
  • Run a playbook from the Actions menu to trigger automated response steps without leaving the case view.
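The page says each uploaded artefact is hashed and timestamped so the vault is tamper-evident. The following is an added example, not Elm's implementation, showing how a vault of that kind can be built and, more importantly, how it is checked afterwards: each record stores the artefact's SHA-256 digest, size, uploader and a caller-supplied timestamp, and is chained to the previous record through an entry hash, so editing any stored field or reordering records is detectable. The record layout, the chaining scheme and the sample artefacts are all assumptions constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional


@dataclass
class EvidenceEntry:
    """One vault record: artefact digest plus a chained entry hash (assumed layout)."""
    name: str
    sha256: str            # digest of the artefact bytes
    size: int
    uploaded_at: str       # ISO-8601 timestamp supplied by the caller
    uploaded_by: str
    prev_entry_hash: str   # entry_hash of the previous record; empty for the first
    entry_hash: str = ""   # sha256 over every other field, including prev_entry_hash


def _entry_hash(entry: EvidenceEntry) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class EvidenceVault:
    def __init__(self) -> None:
        self.entries: List[EvidenceEntry] = []

    def add(self, name: str, data: bytes, uploaded_by: str, uploaded_at: str) -> EvidenceEntry:
        """Hash the artefact and append a record linked to the previous one."""
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = EvidenceEntry(
            name=name,
            sha256=hashlib.sha256(data).hexdigest(),
            size=len(data),
            uploaded_at=uploaded_at,
            uploaded_by=uploaded_by,
            prev_entry_hash=prev,
        )
        entry.entry_hash = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> Optional[int]:
        """Return None if every record is intact and correctly linked,
        otherwise the index of the first record that fails."""
        prev = ""
        for index, entry in enumerate(self.entries):
            if entry.prev_entry_hash != prev or _entry_hash(entry) != entry.entry_hash:
                return index
            prev = entry.entry_hash
        return None

    def verify_artifact(self, index: int, data: bytes) -> bool:
        """Check that bytes retrieved later still match the digest recorded at upload."""
        return hashlib.sha256(data).hexdigest() == self.entries[index].sha256


# Constructed sample artefacts; not real evidence.
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + b"\x00" * 20   # pcap magic number plus padding
SAMPLE_LOG = b"2024-01-01T00:00:00Z host1 sshd: Accepted publickey for analyst\n"


def demo() -> EvidenceVault:
    vault = EvidenceVault()
    vault.add("capture.pcap", SAMPLE_PCAP, "analyst1", "2024-01-01T00:05:00Z")
    vault.add("auth.log", SAMPLE_LOG, "analyst2", "2024-01-01T00:07:00Z")
    return vault


if __name__ == "__main__":
    vault = demo()
    print("chain intact:", vault.verify_chain() is None)
    vault.entries[0].sha256 = "0" * 64      # simulate tampering with a stored digest
    print("first bad record:", vault.verify_chain())
```

Two checks matter in practice and the example separates them: `verify_artifact` answers "is this file still the one that was uploaded", which is what legal hold cares about, and `verify_chain` answers "has the record of uploads itself been edited", which is what makes the vault tamper-evident rather than merely hashed.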

Integrations

Elm connects to every Sandworm product for automated case creation and to external ticketing, notification, and collaboration tools.

  • Sandworm products (native): CloudGuard, Sandworm SIEM, Sandworm EDR, Truthsayer, Sandworm BAS, Stillsuit, Sandworm SASE, Sandworm SCA, Sandworm AI Security — all can auto-create Elm cases.
  • Ticketing: Jira (bidirectional), ServiceNow (bidirectional), PagerDuty (alert → case mapping).
  • Notification: Slack (case updates and playbook results), email, and webhook to any HTTP endpoint.
  • External SOAR / SIEM: ingest webhook accepts POST from any external tool; outbound REST calls in playbooks reach any API.
  • Evidence and forensics: Sandworm EDR live-response sessions are attached to Elm cases automatically; packet capture uploads are hashed on receipt.

API and CLI

Create and update cases, run playbooks, and retrieve evidence metadata via the sandworm CLI or REST API.

  • `sandworm elm cases list --open` — list open cases.
  • `sandworm elm case create --title "Incident" --severity high` — open a new case.
  • `sandworm elm playbook run --case <id> --playbook <id>` — execute a playbook against a case.
  • REST API: see the OpenAPI spec at /api/elm/openapi.json on your deployment.
```bash
sandworm elm cases list --open --format table
```