Elasticsearch
The Dropzone platform integrates with Elastic Security, the Elasticsearch-based SIEM. Many customers ingest other alert sources (e.g. identity providers) into Elasticsearch and integrate Dropzone with Elasticsearch rather than with each source system.
Create an API Key and Obtain a Cloud ID
Enabling the Elasticsearch integration requires an API Key and an Elasticsearch Cloud ID.
To obtain your Elasticsearch Cloud ID, do the following:
Navigate to your Elastic Cloud home page
Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access
Click "Open"

In the upper right of the Overview page, click "Endpoint & API Keys"

Check "Show Cloud ID"
Copy the value shown for use later in the Dropzone UI, where it is called "Elasticsearch Cloud ID"

To obtain an API Key, do the following:
Navigate to your Elastic Cloud home page
Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access
Click "Open"

In the Deployment overview page, click "Management" in the bottom left corner
Click the icon next to Stack Management
Navigate to API keys

Click "Create an API key"

Name the API key something memorable, such as Dropzone.AI
Under type, select User API key. A User API key inherits all privileges of the user who creates it, so create it from an account with only the access Dropzone needs (read access to the alert indices), or restrict it with role descriptors; do not create it from a superuser account
Click "Create API Key"

Copy the API key generated for use later in the Dropzone UI, where it is called "API Key"
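The two values collected above can be sanity-checked before they are pasted into the Dropzone UI. The following Python is an added example, not code from the Dropzone or Elastic documentation: it decodes a Cloud ID (the documented format is `<name>:base64(<host>[:port]$<es_uuid>$<kibana_uuid>)`) to confirm it is well-formed and to derive the Elasticsearch endpoint, and it builds a `POST /_security/api_key` request body whose role descriptors limit the key to read-only access on the alert indices, as a least-privilege alternative to a key that inherits every privilege of the creating user. The Cloud ID, the role name `dropzone_alert_reader`, the index pattern `.alerts-security.alerts-*` and the 90-day expiry are constructed assumptions; adjust the pattern to the index you configure under Elasticsearch Alert Queries.

```python
import base64
from typing import Dict, Iterable, Optional

# Constructed sample Cloud ID (not a real deployment). Real Cloud IDs have the same
# shape: "<deployment name>:" + base64("<host>[:port]$<es_uuid>$<kibana_uuid>").
SAMPLE_CLOUD_ID = "my-deployment:" + base64.b64encode(
    b"us-east-1.aws.found.io:443$abc123$def456"
).decode()

# Assumed index pattern for Elastic Security alerts; change to match your alert index.
DROPZONE_ALERT_INDICES = [".alerts-security.alerts-*"]

# Index privileges that would let the key modify data or mappings; a key for an
# alert-reading integration should carry none of them.
WRITE_PRIVILEGES = {
    "all", "write", "create", "create_doc", "index", "delete",
    "delete_index", "create_index", "manage", "auto_configure",
}


def decode_cloud_id(cloud_id: str) -> Dict[str, str]:
    """Validate a Cloud ID and return the deployment name and endpoint URLs."""
    name, sep, encoded = cloud_id.partition(":")
    if not sep or not name or not encoded:
        raise ValueError("Cloud ID must look like '<name>:<base64 payload>'")
    try:
        payload = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("Cloud ID payload is not valid base64") from exc
    parts = payload.split("$")
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("Cloud ID payload must be host$es_uuid$kibana_uuid")
    host, es_uuid, kibana_uuid = parts[:3]
    hostname, _, port = host.partition(":")  # an explicit port is optional
    port = port or "443"
    return {
        "name": name,
        "es_url": f"https://{es_uuid}.{hostname}:{port}",
        "kibana_url": f"https://{kibana_uuid}.{hostname}:{port}",
    }


def api_key_endpoint(cloud_id: str) -> str:
    """URL to POST the key-creation request to, derived from the Cloud ID."""
    return decode_cloud_id(cloud_id)["es_url"] + "/_security/api_key"


def api_key_request(name: str, indices: Iterable[str], expiration: str = "90d") -> dict:
    """Body for POST /_security/api_key restricted to reading the given indices."""
    return {
        "name": name,
        "expiration": expiration,  # rotate the key instead of issuing a permanent one
        "role_descriptors": {
            "dropzone_alert_reader": {          # assumed role name
                "cluster": [],                   # no cluster-level privileges
                "indices": [
                    {"names": list(indices), "privileges": ["read", "view_index_metadata"]}
                ],
            }
        },
    }


def is_read_only(request: dict) -> bool:
    """True if no role descriptor grants cluster or write/index-management privileges."""
    for role in request.get("role_descriptors", {}).values():
        if role.get("cluster"):
            return False
        for entry in role.get("indices", []):
            if set(entry.get("privileges", [])) & WRITE_PRIVILEGES:
                return False
    return True


def offending_privileges(request: dict) -> Optional[set]:
    """Return the write-capable privileges found in the request, or None if clean."""
    found = set()
    for role in request.get("role_descriptors", {}).values():
        for entry in role.get("indices", []):
            found |= set(entry.get("privileges", [])) & WRITE_PRIVILEGES
    return found or None


if __name__ == "__main__":
    info = decode_cloud_id(SAMPLE_CLOUD_ID)
    body = api_key_request("Dropzone.AI", DROPZONE_ALERT_INDICES)
    print("Elasticsearch endpoint:", info["es_url"])
    print("Key request is read-only:", is_read_only(body))
```

The request body can be sent to the endpoint with any HTTP client authenticated as an administrator; the response contains both `api_key` and `encoded`, and the Kibana UI copies the Base64 `encoded` form by default, which is the value the Dropzone UI expects. If "Test & Save" later fails with an authorization error, widen the `names` pattern to cover the index you configured rather than adding write or cluster privileges.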

Enable Elasticsearch
To enable the Alert Source integration, you will need the following information:
Elasticsearch Cloud ID
The Cloud ID value found earlier
API Key
The API key value you generated earlier
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, navigate to Settings > Integrations

Click "Available"

In the Search bar, search Elasticsearch, then click "Configure"

Under the Alert Source heading, input the Elasticsearch Cloud ID and API Key

If you are using the Elasticsearch Serverless projects-based model, check the box labeled "Use Elasticsearch Serverless" and input your Elasticsearch endpoint value instead of a Cloud ID

Under the heading Elasticsearch Alert Queries, click "Add item" to add Elasticsearch Alert Queries for Dropzone to investigate

You may use Kibana alerts, or supply your own custom index and query string
To use your own custom index and query string, uncheck the box labeled "Use Kibana Alerts". Input your custom index and query string into the fields labeled "Custom Index" and "Query String", then click "Add Item"

To use Kibana alerts, check the box labeled "Use Kibana Alerts"
In the "Kibana Alert Index" section, input an index pattern that matches your Kibana security alert indices
You may limit ingestion to specific Kibana alert statuses under the heading "Kibana Alert Status Allowlist". If you do, click "Add Item" to add each status to allow. Otherwise, leave it blank and alerts of every status are ingested

Under the heading "Kibana Alert Severities", check the box for each severity level you want Dropzone to investigate alerts for

You may choose to include or exclude specific Kibana alert rules
To restrict ingestion to specific rules, click "Add item" under the heading "Kibana Alert Rule Allowlist". To exclude specific rules, click "Add Item" under the section labeled "Kibana Alert Rule Exclusion List". Otherwise, leave both blank

Once you have finished adding your Elasticsearch Alert Queries, click "Add item" at the end of the Kibana Alerts section

Input your desired poll interval and lookback. Set the lookback window longer than the poll interval so that an alert indexed between two polls is still picked up by the next one

Click "Test & Save" to finish
Multitenancy Configuration Using Namespaces
The Elasticsearch integration supports multitenancy based on the Elastic data stream naming scheme. This approach allows you to leverage Elasticsearch's built-in data organization capabilities while maintaining proper tenant separation within Dropzone.
Understanding Elastic Namespaces
Elastic data streams follow a structured naming convention: {type}-{dataset}-{namespace}
The namespace component is a user-configurable arbitrary grouping that provides flexibility in organizing data. For example, you might have data streams like logs-nginx.access-production or logs-nginx.access-staging, where production and staging are different namespaces.
For more details on the Elastic data stream naming scheme, see An introduction to the Elastic data stream naming scheme.
Enabling Namespace-Based Multitenancy
When the multitenant configuration is selected and the multitenant map is enabled in Dropzone, you can map Elasticsearch namespaces to tenants within the multitenant map. Each alert investigation then searches only data within the namespace associated with that alert, rather than across every tenant's data.
To configure namespace-based multitenancy:
Define your namespace-to-tenant mappings to specify which Elasticsearch namespaces should be associated with which Dropzone tenants
Enable the multitenant configuration option in your Elasticsearch integration settings

Ensure your Elasticsearch data streams follow the standard naming convention with appropriate namespace values
(Optional) Specify the namespaces whose alerts should be investigated. If no namespaces are specified, all alerts that carry a namespace are ingested
If this configuration is enabled and an alert is ingested without a namespace, the alert is dropped and will not be investigated. Indices that do not follow the {type}-{dataset}-{namespace} convention therefore produce no investigations under this mode
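The routing rules described above can be modelled to predict how a given alert will be handled before enabling the option. The following Python is an added illustration, not Dropzone's own code: it extracts the namespace from an alert (preferring the ECS `data_stream.namespace` field and falling back to parsing the index name, including `.ds-` backing-index names), applies an optional namespace allowlist, and resolves the tenant from a namespace-to-tenant map. The sample alerts, the tenant names and the `TENANT_MAP` are constructed; treating an unmapped namespace as dropped is an assumption made here, not a documented Dropzone behaviour.

```python
import re
from typing import Dict, Iterable, List, Optional

# Elastic data stream naming scheme: {type}-{dataset}-{namespace}. None of the three
# parts may contain '-', so the first three dash-separated fields are unambiguous.
# Backing indices look like ".ds-logs-nginx.access-production-2024.05.01-000001";
# the optional ".ds-" prefix and the date/generation suffix are stripped.
DATA_STREAM_RE = re.compile(
    r"^(?:\.ds-)?(?P<type>[^-]+)-(?P<dataset>[^-]+)-(?P<namespace>[^-]+)(?:-.*)?$"
)

# Constructed namespace-to-tenant map (the "multitenant map" in the Dropzone UI).
TENANT_MAP: Dict[str, str] = {"production": "acme-prod", "staging": "acme-staging"}

# Constructed sample alerts as they might come back from an Elasticsearch query.
SAMPLE_ALERTS: List[dict] = [
    {   # namespace present in the ECS data_stream field
        "_id": "a1",
        "_index": ".ds-logs-nginx.access-production-2024.05.01-000001",
        "data_stream": {"type": "logs", "dataset": "nginx.access", "namespace": "production"},
    },
    {   # no data_stream field; namespace recoverable only from the index name
        "_id": "a2",
        "_index": ".ds-logs-nginx.access-staging-2024.05.01-000003",
    },
    {   # legacy index that does not follow the naming scheme: no namespace
        "_id": "a3",
        "_index": "legacy_alerts",
    },
    {   # well-formed namespace that has no tenant mapping
        "_id": "a4",
        "_index": ".ds-logs-okta.system-sandbox-2024.05.01-000002",
    },
]


def namespace_of(alert: dict) -> Optional[str]:
    """Return the alert's namespace, or None if it cannot be determined."""
    data_stream = alert.get("data_stream")
    if isinstance(data_stream, dict) and data_stream.get("namespace"):
        return data_stream["namespace"]
    match = DATA_STREAM_RE.match(alert.get("_index", ""))
    return match.group("namespace") if match else None


def route_alert(
    alert: dict,
    tenant_map: Dict[str, str],
    allowed_namespaces: Optional[Iterable[str]] = None,
) -> Optional[str]:
    """Resolve the tenant an alert belongs to; None means the alert is dropped.

    Drop rules, in order: no namespace (documented behaviour); namespace not in the
    optional allowlist; namespace with no tenant mapping (assumption made here).
    """
    namespace = namespace_of(alert)
    if namespace is None:
        return None
    if allowed_namespaces is not None and namespace not in set(allowed_namespaces):
        return None
    return tenant_map.get(namespace)


def route_all(
    alerts: Iterable[dict],
    tenant_map: Dict[str, str],
    allowed_namespaces: Optional[Iterable[str]] = None,
) -> Dict[str, Optional[str]]:
    """Map each alert id to its tenant (or None if dropped)."""
    return {a["_id"]: route_alert(a, tenant_map, allowed_namespaces) for a in alerts}


if __name__ == "__main__":
    for alert_id, tenant in route_all(SAMPLE_ALERTS, TENANT_MAP).items():
        print(f"{alert_id}: {'dropped' if tenant is None else tenant}")
```

Running the model over a sample of your own alert documents (a few hits from the alert index, with `_index` and `data_stream` included) shows immediately which alerts would be dropped for lacking a namespace, which is the check to do before turning the option on for a tenant.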
If you encounter errors, engage your Dropzone AI support representative.