# Elasticsearch

{% hint style="info" %}
Elasticsearch is a SIEM integration. SIEM integrations are used to analyze SIEM-generated alerts and/or to use the SIEM's data as part of investigation analysis.
{% endhint %}

The Dropzone platform integrates with the [Elasticsearch](https://www.elastic.co/elasticsearch) security SIEM. Many customers ingest other alert sources into Elasticsearch (e.g. IDPs) and integrate Dropzone into Elasticsearch rather than the source systems. Dropzone supports both Cloud deployments and On-premise deployments.

## Create an API Key and Obtain a Cloud ID

To enable the Elasticsearch integration, you need an API Key and, for Elastic Cloud Hosted deployments, an Elasticsearch Cloud ID.

{% hint style="info" %}
If you are using the Elasticsearch Serverless Projects-Based Model or an On-premise Elasticsearch using the Dropzone connector, you will not need to provide a Cloud ID.
{% endhint %}

To obtain an API Key, do the following:

* Navigate to your [Elastic Cloud home page](https://cloud.elastic.co/home) or deployment
* Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access
* Click "Open"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-0d8989dced05bb928bef74d23abc19673a644c67%2Felasticsearch-integration-1.png?alt=media" alt=""><figcaption><p>Click Manage</p></figcaption></figure>

* In the Deployment overview page, click "Management" in the bottom left corner
* Click the icon next to Stack Management
* Navigate to API keys

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-f9bf3d80de56ae40c3d18b66ba0e81c9e818517c%2Felasticsearch-integration-3.png?alt=media" alt=""><figcaption><p>Navigate to API keys</p></figcaption></figure>

* Click "Create an API key"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-68b47fd4003d2014244a24d3f4033b4600adb879%2Felasticsearch-integration-4.png?alt=media" alt=""><figcaption><p>Click "Create an API key"</p></figcaption></figure>

* Name the API key something memorable, such as Dropzone.AI
* Under type, select User API key
* Click "Create API Key"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-733821b4086bf7d0a14e0c1ae89b72cf2de03b6a%2Felasticsearch-integration-5.png?alt=media" alt=""><figcaption><p>Create an API key</p></figcaption></figure>

* Copy the API key generated for use later in the Dropzone UI, where it is called "API Key"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-f964d8d94be39c7e7e0bbd083a1cc265a40c2b52%2Felasticsearch-integration-6.png?alt=media" alt=""><figcaption><p>Copy the key</p></figcaption></figure>
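The steps above create a User API key through the Kibana UI. A User API key created without role descriptors inherits every privilege of the user who created it, so a practitioner will usually want to scope the key to read-only access on the alert data. The following added example (not code from the Dropzone documentation or from Elastic) builds the REST equivalent, `POST /_security/api_key`, with `role_descriptors` restricting the key, and checks a body for write-class privileges before it is sent. The index patterns, the role name `alert_reader`, the `metadata` value and the cluster URL are assumptions.

```python
"""Request body and HTTP request for a least-privilege Elasticsearch API key.

Added example: the REST equivalent of the Kibana "Create an API key" steps,
with role_descriptors that limit the key to reading alert data. The index
patterns, role name and URLs are assumptions, not values from the docs.
"""
import base64
import json
import urllib.request

# Assumed index patterns a SIEM consumer needs to read: the Kibana security
# alert indices and the logs-* data streams used for investigation context.
DEFAULT_READ_PATTERNS = [".alerts-security.alerts-*", "logs-*"]

# Index privileges that would let the key holder modify or destroy data.
WRITE_LIKE_PRIVILEGES = {"all", "write", "index", "create", "create_doc",
                         "delete", "delete_index", "create_index", "manage"}


def build_api_key_body(name, read_patterns=DEFAULT_READ_PATTERNS, expiration="90d"):
    """Body for POST /_security/api_key.

    Without role_descriptors an API key inherits every privilege of the user
    that created it; the descriptor below restricts it to read-only access
    on the listed patterns and to the 'monitor' cluster privilege.
    """
    return {
        "name": name,
        "expiration": expiration,
        "role_descriptors": {
            "alert_reader": {  # assumed role name
                "cluster": ["monitor"],
                "indices": [{
                    "names": list(read_patterns),
                    "privileges": ["read", "view_index_metadata"],
                }],
            }
        },
        "metadata": {"purpose": "siem-alert-consumer"},  # assumed tag
    }


def is_least_privilege(body):
    """True when every descriptor is read-only and none is cluster-wide.

    A body with no role_descriptors at all is rejected too, because such a
    key silently inherits the creating user's full privilege set.
    """
    descriptors = body.get("role_descriptors", {})
    if not descriptors:
        return False
    for descriptor in descriptors.values():
        if {"all", "manage", "manage_security"} & set(descriptor.get("cluster", [])):
            return False
        for index_grant in descriptor.get("indices", []):
            if WRITE_LIKE_PRIVILEGES & set(index_grant.get("privileges", [])):
                return False
    return True


def basic_auth_header(user, password):
    """HTTP Basic header for the administrative user that creates the key."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def api_key_auth_header(encoded_key):
    """Header a consumer sends later; 'encoded' comes from the create response."""
    return {"Authorization": f"ApiKey {encoded_key}"}


def create_api_key_request(es_url, admin_user, admin_password, body):
    """Build (but do not send) the POST /_security/api_key request."""
    req = urllib.request.Request(
        es_url.rstrip("/") + "/_security/api_key",
        data=json.dumps(body).encode(),
        method="POST",
    )
    req.add_header("Content-Type", "application/json")
    for key, value in basic_auth_header(admin_user, admin_password).items():
        req.add_header(key, value)
    return req


if __name__ == "__main__":
    body = build_api_key_body("Dropzone.AI")
    assert is_least_privilege(body)
    req = create_api_key_request("https://example.es.invalid:9243", "elastic", "change-me", body)
    # To create the key for real: urllib.request.urlopen(req) and read the
    # "encoded" field of the JSON response; that is the value pasted into the UI.
    print(req.full_url)
    print(json.dumps(body, indent=2))
```

The `encoded` value in the create response is the credential the integration uses (sent as `Authorization: ApiKey <encoded>`); store it in a secrets manager rather than in the script, and set an `expiration` so a leaked key has a bounded lifetime.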

To obtain your Elasticsearch Cloud ID, do the following:

* Navigate to your [Elastic Cloud home page](https://cloud.elastic.co/home)
* Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access
* Click "Open"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-0d8989dced05bb928bef74d23abc19673a644c67%2Felasticsearch-integration-1.png?alt=media" alt=""><figcaption><p>Click Open</p></figcaption></figure>

* In the upper right of the Overview page, click "Endpoint & API Keys"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-d24e82d0e80b51f7385b4970ef70478c783ba152%2Felasticsearch-integration-2.png?alt=media" alt=""><figcaption><p>Click Endpoint &#x26; API Keys</p></figcaption></figure>

* Check "Show Cloud ID"
* Copy the value shown for use later in the Dropzone UI, where it is called "Elasticsearch Cloud ID"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-ada277487a3f8e33c2b1d2784c83b476e4e81086%2Felasticsearch-integration-7.png?alt=media" alt=""><figcaption><p>Copy the Elasticsearch Cloud ID</p></figcaption></figure>

## Enable Elasticsearch

To enable the Alert Source integration, you will need the following information:

| Dropzone Field         | Source                                                                                              |
| ---------------------- | --------------------------------------------------------------------------------------------------- |
| Elasticsearch Cloud ID | The cloud ID value copied earlier. Only necessary if you have an Elastic Cloud Hosted deployment    |
| Elasticsearch Server   | The server for your Elasticsearch project, e.g. <https://my-project.es.us-west-2.aws.elastic.cloud> |
| API Token              | The API token value generated earlier                                                               |

To enable the Alert Source integration, do the following:

* Navigate to your Dropzone AI tenant home page e.g. https\://*mycompany*.dropzone.app
* In the bottom left hand corner, navigate to Settings > Integrations

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-b3f07f902b1402dadc7abbd8bb62f9c204547390%2Fui-integrations-dropdown.png?alt=media" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-434641ec6d4e45051842f86164f485d6bd289424%2Fapp_system_integrations_available.png?alt=media" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search Elasticsearch, then click "Configure"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-1d9380768be4d9986b67f4ec218c0490b7042c35%2Fapp_system_integrations_available_elasticsearch.png?alt=media" alt=""><figcaption><p>The Elasticsearch Tile</p></figcaption></figure>

* Under the Alert Source heading, if your Elasticsearch integration is behind an [On-premise Dropzone Connector](https://docs.dropzone.ai/platform/settings/connector), select your connector from the dropdown
* If you have a Cloud deployment, check the box labeled "Connect with Elastic Cloud ID," then input the Elasticsearch Cloud ID and API Key

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-ed378e72ca691bf33f876f21ad48bd778527f19c%2Fapp_system_integrations_available_elasticsearch_config_1.png?alt=media" alt=""><figcaption><p>The Elasticsearch Alert Cloud ID Configuration</p></figcaption></figure>

* Otherwise, input the Elasticsearch Server, Port, and API Key

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-fa078c1eb956cd428989c91f1b7a215db2bf078e%2Fapp_system_integrations_available_elasticsearch_config_2.png?alt=media" alt=""><figcaption><p>The Elasticsearch Alert Configuration (pt 1)</p></figcaption></figure>

* If you wish to enable namespace-based multitenancy, check the box labeled "Utilize namespace for multi-tenant environment." Otherwise, leave it unchecked. See the Multitenancy Configuration Using Namespaces section at the bottom of this page for further information

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-631aa0e73d53c09a9c5d64816472d8d456d8fea3%2Felasticsearch_namespace_config.png?alt=media" alt=""><figcaption><p>The Elasticsearch Multi-tenant Namespace Configuration</p></figcaption></figure>

* Under the heading Elasticsearch Alert Queries, click "Add item" to add Elasticsearch Alert Queries for Dropzone to investigate

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-1280a1d24611d68a7c85f20add90b9da9a5cd4d2%2Fapp_system_integrations_available_elasticsearch_config_3.png?alt=media" alt=""><figcaption><p>The Elasticsearch Alert Configuration (pt 2)</p></figcaption></figure>

* You may use the Elasticsearch [Kibana alerts](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html), or create your own custom index and query string
* To use your own custom index and query string, uncheck the box labeled "Use Kibana Alerts." Input your custom index and query string into the areas labeled "Custom Index" and "Query String", then click "Add Item"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-37149908d6a9f53e81335a2a18ea0f82bcd23a8c%2Fapp_system_integrations_available_elasticsearch_config_4.png?alt=media" alt=""><figcaption><p>The Elasticsearch Kibana Alert Configuration (pt 3)</p></figcaption></figure>

* To use Elasticsearch Kibana Alerts, check the box labeled "Use Kibana Alerts"
  * In the "Kibana Alert Index" section, input an Index pattern for Kibana security alerts
  * You may choose to allow Dropzone to ingest only alerts with specific statuses (as defined in the Kibana alert [schema](https://www.elastic.co/guide/en/security/current/alert-schema.html)) under the heading "Kibana Alert Status Allowlist". If you do, click "Add Item" to add each Kibana alert status. Otherwise, leave blank

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-54e54f334b1baa69e640180235898d3929cc8676%2Fapp_system_integrations_available_elasticsearch_config_5.png?alt=media" alt=""><figcaption><p>The Elasticsearch Alert Configuration (pt 4)</p></figcaption></figure>

* Under the heading "Kibana Alert Severities", check the box for each severity level you want Dropzone to investigate alerts for

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-4a89129e5f9257f5854355919bea60971712efec%2Fapp_system_integrations_available_elasticsearch_config_6.png?alt=media" alt=""><figcaption><p>The Elasticsearch Alert Configuration (pt 5)</p></figcaption></figure>

* You may choose to include or exclude select Kibana Alert [Rules](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html#_rules)
  * If you wish to include an Alert Rule, click "Add item" under the heading "Kibana Alert Rule Allowlist". If you wish to exclude a rule, click "Add Item" under the section labeled "Kibana Alert Rule Exclusion List". Otherwise, leave blank

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-1642027c5e022b76cb1ca0432a2f2183151ed29a%2Fapp_system_integrations_available_elasticsearch_config_7.png?alt=media" alt=""><figcaption><p>The Elasticsearch Alert Configuration (pt 6)</p></figcaption></figure>

* Once you have finished adding your Elasticsearch Alert Queries, click "Add item" at the end of the Kibana Alerts section

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-204df163a1e425d2d7daa479224aeacb598d3b70%2Fapp_system_integrations_available_elasticsearch_config_8.png?alt=media" alt=""><figcaption><p>Click Add Item</p></figcaption></figure>

* Input your desired poll interval and lookback

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-4c7ea3bed79ba239af37678eecadaeb16c8d0b85%2Fapp_system_integrations_available_elasticsearch_config_9.png?alt=media" alt=""><figcaption><p>The Elasticsearch Alert Configuration (pt 7)</p></figcaption></figure>

* Click "Test & Save" to finish

## Multitenancy Configuration Using Namespaces

The Elasticsearch integration supports multitenancy based on the Elastic data stream naming scheme. This approach allows you to leverage Elasticsearch's built-in data organization capabilities while maintaining proper tenant separation within Dropzone.

### Understanding Elastic Namespaces

Elastic data streams follow a structured naming convention: **{type}-{dataset}-{namespace}**

The namespace component is a user-configurable arbitrary grouping that provides flexibility in organizing data. For example, you might have data streams like `logs-nginx.access-production` or `logs-nginx.access-staging`, where `production` and `staging` are different namespaces.

For more details on the Elastic data stream naming scheme, see [An introduction to the Elastic data stream naming scheme](https://www.elastic.co/blog/an-introduction-to-the-elastic-data-stream-naming-scheme).

### Enabling Namespace-Based Multitenancy

When the multitenant configuration is selected and the multitenant map is enabled in Dropzone, you can map Elasticsearch namespaces to tenants within the multitenant map. This restricts alert investigation to data within the specific namespace related to the alert.

To configure namespace-based multitenancy:

1. Define your namespace-to-tenant mappings to specify which Elasticsearch namespaces should be associated with which Dropzone tenants
2. Enable the multitenant configuration option in your Elasticsearch integration settings

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-631aa0e73d53c09a9c5d64816472d8d456d8fea3%2Felasticsearch_namespace_config.png?alt=media" alt=""><figcaption><p>The Elasticsearch Multi-tenant Namespace Configuration</p></figcaption></figure>

3. Ensure your Elasticsearch data streams follow the standard naming convention with appropriate namespace values
4. (Optional) Specify the namespaces whose alerts should be investigated; otherwise, all alerts that carry a namespace will be ingested.

{% hint style="warning" %}
If this configuration is enabled and an alert is ingested without the namespace specified, the alert will be dropped and will not be investigated.
{% endhint %}
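The routing rule described above (namespace to tenant, with alerts that carry no namespace dropped) can be illustrated with the following added example, which is not Dropzone's code and does not describe how Dropzone itself recovers the namespace. It assumes the namespace can be read from the ECS `data_stream.namespace` field of the alert document, falling back to parsing the `{type}-{dataset}-{namespace}` name of the originating data stream (recovered from a `.ds-<stream>-<yyyy.MM.dd>-<generation>` backing index name). The sample alert hits, the tenant names and the treatment of a namespace that has no tenant mapping (dropped here) are constructed assumptions.

```python
"""Route SIEM alert hits to tenants by the Elastic data stream namespace.

Added example, not Dropzone's implementation. Assumptions: the namespace is
taken from the ECS data_stream.namespace field when present, otherwise from
the data stream name derived from the hit's _index; an alert whose namespace
has no tenant mapping is dropped (the docs only specify the no-namespace case).
"""
import re

# Backing indices of a data stream are named .ds-<stream>-<yyyy.MM.dd>-<generation>.
_BACKING_INDEX = re.compile(r"^\.ds-(?P<stream>.+)-\d{4}\.\d{2}\.\d{2}-\d{6}$")


def data_stream_from_index(index_name):
    """Strip the .ds- prefix and rollover suffix; plain index names pass through."""
    match = _BACKING_INDEX.match(index_name)
    return match.group("stream") if match else index_name


def parse_data_stream_name(name):
    """Split {type}-{dataset}-{namespace}; returns a tuple or None if malformed.

    The type is everything before the first '-', the namespace everything
    after the last '-', so a dataset containing '-' still parses.
    """
    stream_type, sep, rest = name.partition("-")
    if not sep or not stream_type:
        return None
    dataset, sep, namespace = rest.rpartition("-")
    if not sep or not dataset or not namespace:
        return None
    return stream_type, dataset, namespace


def alert_namespace(hit):
    """Namespace of one search hit, or None when it cannot be determined."""
    source = hit.get("_source", {})
    namespace = source.get("data_stream", {}).get("namespace")
    if namespace:
        return namespace
    parsed = parse_data_stream_name(data_stream_from_index(hit.get("_index", "")))
    return parsed[2] if parsed else None


def route_alert(hit, namespace_to_tenant, investigate_namespaces=None):
    """Return (tenant, reason); tenant is None when the alert is dropped."""
    namespace = alert_namespace(hit)
    if namespace is None:
        # Documented behaviour: no namespace means the alert is not investigated.
        return None, "dropped: no namespace"
    if investigate_namespaces is not None and namespace not in investigate_namespaces:
        # Optional step 4: only the selected namespaces are investigated.
        return None, f"dropped: namespace {namespace!r} not selected"
    tenant = namespace_to_tenant.get(namespace)
    if tenant is None:
        return None, f"dropped: namespace {namespace!r} has no tenant mapping"  # assumed
    return tenant, "routed"


def route_all(hits, namespace_to_tenant, investigate_namespaces=None):
    return [route_alert(hit, namespace_to_tenant, investigate_namespaces) for hit in hits]


# Constructed sample hits in the shape of Elasticsearch search results.
SAMPLE_HITS = [
    {"_index": ".ds-logs-nginx.access-production-2024.05.01-000001",
     "_source": {"message": "constructed alert, namespace only in the index name"}},
    {"_index": ".ds-logs-nginx.access-staging-2024.05.01-000003",
     "_source": {"data_stream": {"type": "logs", "dataset": "nginx.access",
                                 "namespace": "staging"}}},
    {"_index": "legacy-alerts",
     "_source": {"message": "constructed alert with no namespace at all"}},
]

# Constructed namespace-to-tenant map, as entered in the multitenant map.
NAMESPACE_TO_TENANT = {"production": "acme-prod", "staging": "acme-staging"}


if __name__ == "__main__":
    for hit, (tenant, reason) in zip(SAMPLE_HITS, route_all(SAMPLE_HITS, NAMESPACE_TO_TENANT)):
        print(f"{hit['_index']:<55} -> {tenant or '-':<13} {reason}")
```

Running the block shows the first two hits routed to `acme-prod` and `acme-staging` and the third dropped; passing `investigate_namespaces={"production"}` additionally drops the staging alert, which is the effect of the optional namespace selection in step 4.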

If you encounter any errors, engage your Dropzone AI support representative.
