Elasticsearch
The Dropzone platform integrates with the Elasticsearch security SIEM. Many customers ingest other alert sources into Elasticsearch (e.g. IDPs) and integrate Dropzone into Elasticsearch rather than the source systems.
Create an API Key and Obtain a Cloud ID
Elasticsearch requires an API Key and an Elasticsearch Cloud ID to enable.
To obtain your Elasticsearch Cloud ID, do the following:
Navigate to your Elastic Cloud home page
Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access
Click "Open"

In the upper right of the Overview page, click "Endpoint & API Keys"

Check "Show Cloud ID"
Copy the value shown for use later in the Dropzone UI, where it is called "Elasticsearch Cloud ID"

To obtain an API Key, do the following:
Navigate to your Elastic Cloud home page
Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access
Click "Open"

In the Deployment overview page, click Management in the bottom left corner
Click the icon next to Stack Management
Navigate to API keys

Click "Create an API key"

Name the API key something memorable, such as Dropzone.AI
Under type, select User API key
Click "Create API Key"

Copy the API key generated for use later in the Dropzone UI, where it will be called "API Key"

Enable the Dropzone Data Source Integration
To enable the Data Source integration, you will need the following information:
Elasticsearch Cloud ID
The Cloud ID value found earlier
API Key
The API key you generated earlier
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations

Click "Available"

In the Search bar, search Elasticsearch, then click "Configure"

Under the Data Source heading, input the Elasticsearch Cloud ID and API Key
If you are using the Elasticsearch Serverless Projects-Based Model, check the box labeled "Use Elasticsearch Serverless" and input your Elasticsearch endpoint value

Click "Test & Save" to finish
If you have any errors engage your Dropzone AI support representative.
Enable the Dropzone Alert Source Integration
To enable the Alert Source integration, you will need the following information:
Elasticsearch Cloud ID
The cloud ID value found earlier
API Token
The API token value you generated earlier
To enable the Alert Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app
In the bottom left hand corner, click Settings > Integrations

Click "Available"

In the Search bar, search Elasticsearch, then click "Configure"

Under the Alert Source heading, input the Elasticsearch Cloud ID and API Key

If you are using the Elasticsearch Serverless Projects-Based Model, check the box labeled "Use Elasticsearch Serverless" and input your Elasticsearch endpoint value

Under the heading Elasticsearch Alert Queries, click "Add item" to add Elasticsearch Alert Queries for Dropzone to investigate

You may use the Elasticsearch Kibana alerts, or create your own custom index and query string
To use your own custom index and query string, uncheck the box labeled "Use Kibana Alerts." Input your custom index and query string into the areas labeled "Custom Index" and "Query String", then click "Add Item"

To use Elasticsearch Kibana Alerts, check the box labeled "Use Kibana Alerts"
In the "Kibana Alert Index" section, input an Index pattern for Kibana security alerts
You may choose to allow Dropzone to inject only specific Kibana alert schema under the heading "Kibana Alert Status Allowlist". If you do, click "Add Item" to add specific Kibana alert statuses. Otherwise, leave blank

Under the heading "Kibana Alert Severities", check the box for each severity level you want Dropzone to investigate alerts for

You may choose to allow Dropzone to allow or exclude select Kibana Alert Rules
If you wish to include an Alert Rule, click "Add item" under the heading "Kibana Alert Rule Allowlist". If you wish to exclude a rule, click "Add Item" under the section labeled "Kibana Alert Rule Exclusion List". Otherwise, leave blank

Once you have finished adding your Elasticsearch Alert Queries, click "Add item" above the Alert Queries section
Input your desired poll interval and lookback

Click "Test & Save" to finish
If you have any errors engage your Dropzone AI support representative.
Last updated
Was this helpful?