Dropzone AI Documentation
Elasticsearch

Last updated 1 month ago

This is a combined document for enabling the Dropzone AI Data Source and Alert Source for Elasticsearch.

Elasticsearch is a SIEM integration. SIEM integrations are used to analyze alerts the SIEM generates and/or to use the data it holds as part of investigation analysis.

The Dropzone platform integrates with the security SIEM. Many customers ingest other alert sources into Elasticsearch (e.g. IDPs) and integrate Dropzone with Elasticsearch rather than with each source system.

Create an API Key and Obtain a Cloud ID

Enabling the Elasticsearch integration requires an API Key and an Elasticsearch Cloud ID.

If you are using the Elasticsearch Serverless Projects-Based Model, you will need to provide an endpoint instead of a Cloud ID.

To obtain your Elasticsearch Cloud ID, do the following:

  • Navigate to your Elastic Cloud home page

  • Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access

  • Click "Open"

  • In the upper right of the Overview page, click "Endpoint & API Keys"

  • Check "Show Cloud ID"

  • Copy the value shown for use later in the Dropzone UI, where it is called "Elasticsearch Cloud ID"

If you are using the Elasticsearch Serverless Projects-Based Model, copy the Elasticsearch endpoint instead of the Cloud ID.

To obtain an API Key, do the following:

  • From the Elastic Cloud home page, under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access

  • Click "Open"

  • In the Deployment overview page, click Management in the bottom left corner

  • Click the icon next to Stack Management

  • Navigate to API keys

  • Click "Create an API key"

  • Name the API key something memorable, such as Dropzone.AI

  • Under type, select User API key. A User API key inherits the privileges of the user who creates it, so create it as a dedicated user with only the read access Dropzone needs rather than as an administrator

  • Click "Create API Key"

  • Copy the API key generated for use later in the Dropzone UI, where it will be called "API Key". The key is shown only once; if you lose it, create a new one.
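Before pasting the two values into Dropzone it is worth confirming that the Cloud ID decodes to the deployment you meant and that the key authenticates, and, where you create the key through the API rather than the Kibana UI, scoping it to read-only access. The Python below is an added example, not Dropzone's or Elastic's code. It assumes the Cloud ID layout Elastic Cloud uses (deployment name, then base64 of host[:port]$es_uuid$kibana_uuid), that the ApiKey Authorization header carries base64("id:api_key") (the "encoded" value Kibana shows for a new key), and that the index pattern and privilege set in least_privilege_key_request are placeholders to adjust for your deployment; the page does not state which privileges Dropzone needs.

```python
"""Prepare and sanity-check Elastic Cloud credentials before entering them in Dropzone.

Added example (not Dropzone or Elastic code). Assumptions, labelled here and in comments:
- A Cloud ID is "<deployment name>:<base64(host[:port]$es_uuid$kibana_uuid)>", the
  format Elastic Cloud uses and Elastic's own clients decode.
- An ApiKey Authorization header carries base64("<id>:<api_key>"); Kibana shows the
  same value as the "encoded" form of a new key.
- The index patterns passed to least_privilege_key_request are placeholders for the
  alert/data indices you want Dropzone to read.
"""
import base64
import binascii
import json
import os
import urllib.request
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoints:
    elasticsearch: str
    kibana: str


def build_cloud_id(name: str, host: str, es_uuid: str, kibana_uuid: str, port: int = 443) -> str:
    """Assemble a Cloud ID; used here only to construct offline test input."""
    payload = f"{host}:{port}${es_uuid}${kibana_uuid}"
    return f"{name}:{base64.b64encode(payload.encode()).decode()}"


def parse_cloud_id(cloud_id: str) -> Endpoints:
    """Decode a Cloud ID into the HTTPS endpoints it encodes.

    When "Test & Save" fails, querying this host directly separates a bad key
    from a mistyped Cloud ID.
    """
    try:
        _name, encoded = cloud_id.split(":", 1)
        decoded = binascii.a2b_base64(encoded.encode()).decode()
        parent, es_uuid, kibana_uuid = decoded.split("$")
    except (ValueError, binascii.Error) as exc:
        raise ValueError("not a valid Elastic Cloud ID") from exc
    host, _, port = parent.partition(":")
    port = port or "443"  # Elastic Cloud defaults to 443 when no port is encoded
    return Endpoints(
        elasticsearch=f"https://{es_uuid}.{host}:{port}",
        kibana=f"https://{kibana_uuid}.{host}:{port}",
    )


def api_key_header(api_key_id: str, api_key_secret: str) -> str:
    """Build the Authorization header value for an Elasticsearch API key.

    If you copied the "encoded" value from Kibana, it is already this base64
    token and can be used as "ApiKey <encoded>" without re-encoding.
    """
    token = base64.b64encode(f"{api_key_id}:{api_key_secret}".encode()).decode()
    return f"ApiKey {token}"


def least_privilege_key_request(name: str, index_patterns: list) -> dict:
    """Body for POST /_security/api_key that restricts the key to read-only access.

    A "User API key" made in the Kibana UI inherits every privilege of the
    creating user. Passing role_descriptors caps the key at what an
    investigation integration needs. The page does not list the privileges
    Dropzone requires, so this read-only set is an assumption: widen it only
    if "Test & Save" reports a permission error.
    """
    return {
        "name": name,
        "role_descriptors": {
            "dropzone_readonly": {
                "cluster": ["monitor"],
                "indices": [{"names": list(index_patterns),
                             "privileges": ["read", "view_index_metadata"]}],
            }
        },
    }


def authenticate(es_url: str, auth_header: str) -> dict:
    """Call GET /_security/_authenticate; the response names the key's user and roles."""
    req = urllib.request.Request(f"{es_url}/_security/_authenticate",
                                 headers={"Authorization": auth_header})
    with urllib.request.urlopen(req, timeout=10) as resp:  # network call; not run in tests
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration with a constructed Cloud ID and a placeholder index pattern.
    demo_id = build_cloud_id("demo", "us-east-1.aws.found.io", "es0123abcd", "kb4567efgh")
    print(parse_cloud_id(demo_id))
    print(json.dumps(least_privilege_key_request("Dropzone.AI", [".alerts-security.alerts-*"]), indent=2))
    # Live check only when real values are supplied via the environment (assumed variable names).
    if os.environ.get("ELASTIC_CLOUD_ID") and os.environ.get("ELASTIC_API_KEY_ENCODED"):
        es = parse_cloud_id(os.environ["ELASTIC_CLOUD_ID"]).elasticsearch
        print(authenticate(es, f"ApiKey {os.environ['ELASTIC_API_KEY_ENCODED']}"))
```

Run it with ELASTIC_CLOUD_ID and ELASTIC_API_KEY_ENCODED exported to see the `_authenticate` response; a 401 there means the key is wrong, a DNS or TLS failure means the Cloud ID does not point where you think. For Serverless projects there is no Cloud ID, so pass the project endpoint straight to `authenticate` instead.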

Enable the Dropzone Data Source Integration

To enable the Data Source integration, you will need the following information:

Dropzone Field          Source
Elasticsearch Cloud ID  The Cloud ID value found earlier
API Key                 The API key you generated earlier

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Available"

  • In the Search bar, search Elasticsearch, then click "Configure"

  • Under the Data Source heading, input the Elasticsearch Cloud ID and API Key

  • If you are using the Elasticsearch Serverless Projects-Based Model, check the box labeled "Use Elasticsearch Serverless" and input your Elasticsearch endpoint value

  • Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Enable the Dropzone Alert Source Integration

To enable the Alert Source integration, you will need the following information:

Dropzone Field          Source
Elasticsearch Cloud ID  The Cloud ID value found earlier
API Key                 The API key you generated earlier

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

  • Click System > Integrations

  • Click "Available"

  • In the Search bar, search Elasticsearch, then click "Configure"

  • Under the Alert Source heading, input the Elasticsearch Cloud ID and API Key

  • If you are using the Elasticsearch Serverless Projects-Based Model, check the box labeled "Use Elasticsearch Serverless" and input your Elasticsearch endpoint value

  • Under the heading Elasticsearch Alert Queries, click "Add item" to add Elasticsearch Alert Queries for Dropzone to investigate

  • To use your own custom index and query string, uncheck the box labeled "Use Kibana Alerts." Input your custom index and query string into the areas labeled "Custom Index" and "Query String", then click "Add Item"

  • To use Elasticsearch Kibana Alerts, check the box labeled "Use Kibana Alerts"

    • In the "Kibana Alert Index" section, input the index pattern that holds your Kibana security alerts.

  • Under the heading "Kibana Alert Severities", check the box for each severity level you want Dropzone to investigate alerts for

    • If you wish to investigate only specific alert rules, click "Add item" under the heading "Kibana Alert Rule Allowlist". If you wish to exclude a rule, click "Add Item" under the section labeled "Kibana Alert Rule Exclusion List". Otherwise, leave both blank.

  • Once you have finished adding your Elasticsearch Alert Queries, click "Add item" above the Alert Queries section

  • Input your desired Poll interval and lookback. Set the lookback to at least the poll interval, otherwise alerts that arrive between two polls are never fetched.

  • Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

You may use the Elasticsearch Kibana alerts schema, or create your own custom index and query string.

You may choose to have Dropzone ingest only Kibana alerts with specific statuses under the heading "Kibana Alert Status Allowlist". If you do, click "Add Item" to add each Kibana alert status. Otherwise, leave it blank.

You may choose to allow or exclude select Kibana Alert Rules using the "Kibana Alert Rule Allowlist" and "Kibana Alert Rule Exclusion List".
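The severity, status, rule allowlist, rule exclusion list, lookback and custom query string settings above all end up as filters on a periodic search of the alert index. The Python below is an added example of that translation, not Dropzone's polling code. It assumes Elastic Security 8.x field names (kibana.alert.severity, kibana.alert.workflow_status, kibana.alert.rule.name) and the index pattern ".alerts-security.alerts-*", that poll interval and lookback are minutes, and the alert documents it runs over are constructed for the example. It shows both the Query DSL a poll would send and, applied locally to the sample alerts, which of them each combination of settings selects.

```python
"""How the Alert Source settings translate into a poll of Elasticsearch.

Added example, not Dropzone's polling code. Assumptions (labelled):
- Kibana security alerts are documents with the fields kibana.alert.severity,
  kibana.alert.workflow_status and kibana.alert.rule.name (Elastic Security 8.x
  naming) in an index matching ".alerts-security.alerts-*".
- Poll interval and lookback are minutes; the lookback is a window on @timestamp.
- The sample alerts below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AlertSourceConfig:
    """One entry under "Elasticsearch Alert Queries" in the Dropzone UI."""
    index: str = ".alerts-security.alerts-*"   # "Kibana Alert Index" pattern (assumed default)
    severities: tuple = ("high", "critical")     # "Kibana Alert Severities"
    statuses: tuple = ("open",)                  # "Kibana Alert Status Allowlist"; empty = any
    rule_allowlist: tuple = ()                   # "Kibana Alert Rule Allowlist"; empty = any
    rule_exclusion: tuple = ()                   # "Kibana Alert Rule Exclusion List"
    lookback_minutes: int = 60
    query_string: str = ""                       # custom "Query String" when "Use Kibana Alerts" is off


def build_search_body(cfg: AlertSourceConfig, now: datetime) -> dict:
    """Query DSL equivalent of one poll: lookback window plus the configured filters."""
    since = now - timedelta(minutes=cfg.lookback_minutes)
    filters = [{"range": {"@timestamp": {"gte": since.isoformat(), "lte": now.isoformat()}}}]
    must_not = []
    if cfg.query_string:
        # Custom mode: the operator's Lucene query string replaces the Kibana alert filters.
        filters.append({"query_string": {"query": cfg.query_string}})
    else:
        filters.append({"terms": {"kibana.alert.severity": list(cfg.severities)}})
        if cfg.statuses:
            filters.append({"terms": {"kibana.alert.workflow_status": list(cfg.statuses)}})
        if cfg.rule_allowlist:
            filters.append({"terms": {"kibana.alert.rule.name": list(cfg.rule_allowlist)}})
        if cfg.rule_exclusion:
            must_not.append({"terms": {"kibana.alert.rule.name": list(cfg.rule_exclusion)}})
    return {"query": {"bool": {"filter": filters, "must_not": must_not}},
            "sort": [{"@timestamp": "asc"}]}


def select_alerts(docs: list, cfg: AlertSourceConfig, now: datetime) -> list:
    """Apply the Kibana-alert filters locally; returns the _id of each alert the poll would pick up."""
    since = now - timedelta(minutes=cfg.lookback_minutes)
    picked = []
    for doc in docs:
        ts = datetime.fromisoformat(doc["@timestamp"])
        if not since <= ts <= now:
            continue
        if doc["kibana.alert.severity"] not in cfg.severities:
            continue
        if cfg.statuses and doc["kibana.alert.workflow_status"] not in cfg.statuses:
            continue
        rule = doc["kibana.alert.rule.name"]
        if cfg.rule_allowlist and rule not in cfg.rule_allowlist:
            continue
        if rule in cfg.rule_exclusion:
            continue
        picked.append(doc["_id"])
    return picked


def lookback_covers_interval(poll_minutes: int, lookback_minutes: int) -> bool:
    """A lookback shorter than the poll interval leaves alerts between polls unfetched."""
    return lookback_minutes >= poll_minutes


def _alert(_id, ts, severity, status, rule):
    return {"_id": _id, "@timestamp": ts, "kibana.alert.severity": severity,
            "kibana.alert.workflow_status": status, "kibana.alert.rule.name": rule}


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    _alert("a1", "2024-05-01T12:05:00+00:00", "high", "open", "Suspicious PowerShell"),
    _alert("a2", "2024-05-01T12:10:00+00:00", "low", "open", "Port Scan"),
    _alert("a3", "2024-05-01T12:12:00+00:00", "critical", "closed", "Credential Dumping"),
    _alert("a4", "2024-05-01T12:20:00+00:00", "high", "open", "Noisy Test Rule"),
    _alert("a5", "2024-05-01T09:00:00+00:00", "critical", "open", "Credential Dumping"),
]
NOW = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    cfg = AlertSourceConfig(rule_exclusion=("Noisy Test Rule",))
    print(select_alerts(SAMPLE_ALERTS, cfg, NOW))
    print(build_search_body(cfg, NOW))
```

With the defaults plus one excluded rule, only a1 survives: a2 is below the severity floor, a3 is closed, a4 is excluded by rule, and a5 is older than the 60-minute lookback. Widening the lookback to 300 minutes, clearing the status allowlist and allowlisting "Credential Dumping" instead picks a3 and a5, which is the kind of difference to reason through before saving the configuration.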
