Elasticsearch

The Dropzone platform integrates with the security SIEM. Many customers ingest other alert sources into Elasticsearch (e.g. IDPs) and integrate Dropzone into Elasticsearch rather than the source systems.

Create an API Key and Obtain a Cloud ID

Elasticsearch requires an API Key and an Elasticsearch Cloud ID to enable.

To obtain your Elasticsearch Cloud ID, do the following:

• Navigate to your

• Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access

• Click "Open"

• In the upper right of the Overview page, click "Endpoint & API Keys"

• Check "Show Cloud ID"

• Copy the value shown for use later in the Dropzone UI, where it is called "Elasticsearch Cloud ID"

To obtain an API Key, do the following:

• Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access

• Click "Open"

• In the Deployment overview page, click Management in the bottom left corner

• Click the icon next to Stack Management

• Navigate to API keys

• Click "Create an API key"

• Name the API key something memorable, such as Dropzone.AI

• Under type, select User API key

• Click "Create API Key"

• Copy the API key generated for use later in the Dropzone UI, where it will be called "API Key"

Enable the Dropzone Data Source Integration

To enable the Data Source integration, you will need the following information:

To enable the Data Source integration, do the following:

• Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

• In the bottom left hand corner, click Settings > Integrations

• Click "Available"

• In the Search bar, search Elasticsearch, then click "Configure"

• Under the Data Source heading, input the Elasticsearch Cloud ID and API Key

• If you are using the Elasticsearch Serverless Projects-Based Model, check the box labeled "Use Elasticsearch Serverless" and input your Elasticsearch endpoint value

• Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Enable the Dropzone Alert Source Integration

To enable the Alert Source integration, you will need the following information:

To enable the Alert Source integration, do the following:

• Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

• In the bottom left hand corner, click Settings > Integrations

• Click "Available"

• In the Search bar, search Elasticsearch, then click "Configure"

• Under the Alert Source heading, input the Elasticsearch Cloud ID and API Key

• If you are using the Elasticsearch Serverless Projects-Based Model, check the box labeled "Use Elasticsearch Serverless" and input your Elasticsearch endpoint value

• Under the heading Elasticsearch Alert Queries, click "Add item" to add Elasticsearch Alert Queries for Dropzone to investigate

• To use your own custom index and query string, uncheck the box labeled "Use Kibana Alerts." Input your custom index and query string into the areas labeled "Custom Index" and "Query String", then click "Add Item"

• To use Elasticsearch Kibana Alerts, check the box labeled "Use Kibana Alerts"

  • In the "Kibana Alert Index" section, input an Index pattern for Kibana security alerts

• Under the heading "Kibana Alert Severities", check the box for each severity level you want Dropzone to investigate alerts for

• • If you wish to include an Alert Rule, click "Add item" under the heading "Kibana Alert Rule Allowlist". If you wish to exclude a rule, click "Add Item" under the section labeled "Kibana Alert Rule Exclusion List". Otherwise, leave blank

• Once you have finished adding your Elasticsearch Alert Queries, click "Add item" above the Alert Queries section

• Input your desired poll interval and lookback

• Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.