Elasticsearch

This is a combined document for enabling the Dropzone AI Data Source and Alert Source for Elasticsearch.

Elasticsearch is an SIEM integration. SIEM integrations are used to perform analysis of any SIEM generated alerts, and/or to use generated data as part of investigation analysis.

The Dropzone platform integrates with the Elasticsearch security SIEM. Many customers ingest other alert sources into Elasticsearch (e.g. IDPs) and integrate Dropzone into Elasticsearch rather than the source systems.

Create an API Key and Obtain a Cloud ID

Elasticsearch requires an API Key and an Elasticsearch Cloud ID to enable.

If you are using the Elasticsearch Serverless Projects-Based Model, you will need to provide an endpoint instead of a Cloud ID.

To obtain your Elasticsearch Cloud ID, do the following:

  • Navigate to your Elastic Cloud home page

  • Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access

  • Click "Open"

Click Open
  • In the upper right of the Overview page, click "Endpoint & API Keys"

Click Endpoint & API Keys
  • Check "Show Cloud ID"

  • Copy the value shown for use later in the Dropzone UI, where it is called "Elasticsearch Cloud ID"

Copy the Elasticsearch Cloud ID

If you are using the Elasticsearch Serverless Projects-Based Model, copy the Elasticsearch endpoint instead of the Cloud ID.

To obtain an API Key, do the following:

  • Navigate to your Elastic Cloud home page

  • Under the Hosted Deployments section, locate the deployment you wish Dropzone.AI to be able to access

  • Click "Open"

Click Manage
  • In the Deployment overview page, click Management in the bottom left corner

  • Click the icon next to Stack Management

  • Navigate to API keys

Navigate to API keys
  • Click "Create an API key"

Click "Create an API key"
  • Name the API key something memorable, such as Dropzone.AI

  • Under type, select User API key

  • Click "Create API Key"

Create an API key>
  • Copy the API key generated for use later in the Dropzone UI, where it will be called "API Key"

Copy the key

Enable the Dropzone Data Source Integration

To enable the Data Source integration, you will need the following information:

Dropzone Field
Source

Elasticsearch Cloud ID

The Cloud ID value found earlier

API Key

The API key you generated earlier

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, click Settings > Integrations

Integrations Dropdown
  • Click "Available"

Click Available
  • In the Search bar, search Elasticsearch, then click "Configure"

The Elasticsearch Tile
  • Under the Data Source heading, input the Elasticsearch Cloud ID and API Key

  • If you are using the Elasticsearch Serverless Projects-Based Model, check the box labeled "Use Elasticsearch Serverless" and input your Elasticsearch endpoint value

The Elasticsearch Data Configuration
  • Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Enable the Dropzone Alert Source Integration

To enable the Alert Source integration, you will need the following information:

Dropzone Field
Source

Elasticsearch Cloud ID

The cloud ID value found earlier

API Token

The API token value you generated earlier

To enable the Alert Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, click Settings > Integrations

Integrations Dropdown
  • Click "Available"

Click Available
  • In the Search bar, search Elasticsearch, then click "Configure"

The Elasticsearch Tile
  • Under the Alert Source heading, input the Elasticsearch Cloud ID and API Key

The Elasticsearch Alert Cloud ID Configuration
  • If you are using the Elasticsearch Serverless Projects-Based Model, check the box labeled "Use Elasticsearch Serverless" and input your Elasticsearch endpoint value

The Elasticsearch Alert Endpoint Configuration
  • Under the heading Elasticsearch Alert Queries, click "Add item" to add Elasticsearch Alert Queries for Dropzone to investigate

The Elasticsearch Alert Configuration (pt 2)
  • You may use the Elasticsearch Kibana alerts, or create your own custom index and query string

  • To use your own custom index and query string, uncheck the box labeled "Use Kibana Alerts." Input your custom index and query string into the areas labeled "Custom Index" and "Query String", then click "Add Item"

The Elasticsearch Kibana Alert Configuration (pt 3)
  • To use Elasticsearch Kibana Alerts, check the box labeled "Use Kibana Alerts"

    • In the "Kibana Alert Index" section, input an Index pattern for Kibana security alerts

    • You may choose to allow Dropzone to inject only specific Kibana alert schema under the heading "Kibana Alert Status Allowlist". If you do, click "Add Item" to add specific Kibana alert statuses. Otherwise, leave blank

The Elasticsearch Alert Configuration (pt 4)
  • Under the heading "Kibana Alert Severities", check the box for each severity level you want Dropzone to investigate alerts for

The Elasticsearch Alert Configuration (pt 5)
  • You may choose to allow Dropzone to allow or exclude select Kibana Alert Rules

    • If you wish to include an Alert Rule, click "Add item" under the heading "Kibana Alert Rule Allowlist". If you wish to exclude a rule, click "Add Item" under the section labeled "Kibana Alert Rule Exclusion List". Otherwise, leave blank

The Elasticsearch Alert Configuration (pt 6)
  • Once you have finished adding your Elasticsearch Alert Queries, click "Add item" above the Alert Queries section

  • Input your desired poll interval and lookback

The Elasticsearch Alert Configuration (pt 7)
  • Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Last updated

Was this helpful?