Elasticsearch 1.0.0
App Vendor: Elasticsearch
App Category: Configuration Management Database (CMDB)
App Version: 1.0.6
API Version: 1.0.0
About App
Elasticsearch app allows security teams to manage indexes that help analysts to find anomalies and hunt for potential threats that target your organization's data. The Elastic Search app for the Orchestrate allows you to perform the following actions.
Action Name | Description |
|---|---|
Update data in index with unique ID | This action updates data in an index with a unique ID. |
Get index data | This action retrieves the data inside an index. The data, type, and unique ID associated with all the docs in an index are retrieved. |
Delete data inside an index with unique ID | This action deletes the data inside an index with the unique ID. |
Add JSON data to an index | This action adds the JSON data to an index and returns the associated unique ID. |
Dump JSON data into an index | This action dumps JSON data into an index. |
Delete an index | This action deletes an index. |
Query-based search | This action is used to search based on queries in overall indexes. |
Dump data into index with external JSON file | This action dumps data into the index with an external JSON file. |
Custom search | This action is used to search with custom parameters passed by the user. |
Create an index | This action creates an index with default settings. |
Configuration Parameters
The following configuration parameters are required for the Elasticsearch app to communicate with the Elasticsearch deployment.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Base URL | Enter the Base URL for the Elastic Search API Endpoint. Example: https://example.com:9200 | Text | Required | |
Username | Specify the username for the Elastic Search API endpoint. | Text | Required | |
Password | Specify the password for the Elastic Search API endpoint for authentication. | Password | Required |
Action: Update data in index with unique ID
This action is used to update data in an index with the unique ID.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the name of the index. Example: "MyIndex1" | Text | Required | |
Unique ID | Specify the unique ID in an index. | Text | Required | You can retrieve the unique ID using the Get Index Data action. |
JSON Data | Specify the JSON data that to update. Example: {"name": "MyIndex2"}. | Any | Required |
[
{
"json_data": {
"Course": "Course Example"
},
"unique_id": "csxxxXYB_txxxxB-pos",
"index_name": "MyIndex1"
}
]Action: Get index data
This action is used to retrieve the data inside an index. The data, type, and unique ID associated with all the docs in an index are retrieved.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the Name of the Index to get data. | Text | Required |
[
{
"index_name": "MyIndex1"
}
]Action: Delete data inside an index with unique ID
This action deletes the data inside an index with the unique ID.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the Name of the Index to delete data. | Text | Required | |
Unique ID | Specify the unique ID of the data in the index. | Text | Required | You can retrieve the unique ID using the Get Index Data action. |
[
{
"unique_id": "bxxxxB_t5xxxrc",
"index_name": "MyIndex1"
}
]Action: Add JSON data to an index
This action adds the JSON data to an index and return the associated unique ID.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
JSON Data | Enter the JSON data in string format. Example: {"name": "MyIndex2"}. | Text | Required | |
Index name | Specify the name of the index. Example: "MyIndex1" | Text | Required |
[
{
"json_data": {
"Course": "MyCourse"
},
"index_name": "MyIndex1"
}
]Action: Dump JSON data into an index
This action dumps JSON data into an index.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
JSON Data | Enter the JSON data in string format. Example: {"name": "MyIndex2"}. | Text | Required | |
Index name | Specify the name of the index. Example: "MyIndex1" | Text | Required |
[
{
"json_data": "{\"Subject\":\"Wireshark\"}",
"index_name": "MyIndex1"
}
]Action: Delete an index
This action deletes an index.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the name of the index. Example: "MyIndex1" | Text | Required |
[
{
"index_name": "MyIndex"
}
]Action: Query-based search
This action is used to search based on queries in overall indexes.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query string | Enter the query string to search for results. Example: "MyIndex". | Text | Required |
[
{
"query": "example index"
}
]Action: Dump data into index with external JSON file
This action dumps data into the index with an external JSON file.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
File path | Specify the file path to which you want to dump JSON data. Example: "\Program Files\Security\VirusTotal.json" | Text | Required | |
Index name | Specify the Index Name to dump data. | Text | Required |
[
{
"filename": "\Program Files\Security\VirusTotal.zip",
"index_name": "MyIndex1"
}
]Action: Custom search
This action is used to search with custom parameters passed by the user.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the Index Name to search data. Example: "MyIndex" | Text | Required | |
Query string | Enter the query string to search for data. Example: "MyIndex" | Text | Required |
[
{
"query": "Wireshark",
"index_name": "MyIndex"
}
]Action: Create an index
This action creates an index with default settings.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the Index Name to dump data. Example: "My New Index" | Text | Required |
[
{
"index_name": "My New Index"
}
]