Elastic SIEM
App Vendor: Elastic
Connector Category: Analytics and SIEM
Connector Version: 1.3.0
API Version: 1.0.0
About App
The Elastic SIEM app allows security teams to detect, investigate, and quickly respond to complex threats through case management. It enables security analysts to gather evidence of an attack, annotate relevant events, and respond to the most relevant threats. Using the SIEM app, you can manage list containers that group common list items which define exceptions for scenarios when rule alerts are not generated even when any other rule criteria are met.
The Elastic SIEM app is configured with the Orchestrate application to perform the following actions:
Action | Description |
|---|---|
Add a Comment in a Case | This action adds a new comment to a case. |
Create a Case | This action creates a new case with a title, description, and other fields. |
Create List Container | This action creates a list container. |
Create List Item | This action creates a list item in the specified list container. |
Find Cases | This action is used to search or find cases using query parameters. |
Get Activity List for a Case | This action retrieves a list of case activities using the case ID. |
Get Alerts | This action retrieves alerts. |
Get All List Containers | This action retrieves all the available list containers. |
Get Details of a Case | This action retrieves the details of a specific case using the case ID. |
Get Details of a Case Comment | This action retrieves the details of a specific case comment using the case ID and comment ID. |
Get List Item | This action gets the details of a list item using the list item ID. |
List Case Reporters | This action retrieves a list of reporters or users who opened specific cases. |
Update a Case | This action updates a case with the current case version along with additional fields. |
Update Case Comment | This action updates the details of an existing comment using the case ID and comment ID. |
Update List Item | This action updates a list item with a new value. |
Update Signal Status | This action updates the signal status. |
Generic Action | This is a generic action to access any endpoint on Elastic SIEM. |
Configuration Parameters
The following configuration parameters are required for the Elastic SIEM app to communicate with the Elastic SIEM enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Base URL | Enter the Elastic SIEM base URL as <http[s]://BASE URL.TLD[:port]> | Text | Required | |
Username | Enter the Elastic SIEM username. | Text | Optional | NoteYou must provide either an API key or both a Username and Password. |
Password | Enter the Elastic SIEM password. | Password | Optional | NoteYou must provide either an API key or both a Username and Password. |
API Key | Enter the Elastic SIEM API Key. | Password | Optional | NoteYou must provide either an API key or both a Username and Password. |
SSL Verification | Choose your preference to verify SSL or TLS while making requests. It is recommended to set this option to yes. Passing no may result in incorrectly establishing the connection. | Boolean | Optional | Default value: False |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Elastic SIEM. | Integer | Optional | Allowed range: 15-120 Default value: 15 |
Action: Add a Comment in a Case
This action adds a new comment to a case.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the case ID to add a comment to. | Text | Required | You can retrieve the case ID using the action Find Cases. |
Comment | Enter a comment to the case. Example: This is a sample comment | Text | Required | |
Owner | Enter the application that owns the case. | Text | Optional | Allowed values: cases, observability, securitySolution Default value: securitySolution |
Example Request
[
{
"case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33",
"comment": "This is a sample comment."
}
]Action: Create a Case
This action creates a new case.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Title | Enter a title to create a new case. Example: Threat | Text | Required | |
Description | Enter the case description. Example: Locate the threat | Text | Required | |
Tags | Enter the tags containing words and phrases that help categorize cases. By default, the array is empty. Example: ["phishing", "social engineering"] | Any | Optional | |
Owner | Enter the application that owns the case. | Text | Optional | Allowed values: cases, observability, securitySolution Default value: securitySolution |
Sync Alerts | Choose true to turn on alert syncing. | Boolean | Optional | Default value: True |
Example Request
[
{
"tags":[
"phishing"
],
"title": "This is a sample threat case",
"description": "This is to locate all the sample threats.",
"owner": "cases"
}
]Action: Create List Container
This action creates a list container with the given name and description.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comment |
|---|---|---|---|---|
List Container Name | Enter a name for the list container. Example: exclude-internal-IPs | Text | Required | |
Description | Enter a description for the list container. Example: Contains list items that exclude internal IPs | Text | Required | |
Type | Enter the data type of the items (excludes) that the list container holds. Example: ip | Text | Required | Allowed values: keyword, ip, ip_range |
Extra Params | Enter the extra parameters as key-value pairs to create the list container. | Key-Value | Optional | Allowed keys: deserializer, id, meta, serializer, version |
Example Request
[
{
"name": "Exclude IP ranges",
"description": "Contains list items that exclude internal IPs",
"type": "ip",
"extra_params": {
"id": "exclude-internal-IPs",
"version": "1.0",
"serializer": "(?<gte>.+)/(?<lte>.+)",
"deserializer": "{{{gte}}}--{{{lte}}}"
}
}
]Action: Create List Item
This action creates a list item and associates it with a list container. All the list items associated with the same container must be of the same type.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
List ID | Enter the ID of the associated list container. Example: exclude-internal-IPs | Text | Required | |
Value | Enter the values used to evaluate exceptions. Example: 10.0.0.3 | Text | Required | |
Unique ID | Enter the unique ID for the list item. Example: IP001 | Text | Optional | |
Meta | Enter the metadata about the list item. This is used to evaluate exceptions. Example: "updated_by": "testorg" | Text | Optional |
Example Request
[
{
"list_id": "exclude-internal-IPs",
"value": "10.0.0.3",
"id": "IP001",
"updated_by": "testorg",
"updated_at": "2020-08-11T10:54:46.080Z"
}
]Action: Find Cases
This action is used to search or find cases using query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Extra Params | Enter any query parameters in the form of key-value pairs to find cases. | Key Value | Optional | Allowed keys: assignees, category, defaultSearchOperator, from, owner, search, searchFields, severity, to, page, perPage, sortField, sortOrder, status, tags, reporters |
Example Request
[
{
"query_params": {
"page": "1",
"tags": "test",
"status": "open",
"perPage": "10",
"reporters": "elastic",
"sortFields": "createdAt",
"sortOrder": "asc"
}
}
]Action: Get Activity List for a Case
This action retrieves a list of reporters or users who opened specific cases.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the case ID to retrieve the list of case activities. Example: e6a53980-5612-11eb-a445-4930bd0b6a33 | Text | Required | You can retrieve the case ID using the action Find Cases. |
Example Request
[
{
"case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33"
}
]Action: Get Alerts
This action retrieves alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Latest | Enter the latest timestamp to retrieve alerts. Example: 1631623910 | Text | Optional | Default value: current time |
Earliest | Enter the earliest timestamp to retrieve alerts. Example: 1600087910 | Text | Optional | Default value: 90 days prior |
Signal Status | Enter the signal status to filter the results. Example: open | Text | Optional | Default value: open Allowed values: open, in-progress, closed |
Risk Score | Enter the risk score to filter the alerts greater than the specified risk score. Example: 70 | Integer | Optional | Default value: greater than or equal to 0 |
Example Request
[
{
"latest":1631623910,
"signal_status":"open",
"risk_score":70
}
]Action: Get All List Containers
This action retrieves all the available list containers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Extra Params | Enter the extra parameters as key-value pairs to retrieve the list containers. | Key Value | Optional | Allowed keys: list_id, page, per_page, sort_order |
Example Request
[
{
"extra_params": {
"list_id": "internal-ip-excludes",
"page": "1",
"per_page": "20",
"sort_order": "asc"
}
}
]Action: Get Details of a Case
This action retrieves the details of a specific case using the case ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the case ID to retrieve details of the case. | Text | Required | You can retrieve the case ID using the action Find Cases. |
Include comments | Choose true to include comments in the response. | Boolean | Optional | Default value: True |
Example Request
[
{
"case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33",
"include_comments": true
}
]Action: Get Details of a Case Comment
This action retrieves the details of a specific case comment using the case ID and comment ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the case ID for which you are retrieving comments. | Text | Required | You can retrieve the case ID using the action Find Cases. |
Comment ID | Enter the comment ID. | Text | Required | You can retrieve the comment ID using the action Get Details of a Case. |
Example Request
[
{
"case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33",
"comment_id": "441bebe0-5613-11eb-a445-4930bd0b6a33"
}
]Action: Get List Item
This action gets the details of a list item using the list item ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Unique ID | Enter the ID of the list item for which you want to fetch details. | Text | Required |
Example Request
[
{
"id": "IP001"
}
]Action: List Case Reporters
This action retrieves a list of reporters or users who opened cases.
Action Input Parameters
No input parameters are required for this action.
Action: Update a Case
This action updates an existing case with the current case version and other additional fields.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the case ID. | Text | Required | You can retrieve the case ID using the action Find Cases. |
Current Case Version | Enter the current case version. Example: WzIzLDFd | Text | Required | You can retrieve the case version using the action Find Cases. |
Extra Params | Enter the additional fields in the form of key-value pairs to update the case. | Key Value | Optional | Allowed keys: assignees, category, connector, customFields, description, id, settings, severity, status, tags, title |
Example Request
[
{
"case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33",
"version": "WzM2NiwxXQ==",
"extra_fields": {
"tags": [
"test"
],
"status": "open",
"connector_id": "131d4448-abe0-4789-939d-8ef60680b498",
"title": "This case title has been updated over connector.",
"description": "This case description has been updated over connector."
}
}
]Action: Update Case Comment
This action updates the details of an existing comment using the case ID and comment ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the case ID. Example: e6a53980-5612-11eb-a445-4930bd0b6a33 | Text | Required | You can retrieve the case ID using the action Find Cases. |
Comment ID | Enter the comment ID. Example: 441bebe0-5613-11eb-a445-4930bd0b6a33 | Text | Required | You can retrieve the comment ID using the action Get Details of a Case. |
Comment | Enter the comment to be updated for the case. Example: Threat detected | Text | Required | |
Current Comment Version | Enter the current comment version. Example: WzExODQyNSwzN10= | Text | Required | You can retrieve the comment version using the action Get Details of a Case Comment. |
Owner | Enter the application that owns the case. | Text | Optional | Allowed values: cases, observability, securitySolution Default value: securitySolution |
Example Request
[
{
"case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33",
"comment": "Threat detected",
"comment_id": "441bebe0-5613-11eb-a445-4930bd0b6a33",
"comment_version": "WzMzMiwxXQ=="
}
]Action: Update List Item
This action updates an existing list item with a new value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Unique ID | Enter the ID of the list item you want to update. Example: IP001 | Text | Required | |
Value | Enter the value (to be updated) used to evaluate exceptions. Example: 10.0.0.8 | Text | Required | |
Version | Enter a specific version to prevent update conflicts. Example: CYVER01 | Text | Optional |
Example Request
[
{
"id": "IP001",
"value": "10.0.0.8",
"version": "CYVER0"
}
]Action: Update Signal Status
This action updates the signal status.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
ID List | Enter a list of signal IDs to update. Example: $LIST[694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba, 4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0] | List | Required | You must either provide ID List or Query, but not both simultaneously. |
Query | Enter the query to determine the signals to be updated. | Key value | Optional | You must either provide an ID List or Query, but not both simultaneously. |
Status | Enter the signal status to update. Example: open | Text | Required | Allowed values: open, in-progress, closed |
Example Request
[
{
"id_list":[
"694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba",
"f4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0"
],
"status":"open"
}
]Action: Generic Action
This is a generic action to access any endpoint on Elastic SIEM.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Method | Enter the HTTP method to make the request. Example: GET | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the API endpoint to access. Example: api/detection_engine/signals/status | Text | Required | |
Payload | Enter the payload in JSON format. Example: {"data": [{"reason": "security_test"}]} | Text | Optional | |
Query Params | Enter the query parameters in JSON format. Example: {"limit": "10"} | Key Value | Optional | |
Extra Fields | Enter the extra fields to make the request. | Key Value | Optional | Allowed keys: payload_data, custom_output, download, filename, files, retry_wait, retry_count, response_type |
Example Request
[
{
"method":"GET",
"endpoint":"api/detection_engine/signals/status",
"payload":{
"data":[
{
"reason":"security_testing"
}
]
},
"query_params":{
"limit":"10"
}
}
]