Elastic SIEM
App Vendor: Elastic
Connector Category: Analytics and SIEM
App Version in Orchestrate: 1.2.0
API Version: 1.0.0
About App
The Elastic SIEM app allows security teams to detect, investigate and quickly respond to complex threats through case management. It enables security analysts to gather evidence of an attack, annotate relevant events, and respond to the most relevant threats. Using the SIEM app, you can also manage list containers, which group list items of a common type. These items define exceptions: conditions under which a rule does not generate an alert even when all of its other criteria are met.
The Elastic SIEM app is configured with the Orchestrate application to perform the following actions:
Action | Description |
---|---|
Get All List Containers | This action retrieves all the available list containers. |
Create List Container | This action creates a list container. |
Create List Item | This action creates a list item in the specified list container. |
Update List Item | This action updates a list item with a new value. |
Get List Item | This action gets the details of a list item using the list item ID. |
Update Case Comment | This action updates the details of an existing comment using the case ID and comment ID. |
Add a Comment in a Case | This action adds a new comment to a case. |
Get Details of a Case Comment | This action retrieves the details of a specific case comment using the case ID and comment ID. |
Update a Case | This action updates a case with the current case version along with additional fields. |
Create a Case | This action creates a new case with a title, description, and other fields. |
Get Details of a Case | This action retrieves the details of a specific case using the case ID. |
Find Cases | This action is used to search or find cases using query parameters. |
Get a List of Case Activities | This action retrieves a list of case activities using the case ID. |
Get a List of Case Reporters | This action retrieves a list of reporters or users who opened specific cases. |
Get Alerts | This action retrieves alerts. |
Update Signal Status | This action updates the signal status. |
Generic Action | This is a generic action to access any endpoint on Elastic SIEM. |
Configuration Parameters
The following configuration parameters are required for the Elastic SIEM app to communicate with the Elastic SIEM enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
BASE URL | Enter the Elastic SIEM base URL as <http[s]://BASE URL.TLD[:port]> | Text | Required | |
Username | Enter the Elastic SIEM username. | Text | Required | |
Password | Enter the Elastic SIEM password. | Password | Required | |
SSL Verification | Select to either verify or skip the SSL certificate verification. | Boolean | Optional | Allowed values: True, False. Default value: False |
Action: Get All List Containers
This action retrieves all the available list containers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter the extra parameters as key-value pairs to retrieve the list containers. Example: see the example request below. | Key Value | Optional | |
Example Request
[ { "extra_params": { "list_id": "internal-ip-excludes", "page": "1", "per_page": "20", "sort_order": "asc" } } ]
Action: Create List Container
This action creates a list container with the given name and description.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
List Container Name | Enter a name for the list container. Example: "exclude-internal-IPs" | Text | Required | |
Description | Enter a description for the list container. Example: "Contains list items that exclude internal IPs" | Text | Required | |
Type | Enter the data type of the items (excludes) that the list container holds. Example: "ip" | Text | Required | |
Extra Params | Enter the extra parameters as key-value pairs to create the list container. Example: see the example request below. | Key-Value | Optional | |
Example Request
[ { "name": "Exclude IP ranges", "description": "Contains list items that exclude internal IPs", "type": "ip", "extra_params": { "id": "exclude-internal-IPs", "version": "1.0", "serializer": "(?<gte>.+)/(?<lte>.+)", "deserializer": "{{{gte}}}--{{{lte}}}" } } ]
Action: Create List Item
This action creates a list item and associates it with a list container. All the list items associated with the same container must be of the same type.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
List ID | Enter the ID of the associated list container. Example: "exclude-internal-IPs" | Text | Required | |
Value | Enter the values used to evaluate exceptions. Example: "10.0.0.3" | Text | Required | |
Unique ID | Enter the unique ID for the list item. Example: "IP001" | Text | Optional | |
Meta | Enter the metadata about the list item. This is used to evaluate exceptions. Example: "updated_by": "testorg" | Text | Optional | |
Example Request
[ { "list_id": "exclude-internal-IPs", "value": "10.0.0.3", "id": "IP001", "updated_by": "testorg", "updated_at": "2020-08-11T10:54:46.080Z" } ]
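The following Python is an added example, not code from the connector or from Elastic. It shows what the `serializer` regex and `deserializer` template in the Create List Container request above do to a range value, and checks a candidate item against the container's `ip` type before it is sent with Create List Item, since every item in a container must share that type. The container dict is constructed from the page's example request; `build_list_item` and the other helpers are assumed names, not a connector API.

```python
import ipaddress
import re

# Constructed container definition; the keys mirror the Create List Container
# example request on this page (type "ip" plus a custom serializer/deserializer).
CONTAINER = {
    "id": "exclude-internal-IPs",
    "type": "ip",
    "serializer": "(?<gte>.+)/(?<lte>.+)",   # regex: how an uploaded value is parsed
    "deserializer": "{{{gte}}}--{{{lte}}}",  # template: how a stored value is presented
}


def to_python_regex(pattern: str) -> str:
    """Elastic patterns use (?<name>...) named groups; Python's re wants (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def parse_value(raw: str, serializer: str) -> dict:
    """Apply the container's serializer regex to a value an analyst typed in."""
    match = re.fullmatch(to_python_regex(serializer), raw)
    if match is None:
        raise ValueError(f"{raw!r} does not match serializer {serializer!r}")
    return match.groupdict()


def render_value(fields: dict, deserializer: str) -> str:
    """Fill each {{{name}}} placeholder of the deserializer template."""
    return re.sub(r"\{\{\{(\w+)\}\}\}", lambda m: fields[m.group(1)], deserializer)


def validate_ip_fields(fields: dict) -> None:
    """Reject bounds that are not addresses of one IP version, or an inverted range;
    a malformed exception item would otherwise suppress alerts unpredictably."""
    addrs = {name: ipaddress.ip_address(value) for name, value in fields.items()}
    if len({a.version for a in addrs.values()}) != 1:
        raise ValueError("all bounds must be the same IP version")
    if "gte" in addrs and "lte" in addrs and addrs["gte"] > addrs["lte"]:
        raise ValueError("range lower bound is greater than upper bound")


def build_list_item(raw_value: str, container: dict, item_id: str = "") -> dict:
    """Return a Create List Item payload shaped like this page's example request
    (assumed helper): list_id, value and the optional unique id."""
    if container["type"] != "ip":
        raise ValueError(f"this example only validates type 'ip', got {container['type']!r}")
    validate_ip_fields(parse_value(raw_value, container["serializer"]))
    payload = {"list_id": container["id"], "value": raw_value}
    if item_id:
        payload["id"] = item_id
    return payload
```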
Action: Update List Item
This action updates an existing list item with a new value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Unique ID | Enter the ID of the list item you want to update. Example: "IP001" | Text | Required | |
Value | Enter the value (to be updated) used to evaluate exceptions. Example: "10.0.0.8" | Text | Required | |
Version | Enter a specific version to prevent update conflicts. Example: "CYVER01" | Text | Optional | |
Example Request
[ { "id": "IP001", "value": "10.0.0.8", "version": "CYVER0" } ]
Action: Get List Item
This action gets the details of a list item using the list item ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Unique ID | Enter the ID of the list item for which you want to fetch details. | Text | Required | |
Example Request
[ { "id": "IP001" } ]
Action: Update Case Comment
This action updates the details of an existing comment using the case ID and comment ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Case ID | Enter the case ID. | Text | Required | |
Comment ID | Enter the comment ID. | Text | Required | |
Comment | Enter the comment to be updated for the case. Example: "Threat detected" | Text | Required | |
Current comment version | Enter the current comment version. Example: "WzExODQyNSwzN10=" | Text | Required | |
Example Request
[ { "case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33", "comment": "new comment added over connector", "comment_id": "441bebe0-5613-11eb-a445-4930bd0b6a33", "comment_version": "WzMzMiwxXQ==" } ]
Action: Add a Comment in a Case
This action adds a new comment to a case.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Case ID | Enter the case ID. | Text | Required | |
Comment | Enter the comment to add to the case. Example: "new comment added over connector" | Text | Required | |
Example Request
[ { "case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33", "comment": "new comment added over connector" } ]
Action: Get Details of a Case Comment
This action retrieves the details of a specific case comment using the case ID and comment ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Case ID | Enter the case ID for which you are retrieving comments. | Text | Required | |
Comment ID | Enter the comment ID. | Text | Required | |
Example Request
[ { "case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33", "comment_id": "441bebe0-5613-11eb-a445-4930bd0b6a33" } ]
Action: Update a Case
This action updates an existing case with the current case version and other additional fields.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Case ID | Enter the case ID. | Text | Required | |
Current case version | Enter the current case version. The current case version can be retrieved from the Get Details of a Case or Find Cases actions. Example: "WzIzLDFd" | Text | Required | |
Extra Params | Enter the additional fields in the form of key-value pairs to update the case. Example: see the example request below. | Key Value | Optional | |
Example Request
[ { "case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33", "version": "WzM2NiwxXQ==", "extra_fields": { "tags": [ "test" ], "status": "open", "connector_id": "131d4448-abe0-4789-939d-8ef60680b498", "title": "This case title been updated over connector.", "description": "This case description been updated over connector." } } ]
Action: Create a Case
This action creates a new case with a title, description, and tags.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Title | Enter a title to create a new case. Example: "Threat" | Text | Required | |
Description | Enter the case description. Example: "Locate the threat" | Text | Required | |
Tags | Enter the tags containing words and phrases that help categorize cases. By default, the array is empty. Example: ["phishing", "social engineering"] | Any | Optional | |
Example Request
[ { "tags":[ "phishing" ], "title":"This is a sample threat case", "description":"This is to locate all the sample threats." } ]
Action: Get Details of a Case
This action retrieves the details of a specific case using the case ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Case ID | Enter the case ID to retrieve details of the case. | Text | Required | |
Include comments | Select to either include or exclude comments. | Boolean | Optional | Allowed values: True, False. Default value: False |
Example Request
[ { "case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33", "include_comments": true } ]
Action: Find Cases
This action is used to search or find cases using query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter any query parameters in the form of key-value pairs to find cases. Example: see the example request below. | Key Value | Optional | |
Example Request
[ { "query_params": { "page": "1", "tags": "test", "status": "open", "perPage": "10", "reporters": "elastic", "sortField": "createdAt", "sortOrder": "asc" } } ]
Action: Get a List of Case Activities
This action retrieves a list of case activities using the case ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Case ID | Enter the case ID to retrieve the list of case activities. | Text | Required | |
Example Request
[ { "case_id": "e6a53980-5612-11eb-a445-4930bd0b6a33" } ]
Action: Get Alerts
This action retrieves alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Latest | Enter the latest timestamp to retrieve alerts. Example: "1631623910" | Text | Optional | Default value: current time |
Earliest | Enter the earliest timestamp to retrieve alerts. Example: "1600087910" | Text | Optional | Default value: 90 days prior |
Signal Status | Enter the signal status to filter the results. Example: "open" | Text | Optional | Default value: open. Allowed values: |
Risk Score | Enter the risk score to filter the alerts greater than the specified risk score. Example: 70 | Integer | Optional | Default value: greater than or equal to 0 |
Example Request
[ { "latest":1631623910, "signal_status":"open", "risk_score":70 } ]
Action: Update Signal Status
This action updates the signal status.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ID List | Enter a list of signal IDs to update. Example: $LIST[694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba, 4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0] | List | Required | |
Status | Enter the signal status to update. Example: "open" | Text | Required | Allowed values: |
Example Request
[ { "id_list":[ "694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba", "f4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0" ], "status":"open" } ]
Action: Generic Action
This is a generic action to access any endpoint on Elastic SIEM.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
HTTP Method | Enter the HTTP method. Example: "GET" | Text | Required | Allowed values: |
Endpoint | Enter the API endpoint to access. Example: "api/detection_engine/signals/status" | Text | Required | |
Request Body | Enter the payload in JSON format. Example: {"data": [{"reason": "security_test"}]} | Any | Optional | |
Query Params | Enter the query parameters in JSON format. Example: {"limit": "10"} | Key Value | Optional | |
Example Request
[ { "http_method":"GET", "endpoint":"api/detection_engine/signals/status", "request_body":{ "data":[ { "reason":"security_testing" } ] }, "query_params":{ "limit":"10" } } ]