Elasticsearch 2.0.0
App Vendor: Elasticsearch
App Category: Configuration Management Database (CMDB)
Connector Version: 2.3.0
API Version: 7.9.0
About App
Elasticsearch app allows security teams to manage indexes that help analysts to find anomalies and hunt for potential threats that target your organization's data. The Elasticsearch app for Orchestrate allows you to perform the following actions.
Action Name | Description |
---|---|
Add JSON Data to an Index | This action adds the JSON data to an index and returns the associated unique ID. |
Bulk Operation | This action performs multiple indexing or delete operations in a single API call. |
Bulk Upload | This action performs multiple indexing operations in a single API call. |
Custom Search | This action is used to search with custom parameters passed by the user. |
Create an Index | This action creates an index with default settings. |
Delete an Index | This action deletes an index. |
Delete Data Inside an Index with Unique ID | This action deletes the data inside an index with the unique ID. |
Get Document | This action retrieves a document and its source or stored fields from an index using the specified document ID. |
Get Index Data | This action retrieves the data inside an index. The data, type, and unique ID associated with all the docs in an index are retrieved. |
Get Multiple Documents | This action retrieves multiple JSON documents by ID from the specified index. |
Query-based Search | This action is used to search based on queries in overall indexes. |
Update Data in Index with Unique ID | This action updates data in an index with a unique ID. |
Generic Action | This is a generic action to perform any additional use case on Elasticsearch. |
Configuration Parameters
The following configuration parameters are required for the Elasticsearch app to communicate with the Elasticsearch deployment.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the Base URL for the Elastic Search API Endpoint. Example: https://example.com:9200 | Text | Required | |
Username | Specify the username for the Elastic Search API endpoint. | Text | Optional | You must either provide an API Key, Bearer Token, or both the Username and Password for authentication. |
Password | Specify the password for the Elastic Search API endpoint for authentication. | Password | Optional | You must either provide an API Key, Bearer Token, or both the Username and Password for authentication. |
API Key | Enter the encoded Elasticsearch API Key. Example: WDJlY2w1UUJud1pRMm02anBqR1I6MDVpUEp2WEFSQk9Nc3psdENtZGpNZw== | Password | Optional | You must either provide an API Key, Bearer Token, or both the Username and Password for authentication. |
Bearer Token | Enter the generated service account token. Example: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuMTpyZkF0UFFEaVIzS0NUckFfeTZOemVR | Password | Optional | You must either provide an API Key, Bearer Token, or both the Username and Password for authentication. |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Elasticsearch. | Integer | Optional | Allowed range: 15-120. Default value: 15. |
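The authentication rule in the table above (an API Key, a Bearer Token, or both Username and Password) and the timeout range, as an added example of how a client would validate the configuration before sending anything; this is illustrative code, not the connector's own, and the precedence between the three credential types is an assumption.

```python
import base64

ALLOWED_TIMEOUT = (15, 120)   # allowed range from the table
DEFAULT_TIMEOUT = 15


def build_auth_header(username=None, password=None, api_key=None, bearer_token=None):
    """Return the Authorization header to send to Elasticsearch.

    Precedence (an assumption, not stated on the page): API key, then bearer
    token, then basic auth. The page's rule is enforced: a username without
    its password (or the reverse) is rejected instead of silently sending
    an unauthenticated request.
    """
    if api_key:
        # The API Key field already holds the base64-encoded "id:secret" value.
        return {"Authorization": f"ApiKey {api_key}"}
    if bearer_token:
        return {"Authorization": f"Bearer {bearer_token}"}
    if username and password:
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        return {"Authorization": f"Basic {creds}"}
    raise ValueError("provide an API Key, a Bearer Token, or both Username and Password")


def resolve_timeout(value=None):
    """Apply the 15-120 second range from the table, defaulting to 15."""
    if value is None:
        return DEFAULT_TIMEOUT
    low, high = ALLOWED_TIMEOUT
    if not low <= int(value) <= high:
        raise ValueError(f"timeout must be between {low} and {high} seconds")
    return int(value)
```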
Action: Add JSON Data to an Index
This action adds the JSON data to an index and returns the associated unique ID.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
JSON Data | Enter the JSON data to pass to an index. Example: $JSON{"Course": "MyCourse"} | Any | Required | |
Index Name | Specify the name of the index. Example: MyIndex1 | Text | Required | |
Extra Params | Enter the extra parameters to add data to an index. | Key value | Optional | Allowed keys: if_primary_term, if_seq_no, timeout, include_source_on_error, op_type, pipeline, refresh, routing, version, version_type, wait_for_active_shards, require_alias |
[ { "json_data": { "Course": "MyCourse" }, "index_name": "MyIndex1" } ]
Action: Bulk Operation
This action is used to perform multiple operations in a single API call, such as insert, update, and delete. Use the Bulk Upload action to insert multiple indexes at once. To use the index action, you must have the create, index, or write index privilege. To use the delete action, you must have the delete or write index privilege.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Payload | Enter the payload data in one of the following formats. Example: $JSON[{"timestamp": 1516729294000, "temperature": 200, "voltage": 5.2, "node": "input"}] | Any | Required | Allowed values: |
Index Name | Enter the index name to perform the bulk operation. Example: Elastic_Index | Text | Required | |
Extra Params | Enter the extra parameters to make the request. | Key value | Optional | Allowed keys: list_executed_pipelines, pipeline, refresh, routing, _source, _source_excludes, _source_includes, timeout, wait_for_active_shards, require_alias, require_data_stream |
Example Requests
Create an Index with Documents
[ { "index": { "_index": "elastic_index" } }, { "timestamp": 1516729294000, "temperature": 200, "voltage": 5.2 }, { "index": { "_index": "elastic_index" } }, { "timestamp": 1516729394000, "temperature": 210, "voltage": 5.4 } ]
Update Document in an Index
[ { "update": { "_index": "example", "_id": "exampleid12" } }, { "doc": { "message": "Updated document content", "editor": "Jane Doe", "updated_timestamp": 1516736494000 } } ]
Delete Document from an Index
[ { "delete": { "_index": "example", "_id": "docid123" } } ]
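The three example payloads above are JSON arrays, but the Elasticsearch `_bulk` endpoint consumes newline-delimited JSON in which every index/create/update action line is immediately followed by its document line and delete actions stand alone. The added example below (illustrative code, not the connector's implementation) converts an action payload of the shape shown above into that body and rejects mis-paired items before anything is sent; the fallback to the action's Index Name when an item has no `_index` is an assumption.

```python
import json

# Bulk actions that must be followed by a document line in the NDJSON body.
NEEDS_DOCUMENT = {"index", "create", "update"}
BULK_ACTIONS = NEEDS_DOCUMENT | {"delete"}


def to_bulk_body(payload, default_index=None):
    """Turn a JSON-array bulk payload into the NDJSON body for POST /_bulk.

    Each action object becomes one line; index/create/update consume the
    next array element as their document. update and delete require _id.
    An item without _index uses default_index (assumed to be the action's
    Index Name); with neither, the item is rejected.
    """
    lines = []
    i = 0
    while i < len(payload):
        item = payload[i]
        if not (isinstance(item, dict) and len(item) == 1):
            raise ValueError(f"item {i}: expected an action object with a single key")
        (action, meta), = item.items()
        if action not in BULK_ACTIONS:
            raise ValueError(f"item {i}: unknown bulk action {action!r}")
        if "_index" not in meta:
            if default_index is None:
                raise ValueError(f"item {i}: no _index given and no default index")
            meta = {**meta, "_index": default_index}
        if action in ("update", "delete") and "_id" not in meta:
            raise ValueError(f"item {i}: {action} requires _id")
        lines.append(json.dumps({action: meta}, separators=(",", ":")))
        if action in NEEDS_DOCUMENT:
            if i + 1 >= len(payload) or not isinstance(payload[i + 1], dict):
                raise ValueError(f"item {i}: {action} must be followed by a document")
            lines.append(json.dumps(payload[i + 1], separators=(",", ":")))
            i += 1          # the document element has been consumed
        i += 1
    return "\n".join(lines) + "\n"   # the body must end with a newline


# Constructed sample mirroring the "Create an Index with Documents" example.
SAMPLE_PAYLOAD = [
    {"index": {"_index": "elastic_index"}},
    {"timestamp": 1516729294000, "temperature": 200, "voltage": 5.2},
    {"delete": {"_index": "example", "_id": "docid123"}},
]

if __name__ == "__main__":
    print(to_bulk_body(SAMPLE_PAYLOAD), end="")
```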
Action: Bulk Upload
This action is used to perform multiple indexing operations in a single API call. Use the Bulk Upload action to insert multiple indexes at once. To use the Bulk Upload action, you must have the create, index, or write index privileges.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Payload | Enter the payload data in one of the following formats. Example: $JSON[{"IOCConfidenceScore": 100, "IOCType": "domain_name", "IOCValue": "newtest123.com"}] | List | Required | Allowed values: |
Index Name | Enter the index name to perform the bulk upload. Example: Elastic_Index | Text | Required | |
Extra Params | Enter the extra parameters to upload multiple indexes. | Key value | Optional | Allowed keys: list_executed_pipelines, pipeline, refresh, routing, _source, _source_excludes, _source_includes, timeout, wait_for_active_shards, require_alias |
Action: Create an Index
This action creates an index with default settings. You must have the create_index or manage index privilege for the target index. To add the index to an alias, you must have the manage index privilege for the alias.
Index names must meet the following criteria:
Lowercase only
Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, #
Indices prior to 7.0 could contain a colon (:), but that’s been deprecated and won’t be supported in 7.0+
Cannot start with -, _, +
Cannot be . or ..
Cannot be longer than 255 bytes (note it is bytes, so multi-byte characters will count towards the 255 limit faster)
Names starting with . are deprecated, except for hidden indices and internal indices managed by plugins
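The naming rules listed above, as an added client-side check (illustrative code, not the connector's own) that reports every rule a proposed index name violates before the Create an Index request is sent; note that the byte-length rule is applied to the UTF-8 encoding, as the list specifies.

```python
# Characters the list above forbids anywhere in an index name.
INVALID_CHARS = set('\\/*?"<>| ,#')
MAX_BYTES = 255


def check_index_name(name):
    """Return the list of violated rules; an empty list means the name is acceptable.

    ':' is reported as a violation because 7.0+ no longer supports it, while a
    leading '.' is only reported as deprecated, matching the wording above.
    """
    problems = []
    if name != name.lower():
        problems.append("must be lowercase")
    bad = sorted(INVALID_CHARS & set(name))
    if bad:
        problems.append("contains forbidden characters: " + ", ".join(repr(c) for c in bad))
    if ":" in name:
        problems.append("contains ':' (not supported in 7.0+)")
    if name[:1] in ("-", "_", "+"):
        problems.append("cannot start with -, _ or +")
    if name in (".", ".."):
        problems.append("cannot be '.' or '..'")
    if len(name.encode("utf-8")) > MAX_BYTES:     # bytes, not characters
        problems.append(f"longer than {MAX_BYTES} bytes")
    if name.startswith(".") and name not in (".", ".."):
        problems.append("deprecated: leading '.' is reserved for hidden and internal indices")
    return problems
```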
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Index Name | Specify the index name you need to create. Example: My New Index | Text | Required | |
Extra Params | Enter the extra parameters to create an index. | Key value | Optional | Allowed keys: timeout, master_timeout, wait_for_active_shards |
Payload | Enter the payload in JSON format to create an index. | Key value | Optional | Allowed keys: aliases, mappings, settings |
[ { "index_name": "My New Index" } ]
Action: Custom Search
This action is used to search with custom parameters passed by the user. You must have the read index privilege for the target data stream, index, or alias. This action allows you to execute a search query and get back search hits that match the query. You can provide search queries using the query string parameter.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Index Name | Specify the Index Name to search data. Example: MyIndex | Text | Required | |
Match Field | Enter the field name to perform the string match search. Example: message | Text | Optional | Note: If you pass the Match Field, you must also pass the Match Value and vice-versa. |
Match Value | Enter the value to search for in the field specified in Match Field. Example: Sample message | Text | Optional | Note: If you pass the Match Field, you must also pass the Match Value and vice-versa. |
Exists Field | Enter the value to retrieve only the documents in which this field exists. Example: message | Text | Optional | |
Range Field | Enter the field name to search for documents, defining the parameter for the range search. Example: @timestamp | Text | Optional | |
Start Range | Enter the starting range for the field to include responses greater than or equal to this limit. Example: 2024-11-15T13:12:00 | Text | Optional | Note: If you pass the Start Range, you must also pass the Range Field. |
End Range | Enter the ending range for the field to include responses less than or equal to this limit. Example: 2025-11-15T13:12:00 | Text | Optional | Note: If you pass the End Range, you must also pass the Range Field. |
Query | Enter the query string to search for data. Example: Wireshark | Text | Required | |
Extra Params | Enter the extra parameters to search. | Key value | Optional | Allowed keys: allow_no_indices, allow_partial_search_results, explain, analyzer, analyze_wildcard, batched_reduce_size, ccs_minimize_roundtrips, default_operator, df, ignore_throttled, ignore_unavailable, include_named_queries_score, lenient, max_concurrent_shard_requests, preference, pre_filter_shard_size, request_cache, routing, scroll, search_type, suggest_field, suggest_mode, suggest_size, suggest_text, terminate_after, timeout, track_scores, typed_keys, rest_total_hits_as_int, version, _source_includes, seq_no_primary_term, q, size, from, sort, force_synthetic_source |
[ { "query": "Wireshark", "index_name": "MyIndex" } ]
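How the Custom Search inputs above combine into one request, as an added example (illustrative code, not the connector's implementation): the Query string becomes a `query_string` clause, Match Field/Match Value a `match` clause, and Exists Field and the Range Field bounds become filters, with the pairing rules from the Comments column enforced before a request is built. Putting the filters in a `filter` clause rather than `must` is an assumption.

```python
def build_custom_search(index_name, query, match_field=None, match_value=None,
                        exists_field=None, range_field=None,
                        start_range=None, end_range=None):
    """Return (request path, JSON body) for a Custom Search.

    Pairing rules from the parameter table:
      - Match Field and Match Value must be given together.
      - Start Range or End Range require Range Field.
    Start Range is inclusive (gte) and End Range is inclusive (lte).
    """
    if (match_field is None) != (match_value is None):
        raise ValueError("Match Field and Match Value must be passed together")
    if (start_range is not None or end_range is not None) and range_field is None:
        raise ValueError("Start Range and End Range require Range Field")

    must = [{"query_string": {"query": query}}]
    if match_field is not None:
        must.append({"match": {match_field: match_value}})

    # Non-scoring conditions go into the filter context (assumption).
    filters = []
    if exists_field is not None:
        filters.append({"exists": {"field": exists_field}})
    if range_field is not None:
        bounds = {}
        if start_range is not None:
            bounds["gte"] = start_range
        if end_range is not None:
            bounds["lte"] = end_range
        if bounds:
            filters.append({"range": {range_field: bounds}})

    bool_query = {"must": must}
    if filters:
        bool_query["filter"] = filters
    return f"/{index_name}/_search", {"query": {"bool": bool_query}}
```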
Action: Delete an Index
This action deletes an index. You must have the delete_index or manage index privilege for the target index. Deleting an index deletes its documents, shards, and metadata. It does not delete related Kibana components, such as data views, visualizations, or dashboards. You cannot delete the current write index of a data stream.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Index Name | Specify the name of the index to delete. You can also pass a list of indices to delete. Example: MyIndex1 | Text | Required | You cannot specify index aliases. |
Extra Params | Enter the extra parameters to delete an index. | Key value | Optional | Allowed keys: allow_no_indices, expand_wildcards, ignore_unavailable, master_timeout, timeout, wait_for_active_shards |
[ { "index_name": "MyIndex" } ]
Action: Delete Data Inside an Index with Unique ID
This action deletes the data inside an index with the unique ID.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Index Name | Specify the name of the index to delete data from. | Text | Required | |
Unique ID | Specify the unique ID of the data in the index. Example: y0-9_YYBjrxjROvIaXOv | Text | Required | You can retrieve the unique ID using the Get Index Data action. |
Extra Params | Enter the extra parameters to delete the data inside an index. | Key value | Optional | Allowed keys: if_primary_term, if_seq_no, refresh, routing, timeout, version, version_type, wait_for_active_shards |
[ { "unique_id": "y0-9_YYBjrxjROvIaXOv", "index_name": "MyIndex1" } ]
Action: Get Document
This action retrieves a document and its source or stored fields from an index using the specified document ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Index Name | Enter the name of the index that contains the document. Example: MyIndex | Text | Required | |
Doc ID | Enter the unique document ID. Example: bxIXp5QB2RV9uHAXwJMK | Text | Required | You can retrieve the doc ID using the action Custom Search. |
Extra Params | Enter the extra parameters to retrieve the document. | Key value | Optional | Allowed keys: force_synthetic_source, preference, realtime, refresh, routing, _source, _source_excludes, _source_includes, stored_fields, version, version_type |
Example Request
[ { "unique_id": "bxIXp5QB2RV9uHAXwJMK", "index_name": "MyIndex", "extra_params": {} } ]
Action: Get Index Data
This action is used to retrieve the data inside an index. The data, type, and unique ID associated with all the docs in an index are retrieved. You must have the view_index_metadata or manage index privilege for the target data stream, index, or alias.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Index Name | Specify the name of the index to get data. | Text | Required | |
Payload | Enter the payload in JSON format to retrieve index data. | Key value | Optional | Allowed keys: aggregations, collapse, explain, ext, from, highlight, track_total_hits, indices_boost, docvalue_fields, knn, rank, min_score, post_filter, profile, query, restore, retriever, script_fields, search_after, size, slice, sort, _source, fields, suggest, terminate_after, timeout, track_scores, version, seq_no_primary_term, stored_fields, pit, runtime_mappings, stats |
Extra Params | Enter the extra parameters to retrieve index data. | Key value | Optional | Allowed keys: allow_no_indices, allow_partial_search_results, explain, analyzer, analyze_wildcard, batched_reduce_size, ccs_minimize_roundtrips, default_operator, df, docvalue_fields, expand_wildcards, ignore_throttled, ignore_unavailable, include_named_queries_score, lenient, max_concurrent_shard_requests, preference, pre_filter_shard_size, request_cache, routing, scroll, search_type, stats, stored_fields, suggest_field, suggest_mode, suggest_size, suggest_text, terminate_after, track_total_hits, track_scores, typed_keys, rest_total_hits_as_int, version, _source, _source_excludes, _source_includes, seq_no_primary_term, q, size, from, sort, force_synthetic_source |
[ { "index_name": "MyIndex1" } ]
Action: Get Multiple Documents
This action retrieves multiple JSON documents by ID from the specified index.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Index Name | Enter the name of the index to retrieve documents. Example: MyIndex | Text | Required | |
Doc IDs | Enter the list of document IDs to retrieve. Example: [bxIXp5QB2RV9uHAXwJMK, Pmf6ppQBnwZQ2m6j7DKc] | List | Required | You can retrieve the doc IDs using the Custom Search action. |
Extra Params | Enter the extra parameters to retrieve documents. Example: {realtime: True, refresh: True} | Key value | Optional | Allowed keys: force_synthetic_source, preference, realtime, refresh, routing, _source, _source_excludes, _source_includes, stored_fields |
Example Request
[ { "doc_ids": [ "XBJpppQB2RV9uHAXgJP4", "WxJpppQB2RV9uHAXd5OO" ], "index_name": "MyIndex", "extra_params": {} } ]
Action: Query-based Search
This action is used to search based on queries in overall indexes.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query String | Enter the query string to search for results. Example: MyIndex | Text | Required | |
Extra Params | Enter the extra parameters to search across all indexes. | Key value | Optional | Allowed keys: allow_no_indices, allow_partial_search_results, analyzer, analyze_wildcard, batched_reduce_size, ccs_minimize_roundtrips, default_operator, df, docvalue_fields, expand_wildcards, explain, ignore_throttled, ignore_unavailable, include_named_queries_score, lenient, max_concurrent_shard_requests, preference, pre_filter_shard_size, request_cache, routing, scroll, search_type |
Payload | Enter the payload in JSON format to search across all indexes. | Key value | Optional | Allowed keys: aggregations, collapse, explain, ext, from, highlight, track_total_hits, indices_boost, docvalue_fields, knn, rank, min_score, post_filter, profile, query, restore, retriever, script_fields, search_after, size, slice, sort, _source, fields, suggest, terminate_after, timeout, track_scores, version, seq_no_primary_term |
[ { "query": "example index" } ]
Action: Update Data in Index with Unique ID
This action is used to update data in an index with a unique ID.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Index Name | Specify the name of the index. Example: MyIndex1 | Text | Required | |
Unique ID | Specify the unique document ID in an index. Example: bxIXp5QB2RV9uHAXwJMK | Text | Required | You can retrieve the unique ID using the Get Index Data action. |
Doc Data | Specify the JSON data to update. Example: {"name": "MyIndex2"} | Any | Required | |
Payload | Enter the payload in JSON format to update index data. | Key value | Optional | Allowed keys: detect_noop, doc_as_upsert, script, scripted_upsert, _source, upsert |
Extra Params | Enter the extra parameters to update index data. | Key value | Optional | Allowed keys: if_primary_term, if_seq_no, refresh, include_source_on_error, lang, require_alias, retry_on_conflict, routing, timeout, wait_for_active_shards, _source, _source_excludes, _source_includes |
[ { "json_data": { "Course": "Course Example" }, "unique_id": "y0-9_YYBjrxjROvIaXOv", "index_name": "MyIndex1" } ]
Action: Generic Action
This is a generic action to perform any additional use case on Elasticsearch.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to use. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to initiate a request. Example: /_search | Text | Required | |
Extra Fields | Enter the extra fields to pass to the API. Example: $JSON[{"type": "malicious", "id": "ES4356"}] | Key value | Optional | Allowed keys: payload_json, custom_output, download, retry_wait, retry_count, response_type |
Payload Data | Enter the payload data to pass to the API. Example: {"type": "malicious", "id": "ES4356"} | Key value | Optional | |
Query Params | Enter query parameters to filter the result. Example: $JSON[{"page_number": 6}] | Key value | Optional | |
Example Request
[ { "endpoint":"/_search", "http_method":"GET", "payload_json":[ { "type":"malicious", "id":"ES4356" } ], "query_params":[ { "page_number":6 } ] } ]