Elasticsearch 2.0.0
App Vendor: Elasticsearch
App Category: Configuration Management Database (CMDB)
App Version: 2.1.0
API Version: 7.9.0
About App
Elasticsearch app allows security teams to manage indexes that help analysts to find anomalies and hunt for potential threats that target your organization's data. The Elasticsearch app for Orchestrate allows you to perform the following actions.
Action Name | Description |
|---|---|
Update Data in Index with Unique ID | This action updates data in an index with a unique ID. |
Get Index Data | This action retrieves the data inside an index. The data, type, and unique ID associated with all the docs in an index are retrieved. |
Delete Data Inside an Index with Unique ID | This action deletes the data inside an index with the unique ID. |
Add JSON Data to an Index | This action adds the JSON data to an index and returns the associated unique ID. |
Delete an Index | This action deletes an index. |
Query-based Search | This action is used to search based on queries in overall indexes. |
Custom Search | This action is used to search with custom parameters passed by the user. |
Create an Index | This action creates an index with default settings. |
Bulk Operation | This action performs multiple indexing or deletes operations in a single API call. |
Generic Action | This is a generic action to perform any additional use case on Elastic Search. |
Bulk Upload | This action performs multiple indexing operations in a single API call. |
Configuration Parameters
The following configuration parameters are required for the Elasticsearch app to communicate with the Elasticsearch deployment.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Base URL | Enter the Base URL for the Elastic Search API Endpoint. Example: https://example.com:9200 | Text | Required | |
Username | Specify the username for the Elastic Search API endpoint. | Text | Required | |
Password | Specify the password for the Elastic Search API endpoint for authentication. | Password | Required |
Action: Update Data in Index with Unique ID
This action is used to update data in an index with a unique ID.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the name of the index. Example: MyIndex1 | Text | Required | |
Unique ID | Specify the unique ID in an index. Example: y0-9_YYBjrxjROvIaXOv | Text | Required | You can retrieve the unique ID using the Get Index Data action. |
JSON Data | Specify the JSON data that to update. Example: {"name": "MyIndex2"}. | Any | Required |
[
{
"json_data": {
"Course": "Course Example"
},
"unique_id": "y0-9_YYBjrxjROvIaXOv",
"index_name": "MyIndex1"
}
]Action: Get Index Data
This action is used to retrieve the data inside an index. The data, type, and unique ID associated with all the docs in an index are retrieved. You must have the view_index_metadata or manage index privilege for the target data stream, index, or alias.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the name of the index to get data. | Text | Required |
[
{
"index_name": "MyIndex1"
}
]Action: Delete Data Inside an Index with Unique ID
This action deletes the data inside an index with the unique ID.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the Name of the Index to delete data. | Text | Required | |
Unique ID | Specify the unique ID of the data in the index. Example: y0-9_YYBjrxjROvIaXOv | Text | Required | You can retrieve the unique ID using the Get Index Data action. |
[
{
"unique_id": "y0-9_YYBjrxjROvIaXOv",
"index_name": "MyIndex1"
}
]Action: Add JSON Data to an Index
This action adds the JSON data to an index and returns the associated unique ID.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
JSON Data | Enter the JSON data to pass to an index. Example: $JSON{"Course": "MyCourse"} | Any | Required | |
Index name | Specify the name of the index. Example: MyIndex1 | Text | Required |
[
{
"json_data": {
"Course": "MyCourse"
},
"index_name": "MyIndex1"
}
]Action: Delete an Index
This action deletes an index. You must have the delete_index or manage index privilege for the target index. Deleting an index deletes its documents, shards, and metadata. It does not delete related Kibana components, such as data views, visualizations, or dashboards. You cannot delete the current write index of a data stream.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the name of the index to delete. You can also pass a list of indices to delete. Example: MyIndex1 | Text | Required | You cannot specify index aliases. |
[
{
"index_name": "MyIndex"
}
]Action: Query-based Search
This action is used to search based on queries in overall indexes.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query string | Enter the query string to search for results. Example: MyIndex | Text | Required |
[
{
"query": "example index"
}
]Action: Custom Search
This action is used to search with custom parameters passed by the user. You must have the read index privilege for the target data stream, index, or alias. This action allows you to execute a search query and get back search hits that match the query. You can provide search queries using the query string parameter.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the Index Name to search data. Example: MyIndex | Text | Required | |
Query string | Enter the query string to search for data. Example: Wireshark | Text | Required |
[
{
"query": "Wireshark",
"index_name": "MyIndex"
}
]Action: Create an Index
This action creates an index with default settings. You must have the create_index or manage index privilege for the target index. To add the index to an alias, you must have the manage index privilege for the alias.
Index names must meet the following criteria:
Lowercase only
Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, #
Indices prior to 7.0 could contain a colon (:), but that’s been deprecated and won’t be supported in 7.0+
Cannot start with -, _, +
Cannot be . or ..
Cannot be longer than 255 bytes (note it is bytes, so multi-byte characters will count towards the 255 limit faster)
Names starting with . are deprecated, except for hidden indices and internal indices managed by plugins
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Index name | Specify the index name you need to create. Example: My New Index | Text | Required |
[
{
"index_name": "My New Index"
}
]Action: Generic Action
This is a generic action to perform any additional use case on Elastic Search.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
Method | Enter the HTTP method to use. Example:
| Text | Required | |
Endpoint | Enter the endpoint to initiate a request. Example: /_search | Text | Required | |
Payload JSON | Enter the payload JSON to pass to the API. Example: $JSON[{"type": "malicious", "id": "ES4356"}] | Any | Optional | |
Payload Data | Enter the payload data to pass to the API. Example: {"type": "malicious","id': "ES4356"} | Key Value | Optional | |
Query Params | Enter query parameters to filter the result. Example: $JSON[{"page_number":6}] | Any | Optional |
Example Request
[
{
"endpoint":"/_search",
"http_method":"GET",
"payload_json":[
{
"type":"malicious",
"id":"ES4356"
}
],
"query_params":[
{
"page_number":6
}
]
}
]Action: Bulk Operation
This action is used to perform multiple operations in a single API call such as insert, update, and delete. Use the Bulk Upload action, to insert multiple indexes at once. To use the index action, you must have the create, index, or write index privilege. To use the delete action, you must have the delete or write index privilege.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
Payload JSON | Enter the payload data in one of the following formats:
Example: $JSON[{"timestamp": 1516729294000, "temperature": 200, "voltage": 5.2, "node": "input"}] | Any | Required | Allowed values:
|
Index Name | Enter the index name to perform the bulk operation. Example: Elastic_Index | Text | Required |
Example Request
[
{
"json_data":[
{
"timestamp":1516729294000,
"temperature":200,
"voltage":5.2,
"node":"input"
}
],
"index_name":"elastic_index"
}
]Action: Bulk Upload
This action is used to perform multiple indexing operations in a single API. Use the Bulk Upload action, to insert multiple indexes instantaneously. To use the Bulk Upload action, you must have the create, index, or write index privileges.
Parameter | Description | Field Type | Required/Optional | Comments |
Payload JSON | Enter the payload data in one of the following formats:
Example: $JSON[{"IOCConfidenceScore": 100, "IOCType": “domain_name”, "IOCValue": “newtest123.com”}] | Any | Required | Allowed values:
|
Index Name | Enter the index name to perform the bulk upload. Example: Elastic_Index | Text | Required |