
Elastic Threat Intelligence

Elastic makes data usable in real time and at scale for search, logging, security, and analytics use cases. Integrating ThreatConnect lets you take your Elastic security data and apply it to threat intelligence management.

Elastic Security

With the Elastic Security integration, users can use Kibana SIEM threat detection features together with endpoint prevention and response capabilities. The Elastic Security integration consists of a Playbook app and a Service app, which let customers interact with the alert, case, and detection endpoints of the Elastic Security API. The Service app retrieves detection alerts on a set schedule.

The following actions are available for threat intelligence management:

  • Get Alert - Retrieve an alert by its alert ID.
  • Update Alert Status - Update the status of an existing alert.
  • Create Detection Rule - Create a new detection rule. Rules run periodically and search for source events or machine learning job anomaly scores that meet their criteria. When a rule's criteria are met, a detection alert is created.
  • Update Detection Rule - Update an existing detection rule's fields.
  • Delete Detection Rule - Delete a detection rule.
  • Get Detection Rule - Retrieve a detection rule by its ID.
  • Add Case Comment - Add a comment to an existing case.
  • Create Case - Create a new case.
  • List Cases - Return a list of all cases.

This app can be found in the ThreatConnect App Catalog under the name: Elastic Security


Built By ThreatConnect

Elasticsearch

With the Elasticsearch integration, you can execute a search query and get back the search hits that match it. The Service app runs a configured search query on a set schedule and returns the hits that match. This integration supports the Lucene, Query DSL, and EQL query languages.

The following actions are available:

  • Query Index

This app can be found in the ThreatConnect App Catalog under the name: Elasticsearch


Built By ThreatConnect
