Activate and configure the Elasticsearch - Incident Enrichment integration

The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including Elasticsearch - Incident Enrichment integration.

Before you begin

Role required: admin
Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method.

Procedure

  1. Access Elasticsearch and obtain the API Base URL under your Elasticsearch profile.
  2. Navigate to Security Operations > Integrations > Integration Configurations.
    The available security integrations appear as a series of cards.
    (Figure: Elasticsearch - Incident Enrichment integration card)
  3. In the Elasticsearch - Incident Enrichment card, click Install Plugin.
  4. In the Install Elasticsearch integration dialog box, review the plugin details and click Activate.
  5. When the activation is complete, click Close & Reload Form.
    The Security Integration screen reloads and the Configure button for the integration is available.
  6. Click Configure.
  7. Enter the Elasticsearch API Base URL you acquired from the Elasticsearch site.
  8. [Optional] Enter the Link URL, a link to a Kibana instance, when one is available.
  9. Enter your Username.
  10. Enter your Password.
  11. Enter the Max Rows, the maximum number of rows you want to search.
  12. Enter the Earliest Result (days), how far back, in days, you want results to go.
  13. Click Submit.
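Before entering the values into the form, it helps to check them once against the cluster itself. The following pre-flight script is an added example written for this page; it is neither ServiceNow nor Elastic code, and it does not show how the integration queries Elasticsearch internally. It assumes that Max Rows and Earliest Result (days) map onto the `size` parameter and a `range` filter on a `@timestamp` field of a standard `_search` request (an assumption made for illustration), enforces an https Base URL so the username and password are never sent in clear text, and uses Elasticsearch's real `GET /` endpoint with HTTP basic authentication to confirm the credentials work. Host name, user and password in the `__main__` section are constructed placeholders.

```python
"""Pre-flight check for the Elasticsearch - Incident Enrichment form values.

Hypothetical helper (not ServiceNow or Elastic code): validates the API Base
URL, builds the _search body that the Max Rows / Earliest Result (days) fields
are assumed to correspond to, and optionally tests the credentials against
the cluster.
"""
import base64
import json
import urllib.request
from urllib.parse import urlparse


def validate_base_url(url: str) -> str:
    """Return the API Base URL without a trailing slash, or raise ValueError.

    Only https is accepted: the username and password entered in the form are
    sent as a basic-auth header on every request, so a plain http URL would
    leak them on the wire.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"API Base URL must be an https:// URL, got {url!r}")
    if parsed.username or parsed.password:
        raise ValueError("Put credentials in the Username/Password fields, not in the URL")
    return url.strip().rstrip("/")


def build_search_body(max_rows: int, earliest_days: int,
                      timestamp_field: str = "@timestamp") -> dict:
    """Build an Elasticsearch _search body mirroring the two numeric fields.

    Assumed mapping (illustration only): Max Rows -> 'size', Earliest Result
    (days) -> a 'range' filter on the timestamp field using date math.
    """
    # 10000 is Elasticsearch's default index.max_result_window; larger
    # 'size' values are rejected by the cluster unless that setting is raised.
    if not 1 <= max_rows <= 10000:
        raise ValueError("Max Rows must be between 1 and 10000")
    if earliest_days < 1:
        raise ValueError("Earliest Result (days) must be at least 1")
    return {
        "size": max_rows,
        "sort": [{timestamp_field: {"order": "desc"}}],
        "query": {
            "range": {timestamp_field: {"gte": f"now-{earliest_days}d/d", "lte": "now"}}
        },
    }


def basic_auth_header(username: str, password: str) -> str:
    """HTTP basic-auth header value for the configured Username/Password."""
    if not username or not password:
        raise ValueError("Username and Password must both be set")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_connection(base_url: str, username: str, password: str,
                     timeout: float = 5.0) -> dict:
    """GET / on the cluster with the form credentials (needs network access).

    Returns the cluster info document on success; raises urllib.error.HTTPError
    (401/403) when the credentials or the account's privileges are wrong.
    """
    req = urllib.request.Request(
        validate_base_url(base_url) + "/",
        headers={"Authorization": basic_auth_header(username, password),
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own before running.
    url = "https://elasticsearch.example.invalid:9200/"
    print(validate_base_url(url))
    print(json.dumps(build_search_body(max_rows=100, earliest_days=7), indent=2))
    try:
        info = check_connection(url, "enrichment-reader", "placeholder-password")
        print("connected to cluster:", info.get("cluster_name"))
    except Exception as exc:  # no network in this demo; report and continue
        print("connection check skipped/failed:", exc)
```

Use a dedicated read-only account for the Username and Password fields; the `check_connection` call will still succeed for such an account, and a 403 on later searches would indicate the account lacks read access to the indices the enrichment needs rather than a problem with the Base URL.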