Enricher - Elasticsearch sightings#

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specifications

Enricher name

Elasticsearch sightings

Input

Domain, hashes (hash-md5, hash-sha1, hash-sha256, and hash-sha512), host, IP addresses (ipv4 and ipv6), and uri.

Output

Creates sightings from matching results returned from a search in an external Elasticsearch instance.

API endpoint

http://${elasticsearch_instance_url}:9200/${schema_resource}

Description

The Elasticsearch sightings enricher creates sightings from matching results returned from a search in an external Elasticsearch instance.

Configure the enricher parameters#

  1. Edit the enricher.

  2. From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the Elasticsearch sightings enricher.

  3. In the ElasticSearch URL field, enter the URL pointing to the external Elasticsearch instance you want to use as a source for the enricher, including the sub-resource pointing to the data mapping schema.
    Example: http://localhost:9200/default. In a usage scenario, you may want to obtain data from an external Elasticsearch instance that acts as a centralized log aggregator to check for correlations with the platform observables, indicators, and other entities.
    If it is possible to establish a relationship between Elasticsearch data and a platform entity, a sighting is automatically created.

  4. In the Username field, enter valid user name credentials to authenticate and to receive authorization to access the resource(s).

  5. In the Password field, enter valid password credentials to authenticate and to receive authorization to access the resource(s).

  6. From the Observable queries drop-down menu, select the observable type and the corresponding observable value the rule should look for.

    1. In the first input field, from the drop-down select the observable type the rule should look for.

    2. In the second input field, specify the observable value associated with the observable type that the rule should look for.
      You can use free text, wildcards, Elasticsearch query syntax as well as the {kind} and {value} placeholders to reference an observable type and value, respectively.
      When the query executes, the placeholders take the values from the input observable key ({kind}) and value ({value) pairs, respectively.
      Example:
      The *@{value} query searches for observable values matching the input observable values it is fed at runtime.

  7. Click + Add or + More to add a new filtering option.
    For example, to include in the search additional key/value pairs like IP addresses, hashes, or domains.

  8. In the Search results limit field, you can set a cap to limit the returned search results, so that the search result entries do not exceed a predefined amount.
    For example: 10.

  9. To store your changes, click Save; to discard them, click Cancel.