
Elastic Security

Creating the Service Connector

Before configuring Elastic Security, you must create the Elastic Security service connector in ActiveEye. To do so:

  1. Log into ActiveEye
  2. In the left-hand menu, navigate to Admin -> Service Connectors
  3. Click on Add Connector
  4. Scroll down to the Security Management category, then click Add Connection under Elastic Security
  5. Under Display Name, add a meaningful name, then select the appropriate Account Priority from the dropdown
  6. Click Add
  7. On the page you are redirected to, take note of the Event Ingestion URL; you will need it when configuring Elastic Security

Configuring Elastic Security

To configure Elastic Security to send its detection alerts to ActiveEye, do the following:

  1. Log into Kibana
  2. In the left-hand menu, navigate to Management -> Stack Management -> Rules and Connectors
  3. Click the Connectors tab, then click Create Connector
  4. Select Webhook as the Connector Type
  5. Enter a connector name and set the method to POST
  6. Set the URL to the Event Ingestion URL generated when setting up the service connector, and add an HTTP header named "key"
  7. Then open Alerts under the Security section
  8. Click Manage detection rules, then click the detection rule whose alerts you want to forward
  9. Click Edit rule settings and navigate to the Actions tab
  10. Set the Actions frequency to "on each execution" and select Webhook as the connector type
  11. Select the Webhook connector created earlier (e.g. ActiveEye API) and paste the following JSON into the body without modification. The triple braces around context.results_link are intentional: Mustache does not HTML-escape a triple-braced value, so the link is passed through unchanged.
     {
       "alertId": "{{alertId}}",
       "alertName": "{{alertName}}",
       "context.alerts": "{{context.alerts}}",
       "context.rule.description": "{{context.rule.description}}",
       "context.rule.severity": "{{context.rule.severity}}",
       "date": "{{date}}",
       "context.results_link": "{{{context.results_link}}}",
       "state.signals_count": "{{state.signals_count}}",
       "tags": "{{tags}}"
     }
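Before pointing the rule at the production Event Ingestion URL, it is worth confirming what Kibana actually posts: that the "key" header arrives, that the rendered body is still valid JSON (a quote or backslash in a rule description can break it), and that every field the template above produces is present. The following listener is an added example, not ActiveEye or Elastic code; it stands in for the Event Ingestion URL so a throwaway Webhook connector can be aimed at it. The port (8089), the handler and function names, the placeholder EXPECTED_KEY value, and the sample payload are all assumptions; the page does not state where the real "key" value comes from, so substitute your own.

```python
"""Local stand-in for the ActiveEye Event Ingestion URL.

Added example, not ActiveEye or Elastic code. Point a throwaway Kibana
Webhook connector at http://<this-host>:8089/ (hypothetical port), trigger
the rule, and check what Kibana actually posts before switching the
connector to the real Event Ingestion URL.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the value Kibana sends in the "key" header. The page does not
# state where the real value comes from; replace this placeholder.
EXPECTED_KEY = "replace-with-your-key"

# Top-level fields produced by the JSON body template in the rule action.
REQUIRED_FIELDS = (
    "alertId", "alertName", "context.alerts", "context.rule.description",
    "context.rule.severity", "date", "context.results_link",
    "state.signals_count", "tags",
)


def validate_payload(headers, raw_body):
    """Check one webhook delivery; return (http_status, reason).

    headers: any mapping with .get() (http.server's headers object or a dict).
    raw_body: the request body as bytes.
    """
    key = headers.get("key")
    if key is None:
        return 401, "missing key header"
    # Constant-time comparison so a wrong key cannot be probed byte by byte.
    if not hmac.compare_digest(key.encode("utf-8"), EXPECTED_KEY.encode("utf-8")):
        return 403, "wrong key"
    try:
        body = json.loads(raw_body)
    except (ValueError, UnicodeDecodeError):
        # A quote or backslash in a rule field that was not escaped by the
        # template rendering lands here as a broken body.
        return 400, "body is not valid JSON"
    if not isinstance(body, dict):
        return 400, "body is not a JSON object"
    missing = [f for f in REQUIRED_FIELDS if f not in body]
    if missing:
        return 422, "missing fields: " + ", ".join(missing)
    return 200, "ok"


class IngestionStandIn(BaseHTTPRequestHandler):
    """Accepts the POST the Webhook connector sends and reports what was wrong."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length)
        status, reason = validate_payload(self.headers, raw)
        self.log_message("%s %s %s", status, reason, raw[:200])
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"result": reason}).encode("utf-8"))


def sample_payload_bytes():
    """Constructed example of a rendered body (all values are made up).

    Every value is a string because the template wraps each placeholder in
    quotes; signals_count therefore arrives as "3", not 3.
    """
    return json.dumps({
        "alertId": "example-alert-id",
        "alertName": "Example rule",
        "context.alerts": "[]",
        "context.rule.description": "Constructed description",
        "context.rule.severity": "high",
        "date": "2024-01-01T00:00:00.000Z",
        "context.results_link": "https://kibana.example/app/security/alerts?x=1&y=2",
        "state.signals_count": "3",
        "tags": "example",
    }).encode("utf-8")


if __name__ == "__main__":
    # Assumption: port 8089 is free and reachable from the Kibana host.
    HTTPServer(("0.0.0.0", 8089), IngestionStandIn).serve_forever()
```

Run the script on a host the Kibana server can reach, create a second Webhook connector whose URL is this listener and whose "key" header matches EXPECTED_KEY, attach it to the rule, and watch the log line: a 400 means the rendered body is not parseable JSON and the template or the rule text needs attention, a 422 names the fields that did not arrive, and a 401/403 means the header is missing or wrong before anything else is checked. Once it reports 200 for a real alert, switch the rule back to the connector that targets the Event Ingestion URL.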