{
  "name": "elastic_security",
  "title": "Elastic Security",
  "version": "0.4.1",
  "release": "beta",
  "source": {
    "license": "Elastic-2.0"
  },
  "description": "Collect logs from an Elastic instance with Elastic Agent.",
  "type": "integration",
  "download": "/epr/elastic_security/elastic_security-0.4.1.zip",
  "path": "/package/elastic_security/0.4.1",
  "icons": [
    {
      "src": "/img/elastic-security-logo.svg",
      "path": "/package/elastic_security/0.4.1/img/elastic-security-logo.svg",
      "title": "Elastic Security Logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^9.1.1"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "siem"
  ],
  "signature_path": "/epr/elastic_security/elastic_security-0.4.1.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/elastic_security/0.4.1/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/elastic-security-alert-dashboard.png",
      "path": "/package/elastic_security/0.4.1/img/elastic-security-alert-dashboard.png",
      "title": "Elastic Security Alert Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/elastic_security/0.4.1/LICENSE.txt",
    "/package/elastic_security/0.4.1/changelog.yml",
    "/package/elastic_security/0.4.1/manifest.yml",
    "/package/elastic_security/0.4.1/validation.yml",
    "/package/elastic_security/0.4.1/docs/README.md",
    "/package/elastic_security/0.4.1/img/elastic-security-alert-dashboard.png",
    "/package/elastic_security/0.4.1/img/elastic-security-logo.svg",
    "/package/elastic_security/0.4.1/data_stream/alert/manifest.yml",
    "/package/elastic_security/0.4.1/data_stream/alert/sample_event.json",
    "/package/elastic_security/0.4.1/kibana/dashboard/elastic_security-0244c13b-8bad-4bbb-9208-dcda507d3ff2.json",
    "/package/elastic_security/0.4.1/kibana/search/elastic_security-8e2b58aa-a147-45d7-a70b-b4850d156ac2.json",
    "/package/elastic_security/0.4.1/data_stream/alert/fields/base-fields.yml",
    "/package/elastic_security/0.4.1/data_stream/alert/fields/beats.yml",
    "/package/elastic_security/0.4.1/data_stream/alert/fields/ecs.yml",
    "/package/elastic_security/0.4.1/data_stream/alert/fields/fields.yml",
    "/package/elastic_security/0.4.1/data_stream/alert/agent/stream/cel.yml.hbs",
    "/package/elastic_security/0.4.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "elastic_security",
      "title": "Elastic Security logs",
      "description": "Collect Elastic Security logs.",
      "inputs": [
        {
          "type": "cel",
          "title": "Collect Elastic Security events via API",
          "description": "Collect events from Elastic instance via API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "elastic_security.alert",
      "title": "Alert",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "auth_type",
              "type": "select",
              "title": "Authentication Type",
              "description": "Type of authentication to be used for the Elasticsearch API requests. See [documentation](https://www.elastic.co/docs/api/doc/elasticsearch/authentication) for details.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "api_auth"
            },
            {
              "name": "url",
              "type": "url",
              "title": "URL",
              "description": "URL of the Elasticsearch instance. Example `https://<host>:<port>`.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "username",
              "type": "text",
              "title": "[Basic Auth] Username",
              "description": "The username for the Elasticsearch instance, used with Basic Auth headers.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "password",
              "type": "password",
              "title": "[Basic Auth] Password",
              "description": "The password for the Elasticsearch instance, used with Basic Auth headers.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "api_key",
              "type": "password",
              "title": "[API Auth] API Key",
              "description": "The API key for the Elasticsearch instance, used with API Auth headers.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "bearer_token",
              "type": "password",
              "title": "[Bearer Auth] Bearer Token",
              "description": "The bearer token for the Elasticsearch instance, used with Bearer Auth headers.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "space_id",
              "type": "text",
              "title": "Space ID",
              "description": "Space ID of Kibana. By default, the \"default\" space is used. To fetch data from all spaces, specify `*`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "default"
            },
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull events from the Elasticsearch API. Supported units for this parameter are h/m/s. Example `72h`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Elasticsearch API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "batch_size",
              "type": "integer",
              "title": "Batch Size",
              "description": "Batch size for the response of the Elasticsearch API, with a default limit of 10000.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": 10000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "60s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. These trace files can contain sensitive data from the logged requests and responses, so enabling request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "elastic_security-alert"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
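              "description": "URL of the proxy to use for connections, in the form `http[s]://<user>:<password>@<server name/ip>:<port>`. The username and password must be URL-encoded. Because this is a text field rather than a password field, any credentials in the URL are shown in plain text.",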
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Elastic Security Alerts",
          "description": "Collect Alerts from Elastic Security.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "elastic_security",
      "path": "alert"
    }
  ]
}
