Elastic SIEM Integration
Written by Ali Murtaza

About Elastic SIEM

Elastic SIEM is the amalgamation of multiple services, including threat hunting, Security Operations Center (SOC) workflows, and automated detection. It leverages the ELK (Elasticsearch, Logstash, and Kibana) infrastructure to provide security analysts with enhanced speed and scalability. The SIEM solution also improves threat detection and response time.

Elastic SIEM and SIRP join forces to provide signal integration that accelerates threat identification and documentation. Bidirectional integration between SIRP SOAR and Elastic SIEM enables SOC teams to orchestrate and automate response actions through detailed, relevant, predefined playbooks, cutting the detection, investigation, and response period by 8x.

Supported Actions

SIRP’s Elastic SIEM integration app allows you to execute the following actions:

S.no   Action         Description
1      get_signals    Get signals from Elastic SIEM
2      close_signal   Close signals on specified IDs

Elastic SIEM Configuration

  • On the dashboard, open the Management section in the left navigation and click Stack Management.

  • Inside Stack Management, the Security section on the left contains the option to create users.

  • Click Users.

  • Click Create user on the right to add a new user.

  • Enter the information as follows:

    1. Username: <Username of new user>

    2. Password: <Password of new user>

    3. Full name: <Full name of new user>

    4. Email Address: <Email of new user>

    5. Roles: <Role allocated to new user>

  • Enable the user and verify its details in the Users tab.

SIRP Configuration

  • Log in to SIRP, then go to Apps from the left navigation bar.

  • Locate the app named Elastic SIEM.

  • Enable the Elastic SIEM app by clicking on the toggle button under the Status column.

  • As soon as you enable the app, you will get an option to add the configuration details. Add the following details and click Save:

    1. Host: <SIRP IP>

    2. Port: <Port from SIRP> (For on-prem use port 5601, for on-cloud use 9234)

    3. Username: <Username to Login Elastic SIEM>

    4. Password: <Password to Login Elastic SIEM>

Configuring the Ingestion Source

To configure Elastic SIEM's ingestion on SIRP:

  • Navigate to Administration > Automation > Ingestion Sources and click Add Ingestion Source.

  • Fill in the fields in the popup form as follows:

    • Ingestion Method: API

    • Format: JSON

    • Name: (This can be any string value to distinguish the ingestion source)

    • Ingestion Type: Incident (because we want to ingest alerts into our Incident Management module)

    • Is Auto Assign? : No (By default it is set to No)

    • Opened By: (not mandatory)

    • Applications: Elastic SIEM

    • Actions: GET SIGNALS

    • Source URL:

    • Query: (KQL search query from Elastic SIEM)

  • Click Update.

  • The last step after creating an ingestion source is mapping the data fields ingested from Elastic SIEM to the fields available in SIRP. Once the ingestion source is created, a new Update button appears when you click the ellipsis. Click it to configure the fields.

  • Configure the field mapping as shown in the screenshot below and click Save.

Once an alert is ingested, it appears as follows:

The alerts from Elastic SIEM are now integrated into SIRP and will be populated in the SOAR platform automatically. Signals can also be closed from SIRP in the same manner using the close_signal action.
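The two supported actions and the field-mapping step above can be seen end to end in the following Python example. It is added here for illustration and is not SIRP's or Elastic's own code: it builds the search request that a get_signals action would send, maps one signal into a flat incident record of the kind the SIRP field mapping expects, and builds the close_signal payload. The sample signal, the incident field names (title, severity, host, user, signal_id) and the use of an Elasticsearch query_string clause to carry the analyst's query are all assumptions made for the example; the page itself only states that the query is a KQL string. Nothing here connects to a server.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of one hit from Elastic SIEM's signals search.
# Field names follow the older "signal.*" alert schema; values are made up.
SAMPLE_SIGNAL_HIT = {
    "_id": "c0ffee0001",
    "_index": ".siem-signals-default-000001",
    "_source": {
        "@timestamp": "2024-05-01T10:15:00.000Z",
        "host": {"name": "ws-finance-07"},
        "user": {"name": "jdoe"},
        "signal": {
            "status": "open",
            "rule": {
                "name": "Suspicious PowerShell Encoded Command",
                "severity": "high",
                "risk_score": 73,
            },
        },
    },
}


def build_get_signals_body(query, status="open", lookback_minutes=15, size=100, now=None):
    """Request body for a get_signals action (assumed shape).

    The analyst's query from the ingestion source is wrapped in a
    query_string clause; a status filter and a bounded time window are
    added so that each poll only returns recent, still-open signals."""
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(minutes=lookback_minutes)
    return {
        "size": size,
        "query": {
            "bool": {
                "filter": [
                    {"term": {"signal.status": status}},
                    {"range": {"@timestamp": {"gte": start.isoformat(),
                                              "lte": now.isoformat()}}},
                ],
                "must": [{"query_string": {"query": query}}],
            }
        },
        "sort": [{"@timestamp": {"order": "desc"}}],
    }


def _dig(obj, path, default=None):
    """Safely read a dotted path such as 'signal.rule.name' from a hit."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def map_signal_to_incident(hit):
    """Flatten one signal hit into the incident fields that the SIRP
    field mapping step would populate (hypothetical field names).
    Missing source fields fall back to 'unknown' rather than failing,
    so a malformed signal never breaks the whole ingestion batch."""
    src = hit.get("_source", {})
    rule_name = _dig(src, "signal.rule.name", "Unnamed rule")
    host = _dig(src, "host.name", "unknown")
    return {
        "signal_id": hit.get("_id"),
        "title": f"{rule_name} on {host}",
        "severity": _dig(src, "signal.rule.severity", "unknown"),
        "risk_score": _dig(src, "signal.rule.risk_score", 0),
        "host": host,
        "user": _dig(src, "user.name", "unknown"),
        "detected_at": src.get("@timestamp"),
        "source": "Elastic SIEM",
    }


def build_close_signals_body(signal_ids):
    """Payload for a close_signal action on the given signal IDs
    (assumed shape). An empty ID list is rejected so that an accidental
    bulk close of 'everything matching' cannot be issued."""
    ids = [s for s in signal_ids if s]
    if not ids:
        raise ValueError("close_signal requires at least one signal ID")
    return {"signal_ids": ids, "status": "closed"}


if __name__ == "__main__":
    body = build_get_signals_body("signal.rule.severity:high")
    print(json.dumps(body, indent=2))
    incident = map_signal_to_incident(SAMPLE_SIGNAL_HIT)
    print(json.dumps(incident, indent=2))
    print(json.dumps(build_close_signals_body([incident["signal_id"]])))
```

Running the file prints the three JSON documents; in a real integration the first and third would be sent to the SIEM and the second would be what the SIRP field mapping turns into an incident.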
