ElasticSearch is a distributed, RESTful search and analytics engine capable of solving a number of use cases. This connector facilitates automated operations to execute lucene query, get mapping and cluster details.
This document provides information about the ElasticSearch Connector, which facilitates automated interactions, with a ElasticSearch server using FortiSOAR™ playbooks. Add the ElasticSearch Connector as a step in FortiSOAR™ playbooks and perform automated operations with ElasticSearch.
Connector Version: 4.0.0
FortiSOAR™ Version Tested on: 7.6.1-5275
ElasticSearch Version Tested on: 8.17.4
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the ElasticSearch Connector in version 4.0.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-elasticsearch
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the ElasticSearch connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | The FQDN or IP address of the ElasticSearch server to which you will connect and perform the automated operations. |
| Protocol | The Protocol used to connect to the ElasticSearch server remotely. Choose between HTTP or HTTPS. By default, HTTPS is used. |
| Username | The Username to access the ElasticSearch server to which you will connect and perform the automated operations. |
| Password | The Password to access the ElasticSearch server to which you will connect and perform the automated operations. |
| Port | The Port number that is used to connect to the ElasticSearch server By default, this is set to 9200. |
| Maximum Retries | The maximum number of retries that the connector will make to connect to the ElasticSearch server in the case of network issues. By default, the connection timeout default value is set as 30 seconds. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Cluster Details | Retrieves cluster details and the health information about the cluster configured on your ElasticSearch instance, based on the index you have specified. | get_cluster_details Investigation |
| Get Mapping | Retrieves a list of indices, which includes the type of indices that are currently configured on your ElasticSearch instance. | get_mapping Investigation |
| Execute Query | Executes a query and fetches data from your ElasticSearch instance, based on the input filters. | execute_query Investigation |
| Execute Lucene Query | Executes a search query without using Elastic's DSL Query Syntax. An example query to search for the term phishing in documents where the status field is set to 200 would look like this: phishing AND status:200 |
execute_lucene_query Investigation |
| Get Saved Search | Retrieves details of saved searches from ElasticSearch or Kibana. | get_saved_search Investigation |
| Get Alerts List | Retrieves a list of alerts from ElasticSearch/Kibana based on the time range, query, and other filter criteria that you have specified. | get_alerts_list Investigation |
| Set Alert Status | Sets the status of an alert in ElasticSearch/Kibana based on the status to set, alert ID, and other input parameters that you have specified. | set_alert_status Investigation |
| Apply Alert Tags | Adds or removes alert tags in ElasticSearch/Kibana based on the alert ID, tags to add or remove, and other input parameters that you have specified. | apply_alert_tags Investigation |
| Assign or Unassign Users from Alerts | Adds or removes users assigned to an alert in ElasticSearch/Kibana based on the alert ID, users to add or remove, and other input parameters that you have specified. | assign_unassign_users_from_alert Investigation |
| Parameter | Description |
|---|---|
| Index | Specify a particular index whose cluster details you want to retrieve from ElasticSearch. An index is a logical namespace that maps to one or more primary shards and can have zero or more replica shards. |
| Run As User | Specify the user being impersonated for retrieving cluster details. Run As User is a kind of delegation of an account, i.e., the account access is delegated to a different account or an admin account. For example, User X takes on the role of User Y with the help of the run as user mechanism. |
The output contains the following populated JSON schema:
{
"cluster_details": {
"routing_nodes": {},
"metadata": {},
"cluster_name": "",
"version": "",
"master_node": "",
"routing_table": {},
"state_uuid": "",
"nodes": {},
"blocks": {},
"snapshots": {}
}
}
| Parameter | Description |
|---|---|
| Index | Specify a particular index whose indices you want to retrieve from ElasticSearch. An index is a logical namespace that maps to one or more primary shards and can have zero or more replica shards. To search for all indices, which are currently configured on your ElasticSearch instance, use _all. |
| Type | Specify the type of indices for which you want to retrieve details. A Type in ElasticSearch represents a class of similar documents. |
| Run As User | Specify the user being impersonated for retrieving indices. Run As User is a kind of delegation of an account, i.e., the account access is delegated to a different account or an admin account. For example, User X takes on the role of User Y with the help of the run as user mechanism. |
The output contains the following populated JSON schema:
{
"mapping": {}
}
| Parameter | Description |
|---|---|
| Query | Specify a stringified JSON formatted query used for searching data in ElasticSearch. For example: {"id": "template_1", "params": {"query_string": "search for these words" }} |
| Index | Specify a particular index, based on which you want to run the query. An index is a logical namespace that maps to one or more primary shards and can have zero or more replica shards. |
| Type | Specify the type of indices, based on which you want to run the query. Type in ElasticSearch represents a class of similar documents. |
| Routing | Specify the name of the shard for which you want to retrieve data. |
| Run As User | Specify the user being impersonated for executing the query. Run As User is a kind of delegation of an account, i.e., the account access is delegated to a different account or an admin account. For example, User X takes on the role of User Y with the help of the run as user mechanism. |
The output contains the following populated JSON schema:
{
"_shards": "",
"took": "",
"hits": "",
"aggregations": "",
"timed_out": ""
}
| Parameter | Description |
|---|---|
| Query | Specify a single-line Lucene query used for searching data in ElasticSearch. For example: EventID: "1" AND ParentImage: "C:\Program Files\*" |
| Index | Specify a particular index based on which you want to run the query. An index is a logical namespace that maps to one or more primary shards and can have zero or more replica shards. |
| Run As User | Specify the user being impersonated for executing the query. Run As User is a kind of delegation of an account, i.e., the account access is delegated to a different account or an admin account. For example, User X takes on the role of User Y with the help of the run as user mechanism. |
The output contains the following populated JSON schema:
{
"_shards": "",
"took": "",
"hits": "",
"aggregations": "",
"timed_out": ""
}
| Parameter | Description |
|---|---|
| Object ID | Specify the ID of the object whose saved search details you want to retrieve from ElasticSearch or Kibana. |
| Port | Specify the port of the Kibana server from which you want to retrieve details of the saved searches. |
The output contains the following populated JSON schema:
{
"version": "",
"id": "",
"updated_at": "",
"type": "",
"attributes": {}
}
| Parameter | Description |
|---|---|
| Start Time | Specify the start date and time from when to retrieve the list of alerts from ElasticSearch/Kibana. |
| End Time | Specify the end date and time till when to retrieve the list of alerts from ElasticSearch/Kibana |
| Query | (Optional) Specify Query DSL (Domain Specific Language) that determines which results are returned from ElasticSearch. For example: {"query": {"bool": {"filter": [{"match": {"signal.status": "in-progress"}},{"range": {"signal.rule.risk_score": {"gte": 70}}}]}}} |
| Limit | (Optional) Specify the maximum count of records to retrieve from the ElasticSearch/Kibana server. Default is 10 and minimum value is 0. |
| Port | (Optional) Specify the port of the ElasticSearch/Kibana server from which to retrieve details of the alerts. |
The output contains the following populated JSON schema:
{
"took": "",
"timed_out": "",
"_shards": {
"total": "",
"successful": "",
"skipped": "",
"failed": ""
},
"hits": {
"total": {
"value": "",
"relation": ""
},
"max_score": "",
"hits": []
},
"aggregations": {
"oldest": {
"value": "",
"value_as_string": ""
},
"latest": {
"value": "",
"value_as_string": ""
}
}
}
| Parameter | Description |
|---|---|
| Status | Specify the status which needs to be set to alert in ElasticSearch/Kibana. For example: open, acknowledged or closed. |
| Alert ID | (Optional) Specify the Alert IDs whose saved status to be set in ElasticSearch/Kibana. Specify when not passed in query field. |
| Query | (Optional) Specify query DSL that determines which alerts are updated in ElasticSearch. For example: {"bool": {"filter": [{"range": {"signal.rule.risk_score":{"lte": 20}}},{"range": {"@timestamp": {"lte": "now-M"}}}]}}. Specify when not passed in Alert ID field. |
| Port | (Optional) Specify the port of the Kibana server from which you want to set the status of the Alert. |
The output contains the following populated JSON schema:
{
"took": "",
"timed_out": "",
"total": "",
"updated": "",
"deleted": "",
"batches": "",
"version_conflicts": "",
"noops": "",
"retries": {
"bulk": "",
"search": ""
},
"throttled_millis": "",
"requests_per_second": "",
"throttled_until_millis": "",
"failures": []
}
| Parameter | Description |
|---|---|
| Alert ID | Specify the Alert IDs to which the tags to be set in ElasticSearch/Kibana. |
| Tags to Add | (Optional) Specify the tag which needs to be added to alert in ElasticSearch/Kibana. For example: False Positive. |
| Tags to Remove | (Optional) Specify the tag which needs to be removed from alert in ElasticSearch/Kibana. For example: Further Investigation Required. |
| Port | (Optional) Specify the port of the Kibana server from which you want to apply tags to the Alert. |
The output contains the following populated JSON schema:
{
"took": "",
"errors": "",
"items": [
{
"update": {
"_index": "",
"_id": "",
"_version": "",
"result": "",
"_shards": {
"total": "",
"successful": "",
"failed": ""
},
"_seq_no": "",
"_primary_term": "",
"status": ""
}
}
]
}
| Parameter | Description |
|---|---|
| Alert ID | Specify the Alert IDs to which the users to be assigned or unassigned in ElasticSearch/Kibana. |
| Assign User | (Optional) Specify a user ID to assign to an alert in ElasticSearch/Kibana. You can specify multiple comma-separated user IDs to assign to an alert. |
| Unassign User | (Optional) Specify a user ID to unassign to an alert in ElasticSearch/Kibana. You can specify multiple comma-separated user IDs to unassign from an alert. |
| Port | (Optional) Specify the port of the Kibana server from which to assign and unassign user from Alert. |
The output contains the following populated JSON schema:
{
"took": "",
"timed_out": "",
"total": "",
"updated": "",
"deleted": "",
"batches": "",
"version_conflicts": "",
"noops": "",
"retries": {
"bulk": "",
"search": ""
},
"throttled_millis": "",
"requests_per_second": "",
"throttled_until_millis": "",
"failures": []
}
The Sample - ElasticSearch - 4.0.0 playbook collection comes bundled with the ElasticSearch connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ElasticSearch connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts from ElasticSearch. Currently, alerts ingested from ElasticSearch is mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming ElasticSearch alerts to FortiSOAR™'s Alerts.
The Data Ingestion Wizard helps you to configure the scheduled pulling of data from ElasticSearch into FortiSOAR™. It also lets you pull some sample data from ElasticSearch using which you can define the mapping of data between ElasticSearch and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the alerts.
To begin configuring data ingestion, click Configure Data Ingestion on the ElasticSearch connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Data screen.
Sample data is required to create a field mapping between ElasticSearch data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch alerts from ElasticSearch.
Users can filter retrieved alerts by selecting the time since when to retrieve the alerts in the Fetch Alerts Since field, status of the alerts in the Status, and the maximum records to fetch in the Maximum Records to Fetch field. For example, if you choose open as Status and maximum record count as 100, then 100 alerts with the Status open are retrieved from the ElasticSearch/Kibana server.
The fetched data is used to create a mapping between the alerts from ElasticSearch and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of the ingested ElasticSearch alerts to the fields of a Alerts present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the uuid parameter of an ingested alert from ElasticSearch to the value parameter of a FortiSOAR™ Alert, click the Value field and then click the uuid field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to alerts, so that the content gets pulled from the alerts integration into FortiSOAR™
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from ElasticSearch every 5 minutes, click Every X Minute, and in the minute box enter */5. This means that the Threat Intelligence Feeds will be pulled from alerts every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
ElasticSearch is a distributed, RESTful search and analytics engine capable of solving a number of use cases. This connector facilitates automated operations to execute lucene query, get mapping and cluster details.
This document provides information about the ElasticSearch Connector, which facilitates automated interactions, with a ElasticSearch server using FortiSOAR™ playbooks. Add the ElasticSearch Connector as a step in FortiSOAR™ playbooks and perform automated operations with ElasticSearch.
Connector Version: 4.0.0
FortiSOAR™ Version Tested on: 7.6.1-5275
ElasticSearch Version Tested on: 8.17.4
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the ElasticSearch Connector in version 4.0.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-elasticsearch
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the ElasticSearch connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | The FQDN or IP address of the ElasticSearch server to which you will connect and perform the automated operations. |
| Protocol | The Protocol used to connect to the ElasticSearch server remotely. Choose between HTTP or HTTPS. By default, HTTPS is used. |
| Username | The Username to access the ElasticSearch server to which you will connect and perform the automated operations. |
| Password | The Password to access the ElasticSearch server to which you will connect and perform the automated operations. |
| Port | The Port number that is used to connect to the ElasticSearch server By default, this is set to 9200. |
| Maximum Retries | The maximum number of retries that the connector will make to connect to the ElasticSearch server in the case of network issues. By default, the connection timeout default value is set as 30 seconds. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Cluster Details | Retrieves cluster details and the health information about the cluster configured on your ElasticSearch instance, based on the index you have specified. | get_cluster_details Investigation |
| Get Mapping | Retrieves a list of indices, which includes the type of indices that are currently configured on your ElasticSearch instance. | get_mapping Investigation |
| Execute Query | Executes a query and fetches data from your ElasticSearch instance, based on the input filters. | execute_query Investigation |
| Execute Lucene Query | Executes a search query without using Elastic's DSL Query Syntax. An example query to search for the term phishing in documents where the status field is set to 200 would look like this: phishing AND status:200 |
execute_lucene_query Investigation |
| Get Saved Search | Retrieves details of saved searches from ElasticSearch or Kibana. | get_saved_search Investigation |
| Get Alerts List | Retrieves a list of alerts from ElasticSearch/Kibana based on the time range, query, and other filter criteria that you have specified. | get_alerts_list Investigation |
| Set Alert Status | Sets the status of an alert in ElasticSearch/Kibana based on the status to set, alert ID, and other input parameters that you have specified. | set_alert_status Investigation |
| Apply Alert Tags | Adds or removes alert tags in ElasticSearch/Kibana based on the alert ID, tags to add or remove, and other input parameters that you have specified. | apply_alert_tags Investigation |
| Assign or Unassign Users from Alerts | Adds or removes users assigned to an alert in ElasticSearch/Kibana based on the alert ID, users to add or remove, and other input parameters that you have specified. | assign_unassign_users_from_alert Investigation |
| Parameter | Description |
|---|---|
| Index | Specify a particular index whose cluster details you want to retrieve from ElasticSearch. An index is a logical namespace that maps to one or more primary shards and can have zero or more replica shards. |
| Run As User | Specify the user being impersonated for retrieving cluster details. Run As User is a kind of delegation of an account, i.e., the account access is delegated to a different account or an admin account. For example, User X takes on the role of User Y with the help of the run as user mechanism. |
The output contains the following populated JSON schema:
{
"cluster_details": {
"routing_nodes": {},
"metadata": {},
"cluster_name": "",
"version": "",
"master_node": "",
"routing_table": {},
"state_uuid": "",
"nodes": {},
"blocks": {},
"snapshots": {}
}
}
| Parameter | Description |
|---|---|
| Index | Specify a particular index whose indices you want to retrieve from ElasticSearch. An index is a logical namespace that maps to one or more primary shards and can have zero or more replica shards. To search for all indices, which are currently configured on your ElasticSearch instance, use _all. |
| Type | Specify the type of indices for which you want to retrieve details. A Type in ElasticSearch represents a class of similar documents. |
| Run As User | Specify the user being impersonated for retrieving indices. Run As User is a kind of delegation of an account, i.e., the account access is delegated to a different account or an admin account. For example, User X takes on the role of User Y with the help of the run as user mechanism. |
The output contains the following populated JSON schema:
{
"mapping": {}
}
| Parameter | Description |
|---|---|
| Query | Specify a stringified JSON formatted query used for searching data in ElasticSearch. For example: {"id": "template_1", "params": {"query_string": "search for these words" }} |
| Index | Specify a particular index, based on which you want to run the query. An index is a logical namespace that maps to one or more primary shards and can have zero or more replica shards. |
| Type | Specify the type of indices, based on which you want to run the query. Type in ElasticSearch represents a class of similar documents. |
| Routing | Specify the name of the shard for which you want to retrieve data. |
| Run As User | Specify the user being impersonated for executing the query. Run As User is a kind of delegation of an account, i.e., the account access is delegated to a different account or an admin account. For example, User X takes on the role of User Y with the help of the run as user mechanism. |
The output contains the following populated JSON schema:
{
"_shards": "",
"took": "",
"hits": "",
"aggregations": "",
"timed_out": ""
}
| Parameter | Description |
|---|---|
| Query | Specify a single-line Lucene query used for searching data in ElasticSearch. For example: EventID: "1" AND ParentImage: "C:\Program Files\*" |
| Index | Specify a particular index based on which you want to run the query. An index is a logical namespace that maps to one or more primary shards and can have zero or more replica shards. |
| Run As User | Specify the user being impersonated for executing the query. Run As User is a kind of delegation of an account, i.e., the account access is delegated to a different account or an admin account. For example, User X takes on the role of User Y with the help of the run as user mechanism. |
The output contains the following populated JSON schema:
{
"_shards": "",
"took": "",
"hits": "",
"aggregations": "",
"timed_out": ""
}
| Parameter | Description |
|---|---|
| Object ID | Specify the ID of the object whose saved search details you want to retrieve from ElasticSearch or Kibana. |
| Port | Specify the port of the Kibana server from which you want to retrieve details of the saved searches. |
The output contains the following populated JSON schema:
{
"version": "",
"id": "",
"updated_at": "",
"type": "",
"attributes": {}
}
| Parameter | Description |
|---|---|
| Start Time | Specify the start date and time from when to retrieve the list of alerts from ElasticSearch/Kibana. |
| End Time | Specify the end date and time till when to retrieve the list of alerts from ElasticSearch/Kibana |
| Query | (Optional) Specify Query DSL (Domain Specific Language) that determines which results are returned from ElasticSearch. For example: {"query": {"bool": {"filter": [{"match": {"signal.status": "in-progress"}},{"range": {"signal.rule.risk_score": {"gte": 70}}}]}}} |
| Limit | (Optional) Specify the maximum count of records to retrieve from the ElasticSearch/Kibana server. Default is 10 and minimum value is 0. |
| Port | (Optional) Specify the port of the ElasticSearch/Kibana server from which to retrieve details of the alerts. |
The output contains the following populated JSON schema:
{
"took": "",
"timed_out": "",
"_shards": {
"total": "",
"successful": "",
"skipped": "",
"failed": ""
},
"hits": {
"total": {
"value": "",
"relation": ""
},
"max_score": "",
"hits": []
},
"aggregations": {
"oldest": {
"value": "",
"value_as_string": ""
},
"latest": {
"value": "",
"value_as_string": ""
}
}
}
| Parameter | Description |
|---|---|
| Status | Specify the status which needs to be set to alert in ElasticSearch/Kibana. For example: open, acknowledged or closed. |
| Alert ID | (Optional) Specify the Alert IDs whose saved status to be set in ElasticSearch/Kibana. Specify when not passed in query field. |
| Query | (Optional) Specify query DSL that determines which alerts are updated in ElasticSearch. For example: {"bool": {"filter": [{"range": {"signal.rule.risk_score":{"lte": 20}}},{"range": {"@timestamp": {"lte": "now-M"}}}]}}. Specify when not passed in Alert ID field. |
| Port | (Optional) Specify the port of the Kibana server from which you want to set the status of the Alert. |
The output contains the following populated JSON schema:
{
"took": "",
"timed_out": "",
"total": "",
"updated": "",
"deleted": "",
"batches": "",
"version_conflicts": "",
"noops": "",
"retries": {
"bulk": "",
"search": ""
},
"throttled_millis": "",
"requests_per_second": "",
"throttled_until_millis": "",
"failures": []
}
| Parameter | Description |
|---|---|
| Alert ID | Specify the Alert IDs to which the tags to be set in ElasticSearch/Kibana. |
| Tags to Add | (Optional) Specify the tag which needs to be added to alert in ElasticSearch/Kibana. For example: False Positive. |
| Tags to Remove | (Optional) Specify the tag which needs to be removed from alert in ElasticSearch/Kibana. For example: Further Investigation Required. |
| Port | (Optional) Specify the port of the Kibana server from which you want to apply tags to the Alert. |
The output contains the following populated JSON schema:
{
"took": "",
"errors": "",
"items": [
{
"update": {
"_index": "",
"_id": "",
"_version": "",
"result": "",
"_shards": {
"total": "",
"successful": "",
"failed": ""
},
"_seq_no": "",
"_primary_term": "",
"status": ""
}
}
]
}
| Parameter | Description |
|---|---|
| Alert ID | Specify the Alert IDs to which the users to be assigned or unassigned in ElasticSearch/Kibana. |
| Assign User | (Optional) Specify a user ID to assign to an alert in ElasticSearch/Kibana. You can specify multiple comma-separated user IDs to assign to an alert. |
| Unassign User | (Optional) Specify a user ID to unassign to an alert in ElasticSearch/Kibana. You can specify multiple comma-separated user IDs to unassign from an alert. |
| Port | (Optional) Specify the port of the Kibana server from which to assign and unassign user from Alert. |
The output contains the following populated JSON schema:
{
"took": "",
"timed_out": "",
"total": "",
"updated": "",
"deleted": "",
"batches": "",
"version_conflicts": "",
"noops": "",
"retries": {
"bulk": "",
"search": ""
},
"throttled_millis": "",
"requests_per_second": "",
"throttled_until_millis": "",
"failures": []
}
The Sample - ElasticSearch - 4.0.0 playbook collection comes bundled with the ElasticSearch connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the ElasticSearch connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts from ElasticSearch. Currently, alerts ingested from ElasticSearch is mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming ElasticSearch alerts to FortiSOAR™'s Alerts.
The Data Ingestion Wizard helps you to configure the scheduled pulling of data from ElasticSearch into FortiSOAR™. It also lets you pull some sample data from ElasticSearch using which you can define the mapping of data between ElasticSearch and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the alerts.
To begin configuring data ingestion, click Configure Data Ingestion on the ElasticSearch connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Data screen.
Sample data is required to create a field mapping between ElasticSearch data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch alerts from ElasticSearch.
Users can filter retrieved alerts by selecting the time since when to retrieve the alerts in the Fetch Alerts Since field, status of the alerts in the Status, and the maximum records to fetch in the Maximum Records to Fetch field. For example, if you choose open as Status and maximum record count as 100, then 100 alerts with the Status open are retrieved from the ElasticSearch/Kibana server.
The fetched data is used to create a mapping between the alerts from ElasticSearch and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of the ingested ElasticSearch alerts to the fields of a Alerts present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the uuid parameter of an ingested alert from ElasticSearch to the value parameter of a FortiSOAR™ Alert, click the Value field and then click the uuid field to populate its keys:
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to alerts, so that the content gets pulled from the alerts integration into FortiSOAR™
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from ElasticSearch every 5 minutes, click Every X Minute, and in the minute box enter */5. This means that the Threat Intelligence Feeds will be pulled from alerts every 5 minutes.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.