With the Elastic Security integration, users can combine Kibana SIEM threat detection features with endpoint prevention and response capabilities. The Elastic Security integration consists of a Playbook app and a Service app, which allow customers to interact with the alert, case, and detection endpoints of the Elastic Security API; the Service app additionally retrieves detection alerts on a set schedule.
The following actions are available:
- Get Alert – Retrieve an alert by its alert ID.
- Update Alert Status – Update the status of an existing alert.
- Create Detection Rule – Create a new detection rule. Rules run periodically and search for source events or machine learning job anomaly scores that meet their criteria. When a rule’s criteria are met, a detection alert is created.
- Update Detection Rule – Update an existing detection rule’s fields.
- Delete Detection Rule – Delete a detection rule.
- Get Detection Rule – Retrieve a detection rule by its ID.
- Add Case Comment – Add a comment to an existing case.
- Create Case – Create a new case.
- List Cases – Return a list of all cases.
This app can be found in the ThreatConnect App Catalog under the name Elastic Security.
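As an added example (not code from ThreatConnect's app or from Elastic), the following minimal client shows the Elastic Security API calls behind the actions listed above: getting and updating an alert, creating, getting, updating and deleting a detection rule, and creating a case and commenting on it. Endpoint paths, required headers and field names follow Elastic's documented Kibana detection engine and cases APIs; the base URL and API key are placeholders, and the `send=False` dry-run mode (an assumption of this example, not an API feature) returns the prepared request instead of performing it so the mapping can be inspected offline. The ThreatConnect-side playbook wiring is not shown.

```python
"""Minimal Elastic Security (Kibana) API client covering the integration's actions.
Added example; endpoint paths follow Elastic's public API docs, everything else
(class name, dry-run mode, placeholder credentials) is illustrative."""
import json
import urllib.parse
import urllib.request

# Value sets enforced by the detection engine; validating them client-side
# turns a silent 400 from Kibana into a clear error before the request is made.
SEVERITIES = {"low", "medium", "high", "critical"}
ALERT_STATUSES = {"open", "acknowledged", "closed"}
CASES_OWNER = "securitySolution"  # Elastic Security cases live under this owner


class ElasticSecurityClient:
    def __init__(self, base_url, api_key, send=True):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.send = send  # False: return the prepared request (offline dry run)

    def _request(self, method, path, body=None):
        headers = {
            "Authorization": f"ApiKey {self.api_key}",
            "kbn-xsrf": "true",  # Kibana rejects state-changing calls without it
            "Content-Type": "application/json",
        }
        prepared = {"method": method, "url": self.base_url + path,
                    "headers": headers, "body": body}
        if not self.send:
            return prepared
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(prepared["url"], data=data,
                                     headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    # --- alerts -------------------------------------------------------
    def get_alert(self, alert_id):
        # Alerts are searched with an Elasticsearch query body; an ids query
        # fetches exactly one alert document by its _id.
        return self._request("POST", "/api/detection_engine/signals/search",
                             {"query": {"ids": {"values": [alert_id]}}})

    def update_alert_status(self, alert_ids, status):
        if status not in ALERT_STATUSES:
            raise ValueError(f"unknown alert status {status!r}")
        return self._request("POST", "/api/detection_engine/signals/status",
                             {"signal_ids": list(alert_ids), "status": status})

    # --- detection rules ----------------------------------------------
    def create_query_rule(self, name, query, index, severity, risk_score,
                          interval="5m", lookback="now-6m", description=""):
        """Create a KQL 'query' rule; it runs every `interval` and searches
        events from `lookback` (a date-math string) to now."""
        if severity not in SEVERITIES:
            raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
        if not 0 <= risk_score <= 100:
            raise ValueError("risk_score must be within 0..100")
        body = {"name": name, "description": description or name,
                "type": "query", "language": "kuery", "query": query,
                "index": list(index), "severity": severity,
                "risk_score": risk_score, "interval": interval,
                "from": lookback, "enabled": True}
        return self._request("POST", "/api/detection_engine/rules", body)

    def get_rule(self, rule_id):
        return self._request("GET", "/api/detection_engine/rules?id="
                             + urllib.parse.quote(rule_id, safe=""))

    def update_rule(self, rule_id, **fields):
        # PATCH changes only the supplied fields and leaves the rest intact
        return self._request("PATCH", "/api/detection_engine/rules",
                             {"id": rule_id, **fields})

    def delete_rule(self, rule_id):
        return self._request("DELETE", "/api/detection_engine/rules?id="
                             + urllib.parse.quote(rule_id, safe=""))

    # --- cases -------------------------------------------------------
    def create_case(self, title, description, tags=()):
        body = {"title": title, "description": description, "tags": list(tags),
                "owner": CASES_OWNER, "settings": {"syncAlerts": True},
                "connector": {"id": "none", "name": "none",
                              "type": ".none", "fields": None}}
        return self._request("POST", "/api/cases", body)

    def add_case_comment(self, case_id, comment):
        path = "/api/cases/" + urllib.parse.quote(case_id, safe="") + "/comments"
        return self._request("POST", path, {"type": "user", "comment": comment,
                                            "owner": CASES_OWNER})


if __name__ == "__main__":
    # Placeholder values; dry run so nothing is sent.
    c = ElasticSecurityClient("https://kibana.example.invalid", "PLACEHOLDER_KEY",
                              send=False)
    print(json.dumps(c.create_query_rule("Suspicious cmd.exe child", "process.parent.name: winword.exe and process.name: cmd.exe",
                                         ["logs-endpoint.events.process-*"], "high", 73), indent=2))
```

With `send=True` the same calls perform the requests and return Kibana's JSON response. A typical triage loop built from these pieces is: the scheduled Service app pulls new alerts, a playbook enriches them, opens a case with `create_case`, attaches context with `add_case_comment`, and finally moves the handled alerts to `closed` with `update_alert_status`.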