
Elasticsearch Logstash Kibana Integration

  • Visit the Webhooks page in XDR Forensics,
  • Click the “+ New Webhook” button in the upper right corner,
  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
  • Select “Elasticsearch Logstash Kibana: Generic Elasticsearch Logstash Kibana” as the parser for this webhook,
  • Select the Acquisition Profile to run when ELK activates this webhook,
  • Select the Ignore option or leave it at its default value (defaults to 24 hours, suppressing recurrent alerts for the same endpoint),
  • Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption, or let XDR Forensics configure them automatically based on the matching policy,
  • Click the “Save” button.
  • Visit <ELK_Instance URL>/app/management/insightsAndAlerting/watcher/watches. On the right, click “Create”, then “Create advanced watch”.
  • Add an action part to your watcher.
  • Change the following fields in the JSON:
  1. Host: the XDR Forensics Server address,
  2. Port: the XDR Forensics Server port,
  3. Path: the full path of the webhook,
  4. Token: the token that you created in XDR Forensics Server,
  5. Body: the body must include either the endpoint hostname or the endpoint IP. The mapping must be customized to match the watcher payload itself.

```json
{
  "trigger": { "schedule": { "interval": "30m" } },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [ "*" ],
        "rest_total_hits_as_int": true,
        "body": { "size": 0, "query": { "match_all": {} } }
      }
    }
  },
  "condition": { "compare": { "ctx.payload.hits.total": { "gte": 10 } } },
  "actions": {
    "binalyzeAIR_webhook": {
      "webhook": {
        "scheme": "http",
        "host": "air-server-url",
        "port": 80,
        "method": "post",
        "path": "/api/webhook/NAME",
        "params": { "token": "9236a8a1-ffb9-4521-9947-3f46548916c0" },
        "headers": { "Content-Type": "application/json" },
        "body": """["{{ctx.payload.endpoint}}"]"""
      }
    }
  }
}
```

  • You can simulate the post request to learn if it’s working.
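The two steps that usually go wrong are the body mapping (step 5 above) and the simulated POST. The following added example, which is not vendor code, rebuilds offline what the watcher action sends: it takes a constructed `ctx.payload` (an Elasticsearch search response), extracts one hostname or IP per hit the way the webhook body expects, and assembles the URL with the token as a query parameter. The `host.name` / `host.ip` field names and the `simulate_post` helper are assumptions; adapt them to your index mapping.

```python
"""Offline check of the Watcher-payload-to-webhook mapping for the
XDR Forensics webhook action (added example, not vendor code)."""
import json
import urllib.request
from typing import List

# Constructed sample of ctx.payload as Watcher hands it to the action.
# The host.name / host.ip fields under _source are an assumption.
SAMPLE_PAYLOAD = {
    "hits": {
        "total": 12,
        "hits": [
            {"_source": {"host": {"name": "WS-0412", "ip": "10.0.5.17"}}},
            {"_source": {"host": {"name": "WS-0412", "ip": "10.0.5.17"}}},
            {"_source": {"host": {"ip": "10.0.7.3"}}},
            {"_source": {"event": {"action": "logon-failed"}}},
        ],
    }
}

def endpoints_from_payload(payload: dict) -> List[str]:
    """One hostname (preferred) or IP per hit; duplicates and hits
    without host data are dropped so the webhook body stays clean."""
    seen: List[str] = []
    for hit in payload.get("hits", {}).get("hits", []):
        host = hit.get("_source", {}).get("host", {})
        endpoint = host.get("name") or host.get("ip")
        if endpoint and endpoint not in seen:
            seen.append(endpoint)
    return seen

def build_request(payload, host, port, path, token, scheme="http"):
    """Return (url, body) as the watcher webhook action would send them:
    the token as a query parameter, the body a JSON array of endpoints."""
    url = f"{scheme}://{host}:{port}{path}?token={token}"
    body = json.dumps(endpoints_from_payload(payload))
    return url, body

def simulate_post(url: str, body: str, timeout: int = 10) -> int:
    """Send the simulated POST (assumed helper); returns the HTTP status."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status

if __name__ == "__main__":
    url, body = build_request(SAMPLE_PAYLOAD, "air-server-url", 80,
                              "/api/webhook/NAME", "<WEBHOOK_TOKEN>")
    print(url, body)  # fill in your server and token before calling simulate_post
```

Compare the printed body with what your watcher's `body` template renders; if the array is empty, the input search is not returning the host fields (note that `"size": 0` in the template above returns no hits at all).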

Please refer to the vendor’s documentation for more information.