Elastic Kibana 8 Security
Introduction

This guide explains how to authenticate the Elastic Kibana 8 – Security connector in Swimlane using one of the supported authentication methods. You will configure Elastic API access, collect the required credentials, and configure the connector asset in Swimlane.

Prerequisites

Elastic access requirements

You must have administrative access in Elastic in order to:
- Access the Kibana Security API endpoint
- Generate API keys (Elastic Cloud or self-managed)
- Create or manage users with appropriate roles
- Assign permissions for cases, detections, timelines, and endpoint actions

Required credentials

During setup you will collect one of the following credential sets, depending on the authentication method used.

API key authentication (Elastic Cloud or self-managed):
- Kibana URL
- Elastic API key

HTTP basic authentication (on-premises / self-managed):
- Kibana URL
- Username
- Password

Authentication methods overview

The Elastic Kibana 8 – Security connector supports the following authentication methods:
- API key authentication (recommended for Elastic Cloud)
- HTTP basic authentication (commonly used for on-premises deployments)

Elastic setup

The Elastic authentication steps differ slightly depending on whether you are connecting to Elastic Cloud or to an on-premises Kibana deployment.

Generating an API key (Elastic Cloud / API key authentication)

Take the following steps to generate an API key in Kibana:
1. Log in to Kibana with an administrator account.
2. Open the main menu and navigate to Stack Management → Security → API keys.
3. Click Create API key.
4. Provide the following:
   - Key name (example: swimlane-turbine-connector)
   - Expiration (optional)
   - Role privileges (must include Security access)
5. Click Create API key.
6. Copy the generated key immediately; the secret cannot be retrieved again later.

Elastic Cloud API key formatting requirement

If your API key was generated from within the Elastic Cloud portal, you may need to reformat it before using it in Swimlane. Run the following command to decode the key:

    echo "<base64 value>==" | base64 -d

This produces a value similar to:

    id:api_key_secret

Then encode it again. Use echo -n so that no trailing newline is included in the encoded value; a newline encoded into the key causes authentication to fail:

    echo -n "id:api_key_secret" | base64

This final encoded value is the API key format required by Swimlane.

Creating a user for basic authentication (on-premises)

Take the following steps if using HTTP basic authentication:
1. Log in to Kibana as an administrator.
2. Navigate to Stack Management → Security → Users.
3. Click Create user.
4. Assign roles that allow access to Elastic Security features, such as:
   - superuser (full access)
   - kibana_admin
   - Security-specific roles for cases and detections
   For a service account, prefer a dedicated role limited to the Security features the connector uses over superuser.
5. Set a strong password and save the user.

Connector configuration in Swimlane

Take the following steps to configure the Elastic Kibana 8 – Security connector asset in Swimlane:
1. Log in to Turbine.
2. From the left-hand navigation pane, click Orchestration → Assets.
3. Click the plus icon to open the Configure Your Connector Asset window.
4. Select Elastic Kibana 8 – Security from the asset type list.
5. Fill in the asset settings and asset input for the chosen authentication method, as described below.
6. Click Create.

Configuration – API key authentication

Use this method for Elastic Cloud or when API keys are preferred. Configure the following asset settings:
- URL: the Kibana URL
- X-ApiKey: the encoded Elastic API key

Configuration – HTTP basic authentication

Use this method for self-managed Kibana deployments. Configure the following asset settings:
- URL: the Kibana URL, formatted as <kibana_host>:<port>
- Username
- Password

Connecting to Elastic Cloud vs on-premises

Elastic Cloud requirements

When using Elastic Cloud, you must configure:
- URL
- X-ApiKey

API key authentication is strongly recommended.

On-premises requirements

When connecting to an on-premises deployment:
- The URL must be formatted as <kibana_host>:<port>.
- You must configure URL, Username, and Password.

Troubleshooting

If authentication fails, verify the following.

Invalid API key
- Ensure the API key is active and not expired.
- Confirm it has sufficient privileges for the Elastic Security APIs.
- If generated from Elastic Cloud, ensure it was encoded correctly (base64 of id:api_key_secret, with no trailing newline).

Host URL errors
- If you receive a host validation error, remove trailing slashes from the URL.

403 Forbidden errors
- A 403 response usually means insufficient permissions. Confirm the API key or user role includes access to:
  - Cases
  - Detections
  - Timelines
  - Endpoint actions

Sources

Elastic Security API documentation (8.10): https://www.elastic.co/guide/en/security/current/security-api-overview.html

Result

You have successfully authenticated the Elastic Kibana 8 – Security connector in Swimlane using API key authentication or HTTP basic authentication.
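The following Python script is an added example for this guide (it is not Swimlane or Elastic code). It performs offline the API key reformatting step and the URL check from the Troubleshooting section: it decodes an encoded key, verifies that it has the id:api_key shape, flags the trailing newline that echo without -n would have encoded into it, strips trailing slashes from the Kibana URL, and builds the Authorization header Kibana itself accepts, so the credentials can be tested with a plain HTTP client before they are entered in the asset. The sample id/api_key pair and hostnames are constructed values, and defaulting a bare host:port to https is an assumption of the example, not a Swimlane rule.

```python
"""Offline checks for the two values the connector asset needs: a correctly
encoded Elastic API key and a Kibana URL with no trailing slash.
Added example for this guide; not Swimlane or Elastic code."""
import base64
import binascii
from urllib.parse import urlsplit, urlunsplit

# Sample id / api_key pair, constructed for this example (not a real credential).
SAMPLE_ID = "VuaCfGcBCdbkQm-e5aOx"
SAMPLE_SECRET = "ui2lp2axTNmsyakw9tvNnw"


def decode_api_key(encoded):
    """Reverse the guide's `echo ... | base64 -d` step and validate the result.

    Returns (id, api_key). Raises ValueError when the value is not base64 of
    'id:api_key', including the common mistake of re-encoding with `echo`
    instead of `echo -n`, which bakes a newline into the key.
    """
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("API key is not valid base64") from exc
    if raw.endswith(("\n", "\r")):
        raise ValueError("API key was encoded with a trailing newline; re-encode with echo -n")
    key_id, sep, secret = raw.partition(":")
    if not sep or not key_id or not secret:
        raise ValueError("decoded API key is not of the form id:api_key")
    return key_id, secret


def encode_api_key(key_id, secret):
    """The guide's `echo -n "id:api_key" | base64` step: no trailing newline."""
    return base64.b64encode(f"{key_id}:{secret}".encode("ascii")).decode("ascii")


def normalize_api_key(value):
    """Return the encoded key Swimlane expects, whether the operator pasted the
    already-encoded value or the raw 'id:api_key' pair."""
    value = value.strip()
    try:
        key_id, secret = decode_api_key(value)
    except ValueError:
        # Not decodable: maybe it is the raw id:api_key pair rather than base64.
        key_id, sep, secret = value.partition(":")
        if not sep or not key_id or not secret:
            raise  # keep the more specific error from decode_api_key
    return encode_api_key(key_id, secret)


def normalize_kibana_url(url, default_scheme="https"):
    """Produce the value for the asset's URL field: scheme://<kibana_host>:<port>
    with trailing slashes removed (the cause of the 'host validation error').
    A bare host:port gets `default_scheme` prepended; that default is an
    assumption of this example."""
    url = url.strip()
    if "://" not in url:
        url = f"{default_scheme}://{url}"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("Kibana URL must look like https://<kibana_host>:<port>")
    if parts.query or parts.fragment:
        raise ValueError("Kibana URL must not carry a query string or fragment")
    return urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/"), "", ""))


def elastic_auth_headers(method, **creds):
    """Headers Kibana accepts for each connector method, for testing the
    credentials with curl or requests before entering them in Swimlane:
    `Authorization: ApiKey <encoded>` or `Authorization: Basic <base64 user:pw>`.
    Kibana requires `kbn-xsrf` on non-GET requests, so it is always included."""
    if method == "api_key":
        auth = "ApiKey " + normalize_api_key(creds["api_key"])
    elif method == "basic":
        token = base64.b64encode(f"{creds['username']}:{creds['password']}".encode()).decode()
        auth = "Basic " + token
    else:
        raise ValueError(f"unsupported authentication method: {method!r}")
    return {"Authorization": auth, "kbn-xsrf": "true"}


if __name__ == "__main__":
    encoded = encode_api_key(SAMPLE_ID, SAMPLE_SECRET)
    print("encoded key:", encoded)
    print("decoded back:", decode_api_key(encoded))
    print("url:", normalize_kibana_url("https://kibana.example.com:5601/"))
    print(elastic_auth_headers("api_key", api_key=encoded))
```

Run normalize_api_key on the value you intend to paste into the X-ApiKey field and normalize_kibana_url on the URL field; a ValueError from either points at the exact problem the Troubleshooting section describes (bad encoding, trailing newline, trailing slash) before Swimlane reports a generic authentication failure.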