# ElasticSearch V7

The Elasticsearch V7 connector allows users to manage and query documents within their Elasticsearch indices directly from Swimlane. Elasticsearch V7 is a powerful, open source search and analytics engine capable of handling a wide variety of use cases. By integrating with Swimlane Turbine, users can automate document creation, deletion, and complex search operations within Elasticsearch directly from the Swimlane platform. This connector streamlines security analytics by enabling rapid data manipulation and retrieval, enhancing incident response and threat hunting capabilities. The interaction with Elasticsearch V7 through Swimlane Turbine lets users leverage real-time search and indexing features to bolster their security posture.

## Prerequisites

To effectively utilize the Elasticsearch V7 connector with Swimlane, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: the endpoint URL for your Elasticsearch instance
  - Username: your Elasticsearch username credential
  - Password: your Elasticsearch password credential

### Search action

If the Elasticsearch security features are enabled, you must have the `read` [index privilege](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html#privileges-list-indices) for the target data stream, index, or alias.

- For cross-cluster search, see [Configure privileges for cross-cluster search](https://www.elastic.co/guide/en/elasticsearch/reference/current/remote-clusters-privileges.html#remote-clusters-privileges-ccs).
- To search a [point in time (PIT)](https://www.elastic.co/guide/en/elasticsearch/reference/current/point-in-time-api.html) for an alias, you must have the `read` index privilege for the alias's data streams or indices.

### Create Document action

If the Elasticsearch security features are enabled, you must have the `create_doc`, `create`, `index`, or `write` [index privilege](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html#privileges-list-indices) for the target index.

### Delete Document action

Elasticsearch requires the `delete` or `write` index privilege on the target index for the Delete Document action. Scope the connector account's role to the specific indices or data streams your playbooks touch rather than granting `write` or `all` on `*`; a search-only playbook needs nothing beyond `read`.

## Capabilities

This connector provides the following capabilities:

- Search data stored in Elasticsearch indices and data streams
- Add a JSON document to the specified data stream or index
- Delete a JSON document by index and ID

## Actions Setup

### Add Document

Please see the [time units convention](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units) if you want to use the timeout configuration. Elasticsearch accepts an integer followed by a unit (`d`, `h`, `m`, `s`, `ms`, `micros`, `nanos`), for example `30s`; fractional values such as `1.5h` are rejected.

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

**Configuration Parameters**

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Username | Username | string | required |
| Password | Password | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

Leave Verify SSL enabled. Basic authentication sends the username and password with every request, so disabling certificate verification lets anyone who can interpose on the path to the cluster (including a misconfigured HTTP Proxy) capture the credential.

## Actions

### Create Document

Creates a new document in the specified index with a unique ID in Elasticsearch V7, requiring both `index` and `id` path parameters. Because the request is a `POST` to `{{index}}/_doc/{{id}}`, supplying an ID that already exists overwrites that document and increments its `_version`; use a fresh ID if the action must never replace existing data.

**Endpoint URL:** `{{index}}/_doc/{{id}}`
**Method:** POST

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| index | string | required | Parameter for Create Document |
| id | string | required | Unique identifier |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _index | string | Output field _index |
| _id | string | Unique identifier |
| _version | number | Output field _version |
| result | string | Result of the operation |
| _shards | object | Output field _shards |
| total | number | Output field total |
| successful | number | Number of shards on which the operation succeeded |
| failed | number | Output field failed |
| _seq_no | number | Output field _seq_no |
| _primary_term | number | Output field _primary_term |

**Example**

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "location": "/.internal.alerts-security.alerts-default-000001/_doc/test123",
      "x-elastic-product": "Elasticsearch",
      "content-type": "application/json",
      "content-length": "189"
    },
    "reason": "Created",
    "json_body": {
      "_index": ".internal.alerts-security.alerts-default-000001",
      "_id": "test123",
      "_version": 1,
      "result": "created",
      "_shards": {},
      "_seq_no": 3306,
      "_primary_term": 7
    }
  }
]
```

### Delete Document

Removes a specified document from an Elasticsearch V7 index using the provided index and document ID.

**Endpoint URL:** `{{index}}/_doc/{{id}}`
**Method:** DELETE

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| index | string | required | Parameter for Delete Document |
| id | string | required | Unique identifier |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _index | string | Output field _index |
| _id | string | Unique identifier |
| _version | number | Output field _version |
| result | string | Result of the operation |
| _shards | object | Output field _shards |
| total | number | Output field total |
| successful | number | Number of shards on which the operation succeeded |
| failed | number | Output field failed |
| _seq_no | number | Output field _seq_no |
| _primary_term | number | Output field _primary_term |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "x-elastic-product": "Elasticsearch",
      "content-type": "application/json",
      "content-length": "189"
    },
    "reason": "OK",
    "json_body": {
      "_index": ".internal.alerts-security.alerts-default-000001",
      "_id": "test123",
      "_version": 2,
      "result": "deleted",
      "_shards": {},
      "_seq_no": 3307,
      "_primary_term": 7
    }
  }
]
```

### Search Index

Performs a search query on a specified index in Elasticsearch V7 using path and query parameters. The optional `q` argument is passed to Elasticsearch as a Lucene query string, so any alert or user-supplied value spliced into it can change the query's meaning (for example by closing a clause or adding a wildcard) unless the reserved characters are escaped first.

**Endpoint URL:** `{{index}}/_search`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| index | string | required | Parameter for Search Index |
| q | string | optional | Query string (Lucene syntax) for Search Index |

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| took | number | Output field took |
| timed_out | boolean | Output field timed_out |
| _shards | object | Output field _shards |
| total | number | Output field total |
| successful | number | Number of shards on which the search succeeded |
| skipped | number | Output field skipped |
| failed | number | Output field failed |
| hits | object | Output field hits |
| total | object | Output field total |
| value | number | Value for the parameter |
| relation | string | Output field relation |
| max_score | number | Score value |
| hits | array | Output field hits |
| _index | string | Output field _index |
| _id | string | Unique identifier |
| _score | number | Score value |
| _source | object | Output field _source |
| kibana.version | string | Output field kibana.version |
| kibana.alert.rule.category | string | Output field kibana.alert.rule.category |
| kibana.alert.rule.consumer | string | Output field kibana.alert.rule.consumer |
| kibana.alert.rule.execution.uuid | string | Unique identifier |
| kibana.alert.rule.name | string | Name of the resource |

**Example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "x-elastic-product": "Elasticsearch",
      "content-type": "application/json",
      "content-length": "72165"
    },
    "reason": "OK",
    "json_body": {
      "took": 905,
      "timed_out": false,
      "_shards": {},
      "hits": {}
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 72165 |
| Content-Type | The media type of the resource | application/json |
| Location | The URL of the newly created document (returned with 201 Created) | /.internal.alerts-security.alerts-default-000001/_doc/test123 |
| X-Elastic-Product | HTTP response header X-Elastic-Product | Elasticsearch |

## Notes

- [Index API](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html)
- [Search API](https://www.elastic.co/guide/en/elasticsearch/reference/current/search.html)
- [Time units](https://www.elastic.co/guide/en/elasticsearch/reference/current/api-conventions.html#time-units)
- [Index privileges](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-privileges.html#privileges-list-indices)
- [Configure privileges for cross-cluster search](https://www.elastic.co/guide/en/elasticsearch/reference/current/remote-clusters-privileges.html#remote-clusters-privileges-ccs)
- [Point in time (PIT)](https://www.elastic.co/guide/en/elasticsearch/reference/current/point-in-time-api.html)
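The following is an added example, not Swimlane's connector code or Elastic's client library. It builds the three HTTP requests the actions above issue (POST and DELETE on `{{index}}/_doc/{{id}}`, GET on `{{index}}/_search?q=`), applies the same HTTP Basic configuration (URL, username, password, Verify SSL, HTTP Proxy), validates the `timeout` against the Elasticsearch time units convention, enforces Elasticsearch's index-name rules so a playbook-supplied `index` cannot turn into an API path such as `_cluster`, escapes the Lucene reserved characters before an alert field is spliced into `q`, and reduces a Create/Delete Document output of the shape shown above to the fields a playbook branches on. The class name `ES7Connector`, the host `es.example.internal`, and the credentials are hypothetical; `SAMPLE_CREATE_RESPONSE` is constructed from this page's Create Document example.

```python
"""Request builder and response summarizer for the Elasticsearch V7 connector actions.
Added example (not Swimlane or Elastic code); names such as ES7Connector are hypothetical."""
import base64
import json
import re
import warnings
from dataclasses import dataclass, field
from typing import Any, Dict, Optional
from urllib.parse import quote, urlencode

# Elasticsearch time value: integer plus unit (d, h, m, s, ms, micros, nanos); fractions are not accepted.
_TIME_VALUE = re.compile(r"^\d+(d|h|m|s|ms|micros|nanos)$")
# Characters an index name may never contain (Elasticsearch create-index rules).
_INDEX_FORBIDDEN = set('\\/*?"<>| ,#')
# query_string reserved characters that take a backslash escape; '<' and '>' cannot be escaped at all.
_QS_RESERVED = set('+-=&|!(){}[]^"~*?:\\/')


def validate_time_value(value: str) -> str:
    """Reject a timeout that does not follow the time units convention (e.g. '30s', '1m', '500ms')."""
    if not _TIME_VALUE.match(value):
        raise ValueError(f"invalid Elasticsearch time value {value!r}")
    return value


def validate_target(name: str, allow_patterns: bool = False) -> str:
    """Apply index-name rules so a caller-supplied {{index}} cannot become an API path like '_all'.
    allow_patterns permits '*' and comma-separated lists, which are legitimate search targets."""
    forbidden = _INDEX_FORBIDDEN - ({"*", ","} if allow_patterns else set())
    for part in (name.split(",") if allow_patterns else [name]):
        if not part or part in (".", ".."):
            raise ValueError("index name must not be empty, '.' or '..'")
        if part != part.lower():
            raise ValueError(f"index name must be lowercase: {part!r}")
        if part[0] in "-_+":
            raise ValueError(f"index name must not start with '-', '_' or '+': {part!r}")
        if forbidden & set(part):
            raise ValueError(f"index name contains forbidden characters: {part!r}")
        if len(part.encode("utf-8")) > 255:
            raise ValueError("index name longer than 255 bytes")
    return name


def escape_query_string(value: str) -> str:
    """Escape an untrusted fragment before splicing it into the 'q' (Lucene query_string) parameter.
    AND/OR/NOT keywords remain operators; quote the fragment as a phrase if it must be literal."""
    out = []
    for ch in value:
        if ch in "<>":
            continue  # no escape exists; dropping them is the only way to block range-query injection
        if ch in _QS_RESERVED:
            out.append("\\")
        out.append(ch)
    return "".join(out)


def basic_auth_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


@dataclass
class PreparedRequest:
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[str] = None
    verify: bool = True                                  # Verify SSL configuration parameter
    proxies: Dict[str, str] = field(default_factory=dict)  # HTTP Proxy configuration parameter


class ES7Connector:
    """Mirrors the HTTP Basic Authentication configuration of the connector (hypothetical class)."""

    def __init__(self, url: str, username: str, password: str,
                 verify_ssl: bool = True, http_proxy: Optional[str] = None) -> None:
        if not verify_ssl:
            warnings.warn("Verify SSL is off: Basic credentials can be captured by an interposed proxy")
        self.base, self.verify = url.rstrip("/"), verify_ssl
        self.proxies = {"http": http_proxy, "https": http_proxy} if http_proxy else {}
        self.headers = {"Authorization": basic_auth_header(username, password), "Accept": "application/json"}

    def _build(self, method: str, path: str, params=None, body: Optional[str] = None) -> PreparedRequest:
        url = f"{self.base}/{path}" + (f"?{urlencode(params)}" if params else "")
        headers = dict(self.headers)
        if body is not None:
            headers["Content-Type"] = "application/json"
        return PreparedRequest(method, url, headers, body, self.verify, self.proxies)

    def _doc_path(self, index: str, doc_id: str) -> str:
        # quote(..., safe='') turns an id like '../_bulk' into '..%2F_bulk' instead of a different API path
        return f"{quote(validate_target(index), safe='')}/_doc/{quote(doc_id, safe='')}"

    def create_document(self, index: str, doc_id: str, document: Dict[str, Any],
                        timeout: Optional[str] = None) -> PreparedRequest:
        params = {"timeout": validate_time_value(timeout)} if timeout else None
        return self._build("POST", self._doc_path(index, doc_id), params, json.dumps(document))

    def delete_document(self, index: str, doc_id: str, timeout: Optional[str] = None) -> PreparedRequest:
        params = {"timeout": validate_time_value(timeout)} if timeout else None
        return self._build("DELETE", self._doc_path(index, doc_id), params)

    def search_index(self, index: str, q: Optional[str] = None) -> PreparedRequest:
        path = f"{quote(validate_target(index, allow_patterns=True), safe='*,')}/_search"
        return self._build("GET", path, {"q": q} if q else None)


def summarize_write(response: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a Create/Delete Document output (status_code, reason, json_body) to what a playbook branches on."""
    body = response["json_body"]
    return {"ok": 200 <= response["status_code"] < 300, "result": body["result"], "index": body["_index"],
            "id": body["_id"], "version": body["_version"], "seq_no": body["_seq_no"],
            "primary_term": body["_primary_term"]}


# Constructed sample: the Create Document example output from this page.
SAMPLE_CREATE_RESPONSE = {
    "status_code": 201, "reason": "Created",
    "response_headers": {"location": "/.internal.alerts-security.alerts-default-000001/_doc/test123",
                         "x-elastic-product": "Elasticsearch", "content-type": "application/json"},
    "json_body": {"_index": ".internal.alerts-security.alerts-default-000001", "_id": "test123",
                  "_version": 1, "result": "created", "_shards": {}, "_seq_no": 3306, "_primary_term": 7},
}
```

A playbook that searches for alerts by a value taken from another alert would call `es.search_index("logs-*", q=f"user.name:{escape_query_string(value)}")` so that a value such as `admin) OR (*` stays a literal term instead of rewriting the query; the returned `PreparedRequest` carries the method, URL, headers, body, verify flag and proxy map to hand to whatever HTTP client the runtime uses.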