Elasticsearch Logstash Kibana Integration

This integration is built with the watcher feature of ELK by using sample data. In order to produce this watcher, the watcher's payload must be customized accordingly to parse Endpoint IP or Hostname.

Step 1 - Creating A webhook for ELK

  • Visit the Webhooks page in Binalyze AIR,

  • Click the "+ New Webhook" button in the upper right corner,

  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),

  • Select "Elasticsearch Logstash Kibana: Generic Elasticsearch Logstash Kibana" as the parser for this webhook,

  • Select an Acquisition Profile when ELK activates this webhook,

  • Select the Ignore option or leave with its default value (defaults to 24 hours for recurrent alerts for a single endpoint),

  • Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption to use or let AIR configure them automatically based on the matching policy

  • Click the "Save" button

Step 2: Preparing ELK Watcher

  • Visit the <ELK_Instance URL>/app/management/insightsAndAlerting/watcher/watches . On the right, click "Create" then "Create advanced watch".

  • Add an action part to your watcher.

  • Change the following JSON:

  1. Host: AIR Server address,

  2. Port: AIR-Server port,

  3. Path: The webhook full path,

  4. Token: The token that you created in AIR Server.

  5. Body: The body part must include either the endpoint hostname or endpoint IP. Mapping must be customized with the watcher payload itself.

{ "trigger": { "schedule": { "interval": "30m" } }, "input": { "search": { "request": { "search_type": "query_then_fetch", "indices": [ "*" ], "rest_total_hits_as_int": true, "body": { "size": 0, "query": { "match_all": {} } } } } }, "condition": { "compare": { "ctx.payload.hits.total": { "gte": 10 } } }, "actions": { "binalyzeAIR_webhook": { "webhook": { "scheme": "http", "host": "air-server-url", "port": 80, "method": "post", "path": "/api/webhook/NAME", "params": { "token": "9236a8a1-ffb9-4521-9947-3f46548916c0" }, "headers": { "Content-Type": "application/json" }, "body": """["{{ctx.payload.endpoint}}"]""" } } } }

  • You can simulate the post request to learn if it's working.

Please refer to the vendor's documentation for more information.

Last updated