# Elasticsearch Logstash Kibana Integration

#### Step 1: Creating a webhook for ELK <a href="#step-1-creating-a-webhook-for-mattermost" id="step-1-creating-a-webhook-for-mattermost"></a>

* Visit the **Webhooks** page in AIR,
* Click the "**+ New Webhook**" button in the upper right corner,
* Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
* Select "**Elasticsearch Logstash Kibana: Generic Elasticsearch Logstash Kibana**" as the parser for this webhook,
* Select the **Acquisition Profile** to run when ELK triggers this webhook,
* Set the **Ignore** option or keep its default value (24 hours; repeated alerts for the same endpoint within that window are ignored),
* Provide other settings such as **Evidence Repository**, **CPU Limit**, and **Compression & Encryption**, or let AIR configure them automatically based on the matching policy,
* Click the "**Save**" button.

#### Step 2: Preparing ELK Watcher <a href="#step-2-preparing-elk-watcher" id="step-2-preparing-elk-watcher"></a>

* Visit `<ELK_Instance_URL>/app/management/insightsAndAlerting/watcher/watches`. On the right, click **"Create"**, then **"Create advanced watch"**.
* Add an action section to your watch.
* Adjust the following values in the JSON below:

1. Host: the AIR Server address,
2. Port: the AIR Server port,
3. Path: the full webhook path,
4. Token: the token that you created in AIR Server,
5. Body: the body must include either the endpoint hostname or the endpoint IP address. The mapping (`ctx.payload.endpoint` in the example) must be adapted to the fields your watch's payload actually contains.

Replace `air-server-url`, `80`, `/api/webhook/NAME`, the token value and `ctx.payload.endpoint` with your own values:

```json
{
  "trigger": { "schedule": { "interval": "30m" } },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [ "*" ],
        "rest_total_hits_as_int": true,
        "body": { "size": 0, "query": { "match_all": {} } }
      }
    }
  },
  "condition": { "compare": { "ctx.payload.hits.total": { "gte": 10 } } },
  "actions": {
    "binalyzeAIR_webhook": {
      "webhook": {
        "scheme": "http",
        "host": "air-server-url",
        "port": 80,
        "method": "post",
        "path": "/api/webhook/NAME",
        "params": { "token": "9236a8a1-ffb9-4521-9947-3f46548916c0" },
        "headers": { "Content-Type": "application/json" },
        "body": """["{{ctx.payload.endpoint}}"]"""
      }
    }
  }
}
```

* You can simulate the POST request to verify that it works before the watch runs on its schedule.
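The following is an added example and not code from the AIR or Elastic documentation. It reproduces offline what the watcher's webhook action above does: take a search payload, pull out the endpoint hostnames or IPs, and assemble the POST (URL with the token as query parameter, JSON array body) that AIR's webhook expects. It goes slightly beyond the page's one-value template by handling several hits, duplicates and malformed values. The field names `host.name` / `host.ip`, the sample payload, and a non-zero search `size` are assumptions; the host, port, path and token format come from the watch JSON above.

```python
"""Added example, not part of the AIR or Elastic documentation: reproduce the
POST that the watcher's webhook action sends to an AIR webhook, so the payload
mapping can be checked offline before the watch runs on schedule.

Assumed (not stated on the page): the search input runs with a non-zero "size"
so that hits are returned, and each hit's _source carries the endpoint under
host.name and/or host.ip (Elastic Common Schema field names).
"""
import ipaddress
import json
import re
import urllib.request
from urllib.parse import urlencode, urlunsplit

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

# Constructed sample of ctx.payload for a watch whose search input returns the
# matching alert documents (field names are assumptions, see above).
SAMPLE_PAYLOAD = {
    "hits": {
        "total": 12,
        "hits": [
            {"_source": {"host": {"name": "ws-finance-01", "ip": "10.20.30.41"},
                         "event": {"action": "rdp-bruteforce"}}},
            {"_source": {"host": {"name": "ws-finance-01", "ip": "10.20.30.41"}}},  # same endpoint again
            {"_source": {"host": {"ip": "10.20.30.77"}}},                           # IP only, no hostname
            {"_source": {"host": {"name": "bad host;rm -rf"}}},                      # malformed, must be dropped
            {"_source": {"event": {"action": "noise"}}},                              # no endpoint at all
        ],
    }
}


def is_valid_endpoint(value):
    """Accept only an IP address (v4 or v6) or a well-formed hostname."""
    if not isinstance(value, str) or not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def extract_endpoints(payload):
    """Unique endpoint identifiers in hit order; hostname preferred, IP as fallback."""
    endpoints = []
    for hit in payload.get("hits", {}).get("hits", []):
        host = hit.get("_source", {}).get("host", {})
        candidate = host.get("name") or host.get("ip")
        if is_valid_endpoint(candidate) and candidate not in endpoints:
            endpoints.append(candidate)
    return endpoints


def build_webhook_request(payload, host="air-server-url", port=80,
                          path="/api/webhook/NAME", token="AIR_WEBHOOK_TOKEN",
                          scheme="http"):
    """Assemble the same request the watcher action on the page would send:
    POST to scheme://host:port/path?token=..., JSON array of endpoints as body.
    The default token is a placeholder; pass the token created in AIR."""
    url = urlunsplit((scheme, f"{host}:{port}", path, urlencode({"token": token}), ""))
    return {
        "method": "POST",
        "url": url,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(extract_endpoints(payload)),
    }


def send_webhook(request, timeout=10):
    """Deliver the assembled request; returns the HTTP status code."""
    req = urllib.request.Request(request["url"], data=request["body"].encode(),
                                 headers=request["headers"], method=request["method"])
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run only: print what would be posted; call send_webhook() to deliver it.
    print(json.dumps(build_webhook_request(SAMPLE_PAYLOAD), indent=2))
```

Run it as a dry run to see the exact URL and body; the payload is reduced to `["ws-finance-01", "10.20.30.77"]`, the duplicate is collapsed and the malformed hostname is dropped rather than forwarded to AIR. Note that with `"scheme": "http"`, as in the watch above, the token is sent in the clear in the query string; use `https` wherever the AIR server offers it.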

Please refer to the vendor's [documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/how-watcher-works.html) for more information.
