
Elasticsearch

The Polarity-Elasticsearch integration allows analysts to get real-time insights into any data contained within indexes in Elasticsearch, enabling analysts to work faster and more efficiently.

Elasticsearch Solutions

Security Operations Centers, Threat Hunting, and more.

Configuring Elasticsearch

This integration requires a few extra steps before it can be used: the integration must be configured with the options described below.

Configuration Options

The Elasticsearch integration uses basic authentication for access to the API. A username and password are required to log in. Typically a service account is created for the Polarity - Elasticsearch integration that has access to only the information needed.

Index to search within Elasticsearch: Comma separated list of indexes for Polarity to search against. Please note that there should be no spaces in between the indexes.

Search to be run in Elasticsearch: The search query to execute as JSON. The top level property should be a query object and must be a valid JSON search request when sent to the ES _search REST endpoint. The search query can make use of the templated variable {{entity}} which will be replaced by the entity recognized on the user’s screen.

As an example, the search query could be defined as:

{"query": { "simple_query_string": { "query": "\"{{entity}}\"" } }, "from": 0, "size": 10, "sort": [ { "timestamp": "desc" } ] }
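The {{entity}} substitution above inserts text recognized on the analyst's screen into a JSON request body, so an entity containing a quote or backslash can break the JSON or escape the quoted phrase in simple_query_string. The following is an added example (not Polarity's own code) that renders a constructed template mirroring the one above, escaping the entity for both the query syntax and JSON, and validates the result has a top-level query object; the list of escaped operator characters is an assumption to check against your Elasticsearch version.

```python
import json

# Constructed search template mirroring the page's example (not Polarity's code).
SEARCH_TEMPLATE = (
    '{"query": { "simple_query_string": { "query": "\\"{{entity}}\\"" } },'
    ' "from": 0, "size": 10, "sort": [ { "timestamp": "desc" } ] }'
)

# Operator characters of simple_query_string syntax; a preceding backslash makes
# Elasticsearch treat them literally (assumed list, verify for your ES version).
SQS_SPECIAL = set('+|-"*()~\\')


def escape_simple_query_string(value: str) -> str:
    """Backslash-escape query-syntax operators so the entity is matched literally."""
    return "".join("\\" + ch if ch in SQS_SPECIAL else ch for ch in value)


def render_query(template: str, entity: str) -> dict:
    """Substitute {{entity}} and return the parsed _search request body.

    The entity is first escaped for simple_query_string, then JSON-escaped as a
    string fragment (json.dumps minus its outer quotes, since the template
    supplies those). A '"' or '\\' in an on-screen entity therefore neither
    breaks the JSON nor terminates the quoted phrase in the query.
    """
    fragment = json.dumps(escape_simple_query_string(entity))[1:-1]
    body = json.loads(template.replace("{{entity}}", fragment))
    if not isinstance(body, dict) or not isinstance(body.get("query"), dict):
        raise ValueError("template must be a JSON object with a top-level 'query' object")
    return body


def naive_render_parses(template: str, entity: str) -> bool:
    """True if plain string substitution still yields valid JSON (often it does not)."""
    try:
        json.loads(template.replace("{{entity}}", entity))
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    print(json.dumps(render_query(SEARCH_TEMPLATE, 'evil" | *'), indent=2))
```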

Enable Highlighting: This option allows analysts to quickly see highlighted matches for the highlight query within the Polarity Overlay window by using the Elasticsearch Highlighter feature. For more information on the Elasticsearch Highlighter please see the following documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-highlighting.html

Highlight Query: The highlighter query to execute when a user clicks to view additional details. The top level property should be a query object. This query should typically match the query portion of your Search Query. Highlighting will attempt to highlight against all fields and will return the first 10 results. This query only runs if the Enable Highlighting option is checked.

{"query": { "simple_query_string": { "query": "\"{{entity}}\"" } } }

Summary Field: The _source fields to be displayed within the summary portion of the Polarity Overlay window. This option sets the information that allows analysts to quickly triage Elasticsearch information. To set summary fields, ensure the list is comma separated with no spaces.

Document Title: Fields to be used as the document title for each document section within the Elasticsearch integration. These fields must be returned as part of the data returned by the search query.

Kibana URL: URL used by analysts to access Kibana, the visualization layer for Elasticsearch data. This lets analysts quickly pivot from Polarity to Kibana/Elasticsearch for further analysis.