Documentation

Elastic Security

Suggest Edits

Integrating Elastic supports forwarding detections and recommendations from Insights to your SIEM. This accelerates root cause analysis and threat response at scale.

Elasticsearch is a distributed, RESTful search and analytics engine. It centrally stores your data for lightning-fast search, fine‑tuned relevancy, and powerful analytics that scale easily.

Retrieve the Elastic Security credentials

  1. Log in to your Elastic Cloud account and navigate to your desired deployment.
  2. From your deployment's overview page, copy the Cloud ID. This ID is required in the next section.
  3. Navigate to Security/API Keys.
  4. Click Create API Key, and enter a name for the new key. This key is required in the next section.

Add an Elastic integration in Insights

  1. In the header of your Insights instance, click Menu > Integrations.
  2. Click Elastic.
    The Configure Integration page displays.
  3. Click Create Integration.
  4. Enter the Elastic Cloud ID and API Key that you obtained for your elastic deployment in the previous section.
  5. Click Create Integration.

You are redirected to your Elastic integration dashboard, with your new integration added under Configured.

Edit or delete an Elastic integration

Edit an individual Elastic integration

  1. Click the vertical ellipsis for a configured integration.
  2. Select Edit.
    The Configure Integration page displays.
  3. Edit the Cloud ID and API Key as necessary to assist in troubleshooting failing integrations.
  4. Click Save Integration.

ℹ️

Note

Edits to an integration may take up to two minutes to take effect.

You can remove individual Elastic integrations by deleting them. Deleting an integration cannot be undone and all of its configuration settings and data are deleted.

Delete an individual Elastic integration

  1. Click the vertical ellipsis for a configured integration.
  2. Select Delete.
  3. Type delete in the box to confirm you want to delete the integration.
  4. Click Delete Integration.

Elastic schema mapping

FieldInternal Mapping
message"\<incidentDescription\>"
tags["Detection | Recommendation"]
labels{ "current_status": "\<Open | Expected | FalsePositive | Resolved | InProgress\>" }
event.id"\<incidentId\>"
event.url"\<<https://app.beyondtrust.io/t/>\>\<tenantId\>/detections/details/\<incidentId\>"
event.reason"\<incidentDefinitionDetail>\"
event.severity\<incidentSeverity\>
event.code"\<incidentDefinitionId>\"
rule.id"\<incidentDefinitionId>\"
rule.description"\<incidentDescription>\"
rule.version"\<incidentDefinitionVersion>\"
ecs.version"8.7.0"
impacted_entites[i].entity_id"\<incidentImpactedEntityId>\"
impacted_entities[i].entity_type"\<incidentImpactedEntityType>\"
impacted_entities[i].tenant_id"\<incidentImpactedEntityTenantId>\"
impacted_entities[i].name"\<incidentImpactedEntityName>\"
impacted_entities[i].description"\<incidentImpactedEntityDescription>\"

Updated 8 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.