# Elastic SIEM Integration
Elastic Security (formerly Elastic SIEM) integrates with Parapet Security through the webhook connector. This guide covers Elastic 8.x configuration.
## Prerequisites
- Elastic Stack 8.0 or later
- Kibana access with Security feature enabled
- Connector management permissions
- Your Parapet Security webhook URL and token
## Quick Setup

### Step 1: Get Your Credentials

- Log in to app.parapetsecurity.com
- Go to Settings → Service Tokens
- Click Generate New Token
- Save both:
  - Webhook URL: `https://webhook-{region}.parapetsecurity.com/webhook/{tenant-id}`
  - Service Token: `pst_...` (shown only once)
### Step 2: Create Webhook Connector
- In Kibana, go to Stack Management → Connectors
- Click Create connector
- Select Webhook
- Configure the connector:
| Field | Value |
|---|---|
| Connector name | Parapet Security |
| URL | https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID |
| Method | POST |
| Authentication | None (we use headers) |
- Add the authentication header:
  - Header key: `Authorization`
  - Header value: `Bearer pst_YOUR_TOKEN_HERE`
- Click Save & test
### Step 3: Configure Connector Body

Set the request body template using Mustache syntax:

```json
{
  "source": "elastic",
  "timestamp": "{{date}}",
  "rule": {
    "id": "{{rule.id}}",
    "name": "{{rule.name}}",
    "severity": "{{rule.severity}}",
    "risk_score": "{{rule.risk_score}}"
  },
  "alert": {
    "id": "{{alert.id}}",
    "status": "{{alert.status}}"
  },
  "context": {
    "kibana_url": "{{context.alerts_url}}",
    "host": "{{context.host.name}}",
    "user": "{{context.user.name}}",
    "source_ip": "{{context.source.ip}}"
  },
  "signals": "{{context.signals}}"
}
```
### Step 4: Attach to Detection Rules

- Go to Security → Detections → Rules
- Select a detection rule (or create one)
- Click Edit rule settings
- Scroll to Actions
- Click Add action → Webhook → Parapet Security
- Configure when to run:
  - On each rule execution (recommended)
  - Or specific conditions
- Save the rule
### Step 5: Test the Integration
- Trigger a test detection (or wait for a real one)
- Go to Security → Alerts to see the Elastic alert
- Check your Parapet Dashboard for the triaged alert
## Configuration Options

### Action Frequency
Control how often actions run:
| Setting | Description | Best For |
|---|---|---|
| On each rule execution | Send every time rule triggers | High-value rules |
| On a custom query match | Only when conditions met | Complex filtering |
| Per new alert | Deduplicated by alert ID | Most use cases |
### Rule-Specific Configuration
Different rules can have different configurations:
#### Custom Fields

Include additional context in your alerts. Two things to watch in this template: the top-level `source` key is already used for the literal `"elastic"`, so the ECS `source.*` and `destination.*` endpoint fields are nested under `network` to keep every JSON key unique (most parsers keep only the last of two duplicate keys, which would lose `"source": "elastic"`); and Mustache has no list join, so the `{{#rule.tags}}{{.}}{{/rule.tags}}` and `{{#host.ip}}{{.}}{{/host.ip}}` sections render their items concatenated into a single string.

```json
{
  "source": "elastic",
  "timestamp": "{{date}}",
  "rule": {
    "name": "{{rule.name}}",
    "severity": "{{rule.severity}}",
    "tags": ["{{#rule.tags}}{{.}}{{/rule.tags}}"]
  },
  "alert": {
    "id": "{{alert.id}}",
    "original_time": "{{alert.original_time}}"
  },
  "host": {
    "name": "{{host.name}}",
    "os": "{{host.os.name}}",
    "ip": ["{{#host.ip}}{{.}}{{/host.ip}}"]
  },
  "user": {
    "name": "{{user.name}}",
    "domain": "{{user.domain}}"
  },
  "process": {
    "name": "{{process.name}}",
    "pid": "{{process.pid}}",
    "command_line": "{{process.command_line}}"
  },
  "network": {
    "direction": "{{network.direction}}",
    "protocol": "{{network.protocol}}",
    "source": {
      "ip": "{{source.ip}}",
      "port": "{{source.port}}",
      "geo": {
        "country": "{{source.geo.country_name}}"
      }
    },
    "destination": {
      "ip": "{{destination.ip}}",
      "port": "{{destination.port}}"
    }
  }
}
```
## Sample Alert Payload

Here's what Elastic sends to Parapet Security:

```json
{
  "source": "elastic",
  "timestamp": "2026-01-28T15:30:00.000Z",
  "rule": {
    "id": "d8e8fca2-dc0f-4c4e-a9d7-3c9e7c8b4a2d",
    "name": "Suspicious PowerShell Execution",
    "severity": "high",
    "risk_score": 75
  },
  "alert": {
    "id": "abc123",
    "status": "open"
  },
  "context": {
    "host": "workstation-42",
    "user": "jsmith",
    "source_ip": "192.168.1.50"
  }
}
```
Parapet Security's AI normalizes this to extract:
- Severity: High (from rule severity)
- Category: Endpoint/Execution
- Host: workstation-42
- User: jsmith
- MITRE Mapping: Based on rule content
## Troubleshooting

### Connector Test Fails

- Verify the URL format: it must match `https://webhook-{region}.parapetsecurity.com/webhook/{tenant-id}` from Step 1
- Check the authorization header:
  - Must be exactly: `Authorization: Bearer pst_...`
  - No extra spaces
- Test the endpoint directly with curl, using the same URL, method, and header as the connector
### Alerts Not Appearing

- Check the rule is enabled: Security → Rules → Verify rule status is "Enabled"
- Verify the action is attached: Rule Settings → Actions → Webhook should show "Parapet Security"
- Check Kibana logs: Stack Management → Logs → Search for connector errors
### Missing Fields in Payload

If fields show as `{{field.name}}` instead of values:

- Ensure the field exists in your data
- Check ECS field names match your mapping
- Use conditional rendering: `{{#field}}{{field}}{{/field}}`
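To preview what a body template (the Step 3 body, or a conditional like the one above) renders to before saving the connector, here is an added Python example that is not part of this page or of Kibana: a minimal Mustache renderer run against a constructed sample context. `SAMPLE_CONTEXT`, `lookup`, `render` and `render_json_body` are this example's own names, and the renderer inserts values verbatim where Kibana applies its own escaping.

```python
import json
import re
SAMPLE_CONTEXT = {  # constructed stand-in for the variables Kibana exposes to a rule action
    "date": "2026-01-28T15:30:00.000Z",
    "rule": {"id": "rule-0001", "name": "Suspicious PowerShell Execution", "severity": "high",
             "risk_score": 75, "tags": ["Windows", "Execution"]},
    "alert": {"id": "abc123", "status": "open"},
    "context": {"host": {"name": "workstation-42"}, "user": {"name": "jsmith"},
                "source": {"ip": "192.168.1.50"}},
}
TAG = re.compile(r"\{\{([#^/]?)\s*([\w.]+)\s*\}\}")  # {{name}}, {{#name}}, {{^name}}, {{/name}}

def lookup(stack, name):
    # Resolve a dotted name against the context stack, innermost scope first; None if absent.
    if name == ".":
        return stack[-1]
    for scope in reversed(stack):
        cur = scope
        for part in name.split("."):
            cur = cur.get(part) if isinstance(cur, dict) else None
        if cur is not None:
            return cur
    return None

def render(template, stack):
    # Minimal Mustache (variables, {{#}} list/conditional sections, {{^}} inverted); no escaping.
    out, pos = [], 0
    while (m := TAG.search(template, pos)) is not None:
        out.append(template[pos:m.start()])
        kind, name = m.group(1), m.group(2)
        val = lookup(stack, name)
        if kind == "":  # plain variable: a missing field renders as an empty string
            out.append("" if val is None else str(val))
            pos = m.end()
            continue
        close = re.compile(r"\{\{/\s*" + re.escape(name) + r"\s*\}\}").search(template, m.end())
        inner = template[m.end():close.start()]
        present = bool(val)
        if kind == "#":  # a list repeats the section per item; a truthy scalar renders it once
            for item in (val if isinstance(val, list) else [val]) if present else []:
                out.append(render(inner, stack + [item]))
        elif kind == "^" and not present:
            out.append(render(inner, stack))
        pos = close.end()
    return "".join(out + [template[pos:]])

def render_json_body(template, context=SAMPLE_CONTEXT):
    # Render and parse a body template so a malformed body fails here, not at Save & test.
    return json.loads(render(template, [context]))
```

Rendering the Step 3 template against the sample shows `risk_score` arriving as the string "75" (it is quoted in the template) and a `{{#rule.tags}}{{.}}{{/rule.tags}}` section collapsing the tags into one string, which is exactly what the receiving side will parse.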
### Rate Limiting
If you see 429 errors:
- Add throttling to your rules
- Reduce rule frequency
- Upgrade your Parapet Security plan
## Advanced: Bulk Alert Forwarding

For high-volume environments, use Elastic Alerts summary:

```mustache
{
  "source": "elastic",
  "timestamp": "{{date}}",
  "summary": {
    "total_alerts": "{{context.alerts.length}}",
    "rule_name": "{{rule.name}}"
  },
  "alerts": [
    {{#context.alerts}}
    {
      "id": "{{_id}}",
      "severity": "{{kibana.alert.severity}}",
      "host": "{{host.name}}"
    }{{^last}},{{/last}}
    {{/context.alerts}}
  ]
}
```
## Integration with Elastic Agent
If using Elastic Agent with Fleet:
- Detection rules apply to data from all agents
- Webhook connector sends aggregated alerts
- Host information included from agent metadata
## Next Steps
- Configure Slack notifications for real-time alerts
- Set up alert filters to focus on what matters
- Understand AI triage results