# Elasticsearch
Version: 0.7.3 · Category: SIEM · Plan: Base+
A full-featured Elasticsearch integration for SIEM log investigation and cluster management. Supports ES 5.x through 9.x with automatic version detection and adapter selection.
## Tools

### es_search — Query DSL search
Execute any Elasticsearch Query DSL query:

- Auto-highlight: matching content in all text fields is automatically highlighted — no need to configure `highlight` manually
- `queryBody` accepts a full DSL object including `query`, `size`, `from`, `sort`, `aggs`, `_source`

```json
{
  "query": {
    "bool": {
      "must": [
        { "range": { "@timestamp": { "gte": "now-1h" } } },
        { "match": { "event.outcome": "failure" } }
      ]
    }
  },
  "size": 20
}
```
### list_indices — Index list
List all indices including:
- Health status (green / yellow / red)
- Document count
- Storage size
Smart compression mode: for large clusters, automatically groups by index pattern to avoid excessive output length. Supports `pattern` filtering and `max_count` to control how many are displayed.

### get_mappings — Field mapping analysis
Retrieve the field mappings for one or more indices, including:
- Field types
- Analyzer configuration
- Capability tags (keyword / text / date, etc.)
!!! tip "Check mappings before writing queries"
    Understanding field types prevents common mistakes: keyword fields require exact matches; text fields support full-text search.
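The tip above carried into code, as an added example that is not part of this integration: it flattens a `get_mappings`-style response (the constructed sample below, not real cluster output) and chooses an exact `term` clause for keyword fields and an analysed `match` clause for text fields when assembling the bool query used by `es_search`. Function names are assumptions for illustration.

```python
# Mapping-aware Query DSL builder (constructed example, not the integration's own code).
# Pick `term` for keyword fields, `match` for text fields, and refuse unmapped ones.
import json

# Constructed sample in the shape of GET logs-*/_mapping
SAMPLE_MAPPINGS = {
    "logs-auth-000001": {"mappings": {"properties": {
        "@timestamp": {"type": "date"},
        "event": {"properties": {"outcome": {"type": "keyword"}}},
        "user": {"properties": {"name": {"type": "keyword"}}},
        "message": {"type": "text"},
    }}}
}

def field_types(mappings):
    """Flatten nested `properties` into {'event.outcome': 'keyword', ...}."""
    out = {}
    def walk(props, prefix):
        for name, spec in props.items():
            path = f"{prefix}{name}"
            if "properties" in spec:          # object field: recurse into children
                walk(spec["properties"], path + ".")
            if "type" in spec:                # leaf field with a concrete type
                out[path] = spec["type"]
    for idx in mappings.values():
        walk(idx.get("mappings", {}).get("properties", {}), "")
    return out

def clause(types, field, value):
    """Exact `term` for keyword, analysed `match` for text; refuse unknown fields."""
    ftype = types.get(field)
    if ftype is None:
        raise KeyError(f"{field!r} is not mapped; check get_mappings first")
    if ftype == "keyword":
        return {"term": {field: value}}
    if ftype == "text":
        return {"match": {field: value}}
    raise TypeError(f"{field} is {ftype}; use a range/exists clause instead")

def build_query(types, filters, since="now-1h", size=20):
    """Assemble the time-bounded bool query shown in the es_search section."""
    must = [{"range": {"@timestamp": {"gte": since}}}]
    must += [clause(types, f, v) for f, v in filters.items()]
    return {"query": {"bool": {"must": must}}, "size": size}

if __name__ == "__main__":
    body = build_query(field_types(SAMPLE_MAPPINGS), {"event.outcome": "failure", "message": "invalid password"})
    print(json.dumps(body, indent=2))
```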
### get_shards — Shard health analysis

Get shard-level health status and optimization recommendations:

| Parameter | Default | Description |
|---|---|---|
| `size_warning_threshold_gb` | 50 GB | Warning threshold for shard size |
| `doc_count_warning_threshold_millions` | 200 M | Warning threshold for document count |
| `show_recommendations` | true | Whether to include optimization recommendations |
### list_data_streams — Data stream list
List all data streams, including:
- Lifecycle health status
- Rollover status
- Number and size of backing indices
For ECS/Fleet-managed log pipelines (e.g. logs collected by Elastic Agent), data streams are the primary storage format.
### execute_es_api — Direct REST API execution

Execute any Elasticsearch REST API endpoint:

| Parameter | Description |
|---|---|
| `method` | GET / POST / PUT / DELETE / HEAD |
| `path` | API path (e.g. `_cluster/health`, `my-index/_settings`) |
| `body` | Request body |
| `params` | Query parameters |
| `headers` | Custom request headers |
Use this for operations not covered by the other tools.
## Configuration

| Item | Description |
|---|---|
| `ES_URL` | Cluster endpoint (e.g. `https://localhost:9200` or `https://my-cluster.es.io:9243`) |
| Authentication | `ES_API_KEY` (recommended) or `ES_USERNAME` + `ES_PASSWORD` |
| SSL mode | `skip` (ignore cert, for self-signed) / `default` (system CA) / `ca-cert` (custom CA) |
| `MAX_TOKEN_CALL` | Default 8000 (ES responses can be large; narrow your query scope first) |
## Investigation workflow

1. `list_indices` with `pattern: "logs-*"`
   → Find relevant log indices, check health and size
2. `get_mappings` with `indices: "logs-*"`
   → Understand field structure before writing queries
3. `es_search` with `index: "logs-*"` and the following `queryBody`:

   ```json
   {
     "query": {"bool": {"must": [
       {"range": {"@timestamp": {"gte": "now-1h"}}},
       {"match": {"event.outcome": "failure"}}
     ]}},
     "size": 20
   }
   ```

   → Search security events with auto-highlight
4. `execute_es_api` with `method: "GET"` and `path: "_cat/indices?v=true&s=store.size:desc"`
   → Identify indices consuming unusually large storage