SIEM Integration

Elastic Security Integration

Forward database audit events to Elasticsearch for analysis with Elastic Security and Kibana. Native ECS (Elastic Common Schema) support for seamless integration with the Elastic Stack.

Powerful Search

Full-text search and aggregations for deep analysis of database activity patterns.

ECS Format

Events formatted using Elastic Common Schema for consistent field mapping and correlation.

Detection Rules

Create custom detection rules for database security threats using Elastic Security.

Configuration Reference

1. Connection Settings

Field     | Type     | Required | Default | Description
----------+----------+----------+---------+-------------------------------------------------------------
name      | string   | Yes      | -       | A unique name for this SIEM connection (e.g., "elastic-prod")
provider  | select   | Yes      | elastic | SIEM provider; select "Elastic Security"
enabled   | boolean  | No       | true    | Enable or disable event forwarding
cloud_id  | string   | No       | -       | Elastic Cloud ID (for Elastic Cloud deployments)
hosts     | array    | Yes      | -       | Elasticsearch hosts (e.g., ["https://es.example.com:9200"])
api_key   | password | Yes      | -       | Elasticsearch API key for authentication

2. Elastic-Specific Settings

Field          | Type    | Required | Default        | Description
---------------+---------+----------+----------------+----------------------------------------------------
index_pattern  | string  | No       | dbaudit-events | Index pattern for events (e.g., "dbaudit-events-*")
pipeline       | string  | No       | -              | Ingest pipeline name for event processing
verify_ssl     | boolean | No       | true           | Verify the Elasticsearch SSL certificate
use_ecs        | boolean | No       | true           | Format events using Elastic Common Schema (ECS)
ilm_policy     | string  | No       | -              | Index Lifecycle Management policy name

3. Event Filtering

Field            | Type        | Required | Default | Description
-----------------+-------------+----------+---------+------------------------------------------------------------------------------------------------------
event_types      | multiselect | No       | all     | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings
severity_filter  | multiselect | No       | all     | Filter by severity: critical, warning, info
database_filter  | array       | No       | -       | Limit to specific databases (empty = all databases)

4. Batching & Reliability

Field                   | Type   | Required | Default | Description
------------------------+--------+----------+---------+---------------------------------------------
batch_size              | number | No       | 100     | Number of events per batch (1-1000)
flush_interval_seconds  | number | No       | 30      | Maximum time between flushes (5-300 seconds)
retry_attempts          | number | No       | 3       | Number of retry attempts on failure

Setup Instructions

1. Create API Key

Create an API key in Elasticsearch with index write permissions.

# Create API key via Kibana Dev Tools
POST /_security/api_key
{
  "name": "dbaudit-integration",
  "role_descriptors": {
    "dbaudit_writer": {
      "cluster": ["monitor"],
      "index": [
        {
          "names": ["dbaudit-*"],
          "privileges": ["create_index", "index", "write", "manage"]
        }
      ]
    }
  }
}

# Response:
{
  "id": "VuaCfGcBCdbkQm-e5aOx",
  "name": "dbaudit-integration",
  "api_key": "ui2lp2axTNmsyakw9tvNnw"
}

# Use as: "VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw"
2. Create Index Template (Optional)

Create an index template with proper mappings for DB Audit events.

# Create index template for DB Audit events
# The ILM policy named in index.lifecycle.name must exist before indices are created
PUT /_index_template/dbaudit-events
{
  "index_patterns": ["dbaudit-events-*"],
  "template": {
    "settings": {
      "number_of_shards": 1,
      "number_of_replicas": 1,
      "index.lifecycle.name": "dbaudit-policy"
    },
    "mappings": {
      "properties": {
        "@timestamp": { "type": "date" },
        "event.kind": { "type": "keyword" },
        "event.category": { "type": "keyword" },
        "event.action": { "type": "keyword" },
        "event.outcome": { "type": "keyword" },
        "event.severity": { "type": "long" },
        "user.name": { "type": "keyword" },
        "source.ip": { "type": "ip" },
        "database.name": { "type": "keyword" },
        "database.type": { "type": "keyword" },
        "query.statement": { "type": "text" },
        "query.rows_affected": { "type": "long" }
      }
    }
  }
}
3. Configure in DB Audit

Add the Elastic Security integration in the DB Audit dashboard.

  1. Navigate to Integrations → SIEM in DB Audit
  2. Click Add SIEM Integration
  3. Select Elastic Security as the provider
  4. Enter your Elasticsearch hosts and API key (or Cloud ID)
  5. Configure index pattern and ECS settings
  6. Select event types to forward
  7. Test the connection and save

4. Create Detection Rules (Optional)

Create detection rules in Elastic Security for database threats.

# Elastic Security Detection Rule
# Create via Security → Detections → Rules → Create new rule
# The query is KQL; the rule runs every 5 minutes over a 6-minute window so runs overlap

{
  "name": "Suspicious Database Data Exfiltration",
  "description": "Detects queries returning large amounts of data",
  "risk_score": 73,
  "severity": "high",
  "type": "query",
  "language": "kuery",
  "query": "event.action:select AND query.rows_affected >= 10000",
  "index": ["dbaudit-events-*"],
  "interval": "5m",
  "from": "now-6m",
  "tags": ["Database", "Data Exfiltration"],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0010",
        "name": "Exfiltration",
        "reference": "https://attack.mitre.org/tactics/TA0010/"
      }
    }
  ]
}

Event Format (ECS)

Events are formatted using Elastic Common Schema (ECS) for consistent field mapping.

{
  "@timestamp": "2024-01-15T10:30:45.123Z",
  "event": {
    "kind": "event",
    "category": ["database"],
    "type": ["access"],
    "action": "select",
    "outcome": "success",
    "severity": 3
  },
  "user": {
    "name": "app_user",
    "domain": "production-postgres"
  },
  "source": {
    "ip": "10.0.1.50",
    "port": 45678
  },
  "destination": {
    "ip": "192.168.1.100",
    "port": 5432
  },
  "database": {
    "name": "production-postgres",
    "type": "postgresql",
    "instance": "customers"
  },
  "query": {
    "statement": "SELECT * FROM customers WHERE...",
    "rows_affected": 1500
  },
  "labels": {
    "contains_pii": "true",
    "data_types": "email,phone"
  },
  "tags": ["dbaudit", "postgresql", "pii"]
}
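As an added example (not DB Audit's own code), the ECS mapping above in Python: it builds the ECS document from a constructed raw audit record, checks that the id:api_key string from step 1 has the expected shape and encodes it as the Authorization header value Elasticsearch expects, and packs documents into _bulk bodies honouring batch_size from the Batching & Reliability settings. The raw record's field names and the daily index suffix appended to index_pattern are assumptions.

```python
import base64
import json

# Constructed raw audit record; the field names are assumed, not DB Audit's real schema.
RAW_EVENT = {
    "ts": "2024-01-15T10:30:45.123Z", "user": "app_user", "client_ip": "10.0.1.50",
    "client_port": 45678, "server_ip": "192.168.1.100", "server_port": 5432,
    "connection": "production-postgres", "engine": "postgresql", "db": "customers",
    "statement": "SELECT * FROM customers WHERE...", "rows": 1500, "ok": True,
    "pii_types": ["email", "phone"], "severity": 3,
}

def to_ecs(r):
    """Map a raw audit record to the ECS document layout shown on this page."""
    return {
        "@timestamp": r["ts"],
        "event": {"kind": "event", "category": ["database"], "type": ["access"],
                  "action": r["statement"].split()[0].lower(),  # SELECT -> select
                  "outcome": "success" if r["ok"] else "failure",
                  "severity": r["severity"]},
        "user": {"name": r["user"], "domain": r["connection"]},
        "source": {"ip": r["client_ip"], "port": r["client_port"]},
        "destination": {"ip": r["server_ip"], "port": r["server_port"]},
        "database": {"name": r["connection"], "type": r["engine"], "instance": r["db"]},
        "query": {"statement": r["statement"], "rows_affected": r["rows"]},
        "labels": {"contains_pii": str(bool(r["pii_types"])).lower(),  # ECS labels are strings
                   "data_types": ",".join(r["pii_types"])},
        "tags": ["dbaudit", r["engine"]] + (["pii"] if r["pii_types"] else []),
    }

def api_key_header(raw_key):
    """Validate the 'id:api_key' string from step 1 and build the Authorization header."""
    key_id, _, secret = raw_key.partition(":")
    if not key_id or not secret:
        raise ValueError("API key must be in id:api_key format")
    # Elasticsearch expects: Authorization: ApiKey base64(id:api_key)
    return "ApiKey " + base64.b64encode(raw_key.encode()).decode()

def bulk_batches(events, index_pattern="dbaudit-events", batch_size=100):
    """Yield NDJSON _bulk bodies with at most batch_size documents each.
    Assumption: one index per day (index_pattern-YYYY.MM.DD), matching dbaudit-events-*."""
    for i in range(0, len(events), batch_size):
        lines = []
        for doc in events[i:i + batch_size]:
            day = doc["@timestamp"][:10].replace("-", ".")
            lines.append(json.dumps({"create": {"_index": f"{index_pattern}-{day}"}}))
            lines.append(json.dumps(doc))
        yield "\n".join(lines) + "\n"
```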

Sample Elasticsearch Queries

Use these queries to search and analyze DB Audit events in Elasticsearch.

# Search all DB Audit events
GET dbaudit-events-*/_search
{
  "query": {
    "match_all": {}
  },
  "sort": [{"@timestamp": "desc"}],
  "size": 100
}

# Filter by severity (critical events)
GET dbaudit-events-*/_search
{
  "query": {
    "range": {
      "event.severity": {"gte": 7}
    }
  }
}

# Find large data access patterns
GET dbaudit-events-*/_search
{
  "query": {
    "range": {
      "query.rows_affected": {"gte": 10000}
    }
  },
  "aggs": {
    "by_user": {
      "terms": {"field": "user.name"}
    }
  }
}

# User activity timeline
GET dbaudit-events-*/_search
{
  "query": {
    "bool": {
      "filter": [
        {"term": {"user.name": "specific_user"}},
        {"range": {"@timestamp": {"gte": "now-24h"}}}
      ]
    }
  },
  "sort": [{"@timestamp": "asc"}]
}

Troubleshooting

Authentication failed (401)

Verify the API key format is correct (id:key format) and the key has not expired.

Index creation permission denied

Ensure the API key has create_index and write privileges on the specified index pattern.

Events not appearing in Kibana

Create a data view (index pattern) in Kibana for "dbaudit-*" to see the events.

Mapping conflicts

Create an index template with explicit mappings before ingesting data to avoid dynamic mapping issues.
