Elastic Cloud Integration
Note: This integration requires Cisco XDR Advantage or Cisco XDR Premier licensing tier.
Accelerate results that matter when you use Elastic to address your search, observability, and security challenges. Deploy in your favorite public cloud, or in multiple clouds. Extend the value of Elastic with generative AI, cloud-native features and hundreds of built-in integrations to unlock the power of data, securely and at scale.
From document- and field-level security to analyzing data in real time with interactive visualizations, Elastic Cloud (the Elasticsearch service) delivers powerful features that readily extend what’s possible with the Elastic Stack.
Enabling this integration in Cisco XDR will make the Elastic Cloud API available as a target for automation workflows. Workflows can be used to do things like send incident data to Elasticsearch for indexing and retention.

- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the Elastic Cloud integration.
- Click the plus sign (+) in the lower-right corner of the card. The Elastic Cloud integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Elastic Cloud integration in Cisco XDR.

You can perform the following tasks after you integrate Elastic Cloud with Cisco XDR:
- Automation:
  - Atomic Actions - The atomic actions for Elastic Cloud can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.
  - Workflows - The workflows for Elastic Cloud can be installed from the Automation Exchange. See Workflows and Exchange.
  - Target - The Elastic Cloud target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.
  - Playbooks - An Automation system workflow that uses Elastic Cloud and is included in the Cisco Managed Incident Playbook can be used to close and export an incident. See Recovery on the Response page.