Elastic SIEM integration with Ansible for Security Automation


I wanted to know if there is a possibility wherein Ansible can be integrated with the Elastic SIEM app to take some automated actions against security events, so that we can build a custom SOAR functionality rather than depending on third-party apps for achieving SOAR.

If there is a possibility, please do briefly explain or give some reference documentation for my perusal.

Thank You

Hi @imran - how are you planning to use Ansible for SOAR? Do you have some kind of automation/orchestration framework for that?

In general, the Elastic SIEM is using data already in Elasticsearch, so the way to do it would be to query Elasticsearch and then trigger Ansible based on the response.

Hello Christoph,

Sorry for the delay in response. We were thinking of designing the solution in a way where the watcher will invoke Ansible playbooks from the actions section...

We were also thinking about using TheHive, having the watcher create security incidents in TheHive and then maybe using TheHive to invoke automation scripts.

Do let me know if you have any info or a use case regarding this...


@imran You can use Logstash to connect Watcher with Ansible:

Watcher -> Logstash -> Ansible

You can use the Webhook action in Watcher to trigger Logstash, and use an Exec output to run Ansible on the command line.

There are also automation tools like Rundeck that you can use to run Ansible. Again, you can use Logstash to trigger Rundeck through its API.
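The Watcher -> Logstash -> Ansible chain described above, written out as a Logstash pipeline. This is an added example, not configuration from the thread or from Elastic; the port, credentials, playbook path (`/etc/ansible/respond.yml`) and the two payload fields (`host_name`, `rule_name`) are assumptions. The point it adds is the one a reviewer would raise about an `exec` output: the command string is built from alert data, so the pipeline rejects any event whose fields are missing or do not match a strict pattern before the command runs.

```conf
# Added example, not from the original thread. Receives Watcher webhook
# calls and runs an Ansible playbook per alert. Assumed: port 8080, the
# credential name, the playbook path and the payload field names.
input {
  http {
    port => 8080
    # Basic auth so only the Watcher webhook action can trigger the pipeline
    user => "watcher"
    password => "${WATCHER_WEBHOOK_PASSWORD}"   # taken from the Logstash keystore
    codec => "json"
  }
}

filter {
  # A missing field would leave the literal "%{host_name}" in the command line,
  # so drop events that do not carry both fields
  if ![host_name] or ![rule_name] {
    drop { }
  }
  # Alert content is untrusted: only plain hostnames and simple rule identifiers
  # are allowed to reach the shell
  if [host_name] !~ /^[A-Za-z0-9.-]{1,253}$/ or [rule_name] !~ /^[A-Za-z0-9_-]{1,64}$/ {
    drop { }
  }
}

output {
  # Limit the play to the alerting host and pass the rule name as an extra var
  exec {
    command => "ansible-playbook /etc/ansible/respond.yml -l %{host_name} -e rule_name=%{rule_name}"
  }
}
```

On the Watcher side the matching `webhook` action posts to this listener with `method: POST`, the Logstash `host`, `port` and `path`, `auth.basic` holding the same user and password, and a `body` template that emits only `host_name` and `rule_name` as JSON rather than the whole `ctx.payload`. Run the Logstash listener behind TLS (the `http` input's `ssl` options) or on a network segment only the Elasticsearch nodes can reach, and give the account that runs Logstash a playbook and inventory it can execute but not edit, so a compromised alert source cannot change what the automation does.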
