šŸ’ Official Elastic Integration?

Currently there is no native integration with Elastic for some of the Netwrix products.

Would Netwrix be willing to build the integration with Elastic so customers can easily ingest all the juicy data from the Netwrix product line for Security Operations?

Here is how you can get started: integrations/CONTRIBUTING.md at main · elastic/integrations

Here are a couple of GitHub issues out there for the need on these integrations.

[Netwrix_PAM] New integration, Netwrix Privilege Access Management · Issue #11856 · elastic/integrations

[Netwrix_Threat_Manager] New integration, Netwrix Threat Manager · Issue #11857 · elastic/integrations

3 Likes

Hi, we should be able to do what NPS is doing in the link you pasted.

This may even be possible today if you post in your format into the “custom template” section.

We will look into this on our side.

3 Likes

Elasticsearch and Replication

1 Like

Hey Jonathan, how does your link relate to this post?

Hi Nicholas,

That’s really interesting feedback, thank you.

For Threat Manager, as Greg mentioned it is possible today but you may have to do an extra step.

You can use the Elastic Logstash CEF codec plugin to create a pipeline that would work like this:
Threat Manager (CEF) → Elastic Logstash CEF plugin → Elasticsearch

Otherwise you may use the Custom template feature.
I am not familiar with what fields Elastic accepts, but it seems to be JSON.

Here is a conversion of our current (v3.0.493) custom SIEM template to JSON:

{
  "syslog_date": "%SYSLOG_DATE%", 
  "host": "%HOST%", 
  "LEEF_version": "1.0",
  "company": "%COMPANY%", 
  "product": "%PRODUCT%", 
  "product_version": "%PRODUCT_VERSION%", 
  "threat_type": "%THREAT_TYPE%", 
  "dev_time": "%THREAT_TIME%",
  "dev_time_format": "yyyy-MM-dd HH:mm:ss",
  "threat_type_detail": "%THREAT_TYPE%",
  "users": "%USERS%", 
  "computers": "%COMPUTERS%", 
  "file_name": "%FILENAME%", 
  "new_file_name": "%NEW_FILENAME%", 
  "process": "%PROCESS%"
}

You would have to make sure the field mapping matches what Elastic accepts.

An official integration is definitely something to look into. Thanks for sharing this 👍.

1 Like
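As an added example (not Netwrix's or Elastic's code), here is one way the JSON rendered from the custom template above could be normalised onto ECS field names before indexing; the ECS field choices, the `netwrix.*` namespace for leftovers, the comma-separated reading of `users`/`computers`, the UTC assumption for `dev_time`, and the sample event itself are all this example's own assumptions.

```python
import json
import re
from datetime import datetime

# Constructed sample of one event rendered from the v3.0.493 template above
# (values invented for illustration, not real Threat Manager output).
SAMPLE_EVENT = json.dumps({
    "syslog_date": "Jun 12 14:03:22", "host": "ntm-server01", "LEEF_version": "1.0",
    "company": "Netwrix", "product": "Threat Manager", "product_version": "3.0.493",
    "threat_type": "Mass file deletion", "dev_time": "2024-06-12 14:03:20",
    "dev_time_format": "yyyy-MM-dd HH:mm:ss", "threat_type_detail": "Mass file deletion",
    "users": "CORP\\jdoe, CORP\\svc-backup", "computers": "FS01, FS02",
    "file_name": "\\\\FS01\\share\\q2-report.xlsx", "new_file_name": "", "process": "explorer.exe",
})

# Java-style pattern tokens used by dev_time_format -> Python strptime directives.
_JAVA_TO_STRPTIME = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}


def java_format_to_strptime(fmt: str) -> str:
    """Translate e.g. 'yyyy-MM-dd HH:mm:ss' into '%Y-%m-%d %H:%M:%S'."""
    return re.sub(r"[A-Za-z]+", lambda m: _JAVA_TO_STRPTIME[m.group(0)], fmt)


def _split_list(value: str) -> list:
    """Assumption: multi-valued template fields (users, computers) are comma-separated."""
    return [v.strip() for v in value.split(",") if v.strip()]


def to_ecs(raw_json: str) -> dict:
    """Map one rendered template event onto ECS field names (assumed mapping)."""
    src = json.loads(raw_json)
    fmt = java_format_to_strptime(src["dev_time_format"])
    # Assumption: dev_time carries no zone indicator, so it is treated as UTC.
    ts = datetime.strptime(src["dev_time"], fmt)
    users, computers = _split_list(src.get("users", "")), _split_list(src.get("computers", ""))
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event": {"kind": "alert", "action": src["threat_type"], "original": raw_json},
        "message": src["threat_type_detail"],
        "host": {"name": src["host"]},
        "observer": {"vendor": src["company"], "product": src["product"], "version": src["product_version"]},
        "user": {"name": users},
        "related": {"user": users, "hosts": computers},
        "file": {"path": src["file_name"]},
        "process": {"name": src["process"]},
        # Fields with no obvious ECS equivalent go under a vendor namespace; empty strings are dropped.
        "netwrix": {k: src[k] for k in ("syslog_date", "LEEF_version", "new_file_name") if src.get(k)},
    }
```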

Elasticsearch can trivially ingest JSON data.

We don’t use Logstash but rather Elastic Agent with either a push or pull method. This gives us some ideas as to what we can do here, but really, Netwrix has a great opportunity to build an integration that all can take advantage of. This post is a good place to track said integration. Thank you!

2 Likes