
App Components

This page describes the components that ship as part of the app and the function of each.

Diagrams: ES to ITSI flow; ITSI to ES flow

Searches

  1. es_is_installed - Checks whether ES is installed on that SH(C). If so, it enables/disables the proper searches via the enable_searches alert action
  2. itsi_is_installed - Checks whether ITSI is installed on that SH(C). If so, it enables/disables the proper searches via the enable_searches alert action
  3. es_share_itsi - Runs a scheduled search to pull information from ES findings to populate the share_with_itsi index
  4. itsi_share_es - Runs a scheduled search to pull information from ITSI episodes to populate the share_with_es index
  5. ITSI Episode - Scheduled detection to create ES findings based on data in share_with_es
  6. ES Alert - Scheduled correlation search to create ITSI notables based on data in share_with_itsi

Indexes

  1. share_with_es - Index that holds specific data from ITSI episodes, used to generate ES findings
  2. share_with_itsi - Index that holds specific data from ES findings, used to generate ITSI notables

Alert Actions

  1. enable_searches - Makes REST calls to enable and disable the proper searches based on the SH(C) it is installed on
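
The following is an added illustration of the decision logic such an alert action has to carry out; it is not the app's own code. It reads the list of installed apps from a constructed sample of a Splunk `/services/apps/local` response, decides which of the searches listed above belong on the ES side and which on the ITSI side (that mapping, the app IDs `SplunkEnterpriseSecuritySuite` and `itsi`, and the bridge app name `TA-es-itsi-bridge` are assumptions), and builds the REST calls against the standard `saved/searches/<name>/enable|disable` endpoints. An app that is installed but disabled is treated as absent, so the searches that depend on it are disabled rather than left running against data that will never arrive.

```python
"""Plan which bridge searches to enable on a search head.

Added example; not the app's own implementation. App IDs, search names,
the ES-side/ITSI-side mapping and the app context are assumptions.
"""
import json
import ssl
import urllib.request
from typing import Dict, Iterable, List, Set, Tuple

ES_APP = "SplunkEnterpriseSecuritySuite"   # assumed app id of ES
ITSI_APP = "itsi"                           # assumed app id of ITSI
BRIDGE_APP = "TA-es-itsi-bridge"            # assumed app context of the searches

# Assumed split: searches that read ES findings or write ES findings run where
# ES is installed; those that read ITSI episodes or write ITSI notables run
# where ITSI is installed.
ES_SIDE_SEARCHES = ["es_share_itsi", "ITSI Episode"]
ITSI_SIDE_SEARCHES = ["itsi_share_es", "ES Alert"]

# Constructed sample of GET /services/apps/local?output_mode=json (trimmed).
SAMPLE_APPS_RESPONSE = json.dumps({
    "entry": [
        {"name": "SplunkEnterpriseSecuritySuite", "content": {"disabled": False}},
        {"name": "itsi", "content": {"disabled": True}},
        {"name": "search", "content": {"disabled": False}},
    ]
})


def installed_apps_from_response(body: str) -> Set[str]:
    """Return the ids of apps that are installed AND enabled.

    A disabled app still shows up in apps/local, so the disabled flag must be
    checked; otherwise searches would be enabled against an app that cannot
    supply or accept data.
    """
    doc = json.loads(body)
    return {
        e["name"]
        for e in doc.get("entry", [])
        if not e.get("content", {}).get("disabled", False)
    }


def plan_search_state(installed_apps: Iterable[str]) -> Dict[str, bool]:
    """Map each bridge search to True (enable) or False (disable)."""
    apps = set(installed_apps)
    plan: Dict[str, bool] = {}
    for name in ES_SIDE_SEARCHES:
        plan[name] = ES_APP in apps
    for name in ITSI_SIDE_SEARCHES:
        plan[name] = ITSI_APP in apps
    return plan


def rest_requests(plan: Dict[str, bool], app: str = BRIDGE_APP) -> List[Tuple[str, str]]:
    """Build (method, path) pairs for the saved-search enable/disable endpoints."""
    from urllib.parse import quote
    reqs = []
    for name, enabled in sorted(plan.items()):
        action = "enable" if enabled else "disable"
        path = f"/servicesNS/nobody/{app}/saved/searches/{quote(name, safe='')}/{action}"
        reqs.append(("POST", path))
    return reqs


def apply_plan(base_url: str, session_key: str, plan: Dict[str, bool],
               verify_tls: bool = True) -> None:
    """POST each request using the session key the alert action receives.

    Not called in this example; shown so the authentication header and the
    TLS choice are explicit. Disabling verification is only for lab hosts.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    for method, path in rest_requests(plan):
        req = urllib.request.Request(base_url + path, data=b"", method=method)
        req.add_header("Authorization", f"Splunk {session_key}")
        with urllib.request.urlopen(req, context=ctx) as resp:
            resp.read()


if __name__ == "__main__":
    apps = installed_apps_from_response(SAMPLE_APPS_RESPONSE)
    for method, path in rest_requests(plan_search_state(apps)):
        print(method, path)
```

With the constructed response above only ES is enabled, so the two ES-side searches are enabled and the two ITSI-side searches are disabled. In a real alert action the session key comes from the payload Splunk passes on stdin, and the account running the action needs write access to the saved searches in the bridge app's namespace, which is worth restricting to a dedicated role rather than granting broadly.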

Macros

  1. filter_share_itsi - Limits which ES findings are saved to the share_with_itsi index
  2. filter_share_es - Limits which ITSI episodes are saved to the share_with_es index
  3. itsi_severvity_description - Maps a number to a string for severity