App Components

This page describes the components that ship as part of the app and what each of them does.

[Diagrams: ES to ITSI flow; ITSI to ES flow]

Searches

  1. es_is_installed - Checks to see if ES is installed on that SH(C). If so, it enables/disables the proper searches via the enable_searches alert action
  2. itsi_is_installed - Checks to see if ITSI is installed on that SH(C). If so, it enables/disables the proper searches via the enable_searches alert action
  3. es_share_itsi - Runs a scheduled search to pull information from ES notables to populate the share_with_itsi index
  4. itsi_share_es - Runs a scheduled search to pull information from ITSI episodes to populate the share_with_es index
  5. ITSI Episode - Scheduled correlation search to create ES notables based on data in share_with_es
  6. ES Alert - Scheduled correlation search to create ITSI notables based on data in share_with_itsi

Indexes

  1. share_with_es - Index that holds specific data from ITSI episodes, used to generate ES notables
  2. share_with_itsi - Index that holds specific data from ES notables, used to generate ITSI notables

Alert Actions

  1. enable_searches - Makes REST calls to enable and disable the proper searches based on the SH(C) it is installed on

Macros

  1. filter_share_itsi - Limits which ES notables are saved to the share_with_itsi index
  2. filter_share_es - Limits which ITSI episodes are saved to the share_with_es index
  3. itsi_severity_description - Maps a severity number to its string description