docs/reference/search-connectors/es-connectors-sandfly.md
The Elastic Sandfly Security connector is a connector for Sandfly Security. This connector is written in Python using the Elastic connector framework.
View the source code for this connector (branch main, compatible with Elastic 9.0).
::::{note} This connector is a community contribution and is not supported by Elastic. Support for this connector is provided by the community. Please refer to the connector's source code repository for issues and support requests. ::::
This connector is available as a self-managed connector.
This self-managed connector is compatible with Elastic versions 9.1.0+.
To use this connector, satisfy all self-managed connector requirements.
To create a new Sandfly Security connector:
You can use the {{es}} Create connector API to create a new self-managed Sandfly Security connector.
For example:
PUT _connector/my-sandfly-connector
{
"index_name": "my-elasticsearch-index",
"name": "Content synced from Sandfly Security",
"service_type": "sandfly"
}
:::::{dropdown} You'll also need to create an API key for the connector to use.
::::{note}
The user needs the cluster privileges manage_api_key, manage_connector and write_connector_secrets to generate API keys programmatically.
::::
To create an API key for the connector:
Run the following command, replacing values where indicated.
Note the encoded return values from the response:
POST /_security/api_key
{
"name": "connector_name-connector-api-key",
"role_descriptors": {
"connector_name-connector-role": {
"cluster": [
"monitor",
"manage_connector"
],
"indices": [
{
"names": [
"index_name",
".search-acl-filter-index_name",
".elastic-connectors*"
],
"privileges": [
"all"
],
"allow_restricted_indices": false
}
]
}
}
}
Update your config.yml file with the API key encoded value.
:::::
Refer to the {{es}} API documentation for details of all available Connector APIs.
To use this connector as a self-managed connector, see Self-managed connectors For additional usage operations, see Connectors UI in {{kib}}.
Configure Sandfly Security credentials to fetch data from your Sandfly Security server.
You'll need to provide:
https://your-sandfly-server.com/v4This connector is compatible with Sandfly Security servers that support API version v4.
The following configuration fields are required:
server_url
: Sandfly Server URL including the API version (v4).
For example: https://server-name/v4
username
: Sandfly Server Username for authentication.
password
: Sandfly Server Password for authentication.
enable_pass
: Toggle to enable indexing of "pass" results.
When disabled (default), only Alert and Error results are indexed.
Default value is False.
verify_ssl
: Toggle to verify the Sandfly Server SSL certificate.
Disable to allow self-signed certificates.
Default value is True.
fetch_days
: Number of days of results history to fetch during a Full Content Sync.
Default value is 30.
You can deploy the Sandfly Security connector as a self-managed connector using Docker. Follow these instructions.
::::{dropdown} Step 1: Download sample configuration file Download the sample configuration file. You can either download it manually or run the following command:
curl https://raw.githubusercontent.com/elastic/connectors/main/app/connectors_service/config.yml.example --output ~/connectors-config/config.yml
% NOTCONSOLE
Remember to update the --output argument value if your directory name is different, or you want to use a different config file name.
::::
::::{dropdown} Step 2: Update the configuration file for your self-managed connector Update the configuration file with the following settings to match your environment:
elasticsearch.hostelasticsearch.api_keyconnectorsIf you're running the connector service against a Dockerized version of Elasticsearch and Kibana, your config file will look like this:
# When connecting to your cloud deployment you should edit the host value
elasticsearch.host: http://host.docker.internal:9200
elasticsearch.api_key: <ELASTICSEARCH_API_KEY>
connectors:
-
connector_id: <CONNECTOR_ID_FROM_KIBANA>
service_type: sandfly
api_key: <CONNECTOR_API_KEY_FROM_KIBANA> # Optional. If not provided, the connector will use the elasticsearch.api_key instead
Using the elasticsearch.api_key is the recommended authentication method.
However, you can also use elasticsearch.username and elasticsearch.password to authenticate with your Elasticsearch instance.
Note: You can change other default configurations by simply uncommenting specific settings in the configuration file and modifying their values.
::::
::::{dropdown} Step 3: Run the Docker image Run the Docker image with the Connector Service using the following command:
docker run \
-v ~/connectors-config:/config \
--network "elastic" \
--tty \
--rm \
docker.elastic.co/integrations/elastic-connectors:{{version.stack}} \
/app/bin/elastic-ingest \
-c /config/config.yml
% NOTCONSOLE ::::
Refer to DOCKER.md in the elastic/connectors repo for more details.
Find all available Docker images in the official registry.
::::{tip}
We also have a quickstart self-managed option using Docker Compose, so you can spin up all required services at once: Elasticsearch, Kibana, and the connectors service.
Refer to this README in the elastic/connectors repo for more information.
::::
The connector syncs the following objects and entities from Sandfly Security:
::::{note}
::::
Full syncs are supported by default for all connectors.
This connector also supports incremental syncs.
Basic sync rules are identical for all connectors and are available by default. For more information read Types of sync rule.
::::{note} Advanced sync rules are not currently supported for this connector.
::::
See Content extraction.
The connector framework enables operators to run functional tests against a real data source. Refer to Connector testing for more details.
To perform E2E testing for the Sandfly Security connector, run the following command:
$ make ftest NAME=sandfly
For faster tests, add the DATA_SIZE=small flag:
make ftest NAME=sandfly DATA_SIZE=small
There are currently no known issues for this connector. Refer to Known issues for a list of known issues for all connectors.
See Troubleshooting.
See Security.