Configure and enable Elasticsearch integration

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read

    • Elasticsearch is a distributed, RESTful search and analytics engine that easily integrates with Security Operations.

    Before you begin

    Before you can use the Elasticsearch, you must download it from the ServiceNow Store.

    Role required: sn_sec_tisc.admin

    Important:
    • The Threat Intelligence Security Center plugin must be installed and activated before you can use the Elasticsearch integration.
    • Obtain the Elasticsearch API Base URL, Kibana Base URL, Username, and Password under your Elasticsearch profile.

    Procedure

    1. Using your instance, access Threat Intelligence Security Center.
    2. Download the integration from the ServiceNow Store.
    3. When the installation is complete, navigate to Workspaces > Threat Intelligence Security Center.
    4. Select Integrations > Enrichment Integrations > All Integrations.
    5. Alternatively, you can navigate to Integrations > Enrichment Integrations > All Integrations > Sighting Search
      Note:
      The configured integrations appear as a series of cards.
    6. In the Elasticsearch card, select Configure New Enrichment to configure Elasticsearch integration.
    7. Fill in the fields on the Configure New Enrichment form.
      Table 1. Enrichment Integration
      Field Description
      Name Enter a name for the sighting search configuration.
      Vendor Name Name of the vendor. The details of the selected vendor is populated by default. For example, Elasticsearch.
      Integration Type Type of integration that you selected. For example, Threat Lookup.
      Description Enter the description for the Elasticsearch integration. For example, The Elasticsearch enrichment integration aids in the investigation of an observable by supporting the querying of logs in your Elasticsearch deployment.
      Integration Configuration
      Elasticsearch API Base URL The base URL you acquired from the Elasticsearch site.
      Kibana Base URL The Kibana Base URL. [Optional] Links to a Kibana instance, when available.
      Username Your Intel Elasticsearch username.
      Password Your Intel Elasticsearch password.
      Elasticsearch Index The Elasticsearch index. These in turn will hold documents that are unique to each index. Indices are identified by lowercase names that refer to actions that are performed actions (such as searching and deleting).
      Date range field The timestamp of the configuration.
      Max Rows The maximum number of rows you want to search.
      Earliest Result (days) The earliest results you want to see in number of days.
      Include raw data samples in search results Select this to include samples of raw data in your sightings search results. The amount of data returned depends on your setting in the number of rows of raw data property in Security Incident Response properties.
      MID Server Select Any to use any active MID Server, or select a specific MID Server name.
      Note:
      Configuring this integration activates workflows. To manage the workflows, navigate to the Workflow Editor.
    8. Select Save.
      The integration details are validated, and by default the Elasticsearch integration's status is turned off.
    9. Select Enable to enable the Elasticsearch integration.

    Result

    After it is configured, Elasticsearch can be selected for performing sighting search on observables in Threat Intelligence Security Center.