Integration parameters

Arcanna supports a large number of integrations, and each one can take on multiple roles when defining a use case (job).

Available integration roles are:

  • input
  • processor
  • output
  • enrichment
  • case_creation
  • post_decision

Defining an integration requires a set of parameters that is specific to each type of integration. Each integration type has a unique set of parameters, and they are required to establish a connection to that particular integration. These parameters are provided through the resources API when creating or updating an integration.

When an integration is used with a specific role in a use case, a second set of parameters is required. For each combination of integration and role these parameters are again unique. This set of parameters is supplied when defining a job with the resources API.

Rather than maintaining extensive documentation for every type of integration, the parameters needed for each one can be discovered by calling the GET /api/v2/resources/integration/parameters/schema endpoint. It returns the definition of each integration's parameters in JSON schema format.

Calling the endpoint with no filters returns the connection details needed for every integration available in Arcanna. Some parameters are mandatory while others are optional; this is expressed using the JSON schema "required" list.

This endpoint must be called with the resources token.

Getting all integration connection parameters

Request:

GET /api/v2/resources/integration/parameters/schema

Filter a specific integration connection parameters

Request:

GET /api/v2/resources/integration/parameters/schema?type=Elasticsearch

Response:

{
  "type": "object",
  "properties": {
    "Elasticsearch": {
      "type": "object",
      "description": "Elasticsearch is a distributed, free and open search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured. Elasticsearch is built on Apache Lucene.",
      "required": [
        "hosts",
        "port",
        "user",
        "password",
        "schema"
      ],
      "properties": {
        "hosts": {
          "type": "string",
          "description": "Host",
          "required": [],
          "properties": {}
        },
        "port": {
          "type": "number",
          "description": "Port",
          "required": [],
          "properties": {}
        },
        "user": {
          "type": "string",
          "description": "Username",
          "required": [],
          "properties": {}
        },
        "password": {
          "type": "string",
          "description": "Password",
          "required": [],
          "properties": {}
        },
        "schema": {
          "type": "string",
          "description": "Protocol",
          "required": [],
          "enum": [
            "http",
            "https"
          ],
          "properties": {}
        }
      }
    }
  }
}

Get the integration parameters when used with a specific role in a job

Request:

GET /api/v2/resources/integration/parameters/schema?type=Elasticsearch&role=input

Response:

{
  "type": "object",
  "properties": {
    "Elasticsearch": {
      "type": "object",
      "description": "Elasticsearch is a distributed, free and open search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured. Elasticsearch is built on Apache Lucene.",
      "required": [
        "index_pattern",
        "preserve_id"
      ],
      "properties": {
        "index_pattern": {
          "type": "string",
          "description": "Specify the index pattern Arcanna will read from (e.g. \"filebeat-*\").",
          "required": [],
          "properties": {}
        },
        "datetime": {
          "type": "string",
          "description": "Events ingested by Arcanna should contain a date and time field. If this is not specified, by default it will use \"@timestamp\".",
          "required": [],
          "properties": {}
        },
        "start_time": {
          "type": "string",
          "description": "Arcanna will retrieve events newer than the specified time. Will be compared to the date and time field, which is \"@timestamp\" by default.",
          "required": [],
          "properties": {}
        },
        "end_time": {
          "type": "string",
          "description": "Arcanna will retrieve events older than the specified time. Will be compared to the date and time field, which is \"@timestmap\" by default.",
          "required": [],
          "properties": {}
        },
        "filter": {
          "type": "string",
          "description": "See <a href=\"https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html\">documentation</a> for language specifications. You only need to specify for the filter what's on the path: query.query_string.query. You don't need to give specify the whole JSON used by the GET /_search endpoint. The JSON body is built in the backend and concatenated with other parameters given to the integration (e.g.: start_time, end_time). Syntax of query_string must respect the documentation. It is case sensitive.",
          "required": [],
          "properties": {}
        },
        "batch_size": {
          "type": "number",
          "description": "Arcanna will retrieve events in batches of specified size.",
          "required": [],
          "properties": {}
        },
        "_source": {
          "type": "string",
          "description": "Source fields which will be fetched by the query, given as a comma-separated list. If empty will fetch all fields.",
          "required": [],
          "properties": {}
        },
        "preserve_id": {
          "type": "boolean",
          "description": "If enabled, the results will have the same _id as the original input documents. If disabled, all events will receive a random, unique _id.",
          "required": [],
          "properties": {}
        }
      }
    }
  }
}
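As an added example (not Arcanna's own code), the following Python checks a candidate set of parameters against a schema returned by the endpoint before the resources API is called, so that missing mandatory parameters, wrong JSON types and values outside an enum are caught locally rather than by a failed create/update request. The schema dict is a constructed excerpt of the Elasticsearch connection schema shown above with the descriptions dropped; the host, user and password values are placeholders.

```python
# Constructed excerpt of the response to
# GET /api/v2/resources/integration/parameters/schema?type=Elasticsearch
CONNECTION_SCHEMA = {
    "type": "object",
    "properties": {
        "Elasticsearch": {
            "type": "object",
            "required": ["hosts", "port", "user", "password", "schema"],
            "properties": {
                "hosts": {"type": "string"},
                "port": {"type": "number"},
                "user": {"type": "string"},
                "password": {"type": "string"},
                "schema": {"type": "string", "enum": ["http", "https"]},
            },
        }
    },
}

# Python types that correspond to the JSON schema "type" values used in the responses above.
JSON_TYPES = {"string": str, "number": (int, float), "boolean": bool, "object": dict}


def check_parameters(schema: dict, integration: str, params: dict) -> list[str]:
    """Return the problems found in params for one integration type.

    Verifies every "required" key is present, each value has the declared JSON
    type and enum-constrained values are allowed; an empty list means OK."""
    spec = schema["properties"].get(integration)
    if spec is None:
        return [f"unknown integration type: {integration}"]
    problems = [f"missing required parameter: {k}" for k in spec.get("required", []) if k not in params]
    for key, value in params.items():
        prop = spec["properties"].get(key)
        if prop is None:
            problems.append(f"unknown parameter: {key}")
            continue
        # bool is a subclass of int in Python, so a True/False "number" must be rejected explicitly
        if not isinstance(value, JSON_TYPES[prop["type"]]) or (prop["type"] == "number" and isinstance(value, bool)):
            problems.append(f"{key}: expected {prop['type']}, got {type(value).__name__}")
        elif "enum" in prop and value not in prop["enum"]:
            problems.append(f"{key}: {value!r} not in {prop['enum']}")
    return problems


if __name__ == "__main__":
    # Constructed, deliberately faulty parameter set: two required keys missing, port mistyped, bad protocol.
    for line in check_parameters(CONNECTION_SCHEMA, "Elasticsearch", {"hosts": "es.example.internal", "port": "9200", "schema": "ftp"}):
        print(line)
```

The same function works unchanged on the role schema (for example the input role above), since it reads "required", "type" and "enum" from whatever schema dict it is given.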