Integration
Elastic Security
Two paths: a Logstash HTTP input pipeline (most flexible) or a Fleet HTTP JSON input (simpler for Elastic Cloud customers).
Option A · Logstash pipeline
leakjar.conf

```ruby
input {
  http {
    port => 8080
    codec => "json"
    additional_codecs => { "application/json" => "json" }
  }
}

filter {
  # Route each webhook event type to its own daily index.
  if [event] == "exposureAlert.created" {
    mutate { add_field => { "[@metadata][index]" => "leakjar-detected-%{+YYYY.MM.dd}" } }
  } else if [event] == "exposureAlert.resolved" {
    mutate { add_field => { "[@metadata][index]" => "leakjar-resolved-%{+YYYY.MM.dd}" } }
  } else {
    # Unknown event types are still indexed instead of landing in a literal
    # "%{[@metadata][index]}" index name.
    mutate { add_field => { "[@metadata][index]" => "leakjar-unknown-%{+YYYY.MM.dd}" } }
  }

  # Promote common fields for ECS-friendly indexing. copy (not rename) keeps the
  # original data.* fields, which the detection rule queries. The top-level "event"
  # field is a string, so nothing can be written under event.*; the severity goes to
  # log.level instead (ECS event.severity is numeric anyway).
  mutate {
    copy => {
      "[data][email]"    => "[user][email]"
      "[data][severity]" => "[log][level]"
    }
  }
}

output {
  elasticsearch {
    hosts => ["https://elastic:9200"]
    index => "%{[@metadata][index]}"
    user => "${ES_USER}"
    password => "${ES_PASS}"
  }
}
```

Option B · Fleet HTTP JSON input
- Kibana → Fleet → Agent policies → Add integration.
- Pick Custom HTTP Endpoint (HTTP JSON).
- Data stream name: logs-leakjar.exposure-default.
- Configure the listener port; use it as the LeakJar webhook URL.
- Verify signatures in an ingest pipeline (see webhooks guide).
Detection rule example
detection-rule.yml

```yaml
name: LeakJar — credential exposure for privileged account
type: query            # rule type, as the Kibana detection API names it
language: kuery
# Point the rule at the indices this integration writes to; the Security
# default index patterns do not include them.
index:
  - "leakjar-detected-*"
  - "logs-leakjar.exposure-*"
query: |
  event : "exposureAlert.created" AND
  data.severity : ("high" OR "critical") AND
  data.email : (ceo@acme.com OR cto@acme.com OR *@acme.com)
severity: high
risk_score: 80
interval: 5m
from: now-5m
actions:
  - action_type_id: .email
    group: default
    id: "<email-connector-id>"   # placeholder: id of your configured email connector
    params:
      to: ["soc@acme.com"]
      subject: "LeakJar: credential exposure for privileged account"
      message: "{{context.rule.name}} matched {{state.signals_count}} alert(s)."
```
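To sanity-check the routing and the rule before loading them into Elastic, here is a small offline harness written for this page (an added example, not LeakJar's or Elastic's code). It assumes the webhook payload shape implied by the filter and the rule, `{"event": ..., "data": {"email": ..., "severity": ...}}`, and the sample alerts are constructed. It mirrors the Logstash filter's index routing and field promotion, then evaluates the rule's three KQL conditions, treating `*` as a KQL wildcard. Running it makes one property of the rule visible: `*@acme.com` already matches every address in the domain, so the two explicit addresses add nothing, and the rule fires for any account there unless the wildcard is removed.

```python
"""Offline check of the LeakJar -> Elastic routing and detection logic (added example).

The payload shape ({"event": "...", "data": {"email": ..., "severity": ...}}) is an
assumption taken from the Logstash filter and the KQL rule; all alerts below are constructed.
"""
import copy
from datetime import date
from fnmatch import fnmatchcase

# Event name -> index prefix, as in the Logstash filter's @metadata routing.
ROUTES = {
    "exposureAlert.created": "leakjar-detected",
    "exposureAlert.resolved": "leakjar-resolved",
}

# The rule's conditions, kept as data so the same harness can check rule variants.
PRIVILEGED_PATTERNS = ["ceo@acme.com", "cto@acme.com", "*@acme.com"]
ALERT_SEVERITIES = {"high", "critical"}


def index_for(event_name: str, day: date) -> str:
    """Daily index name for an event; unknown event types get a catch-all prefix
    rather than the literal "%{[@metadata][index]}" an unrouted event would produce."""
    return f"{ROUTES.get(event_name, 'leakjar-unknown')}-{day:%Y.%m.%d}"


def promote_fields(payload: dict) -> dict:
    """Copy data.email -> user.email and data.severity -> log.level (ECS-style names)
    without touching data.*, so queries on either name keep working."""
    doc = copy.deepcopy(payload)
    data = doc.get("data", {})
    if "email" in data:
        doc.setdefault("user", {})["email"] = data["email"]
    if "severity" in data:
        doc.setdefault("log", {})["level"] = data["severity"]
    return doc


def rule_matches(doc: dict, patterns=PRIVILEGED_PATTERNS, severities=ALERT_SEVERITIES) -> bool:
    """Evaluate the rule's KQL: created event AND severity in the set AND email matching
    any listed pattern. Case-sensitive, like KQL on a keyword field."""
    if doc.get("event") != "exposureAlert.created":
        return False
    data = doc.get("data", {})
    if data.get("severity") not in severities:
        return False
    email = data.get("email") or ""
    return any(fnmatchcase(email, pattern) for pattern in patterns)


# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    {"event": "exposureAlert.created", "data": {"email": "ceo@acme.com", "severity": "critical"}},
    {"event": "exposureAlert.created", "data": {"email": "intern@acme.com", "severity": "high"}},
    {"event": "exposureAlert.created", "data": {"email": "ceo@acme.com", "severity": "low"}},
    {"event": "exposureAlert.resolved", "data": {"email": "cto@acme.com", "severity": "critical"}},
    {"event": "exposureAlert.created", "data": {"email": "cto@partner.example", "severity": "high"}},
]


def evaluate(alerts, day: date):
    """Route and score each alert; returns (index, email, matched) per alert."""
    results = []
    for alert in alerts:
        doc = promote_fields(alert)
        results.append((index_for(doc["event"], day), doc["user"]["email"], rule_matches(doc)))
    return results


if __name__ == "__main__":
    for index, email, hit in evaluate(SAMPLE_ALERTS, date.today()):
        print(f"{index:<32} {email:<24} {'ALERT' if hit else '-'}")
```

Run it as a script to get one line per sample alert with the index it would land in and whether the rule would fire. Because the match is case-sensitive, lowercase the address in the pipeline (or in the rule) if case should not matter for the comparison.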