
Overview

Connect your Elastic Cloud deployment to give TierZero access to your log data. TierZero queries Elasticsearch during investigations to search logs, analyze patterns, and correlate events.

Prerequisites

  • Access to your Elastic Cloud deployment (Kibana)
  • Permission to create API keys (the manage_own_api_key or manage_api_key cluster privilege)

Setup Instructions

Step 1: Navigate to Integration Settings

  1. Log into your TierZero dashboard
  2. Go to Settings → Integrations
  3. Click Connect next to Elasticsearch

Step 2: Create an API Key

  1. In Kibana for your deployment, open Stack Management → API keys
  2. Click Create API key
  3. Name it (e.g., “tierzero-read-access”) and set an expiration so the key cannot outlive the integration
  4. Restrict the key's privileges to read-only with the following role descriptors (this is also the request body for POST /_security/api_key if you create the key with the REST API instead). "*" grants read on every non-restricted index; narrow names to the patterns TierZero needs, such as "logs-*", if the cluster also holds data it should not see:
{
  "role_descriptors": {
    "tierzero_reader": {
      "cluster": ["monitor"],
      "index": [
        {
          "names": ["*"],
          "privileges": ["read", "view_index_metadata"]
        }
      ]
    }
  }
}
  5. Click Create
  6. Choose the Base64 format and copy the encoded value (base64 of id:api_key). It is shown only once, so keep it in a secret manager until you paste it into TierZero.

Step 3: Enter Connection Details

  1. Enter your Elasticsearch endpoint URL, scheme and port included and with no path (e.g., https://my-deployment.es.us-east-1.aws.found.io:9243); this is the Elasticsearch endpoint, not the Kibana one
  2. Paste the Base64-encoded API key
  3. Click Connect

What TierZero Accesses

  • Log search: Query logs across indices with time range filtering
  • Index metadata: Index names and field mappings
  • Aggregations: Statistical analysis of log data

Security

  • TierZero authenticates with the API key (Elasticsearch's Authorization: ApiKey header); the role descriptors above grant only monitor, read and view_index_metadata, so the key cannot write, delete or change settings
  • TierZero stores the API key encrypted at rest
  • Revoke access at any time by invalidating the key in Kibana under Stack Management → API keys (or with DELETE /_security/api_key); a key created with an expiration stops working on its own at that date

Troubleshooting

Connection Fails

  • Verify the endpoint URL is the Elasticsearch endpoint (not Kibana), uses https and includes the port (typically :9243 for Elastic Cloud)
  • Check that the API key is the Base64-encoded value, not the raw id:api_key pair: a value containing a colon has not been encoded. Elasticsearch expects the header Authorization: ApiKey <base64 of id:api_key>
  • Ensure the deployment is running and reachable from TierZero; a traffic filter on the deployment, or a key that has expired or been invalidated, also fails the connection
  • If you narrowed the index names in the role descriptors, confirm the pattern matches the indices that hold your logs
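The following script is an added example for this page, not TierZero's or Elastic's own code. It carries out Step 2 with the REST API instead of the Kibana UI (POST /_security/api_key with the same role descriptors), proves the resulting key is read-only before it is pasted into TierZero (POST /_security/user/_has_privileges, which any authenticated caller may use for its own privileges), and includes the Base64-versus-raw check from the Troubleshooting section. Assumptions: the Elasticsearch URL and admin credentials are passed on the command line, the index pattern logs-* and the 90-day expiration are illustrative choices, and only the standard library is used.

```python
"""Create a read-only Elasticsearch API key for TierZero and verify it.

Added example for this page; not TierZero's or Elastic's own code. Only the
standard library and two documented Elasticsearch security endpoints are used:
  POST /_security/api_key                create a key with role descriptors
  POST /_security/user/_has_privileges   ask what the caller is allowed to do
The URL, admin credentials, index pattern and expiration are placeholders.
"""
import base64
import json
import sys
import urllib.request

INDEX_PATTERN = "logs-*"  # assumption: scope the key to log indices instead of "*"

# The same role descriptors the guide has you paste into Kibana, narrowed to logs.
ROLE_DESCRIPTORS = {
    "tierzero_reader": {
        "cluster": ["monitor"],
        "index": [{"names": [INDEX_PATTERN],
                   "privileges": ["read", "view_index_metadata"]}],
    }
}

# Privileges to probe: the ones we granted plus ones a read-only key must lack.
PRIVILEGE_PROBE = {
    "cluster": ["monitor", "manage", "manage_security"],
    "index": [{"names": [INDEX_PATTERN],
               "privileges": ["read", "view_index_metadata", "write", "delete", "manage"]}],
}


def encode_api_key(key_id: str, api_key: str) -> str:
    """Kibana's 'Base64' format, and the value for 'Authorization: ApiKey ...': base64(id:api_key)."""
    return base64.b64encode(f"{key_id}:{api_key}".encode()).decode()


def classify_key_value(value: str) -> str:
    """'base64' if value decodes to id:api_key, 'raw' if it is the unencoded pair, else 'unknown'."""
    try:
        decoded = base64.b64decode(value, validate=True).decode()
        if decoded.count(":") == 1 and all(decoded.split(":")):
            return "base64"
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        pass
    if value.count(":") == 1 and all(value.split(":")):
        return "raw"
    return "unknown"


def is_read_only(has_privileges: dict, index_pattern: str = INDEX_PATTERN) -> bool:
    """True only if every granted privilege is present and every write/admin one is denied."""
    cluster = has_privileges.get("cluster", {})
    index = has_privileges.get("index", {}).get(index_pattern, {})
    granted = ["read", "view_index_metadata"]
    denied = ["write", "delete", "manage"]
    return (cluster.get("monitor") is True
            and cluster.get("manage") is False
            and cluster.get("manage_security") is False
            and all(index.get(p) is True for p in granted)
            and all(index.get(p) is False for p in denied))


def _call(url: str, headers: dict, body: dict) -> dict:
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_key(es_url, admin_user, admin_pass, name="tierzero-read-access", expiration="90d"):
    """Create the key as an admin and return its Base64 credential (the secret is shown only once)."""
    basic = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    resp = _call(f"{es_url}/_security/api_key", {"Authorization": f"Basic {basic}"},
                 {"name": name, "expiration": expiration, "role_descriptors": ROLE_DESCRIPTORS})
    return encode_api_key(resp["id"], resp["api_key"])


def verify_key(es_url, encoded_key):
    """Authenticate as the new key and confirm it is read-only before handing it to TierZero."""
    resp = _call(f"{es_url}/_security/user/_has_privileges",
                 {"Authorization": f"ApiKey {encoded_key}"}, PRIVILEGE_PROBE)
    return is_read_only(resp)


if __name__ == "__main__":
    # usage: python make_key.py https://my-deployment.es.us-east-1.aws.found.io:9243 admin 'password'
    es_url, user, password = sys.argv[1:4]
    es_url = es_url.rstrip("/")
    key = create_key(es_url, user, password)
    print("key is read-only:", verify_key(es_url, key))
    print("paste into TierZero (store in a secret manager):", key)
```

Run it once against the deployment and paste the printed Base64 value into TierZero only if the read-only check prints True; if it prints False, the role descriptors were altered or the key inherited more than intended, and the key should be invalidated rather than used.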