Elastic API Key
Service Name: Elastic
Service Description: Elastic is a search and analytics company that offers a suite of products including Elasticsearch, Kibana, Beats, and Logstash, collectively known as the Elastic Stack (formerly ELK Stack). These tools are used for search, logging, security, and analytics purposes.
Service Address: https://www.elastic.co/
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants access to Elasticsearch APIs and resources based on the permissions assigned to the API key.
Secret Revokement URL: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-invalidate-api-key.html
Secret Example: AAEAAWVsYXN0aWMva2liYW5hL3Rva2VuMTpkZWZhdWx0X2FkbWluOjEyMzQ1Njc4OTBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eg==
Suspicious Activity Investigation Instructions:
- Check Elasticsearch audit logs for unauthorized API calls or unusual access patterns
- Review access logs for suspicious IP addresses or locations
- Examine resource usage for unusual spikes that might indicate abuse
- Check for unauthorized index creation or data access
- Monitor for unusual search patterns or high-volume queries
Mitigation Instructions:
- Immediately invalidate the compromised API key using the Elasticsearch API
- Create a new API key with appropriate permissions
- Review and update access control policies
- Implement IP-based restrictions if possible
- Consider implementing shorter expiration times for API keys
- Audit all actions performed with the compromised key