Coming Soon

Elastic / ELK integration

SIEM & Monitoring

FortWatch continuously discovers what attackers can see from outside your network — open ports, unauthenticated databases, public storage buckets, expiring certificates, and exposed secrets. Streaming those findings into Elastic / ELK puts external attack-surface signal next to the internal logs, metrics, and SIEM detections your team already lives in, so an exposure on the perimeter and the activity it triggers can be correlated in one place. Instead of checking another dashboard, your analysts see FortWatch findings as searchable events in Kibana and as triggers for Elastic detection rules.

FortWatch → Elastic / ELK
New alert in Elastic / ELK
Critical · just now

Exposed Redis on 203.0.113.10:6379

Unauthenticated database reachable from the internet.

View finding & step-by-step fix →
Delivered in < 1 minute
How it works

Elastic / ELK + FortWatch

When it launches, FortWatch will ship findings into Elastic as structured JSON events over an outbound integration — either FortWatch pushing directly to an Elasticsearch data stream via the Bulk API, or routing through your existing pipeline (Elastic Agent, Logstash, or a Beats HTTP input) using a webhook. Each finding is mapped to Elastic Common Schema (ECS) fields — severity to event.severity, the scanner and finding type to event.category and event.action, and the affected asset to host, url, and network fields — so it indexes cleanly alongside the rest of your data and works with prebuilt Kibana visualizations. The flow is one-directional from FortWatch into Elastic: new findings, severity changes, and auto-resolved exposures arrive as events you can search in Discover, chart in Kibana dashboards, and match against Elastic Security detection rules to fire alerts or feed your existing on-call workflows.
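The ECS mapping and Bulk API push described above, as an added illustration that is not FortWatch's own code: the finding shape, the numeric values for high/medium/low, and the data stream name are assumptions (only the critical → 99 mapping and the field names come from the page's sample event).

```python
import json

# event.severity per level; 99 for critical is taken from the page's sample
# event, the other three values are assumptions for this example.
SEVERITY = {"critical": 99, "high": 73, "medium": 47, "low": 21}

def to_ecs(finding: dict) -> dict:
    """Map one FortWatch finding (hypothetical input shape) onto ECS fields."""
    if finding["severity"] not in SEVERITY:
        raise ValueError(f"unknown severity: {finding['severity']}")
    asset = finding["asset"]
    doc = {
        "@timestamp": finding["detected_at"],
        "event.kind": "alert",
        "event.category": "configuration",
        "event.action": finding["event"],  # exposure-detected / exposure-resolved
        "event.severity": SEVERITY[finding["severity"]],
        "fortwatch.scanner": finding["scanner"],
        "fortwatch.finding": finding["title"],
        "fortwatch.severity": finding["severity"],
        "fortwatch.summary": finding["summary"],
        "fortwatch.remediation": finding["remediation"],
        "fortwatch.url": finding["url"],
        "host.ip": asset["ip"],
        "host.name": asset["hostname"],
    }
    if "port" in asset:  # network-service findings carry transport + port
        doc["network.transport"] = asset.get("transport", "tcp")
        doc["destination.port"] = asset["port"]
    if "url" in asset:   # exposed-file / bucket findings carry a URL instead
        doc["url.full"] = asset["url"]
    return doc

def bulk_body(findings: list, data_stream: str) -> str:
    """NDJSON body for POST /_bulk; data streams accept only the 'create' action."""
    lines = []
    for f in findings:
        lines.append(json.dumps({"create": {"_index": data_stream}}))
        lines.append(json.dumps(to_ecs(f)))
    return "\n".join(lines) + "\n"  # the Bulk API requires a trailing newline

# Constructed sample finding mirroring the page's Redis example.
SAMPLE = {
    "detected_at": "2026-06-07T14:32:08Z", "event": "exposure-detected",
    "severity": "critical", "scanner": "nmap-scan",
    "title": "Unauthenticated Redis exposed to the internet",
    "summary": "Redis is reachable from any IP with no auth (requirepass unset).",
    "remediation": "Bind Redis to a private interface, set requirepass, firewall 6379.",
    "url": "https://app.fortwatch.ai/issues/8f31a2",
    "asset": {"ip": "203.0.113.42", "hostname": "cache-prod-01.example.com", "port": 6379},
}

if __name__ == "__main__":
    print(bulk_body([SAMPLE], "logs-fortwatch.findings-default"))
```

The printed body is what would be sent with `Content-Type: application/x-ndjson` to `<elasticsearch-url>/_bulk` using an API key with write access to that data stream.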

01. FortWatch scans

Eleven scanners watch your external attack surface around the clock — ports, certs, DNS, cloud buckets, exposed files and more.

02. AI triages the finding

Each issue is scored by real-world impact and packaged with the affected asset and a one-line explanation of the risk.

03. Delivered to Elastic / ELK

The finding lands in Elastic / ELK, routed by severity — so the right people see the right alert, fast.

Capabilities

What you'll be able to do

Everything the Elastic / ELK integration will bring to your security workflow.

Correlate a newly exposed service in FortWatch with inbound connection logs in Elastic SIEM to confirm whether an open port is already being probed or hit.

Build a Kibana dashboard that trends your external attack surface over time — critical and high findings by asset, scanner, and age — alongside internal security metrics.

Write Elastic Security detection rules that trigger the moment a critical finding lands, such as an unauthenticated Redis, MongoDB, or Elasticsearch instance exposed to the internet.

Set up Kibana alerting on certificate-expiry and DNS-hygiene findings so TLS and SPF/DKIM/DMARC gaps surface before they cause an outage or spoofing incident.

Retain a searchable forensic history of every exposure and its lifecycle (opened, severity-changed, resolved) for audits and post-incident timelines.

Enrich incident investigations by pivoting from an internal alert to FortWatch's external view of the same host — open ports, exposed files, and known-CVE components on that asset.
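The first capability above, correlating an exposure with inbound connection logs, as an added worked example that is not part of the page: it runs the join over constructed ECS-style flow records in plain Python, standing in for the KQL/EQL query an analyst would run in Kibana. Field names follow the page's sample event; the flow records and time window are assumptions.

```python
from datetime import datetime, timedelta

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(finding: dict, flows: list, window_minutes: int = 60) -> list:
    """Return inbound flow events that reached the exposed host:port within
    +/- window_minutes of the finding's timestamp (both sides use ECS names)."""
    t0 = _ts(finding["@timestamp"])
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    hits = []
    for ev in flows:
        if ev.get("event.category") != "network":
            continue
        if ev.get("destination.ip") != finding["host.ip"]:
            continue
        if ev.get("destination.port") != finding["destination.port"]:
            continue
        if lo <= _ts(ev["@timestamp"]) <= hi:
            hits.append(ev)
    return hits

def by_source(hits: list) -> dict:
    """Distinct source IPs with attempt counts, most active first."""
    counts = {}
    for ev in hits:
        counts[ev["source.ip"]] = counts.get(ev["source.ip"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

# Constructed FortWatch finding (fields as in the page's sample event).
FINDING = {"@timestamp": "2026-06-07T14:32:08Z", "event.kind": "alert",
           "host.ip": "203.0.113.42", "destination.port": 6379}

# Constructed inbound flow records as a firewall/NetFlow source would index them.
def _flow(ts, src, dport):
    return {"@timestamp": ts, "event.category": "network", "source.ip": src,
            "destination.ip": "203.0.113.42", "destination.port": dport}

FLOWS = [
    _flow("2026-06-07T14:05:41Z", "198.51.100.7", 6379),  # 27 min before: in window
    _flow("2026-06-07T14:06:02Z", "198.51.100.7", 6379),  # in window
    _flow("2026-06-07T14:10:00Z", "198.51.100.7", 443),   # wrong port: ignored
    _flow("2026-06-07T12:00:00Z", "198.51.100.9", 6379),  # 2.5 h earlier: outside window
    _flow("2026-06-07T14:50:15Z", "198.51.100.9", 6379),  # 18 min after: in window
]

if __name__ == "__main__":
    print(by_source(correlate(FINDING, FLOWS)))
```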

In practice

What an alert looks like

Every finding arrives formatted for Elastic / ELK — severity up front, the affected asset, and a one-line explanation of why it matters, with a link straight to the step-by-step fix.

  • Severity-tagged and color-coded
  • The exact asset and port affected
  • One click to the full finding & remediation
Example event as indexed in Elastic / ELK:

{
  "@timestamp": "2026-06-07T14:32:08Z",
  "event.kind": "alert",
  "event.category": "configuration",
  "event.action": "exposure-detected",
  "event.severity": 99,
  "fortwatch.scanner": "nmap-scan",
  "fortwatch.finding": "Unauthenticated Redis exposed to the internet",
  "fortwatch.severity": "critical",
  "host.ip": "203.0.113.42",
  "host.name": "cache-prod-01.example.com",
  "network.transport": "tcp",
  "destination.port": 6379,
  "fortwatch.summary": "Redis is reachable from any IP with no auth (requirepass unset). An attacker can read/flush all keys and abuse it for RCE.",
  "fortwatch.remediation": "Bind Redis to localhost/private network, enable requirepass, and firewall port 6379.",
  "fortwatch.url": "https://app.fortwatch.ai/issues/8f31a2"
}
Setup

Set it up in minutes, once it lands

No agents, no infrastructure changes — just connect Elastic / ELK and choose where alerts go.

01. When it launches, connect Elastic from FortWatch's Integrations settings by choosing whether to push to an Elasticsearch data stream directly or send to your Logstash/Elastic Agent endpoint.

02. Provide the target — your Elasticsearch URL and an API key (or the webhook/ingest endpoint of your pipeline) — and FortWatch will validate the connection.

03. Map or accept the default ECS field mapping and pick a data stream / index name so findings land where your team expects them.

04. Choose which findings to forward by severity and scanner (for example, critical and high only) to keep the stream focused.

05. Confirm with a test event, then build your Kibana dashboard and Elastic Security detection rules on the incoming FortWatch data.

Why route FortWatch into Elastic / ELK?

External exposures are often the first link in a breach, but they usually live in a separate tool from the SIEM where your team actually investigates. Routing FortWatch findings into Elastic / ELK closes that gap — perimeter risk becomes searchable, alertable, and correlatable next to your internal telemetry, so you spot a dangerous exposure and any activity against it in the same query. That shortens the path from "we have an open door" to "here's who's knocking on it."

FAQ

Frequently asked questions

Is the Elastic / ELK integration available now?

Not yet — it's in active development and marked Coming Soon. The FortWatch dashboard already tracks every finding today; the Elastic integration adds automatic streaming of those findings into Elasticsearch and Kibana. You can request to be notified when it goes live, and we'll email you the moment it's ready.

Will it work with self-hosted ELK as well as Elastic Cloud?

Yes, that's the plan. Because the integration is designed around standard Elasticsearch ingest (data streams / Bulk API, or a webhook into Logstash or Elastic Agent), it's intended to work whether you run Elastic Cloud or a self-managed ELK stack. You point FortWatch at your endpoint and supply credentials.

Does FortWatch read data out of Elastic or pull from my logs?

No. The integration is one-directional — FortWatch only writes its own findings into Elastic as ECS-formatted events. It never reads, queries, or pulls your existing log or index data.
