Dataminr Pulse Integration User Guide
| Attribute | Value |
|---|---|
| Version | 0.2.0 |
| Subscription level | Basic |
| Developed by | Elastic |
| Ingestion method(s) | API |
| Minimum Kibana version(s) | 9.0.0, 8.19.0 |
To use pre-release integrations, go to the Integrations page in Kibana, scroll down, and toggle on the Display beta integrations option.
Embed Dataminr Pulse real-time, actionable intelligence directly into Elastic Security. Transform the earliest external threat signals from over 1.1 million public, deep, and dark web sources into Elastic-native detections, enriched indices, and automated workflows.
The Dataminr Pulse integration for Elastic Security seamlessly bridges the gap between external real-time data and your internal security operations. By leveraging the Elastic Agent with a CEL (Common Expression Language) input, the integration polls the Dataminr Pulse v4 API at configurable intervals—automatically managing OAuth token refresh and cursor-based pagination to ensure a continuous, resilient data flow.
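The polling loop described above, shown as an added Python example rather than the integration's own CEL program: it fetches an OAuth token, refreshes it when the API rejects an expired one, pages forward with a cursor that is persisted between intervals, and writes one status record per HTTP call using the same dataminr_pulse.log.* names documented later in this guide. The API is a constructed in-memory stand-in; the response keys alerts and next_cursor, the request key cursor, and the assumption that an expired token yields HTTP 401 are not taken from this page.

```python
"""Polling loop of the kind the CEL input runs: OAuth token fetch and refresh
plus cursor-based pagination, against a constructed in-memory stand-in for the
Dataminr Pulse API. Added example, not the integration's own CEL program.
Assumed (not from this page): the alert response keys "alerts" and
"next_cursor", the request key "cursor", and that an expired token is
rejected with HTTP 401."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_URL = "https://userauth.dataminr.com/auth/2/token"  # endpoint named on this page
ALERTS_URL = "https://api.dataminr.com/pulse/v1/alerts"    # default API URL on this page

Response = Tuple[int, Dict]


class FakePulseApi:
    """Constructed stand-in: a handful of alerts, tokens that expire after 1 second."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.alerts = [{"alertId": f"a{i}", "headline": f"constructed alert {i}"} for i in range(5)]
        self.issued: Dict[str, float] = {}   # token -> expiry (epoch seconds)
        self.token_calls = 0

    def post_token(self, client_id: str, client_secret: str) -> Response:
        self.token_calls += 1
        if (client_id, client_secret) != ("demo-id", "demo-secret"):
            return 401, {}
        token, expire = f"dma-{self.token_calls}", self.clock() + 1.0
        self.issued[token] = expire
        return 200, {"dmaToken": token, "expire": expire}   # field names from this page

    def get_alerts(self, token: Optional[str], cursor: Optional[str], page_size: int) -> Response:
        if self.issued.get(token or "", 0.0) <= self.clock():
            return 401, {}
        start = int(cursor or 0)
        page = self.alerts[start:start + page_size]
        return 200, {"alerts": page, "next_cursor": str(start + len(page))}


@dataclass
class PulsePoller:
    api: FakePulseApi
    client_id: str
    client_secret: str
    page_size: int = 40                  # Page Size default from this page
    cursor: Optional[str] = None         # persisted across runs, like the CEL cursor state
    token: Optional[str] = None
    logs: List[Dict] = field(default_factory=list)

    def _log(self, **fields) -> None:
        # one record per HTTP call, mirroring the dataminr_pulse.log.* fields on this page
        self.logs.append({"fetch_timestamp": self.api.clock(), **fields})

    def _refresh_token(self) -> None:
        status, body = self.api.post_token(self.client_id, self.client_secret)
        self._log(log_type="auth", api_endpoint=TOKEN_URL, http_status_code=str(status),
                  status="success" if status == 200 else "failed")
        if status != 200:
            raise PermissionError("authentication failed: check Client ID and Client Secret")
        self.token = body["dmaToken"]

    def _fetch_page(self) -> Response:
        status, body = self.api.get_alerts(self.token, self.cursor, self.page_size)
        self._log(log_type="alert-fetch", api_endpoint=ALERTS_URL, http_status_code=str(status),
                  fetched_alerts=len(body.get("alerts", [])), next_cursor=body.get("next_cursor"),
                  status="success" if status == 200 else "failed")
        return status, body

    def poll_once(self) -> List[Dict]:
        """One interval: page forward from the saved cursor until a short page arrives."""
        if self.token is None:
            self._refresh_token()
        fetched: List[Dict] = []
        while True:
            status, body = self._fetch_page()
            if status == 401:            # token expired mid-run: refresh once, retry the same page
                self._refresh_token()
                status, body = self._fetch_page()
            if status != 200:
                raise RuntimeError(f"alert fetch failed with HTTP {status}")
            fetched.extend(body["alerts"])
            self.cursor = body["next_cursor"]   # saved on the last page too, so the next run resumes
            if len(body["alerts"]) < self.page_size:
                return fetched


def demo():
    """Two polling intervals with a token expiry and a new alert in between."""
    now = [1000.0]
    api = FakePulseApi(clock=lambda: now[0])
    poller = PulsePoller(api, "demo-id", "demo-secret", page_size=2)
    first = poller.poll_once()           # pages of 2, 2, 1 -> five alerts
    now[0] += 5.0                         # token issued at 1000 expires at 1001
    api.alerts.append({"alertId": "a5", "headline": "constructed alert 5"})
    second = poller.poll_once()          # 401 -> refresh -> resumes at cursor "5"
    return first, second, poller, api


if __name__ == "__main__":
    first, second, poller, api = demo()
    print(len(first), len(second), poller.cursor, api.token_calls)
```

The point to notice is that the cursor is stored even after the final short page, so a second interval fetches only the alert added in between instead of re-reading from the start, and that a 401 during a run is treated as an expired token (refresh and retry once) rather than as a configuration error, which is what the integration's continuous, resilient flow depends on.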
Stay ahead of the threat curve and be the first to see rapidly emerging and evolving threats, vulnerabilities, exploits, ransomware activity, third-party incidents, and more—often hours or days before traditional sources.
Unmatched Coverage, Precision, and Granularity
With Dataminr Pulse for Cyber Risk, security teams gain a critical time advantage. Dataminr processes more than 45 terabytes of daily public data, leveraging over 55 proprietary LLMs and 15 years of historic alerting information. With multimodal fusion AI, GenAI, and Agentic AI deeply embedded into the platform, security teams can:
- Dynamically detect and defend digital assets beyond the perimeter.
- Unearth hidden threats and close blind spots with advanced processing of text, images, video, and machine signals.
- Leverage Agentic AI-powered Intel Agents to autonomously assemble adversary context, including TTPs, IOCs, CVEs, and MITRE ATT&CK® mappings.
- Proactively prioritize and patch fast-breaking vulnerabilities and exploits.
Accelerate Elastic Workflows with Actionable Context
- Native ECS Mapping: Ingested alerts are automatically mapped to the Elastic Common Schema (ECS) and stored in the logs-dataminr_pulse.alerts-* data stream for immediate correlation.
- Granular Entity Expansion: The integration automatically expands alerts containing multiple discovered entities, such as vulnerabilities, threat actors, malware, IP addresses, and URLs into individual documents for deep, granular analysis.
- Integrated Detection & Response: Populate Elastic Security signals and enrich indices to power advanced hunting, Kibana Dashboards, and Elastic Defend workflows.
Address Your Critical Use Cases with Dataminr
| Use Case | How Dataminr & Elastic Work Together |
|---|---|
| Cyber Threat Intelligence | Piece together attack context with crucial details about threat actors and malware directly within the Elastic Security Threat Intel view and custom dashboards specific to your Dataminr topics. |
| Vulnerability Prioritization | See the earliest signals of PoC exploitation to prioritize patching within the Elastic Vulnerability Management framework. |
| Third-Party Risk | Instantly identify and track supply chain attacks and vendor disruptions as they unfold in real-time. |
| Digital Risk Protection | Spot credential dumps, phishing attempts, and brand impersonations involving your digital footprint. |
| Cyber-Physical Convergence | Assess the complete blast radius of physical events and coordinate a unified response to converged threats. |
Before installing, ensure the following requirements are met.
| Dependency | Requirement |
|---|---|
| Active Dataminr Pulse API account | Required |
| Client ID | Required |
| Client Secret | Required |
| Dataminr Pulse API version | v4 |
| Dependency | Requirement |
|---|---|
| Elastic Stack version | 8.13.0 or newer |
| Kibana version | 8.13.0 or newer |
| Elastic Agent version | 8.13.0 or newer |
| Elastic subscription | Basic or higher |
The host running the Elastic Agent must have outbound HTTPS (port 443) access to the following endpoints:
| Destination | Purpose |
|---|---|
| userauth.dataminr.com | For OAuth authentication |
| api.dataminr.com | For fetching alerts from Pulse API |
| Fleet Server URL | Agent enrollment and policy management within the client's systems |
No inbound ports are required on the agent host.
- Log in to Elastic and navigate to the Integrations page under Data Management.
- Search for Dataminr Pulse in the integrations catalog.
- Click the Dataminr Pulse integration card, then click Add Dataminr Pulse.
To use this integration, you need a Dataminr Pulse API account with a valid Client ID and Client Secret. Contact your Dataminr account representative to obtain the API credentials.
Keep your Client Secret secure. It will be stored as a secret value in the Elastic Agent policy and will not be visible after saving.
After clicking Add Dataminr Pulse from the integrations page, fill in the configuration form.
- Browse to Data Management and select Integrations.
- Search for Dataminr Pulse to install the integration and follow the on-screen instructions.
- Optionally, configure the Polling Interval and Page Size. The defaults work for most deployments.
- Select an existing Agent policy or create a new one.
- Click Save and continue, then Save and deploy changes.
The table below describes all available configuration parameters.
| Parameter | Description | Required | Default |
|---|---|---|---|
| Integration name | A descriptive name visible on the Elastic Agent policy. | No | dataminr_pulse |
| API URL | The full URL for the Dataminr Pulse alerts endpoint. | Yes | https://api.dataminr.com/pulse/v1/alerts |
| Client ID | Your Dataminr API Client ID for OAuth token generation. | Yes | - |
| Client Secret | Your Dataminr API Client Secret for OAuth token generation. Stored securely. | Yes | - |
| Interval | How often the integration polls the Dataminr API for new alerts (e.g., 5m, 1m, 10m). | Yes | 5m |
| Page Size | Maximum number of alerts returned per API request. The maximum allowed value is 100. | Yes | 40 |
| Tags | Custom tags applied to each ingested event. | No | forwarded, dataminr-pulse-alerts |
| Preserve original event | When enabled, stores the raw API response in the event.original field. Useful for debugging. | No | false |
| Enable request tracing | Logs full HTTP request/response details for debugging. Do not enable in production - this logs credentials in plain text. | No | false |
| Processors | Custom Elastic Agent processors in YAML format, applied before data is sent to Elasticsearch. | No | - |
- Polling Interval: Start with the default of 5m. Reduce to 1m only if you need near-real-time alert ingestion and your Dataminr API quota allows it.
- Page Size: The default of 40 works well for most deployments. Increase up to 100 if you expect high alert volumes to reduce the number of API calls.
- Preserve original event: Keep disabled in production. Enabling it roughly doubles the storage per document.
After deploying the integration, verify that data is flowing correctly.
- Navigate to Assets > Fleet.
- Under Agents locate your enrolled agent.
- Verify the agent status is Healthy (green).
- Click the agent name, then click the Logs tab.
- Look for log entries showing that the CEL input started successfully, for example: “Unit state changed cel-default (STARTING->HEALTHY): Healthy”.
- Navigate to Discover and create a session.
- Under Data view, set the index pattern to logs-dataminr_pulse.alerts*.
- Set the time range to the last hour and confirm that documents are appearing.
- Navigate to Data Management > Streams.
- Search for logs-dataminr_pulse.alerts*. Verify that the index exists and the document count is increasing.
- Navigate to Dashboards.
- Search for Dataminr. The integration includes pre-built dashboards for alert monitoring.
- Open a dashboard and verify it displays data.
To remove the Dataminr Pulse integration from an agent policy:
- Navigate to Assets > Fleet > Policies.
- Click the policy that contains the Dataminr Pulse integration.
- Locate the Dataminr Pulse integration entry and click the Actions menu (three dots), then select Delete integration.
Deleting the integration from the policy stops data collection but does not remove already-ingested data.
If integration assets (dashboards, index templates, ingest pipelines) become corrupted or out of sync, you can reset them.
- Navigate to Data Management > Integrations.
- Click Dataminr Pulse.
- Select the Settings tab.
- Click Reinstall Dataminr Pulse. This reinstalls dashboards, index templates, and ingest pipelines to their default state.
The integration maps Dataminr Pulse alert fields to Elastic Common Schema (ECS) fields. Custom fields are stored under the dataminr_pulse namespace for reference.
| Dataminr Pulse Field | ECS Field | Description |
|---|---|---|
| Alert timestamp | @timestamp | Event timestamp |
| Alert headline | message | Single-sentence event summary |
| Alert ID | event.id | Unique alert identifier |
| Alert creation time | event.created | When the alert was created |
| Alert priority (Alert, Urgent, Flash) | event.severity | Numeric severity (10, 20, 30) |
| Dataminr alert URL | event.url | Link to alert in Dataminr platform |
| Dataminr alert location coordinates | source.geo.location | Coordinates of the Dataminr alert |
| Dataminr alert location name | geo.name | Address or place name of the Dataminr alert |
| Dataminr entity category | event.category | Categories - Threat Actor, Vulnerability, Malware |
| Threat actor name | threat.group.name | Threat actor name (MITRE ATT&CK) |
| Threat actor aliases | threat.group.alias | Threat actor alternative names |
| Threat actor country of origin | threat.indicator.geo.country_iso_code | Country of Origin for threat actors |
| CVE ID | vulnerability.id | CVE identifier |
| CVSS score | vulnerability.score.base | CVSS base score |
| Vulnerability description | vulnerability.description | Summary of the vulnerability |
| Type to distinguish URL vs IP IOC | threat.enrichments[].indicator.type | Values - ipv4-addr, ipv6-addr, url |
| URL | threat.enrichments[].indicator.url.original | URL discovered to be related to the alert, in its original form |
| URL or IP addresses | threat.enrichments[].indicator.name | URL/IP addresses discovered to be related to the alert. |
| IP Addresses | threat.enrichments[].indicator.ip | IP Addresses discovered to be related to the alert. |
| Port | threat.enrichments[].indicator.port[] | Ports discovered to be associated with the IP addresses above |
| Field | Type | Description |
|---|---|---|
| dataminr_pulse.categories.name | keyword | Alert topic categories |
| dataminr_pulse.companies.name | keyword | Affected company names |
| dataminr_pulse.sectors.name | keyword | Industry sectors |
| dataminr_pulse.source.href | keyword | URL to the public source post |
| dataminr_pulse.source.channels | keyword | Source channels (e.g., sensor) |
| dataminr_pulse.source.media.href | keyword | Media attachment URLs |
| dataminr_pulse.intel_agents.summary | keyword | AI-generated critical context summary |
| dataminr_pulse.watchlists_matched_by_type.name | keyword | Matched watchlist names |
| dataminr_pulse.alert_type.name | keyword | Alert priority level (Alert, Urgent, Flash) |
| dataminr_pulse.live_brief.summary | keyword | AI-generated event summary |
| dataminr_pulse.live_brief.version | keyword | Live Brief version |
| dataminr_pulse.live_brief.timestamp | date | Live Brief generation timestamp |
| dataminr_pulse.threatactor | keyword | Threat actors discovered in the alert |
| dataminr_pulse.threatactor.alias | keyword | Alternative names of threat actors discovered in the alert |
| dataminr_pulse.threatactor.country_of_origin | keyword | Country of origin for threat actors discovered in the alert |
| dataminr_pulse.vulnerability.name | keyword | Vulnerability identifiers (CVE IDs) |
| dataminr_pulse.event.malware | keyword | Malware families discovered in the alert |
| dataminr_pulse.platforms | keyword | Operating systems discovered to be impacted by the malware |
| dataminr_pulse.url | keyword | URLs discovered to be related to the alert |
| dataminr_pulse.ip | keyword | IP address (for IP-type entities) |
| Field | Type | Description |
|---|---|---|
| dataminr_pulse.log.log_type | keyword | Values: "alert-fetch" or "auth" |
| dataminr_pulse.log.api_endpoint | keyword | Full API URL used to fetch alerts or to authenticate |
| dataminr_pulse.log.http_status_code | keyword | HTTP response status code for the API call |
| dataminr_pulse.log.fetched_alerts | long | Number of alerts fetched in the batch |
| dataminr_pulse.log.fetch_timestamp | date | Timestamp when the alert API call was made |
| dataminr_pulse.log.next_cursor | keyword | Pagination cursor to be used in the next batch |
| dataminr_pulse.log.status | keyword | Whether the iteration succeeded or failed |
Request tracing logs full HTTP request and response details, which is useful for diagnosing connectivity or authentication issues.
Request tracing logs credentials in plain text. Only enable it temporarily for debugging and disable it immediately after.
- Navigate to Assets > Fleet > Policies.
- Click the policy that contains the Dataminr Pulse integration.
- Locate the Dataminr Pulse integration entry and click the Actions menu (three dots), then select Edit integration.
- Under advanced settings, set Enable request tracing to true.
- Click Save and deploy changes.
- To view traces, navigate to Assets > Fleet > Agents.
- Click the agent, then click Actions > Request diagnostics.
- Download the diagnostics bundle and examine the HTTP trace logs in the agent log files.
| HTTP Status | Error | Explanation |
|---|---|---|
| 400 | Bad Request | The API URL is malformed or a request parameter is invalid. Verify the API URL and Base URL fields. |
| 401 | Unauthorized | Authentication failed. Verify your Client ID and Client Secret are correct and the account is active. |
| 403 | Forbidden | The API credentials do not have permission to access the requested resource. Contact your Dataminr account representative. |
| 404 | Not Found | The API endpoint URL is incorrect. Ensure the API URL is set to https://api.dataminr.com/pulse/v1/alerts. |
| 429 | Too Many Requests | API rate limit exceeded. Increase the Interval value or reduce the Page Size. |
- Check Agent Status: Navigate to Fleet > Agents and verify the agent is Healthy.
- Check Agent Logs: Click the agent and review the Logs tab for error messages.
- Test Credentials: On the agent host, run:
  - curl -X POST https://userauth.dataminr.com/auth/2/token -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=api_key&client_id=YOUR_ID&client_secret=YOUR_SECRET"
  - A successful response returns a JSON object with dmaToken and expire fields.
- Check Data Stream: In Dev Tools, run:
  - GET logs-dataminr_pulse.alerts-*/_count
  - If the count is 0, the integration is not receiving data from the API. Review the agent logs for details.
The integration uses document fingerprinting to prevent duplicates. If you observe duplicate documents:
- Verify the ingest pipeline is installed by running in Dev Tools:
  - GET _ingest/pipeline/logs-dataminr_pulse.alerts-*
- If missing, reset integration assets (see Reset Integration Assets).
Changelog
| Version | Details | Minimum Kibana version |
|---|---|---|
| 0.2.0 | Enhancement: Enable for 9.x stacks. | 9.0.0, 8.19.0 |
| 0.1.0 | Enhancement: Initial release. | 8.19.0 |