Elastic Security Integrations Roundup: Q1 2026

Elastic announced nine new Elastic Security integrations that expand visibility and normalization across macOS, cloud services, email protection, identity and SIEM platforms, each shipping with ingest pipelines and prebuilt dashboards for immediate use. The integrations are macOS Security Events, IBM QRadar (including a migration workflow), Proofpoint Essentials, AWS Security Hub, JupiterOne, Airlock Digital, Island Browser, Ironscales, and Cyera, with ECS/OCSF normalization and built-in support for ES|QL, Attack Discovery and the AI Assistant.

Keypoints

  • Elastic released nine new integrations to extend security visibility across endpoints, email, cloud, identity and SIEM platforms with out-of-the-box ingest pipelines and dashboards.
  • macOS Security Events complements Elastic Defend by ingesting filtered, security-relevant macOS telemetry (authentication, process execution, network, file system, configuration) using predicate-based filters to reduce noise.
  • The IBM QRadar integration collects offense records and supports a SIEM migration workflow that uses semantic search and generative AI to map QRadar rules to Elastic detections and translate unmatched rules to ES|QL.
  • Proofpoint Essentials streams four email event types (blocked malicious URL clicks, permitted clicks, messages blocked by URL/Attachment Defense, and messages delivered despite threats) into Elastic for SMB and MSP/MSSP visibility.
  • AWS Security Hub findings are ingested in OCSF format and normalized to ECS, landing in Elastic’s Vulnerability Findings page to enable cross-source correlation with endpoint, identity and network signals.
  • Additional integrations—JupiterOne, Airlock Digital, Island Browser, Ironscales, and Cyera—bring asset intelligence, allowlisting telemetry, browser security events, AI phishing detection, and DSPM findings into Elastic.
  • All integrations are searchable immediately and integrate with Elastic capabilities including Attack Discovery, AI Assistant, ES|QL and EQL for detection, investigation and response.

MITRE Techniques

  • [N/A] No specific MITRE ATT&CK techniques are named in the article. The article references MITRE ATT&CK mappings for enrichment but does not list individual techniques ("…enriched with MITRE ATT&CK mappings and CVSS scores…").

Indicators of Compromise

  • [File hashes] Airlock Digital context: the integration captures file hashes for blocked process executions, but no specific hash examples are provided in the article.
  • [Command lines] Airlock Digital context: command-line arguments for blocked executions are collected for correlation, with no concrete examples included.
  • [Email event types] Proofpoint Essentials context: streams events such as "clicks on malicious URLs that were blocked" and "messages delivered despite containing threats" (these are event types rather than raw IOC artifacts).
  • [Cloud findings / Vulnerability IDs] AWS Security Hub context: findings are normalized from OCSF to ECS and ingested into Elastic's Vulnerability Findings page, but no specific finding IDs or ARNs are provided.
  • [CVE identifiers / Asset context] JupiterOne context: ingests CVE findings and asset intelligence for unified risk visibility, though the article does not list specific CVE IDs or asset names.
Read more: https://www.elastic.co/security-labs/elastic-security-integrations-roundup-q1-2026