Automating Email Whitelisting for Alerts (elasticsearch, kibana)

Hi folks!

We are trying to achieve observability for a large organisation, and we now have users creating alerts in various elastic deployments. We have recently learned that, in order to receive the email alerts our users have set up, their emails must be whitelisted in the Elastic admin GUI (cloud.elastic.co).

We have been performing this step manually (by adding their email addresses into the "Monitoring Email Whitelist" text box at cloud.elastic.co/account/contacts), but are seeing an increase in users, and thus an increase in manual input needed to whitelist email addresses.

We are looking to automate this process, but I am struggling to find documentation that would help me to do so. The Elasticsearch Service Documentation on RESTful API suggests that the Organisation can be managed using API calls, but there is no mention of Contacts, or management of the email whitelist.

Any pointers would be much appreciated. Thanks for your time!

Hi @Hayden_WB

Curious...

What version of the Stack are you on?

And how are you creating alerts? Watcher or the new Kibana Alerting Framework? Or both?

1 Like

Hi @stephenb!

Most deployments are on 8.2.3, and we're using the new Kibana Alerting system. We're using the in-built connector (Elastic Cloud SMTP) if that helps?

@Hayden_WB Apologies. Looking at the API (and Terraform), I do not see a programmatic way to update the email whitelist at this time. I will poke around a bit more.

Contacts / Members can be updated via that API, but that is different from the operational contacts / emails which you are looking to manage.

1 Like

@Hayden_WB Poked around internally. No, not today; there are some items on the backlog but no public date.

Perhaps

  1. remove the per-email whitelist altogether
  2. allow customers to run a "domain allowlist" instead of per-email

1 Like

Thanks for your help Stephen!

Could you provide some more detail on your two suggested steps?

  1. remove the per-email whitelist altogether

As in, don't use the "Monitoring Email Whitelist" text box at cloud.elastic.co/account/contacts? Or do I need to do something more than not using it?

  2. allow customers to run a "domain allowlist" instead of per-email

Is this achieved through xpack.actions.email.domain_allowlist?

From the documentation:

A list of allowed email domains which can be used with the email connector. When this setting is not used, all email domains are allowed. When this setting is used, if any email is attempted to be sent that (a) includes an addressee with an email domain that is not in the allowlist, or (b) includes a from address domain that is not in the allowlist, it will fail with a message indicating the email is not allowed.

If so, then I'll have a go and see where I get!
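As an added illustration (not Kibana's own code and not from this thread), the following models the documented semantics of xpack.actions.email.domain_allowlist quoted above, as it would apply to a self-configured email connector. It assumes exact, case-insensitive matching of the domain part (no subdomain wildcarding) and treats an empty allowlist as "all domains allowed".

```python
# Model of the documented behaviour of the Kibana setting
# xpack.actions.email.domain_allowlist. Added illustration only; this is
# not Kibana's implementation. Assumption: exact, case-insensitive domain
# match, no subdomain wildcarding.
#
# Equivalent kibana.yml fragment (constructed example):
#   xpack.actions.email.domain_allowlist: ["example.com"]
from email.utils import parseaddr


def _domain(address):
    """Lower-cased domain part of an RFC 5322 address ("Bob <bob@x.org>"), or None."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def check_email_allowed(allowlist, from_addr, recipients):
    """Return (allowed, reason) following the documented rules:
    - no allowlist configured      -> every domain is allowed;
    - (a) any addressee outside it -> rejected;
    - (b) from address outside it  -> rejected."""
    if not allowlist:
        return True, "no domain allowlist configured; all email domains allowed"
    allowed = {d.strip().lstrip("@").lower() for d in allowlist}

    # (a) every recipient (to/cc/bcc flattened into one list) must match
    for rcpt in recipients:
        dom = _domain(rcpt)
        if dom not in allowed:
            return False, "email not allowed: addressee domain %r is not in the allowlist" % dom

    # (b) the from address must match as well
    dom = _domain(from_addr)
    if dom not in allowed:
        return False, "email not allowed: from address domain %r is not in the allowlist" % dom

    return True, "all addressee and from domains are in the allowlist"


if __name__ == "__main__":
    # Constructed sample values, not real addresses.
    allow = ["example.com"]
    print(check_email_allowed(allow, "alerts@example.com", ["SOC <soc@Example.COM>"]))
    print(check_email_allowed(allow, "alerts@example.com", ["contractor@other.org"]))
    print(check_email_allowed(allow, "noreply@other.org", ["soc@example.com"]))
```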

Apologies for the confusion.

Those were the potential future capabilities that may be on the road map. I was not suggesting that you could implement them today.

And no, you cannot apply that allowed-list setting.

None of these restrictions apply. If you use your own email endpoint or service, perhaps you should consider that.

1 Like

Thanks for the clarification Stephen, much appreciated!

Hi - I came across this, and wanted to be sure if this wasn't solvable by moving to one or more domains to be allow-listed in Kibana, as per here:

Good luck!

1 Like

Hi @EricDavisX Unfortunately those settings are not supported in the way the OP is operating, using the built-in Elastic Cloud SMTP service. The referenced settings only apply if you are using your own / 3rd-party mail services set up through connectors etc., not the built-in Elastic Cloud SMTP service.

Thanks Eric! I've seen what Stephen has posted below too, but this is helpful. We may move out to a 3rd-party mail service for this functionality if we see a deluge of whitelisting requests :smiley:
