ElastAlert2 vs Kibana Alerting

Hello, I was wondering if people who are leveraging ElastAlert can share why they chose it over Kibana OOTB alerts?

I think a lot of people use ElastAlert because they have been using the Elastic stack for quite some time and Kibana didn't have any alert features.

Even today ElastAlert is more flexible than Kibana Alerts; it is easier to automate the creation of rules using yml files than doing it using the Kibana UI.

Also, one of the main issues I have with Kibana Alerts is that it is not that simple to access the individual fields of the document that triggered the alert, and it is pretty common to need those fields. With ElastAlert I just need to name the field and that's it.

If you do not have a license, Kibana Alerts will be pretty limited, as you can output only to an index or to the Kibana log. So if you need to send the alert to an external place like some Slack channel or webhook, you would need another tool to query Elasticsearch and send the alert; with ElastAlert you just choose the destination you want.

Currently I'm using ElastAlert2 querying the Kibana Alert indices, but I'm migrating everything to Kibana Alerts because we internally built a flow to automate the creation of rules using a yml file.

Also, my company has a license, so we can use the Webhook action; the alerts will then be sent to a SOAR where they will be processed and sent to the final destination (Slack, email, TheHive, etc.).

If I had no license I would stay fully with ElastAlert2, or maybe create rules in Kibana and have ElastAlert2 query the alert index and trigger the alerts to the destinations.

2 Likes
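As an added example of the fallback described in the last paragraph (this is not a rule posted by anyone in this thread), an ElastAlert2 rule that reads alert documents Kibana has written and forwards them to Slack with the document's own fields in the message. The index pattern, the webhook URL and the `kibana.alert.*` field names are assumptions (the field names follow the 8.x alerts-as-data schema; adjust them to your version).

```yaml
# Added example, not from the thread. Forwards Kibana-written alerts to Slack
# via ElastAlert2, embedding fields from the matching document.
name: forward-kibana-alerts-to-slack
type: any                                  # fire on every matching document
index: REPLACE-WITH-KIBANA-ALERT-INDEX-*   # placeholder: your Kibana alert index pattern
timestamp_field: "@timestamp"

# Only forward the alerts worth paging on; field names assume the 8.x alert schema.
filter:
- query:
    query_string:
      query: "kibana.alert.severity:high OR kibana.alert.severity:critical"

# Pull named fields straight out of the alert document into the notification,
# which is the part the thread finds hard to do with Kibana's own actions.
alert_text_type: alert_text_only
alert_text: |
  Kibana rule: {0}
  Severity:    {1}
  Host:        {2}
  User:        {3}
  Reason:      {4}
alert_text_args:
- kibana.alert.rule.name
- kibana.alert.severity
- host.name
- user.name
- kibana.alert.reason

alert:
- slack
slack_webhook_url: "https://hooks.slack.com/services/REPLACE_ME"   # placeholder
slack_username_override: elastalert2

# Throttle per host so one noisy source does not flood the channel.
query_key: host.name
realert:
  minutes: 15
```

Missing fields are rendered as `<MISSING VALUE>` by ElastAlert2 rather than failing the rule, so the message still goes out when a document lacks `user.name`.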

@leandrojmp thank you for the insight!
We also have the license, but we find little to no benefit from Kibana Alerts for the same reason: accessing fields from the documents.

Someone told me that the purpose of Kibana Alerts is to notify, which they do, but I feel like you need additional supporting information to go along with the notification.

I hear so many people use ElastAlert so I think I will give it a try.

Yeah, having the notification and then needing to look into the alert in Kibana to get more information about it is not enough for a lot of people.

We need to have as much context as possible directly in the alert notification.

Imho Elastic watches are super flexible and you can use the full result. Unfortunately it doesn't really integrate well with Elastic Security.

1 Like