First of all, I'd like to describe my situation. I have an Elastic Rule, that successfully creates the Alerts in the Elastic Security. Now I have configured a connector, that allows me to send those Alerts to my custom webhook. It works, but all Alert data (in JSON format by default) is sent as a string.
Then I added the Content-Type header with the value application/JSON, but nothing changed.
this is a sample of what I receive at webhook when I use a JSON content-type header.
Hi @yzaritskyi, we use the webhook action on our internal SIEM to send the entire contents of the alert to our SOAR system. Instead of a json content type we set it to ndjson. This is the header we add to our webhook connector:
If you want to send the entire alert context to your SOAR this is the body of the Connector Action:
This will send all alerts that triggered during the last rule execution as a single ndjson file to your SOAR so you will need to split them apart after they are sent through the webhook.
But there is one more question. When I have multiple alerts generated by my Rule, I'm receiving those two objects like a raw. It looks like {}{}, instead of [{},{}], that's not legit to work with.
I tried to modify the connector body to this:
But as the result I got [{},{},], and when I have only 1 alert - [{},]. And because of this coma at the end, JSON is not valid.
It is not a big problem. I guess I'd find a way to remove this coma into SOAR, but maybe you know the way to do it at elastic?
We are using Tines for our SOAR so it handles the input as an ndjson that we can then iterate through. If your SOAR doesn't handle ndjson you'll have to do some string formatting after receiving the alerts. The trailing comma after the last alert will be an issue, I don't know of a way to keep from adding it after the last element, it may be easier to add a newline or a comma between the }{ after they are sent to the webhook.
By the way, the last thing I just discovered. When I was using a payload like this: {{context.alerts}} - I always had a normal JSON, but with backslashes. And after I saw your message with triple {}, I started to use {{{context.alerts}}} instead of the previous one, and my problem was resolved. I'm so glad for your quick response.
But the bad thing is that I haven't found any information about that feature at elastic docs. That might be useful for someone else.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
