Elastic Rule Connector sends a String instead of JSON to the Webhook

Hi @yzaritskyi, we use the webhook action on our internal SIEM to send the entire contents of the alert to our SOAR system. Instead of a JSON content type, we set it to ndjson. This is the header we add to our webhook connector:

If you want to send the entire alert context to your SOAR, this is the body of the Connector Action:

This will send all alerts that triggered during the last rule execution as a single ndjson file to your SOAR, so you will need to split them apart after they are sent through the webhook.

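Added example, not part of the original post or of Elastic's code: one way the receiving SOAR side could split the single ndjson body described above into individual alerts, treating the webhook input as untrusted. The `application/x-ndjson` header value, the size caps, the function name and the alert field names in the sample are assumptions made for illustration.

```python
import json

MAX_BODY_BYTES = 1_000_000  # assumed cap; tune to what your SOAR should accept
MAX_ALERTS = 500            # assumed cap on alerts per webhook call


def split_ndjson_alerts(body: bytes, content_type: str = "application/x-ndjson"):
    """Split one webhook body into (alerts, errors); errors are (line_no, reason)."""
    if "ndjson" not in content_type.lower():  # assumed header value
        raise ValueError(f"unexpected content type: {content_type!r}")
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body exceeds size cap")

    alerts, errors = [], []
    # Split on b"\n" only: str.splitlines() also breaks on U+2028 and similar,
    # which JSON allows unescaped inside string values.
    for lineno, raw in enumerate(body.split(b"\n"), start=1):
        line = raw.strip()  # drops the "\r" of CRLF line endings
        if not line:        # tolerate blank lines and the trailing newline
            continue
        if len(alerts) >= MAX_ALERTS:
            errors.append((lineno, "alert cap reached, remaining lines dropped"))
            break
        try:
            doc = json.loads(line)
        except ValueError as exc:  # JSONDecodeError and bad UTF-8 both land here
            errors.append((lineno, f"invalid JSON: {exc}"))
            continue
        if not isinstance(doc, dict):  # each alert must be a JSON object
            errors.append((lineno, "not a JSON object"))
            continue
        alerts.append(doc)
    return alerts, errors


# Constructed sample body: two alerts, a blank line and one truncated line.
SAMPLE_BODY = (
    b'{"alert_id": "a1", "rule_name": "Constructed rule A"}\r\n'
    b'\n'
    b'{"alert_id": "a2", "rule_name": "Constructed rule B"}\n'
    b'{"alert_id": "a3", "rule_name": \n'
)

if __name__ == "__main__":
    good, bad = split_ndjson_alerts(SAMPLE_BODY)
    for alert in good:
        print(alert["alert_id"], alert["rule_name"])
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```

A malformed line is reported with its line number and skipped, so one bad alert does not discard the rest of the batch.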