HTTP request in Watcher transform

Before sending a Watcher alert into Slack, I would like to check with an external API, for example, if an IP has been reported as abusive in public databases.

Is possible to do so with Painless or any other transform scripts?


in order to understand if/how this works, this requires some explanation about watcher. All actions are executed in sequence, but they cannot modify the payload, so you cannot use an action to look things up.

What you could try however is a chain input, where you execute a search first, then use a transform to extract the ips from the search, create a proper HTTP body and then execute a http input to query for those ip addresses.

Lastly you can use the input of the search and of the http input to decide if you need to trigger a slack message.

Hope that makes sense!


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.