Hi!
I have a 7.10 stack running in ECK, and have a webhook Alert and Action set up (linked to a custom Security Detection Rule). The webhook endpoint is HTTPS with a self-signed certificate.
When hitting test on the connector configuration page, it fails with:
There is the same error in the Kibana log, and the timestamp correlates with the detection rule run. There don't appear to be any other details of the error.
I've tested the endpoint with curl from the Kibana pod, and it works fine.
The questions are:
- Are there configuration options that need to be set regarding SSL?
- Does anyone have an idea what could be wrong?
- Is there a way to get more info on the error?
I am confused as to how much this functionality overlaps with Watcher, particularly as the documentation states; Kibana config is below:
server.host: "0.0.0.0"
elasticsearch.hosts: [ "XXXXX" ]
elasticsearch.ssl.verificationMode: "certificate"
elasticsearch.requestHeadersWhitelist: [ "Authorization", "X-Forwarded-For", "X-Forwarded-User" ]
elasticsearch.requestTimeout: 60000
elasticsearch.shardTimeout: 60000
xpack.monitoring.enabled: true
xpack.ingestManager.enabled: false
xpack.ingestManager.fleet.enabled: false
xpack.reporting.kibanaServer.hostname: "0.0.0.0"
xpack.reporting.encryptionKey: "XXXXXXXXXXXXXXXXXXXXXXXXXX"
xpack.encryptedSavedObjects.encryptionKey: "XXXXXXXXXXXXXXXXXXXX"
xpack.security.authc.providers:
  saml.test:
    order: 0
    realm: "test"
  saml.test2:
    order: 1
    realm: "test2"
  basic.basic1:
    order: 2
Here is the related detection rule, which fires OK despite the lookback issue shown below:
{
  "author": [],
  "created_at": "2020-12-01T07:05:08.994Z",
  "updated_at": "2020-12-07T12:56:44.049Z",
  "created_by": "elastic",
  "description": "Export_ip_ioc_to_misp_shared_organisation",
  "enabled": true,
  "false_positives": [],
  "from": "now-360s",
  "id": "49324725-d2e2-4e47-b8ae-7a4dc688e0b1",
  "immutable": false,
  "interval": "1m",
  "rule_id": "60fd97bb-0194-4577-8297-8c4e6d80f017",
  "output_index": ".siem-signals-default",
  "max_signals": 100,
  "risk_score": 21,
  "risk_score_mapping": [],
  "name": "Export_ip_ioc_to_misp_shared_organisation",
  "references": [],
  "severity": "low",
  "severity_mapping": [],
  "updated_by": "elastic",
  "tags": [],
  "to": "now",
  "type": "query",
  "threat": [],
  "version": 2,
  "exceptions_list": [],
  "actions": [
    {
      "action_type_id": ".webhook",
      "id": "25df7595-999f-487f-a91f-c76f8285c05f",
      "params": {
        "body": "{\"event_id\":\"5\",\"value\":\"{{context.rule.threat}}\",\"category\":\"Network activity\",\"type\":\"ip-dst\"}"
      },
      "group": "default"
    }
  ],
  "filters": [],
  "index": [
    "shared_iocs*"
  ],
  "license": "",
  "meta": {
    "from": "5m",
    "kibana_siem_app_url": "https://X.X.X.X:XXXX/app/security"
  },
  "throttle": "rule",
  "status": "succeeded",
  "status_date": "2020-12-07T12:56:43.213Z",
  "last_failure_at": "2020-12-01T09:01:37.610Z",
  "last_success_at": "2020-12-07T12:56:43.213Z",
  "last_failure_message": "a few seconds (13293ms) has passed since last rule execution, and signals may have been missed. Consider increasing your look behind time or adding more Kibana instances. name: \"Export_ioc_to_misp_shared_organisation\" id: \"49324725-d2e2-4e47-b8ae-7a4dc688e0b1\" rule id: \"60fd97bb-0194-4577-8297-8c4e6d80f017\" signals index: \".siem-signals-default\"",
  "last_success_message": "succeeded",
  "query": "ioc.shared.ip : * ",
  "language": "kuery"
}
Thanks!
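Added example, not part of the original post: an ECK Kibana manifest fragment showing one way to make the webhook connector trust the endpoint's self-signed certificate without switching certificate verification off, by handing the certificate to the Node.js runtime Kibana runs on via NODE_EXTRA_CA_CERTS. The Kibana object name, Secret name and mount path are assumptions; the weaker `xpack.actions.rejectUnauthorized: false` setting is shown commented out for comparison.

```yaml
# Assumed: a Secret "misp-webhook-ca" exists with key ca.crt holding the
# webhook endpoint's self-signed certificate (PEM), e.g.
#   kubectl create secret generic misp-webhook-ca --from-file=ca.crt=webhook.pem
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana            # assumed object name
spec:
  version: 7.10.0
  count: 1
  elasticsearchRef:
    name: elasticsearch   # assumed Elasticsearch object name
  config:
    # Weak alternative (left disabled): this turns off certificate checks for
    # every action's HTTPS request, so a spoofed webhook target would also be
    # accepted. Prefer trusting the specific certificate below instead.
    # xpack.actions.rejectUnauthorized: false
    #
    # Verbose legacy logging surfaces more detail about connector failures
    # in the Kibana log while troubleshooting.
    logging.verbose: true
  podTemplate:
    spec:
      containers:
        - name: kibana
          env:
            # Node.js appends this PEM file to its built-in CA store, so the
            # self-signed webhook certificate verifies and checks stay enabled.
            - name: NODE_EXTRA_CA_CERTS
              value: /usr/share/kibana/config/certs/ca.crt   # assumed path
          volumeMounts:
            - name: misp-webhook-ca
              mountPath: /usr/share/kibana/config/certs
              readOnly: true
      volumes:
        - name: misp-webhook-ca
          secret:
            secretName: misp-webhook-ca
```

Because NODE_EXTRA_CA_CERTS only adds trust for the certificate you supply, a `curl` test from the pod that only succeeds with `-k` is the quickest check that verification, not connectivity, is what the connector is failing on.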