Kibana action webhook failing


I have an 7.10 stack running in ECK, and have a webhook Alert and Action set up (Linked to a custom Security Detection Rule). The webhook endpoint is HTTPS with a self-signed certificate.

When hitting test on the connector configuration page, it fails with :

There is the same error in the Kibana log, the timestamp correlates with the detection rule run. There doesn't appear to be any other details of the error.

I've tested the endpoint with curl from the Kibana pod, and it works fine

The questions are;

  • is there configuration options that need to be made regarding ssl.
  • does anyone have an idea what could be wrong
  • Is there a way to get more info on the error.

II am confused as to how much this functionality overlaps with watcher, particularly as the documentation states; Kibana config is below; ""
    elasticsearch.hosts: [  "XXXXX" ]
    elasticsearch.ssl.verificationMode: "certificate"
    elasticsearch.requestHeadersWhitelist: [ "Authorization", "X-Forwarded-For", "X-Forwarded-User" ]
    elasticsearch.requestTimeout: 60000

    elasticsearch.shardTimeout: 60000
    xpack.monitoring.enabled: true
    xpack.ingestManager.enabled: false
    xpack.ingestManager.fleet.enabled: false
    xpack.reporting.kibanaServer.hostname: ""
    xpack.reporting.encryptionKey: "XXXXXXXXXXXXXXXXXXXXXXXXXX"
    xpack.encryptedSavedObjects.encryptionKey: "XXXXXXXXXXXXXXXXXXXX"
        order: 0
        realm: "test"
        order: 1
        realm: "test2"
        order: 2

Here is the related detection rule which fires ok, despite the lookback issue shown below;

            "body":"{\"event_id\":\"5\",\"value\":\"{{context.rule.threat}}\",\"category\":\"Network activity\",\"type\":\"ip-dst\"}"
   "last_failure_message":"a few seconds (13293ms) has passed since last rule execution, and signals may have been missed. Consider increasing your look behind time or adding more Kibana instances. name: \"Export_ioc_to_misp_shared_organisation\" id: \"49324725-d2e2-4e47-b8ae-7a4dc688e0b1\" rule id: \"60fd97bb-0194-4577-8297-8c4e6d80f017\" signals index: \".siem-signals-default\"",
   "query":"ioc.shared.ip : * ",


Hi @Alexhutchinson,

I think your only options right now are the following (explained here):

  • Set xpack.actions.proxyRejectUnauthorizedCertificates and/or xpack.actions.rejectUnauthorized to false
  • Or use NODE_EXTRA_CA_CERTS env variable (not recommended as it affects not only alerting functionality).

As far as I know it will be improved in the scope of


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.