I realized that the alerting system in Elastic isn't meant to pass raw data. I want to alert to notify but provide additional context/data not provided in the default alerts.
For example, if log.level: error > 0, I want to pass all the documents per host. This way the data in the alert helps provide more information on the alert, instead of just saying "error > 0" in the email body.
Totally agree with this. Elastic Watcher is way ahead of Kibana alerting by the way. You can use the data you receive from your queries and even output in pretty html with house colors. The problem is that, unfortunately, it doesn't really integrate with Elastic Security. Although in theory you could create an action which indexes an alert in the relevant siem indices.
I am using alerts from an Observability standpoint. I am not leveraging Security Alerts.
As for the native infrastructure alerts, I was trying to use the ES Query alert because it allows you to send the raw documents. The issue is I want to group by (aggregation). So, I also leveraged Log Threshold (aggregation based) and it doesn't allow you to send raw documents.
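An added example of the Watcher approach raised above (not posted by anyone in the thread): a single watch that counts error-level events, groups them by host with a `terms` aggregation, carries a handful of raw documents per host into the payload with a `top_hits` sub-aggregation, and renders them into the email body with Watcher's Mustache templating. The index pattern `logs-*`, the ECS field names `log.level`, `host.name`, `log.logger` and `message`, the 5-minute schedule and the recipient address are all assumptions for the example.

```json
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["logs-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "log.level": "error" } },
                { "range": { "@timestamp": { "gte": "now-5m" } } }
              ]
            }
          },
          "aggs": {
            "by_host": {
              "terms": { "field": "host.name", "size": 50 },
              "aggs": {
                "sample_errors": {
                  "top_hits": {
                    "size": 5,
                    "sort": [ { "@timestamp": { "order": "desc" } } ],
                    "_source": ["message", "log.logger"]
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "email_ops": {
      "email": {
        "to": ["ops-team@example.com"],
        "subject": "{{ctx.payload.hits.total}} error-level log events in the last 5 minutes",
        "body": {
          "html": "<h3>Errors by host</h3>{{#ctx.payload.aggregations.by_host.buckets}}<p><b>{{key}}</b>: {{doc_count}} errors</p><ul>{{#sample_errors.hits.hits}}<li>{{_source.log.logger}}: {{_source.message}}</li>{{/sample_errors.hits.hits}}</ul>{{/ctx.payload.aggregations.by_host.buckets}}"
        }
      }
    }
  }
}
```

The `size: 0` on the search keeps the top-level hits out of the payload, so the only raw documents the watch carries are the five most recent per host from `top_hits`; the `terms` size of 50 and the `top_hits` size of 5 are the two knobs that bound how large the email can get. `host.name` has to be a keyword field for the `terms` aggregation to work. Since log messages are attacker-influenced text ending up in an HTML body, leave Watcher's email HTML sanitization (`xpack.notification.email.html.sanitization.enabled`, on by default) enabled rather than disabling it to get richer formatting.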