Rule Actions Sometimes Don't Fire

We have hundreds of rules created in Elastic Security, which we are leveraging as our SIEM; many are Elastic-created, some are ours. These rules are all configured to perform the same action, which is to send some details to a webhook we have that integrates with our ticketing system and SOAR. This works fine 99% of the time. However, periodically we notice that a rule fires and the corresponding action does not. There is no indication our webhook has received the event, no error, no nothing. Obviously this is an issue as it could mean our analysts miss security events. Has anyone noticed this issue before? We notice this on Elastic rules as well as our own. For instance, yesterday a 'Privileged Account Brute Force' rule triggered 4 times, and we received no alert to our webhook, and have received webhooks for these before and since. We checked the webhook, and it was not down or refusing requests at this time. We have a script that runs to check the webhook is able to receive events, and it was successfully receiving events at that time, so this must be an Elastic issue.

Is there a place these actions are logged in Elastic? Any way to troubleshoot this?

Hi @SomeRobot ,

What version are you on? We log all action activity (including errors) in the stack management rule page. Just ensure you have the correct columns added.

Example below:
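The rule page in Stack Management reads the same records that Kibana writes to its event log indices, so the check can also be scripted. The following is an added example, not code from the thread or from Elastic: it takes a constructed sample of event-log documents (field names follow the Kibana event log: `event.provider` is `alerting` or `actions`, `event.action` is `execute-action` for "rule scheduled this connector" and `execute` for "the connector actually ran", `kibana.saved_objects` carries the rule and connector ids) and reports every scheduled webhook that either never produced an `actions:execute` record within a time window or produced one with a failure outcome. The index pattern `.kibana-event-log-*`, the 120 s matching window, and all ids, names and timestamps are assumptions for the example.

```python
"""Cross-check Kibana event-log records: did every action a rule scheduled actually execute?"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample documents in the shape of the Kibana event log. The rule id,
# connector id, rule name and timestamps are made up for this example.
SAMPLE_EVENTS = [
    # Rule r-1 fires and schedules the webhook connector; the connector runs 2 s later.
    {"@timestamp": "2024-05-01T10:00:00.000Z",
     "event": {"provider": "alerting", "action": "execute-action"},
     "rule": {"id": "r-1", "name": "Privileged Account Brute Force"},
     "kibana": {"saved_objects": [{"rel": "primary", "type": "alert", "id": "r-1"},
                                  {"type": "action", "id": "conn-webhook"}]}},
    {"@timestamp": "2024-05-01T10:00:02.000Z",
     "event": {"provider": "actions", "action": "execute", "outcome": "success"},
     "kibana": {"saved_objects": [{"rel": "primary", "type": "action", "id": "conn-webhook"}]}},
    # Rule r-1 fires again and schedules the connector, but no execute record ever appears.
    {"@timestamp": "2024-05-01T10:05:00.000Z",
     "event": {"provider": "alerting", "action": "execute-action"},
     "rule": {"id": "r-1", "name": "Privileged Account Brute Force"},
     "kibana": {"saved_objects": [{"rel": "primary", "type": "alert", "id": "r-1"},
                                  {"type": "action", "id": "conn-webhook"}]}},
    # Rule r-2 schedules the connector; the connector runs but reports a failure.
    {"@timestamp": "2024-05-01T10:10:00.000Z",
     "event": {"provider": "alerting", "action": "execute-action"},
     "rule": {"id": "r-2", "name": "Suspicious Service Creation"},
     "kibana": {"saved_objects": [{"rel": "primary", "type": "alert", "id": "r-2"},
                                  {"type": "action", "id": "conn-webhook"}]}},
    {"@timestamp": "2024-05-01T10:10:01.000Z",
     "event": {"provider": "actions", "action": "execute", "outcome": "failure"},
     "error": {"message": "webhook returned status 503"},
     "kibana": {"saved_objects": [{"rel": "primary", "type": "action", "id": "conn-webhook"}]}},
]


def parse_ts(value):
    """Parse the event log's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def saved_object_id(event, so_type):
    """Return the id of the first saved object of the given type attached to an event."""
    for so in event.get("kibana", {}).get("saved_objects", []):
        if so.get("type") == so_type:
            return so.get("id")
    return None


def find_unfired_actions(events, window_seconds=120):
    """Pair each alerting:execute-action record with the next actions:execute record for the
    same connector inside the window. Returns one finding per schedule that has no match
    ("missing") or whose match did not succeed ("failure")."""
    scheduled = sorted((e for e in events if e["event"].get("provider") == "alerting"
                        and e["event"].get("action") == "execute-action"),
                       key=lambda e: parse_ts(e["@timestamp"]))
    executions = sorted((e for e in events if e["event"].get("provider") == "actions"
                         and e["event"].get("action") == "execute"),
                        key=lambda e: parse_ts(e["@timestamp"]))
    consumed = set()  # an execution record satisfies at most one schedule
    findings = []
    for sched in scheduled:
        t0 = parse_ts(sched["@timestamp"])
        action_id = saved_object_id(sched, "action")
        record = {"rule_id": sched.get("rule", {}).get("id"),
                  "rule_name": sched.get("rule", {}).get("name"),
                  "scheduled_at": sched["@timestamp"], "action_id": action_id}
        match = None
        for idx, ex in enumerate(executions):
            if idx in consumed or saved_object_id(ex, "action") != action_id:
                continue
            if t0 <= parse_ts(ex["@timestamp"]) <= t0 + timedelta(seconds=window_seconds):
                match = (idx, ex)
                break
        if match is None:
            findings.append({**record, "status": "missing", "error": None})
            continue
        consumed.add(match[0])
        if match[1]["event"].get("outcome") != "success":
            findings.append({**record, "status": "failure",
                             "error": match[1].get("error", {}).get("message")})
    return findings


def event_log_query(since_iso):
    """Assumed search body for .kibana-event-log-* that pulls just the two record kinds the
    correlation above needs, newest first."""
    return {"size": 10000, "sort": [{"@timestamp": "desc"}],
            "query": {"bool": {"filter": [
                {"range": {"@timestamp": {"gte": since_iso}}},
                {"terms": {"event.action": ["execute-action", "execute"]}},
                {"terms": {"event.provider": ["alerting", "actions"]}}]}}}


if __name__ == "__main__":
    print(json.dumps(find_unfired_actions(SAMPLE_EVENTS), indent=2))
```

Run against real data, the query body goes to `.kibana-event-log-*/_search` (read access to that system index is needed) and the hits replace `SAMPLE_EVENTS`. A "missing" finding is the case described in the question: the rule ran and scheduled the connector, but the connector never executed, so the gap is between the alerting task and the actions task rather than at the webhook. A "failure" finding carries the connector's own error message and points at the webhook or its network path instead.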

Exactly what I was looking for, thank you!
