Sending the alert JSON details using Webhook Connector

Hi,

I want to use a Webhook connector to send the alert data to an automation platform.
The issue is that in the Connector action, I can't find a way to send only the JSON alert information. As marked in the image.

When using

{{#context.alerts}}
{{{.}}}
{{/context.alerts}}

It sends out tons of info containing unuseful things. In this case, I can't know in advance what fields I will have in the alert, so I can't add to the connector variables like {{user.name}} because maybe in a different alert, the user name is in a different field.

I want everything related to the alert. The JSON tab in the alert contains just that, but I can't send it via the webhook connector.

Is it possible?

Thanks!

1 Like

You need to send {{context}}, it will have the fields related to the alert and you will need to parse it in your automation platform.

Thanks for the quick reply @leandrojmp !

But it seems that it's not working.
I'm searching for the fields in the raw log I received in the automation platform (highlighted in the image) from the Webhook action, and there isn't such a field.

It doesn't seem to be sent via the webhook when the action is

{{#context.alerts}}
{{{.}}}
{{/context.alerts}}

OR

{{#context}}
{{{.}}}
{{/context}}

It does not exist in the JSON; the fields are how Kibana shows the fields that are indexed in the alert index.

When an alert is triggered it will be written into an internal index, and this process probably will do some parsing on the fields before indexing.

When using a webhook you have access to a couple of fields like context, rule and alert and you can send those fields to your destination.

I think I understand @leandrojmp, so my only option here is to send everything using {{#context}}, and then I will get everything (also things that are not in the JSON tab), or specify the specific fields I want in the action.

And in a case where the rule triggered 2 alerts, is there a way that I can send them one by one and not as a long JSON containing 2 different alerts?
And if not, is there a way to send only the first alert?

You need to use {{context}} not {{#context}}.

If I'm not wrong, if the rule triggered 2 alerts at the same time you will get an array with the alerts; not sure if you can change this behavior.

You would need to test it.

@leandrojmp, number 1 it's not sending anything, and number 2 it won't let me save the action.

Not sending anything:

{{context}}

Not sending anything.

{{context}}
{{{.}}}
{{context}}

Not letting me save.

{{#context}}
{{{.}}}
{{/context}}
1 Like

You need a valid payload that will depend on what your webhook is expecting to receive:

You will need something like this:

{
    "field_expected_by_your_webhook": "{{context}}"
}
1 Like
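
For the receiving side discussed in this thread, here is a sketch of parsing the payload in the automation platform and fanning a multi-alert delivery out into one record per alert (or only the first). This is an added example, not code from the thread or from Elastic; it assumes the body uses the placeholder field name from the last reply and that the context arrives either as a nested object or as JSON text carrying an `alerts` array.

```python
import json

# Assumption: the placeholder field name from the reply above.
CONTEXT_FIELD = "field_expected_by_your_webhook"

def _as_object(value):
    """Return value as a dict/list, decoding it first if it is JSON text."""
    if isinstance(value, (dict, list)):
        return value
    if isinstance(value, str):
        try:
            decoded = json.loads(value)
        except json.JSONDecodeError as exc:
            raise ValueError(f"context is not valid JSON: {exc}") from exc
        if isinstance(decoded, (dict, list)):
            return decoded
    raise ValueError("context is neither an object nor JSON text")

def split_alerts(body, first_only=False):
    """Turn one webhook body into a list of per-alert dicts."""
    payload = json.loads(body)
    if not isinstance(payload, dict) or CONTEXT_FIELD not in payload:
        raise ValueError(f"missing {CONTEXT_FIELD!r} in webhook body")
    context = _as_object(payload[CONTEXT_FIELD])
    # Accept {"alerts": [...]}, a bare array, or a single alert object.
    alerts = (context.get("alerts") or []) if isinstance(context, dict) else context
    if isinstance(alerts, dict):
        alerts = [alerts]
    alerts = [a for a in alerts if isinstance(a, dict)]
    return alerts[:1] if first_only else alerts

# Constructed sample: one rule run that produced two alerts whose user name
# sits in different fields, so no field list is hard-coded by the receiver.
SAMPLE_CONTEXT = {"alerts": [
    {"kibana.alert.rule.name": "demo rule", "user.name": "alice"},
    {"kibana.alert.rule.name": "demo rule",
     "winlog.event_data.TargetUserName": "bob"},
]}
SAMPLE_BODY = json.dumps({CONTEXT_FIELD: json.dumps(SAMPLE_CONTEXT)})

if __name__ == "__main__":
    for n, alert in enumerate(split_alerts(SAMPLE_BODY), 1):
        print(n, sorted(alert))
```

A body whose context field is not decodable (for instance a literal `[object Object]`) raises `ValueError`, which is a cue to revisit the action template rather than ingest a broken event.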