Sending the alert JSON details using Webhook Connector

Elastic Security SIEM
1

Hi,

I want to use a Webhook connector to send the alert data to an automation platform.
The issue is that in the Connector action, I can't find a way to send only the JSON alert information. As marked in the image.

image
image1920×997 48.1 KB

when using

{{#context.alerts}}
{{{.}}}
{{/context.alerts}}

It sends out tunes of info containing unuseful things. In this case, I can't know in advance what fields I will have in the alert, so I can't add to the connector variables like {{user.name}} because maybe in a different alert, the user name is in a different field.

I want everything related to the alert. The JSON tab in the alert contains just that, but I can't send it via the webhook connector.

Is it possible?

Thanks!

1 Like
2

You need to send {{context}}, it will have the fields related to the alert and you will need to parse it in your automation platform.

3

Thanks for the quick reply @leandrojmp !

But it seems that it's not working.
I'm searching for the fields in the raw log I received in the automation platform (highlieted in the image) from the Webhook action, and there isn't such field.

image
image769×1159 119 KB

It dons't seem to be sent via the webhook when the action is

{{#context.alerts}}
{{{.}}}
{{/context.alerts}}

OR

{{#context}}
{{{.}}}
{{/context}}
4

It does not exist in the json, the fields is how Kibana shows the fields that are indexed in the alert index.

When an alert is triggered it will be written into an internal index, and this process probably will do some parsing on the fields before indexing.

When using a webhook you have access to a couple of fields like context, rule and alert and you can send those fields to your destination.

5

I think I understand @leandrojmp, so my only option here is to send everything using {{#context}}, and then I will get everything (also things that are no in the JSON tab), or specify the specific fields I want in the action.

and in a case, the rule triggered 2 alerts. Is there a way that I can send them one by one and not as a long JSON containing 2 different alerts?
and if not, is there a way to send only the first alert?

6

You need to use {{context}} not {{#context}}.

If I'm not wrong if the rule triggered 2 alerts at the same time you will get an array with the alerts, not sure if you can change this behavior.

You would need to text it.

7

@leandrojmp, number 1 it's not sending anything, and number 2 it won't let me save the action.

image
image2070×901 89.8 KB

Not sending anything:

{{context}}

Not sending anything.

{{context}}
{{{.}}}
{{context}}

Not letting me save.

{{#context}}
{{{.}}}
{{/context}}
1 Like
8

You need a valid payload that will depend on what your webhook is expecting to receive:

You will need something like this:

{
    "field_expected_by_your_webhook": "{{context}}"
}
1 Like
9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.