SIEM Detection Rules Alerts Actions

Hi All, Is there a way to create a default detection rule alert action endpoint and then have this for all detection rule alerts? i.e. bulk action all enabled rules to send the alerts to our notification endpoint?

1 Like

Hello @Sunil_Iyengar

Welcome to the community

Alert actions can be set up: Create a detection rule | Elastic Security Solution [8.13] | Elastic

By notification endpoint, do you mean external web service? If so, this action connector would help: Webhook connector and action | Kibana Guide [8.13] | Elastic

This webhook action can be added in bulk to rules: Manage detection rules | Elastic Security Solution [8.13] | Elastic

Thanks, Vitalii

1 Like
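As an added example (not from this thread or from Elastic), this is what the bulk step above looks like when driven from Kibana's rule bulk-action API instead of the UI: one webhook action, whose body is a Mustache template over the documented detection-rule action variables, attached to every enabled rule in one request. The Kibana URL, connector id and API key are placeholders; `add_rule_actions` with a `throttle` value is the 8.x bulk-edit shape as I understand it, so check it against the API reference for your version.

```python
"""Bulk-attach one webhook action to all enabled detection rules (added example).
Assumes Kibana 8.x, an existing Webhook connector, and an API key with rule write access."""
import json
import urllib.request

# Constructed placeholders: replace with your own Kibana URL, connector id and API key.
KIBANA_URL = "https://kibana.example.internal:5601"
WEBHOOK_CONNECTOR_ID = "00000000-0000-0000-0000-000000000000"  # placeholder connector id
API_KEY = "<base64-encoded api key>"  # placeholder

# Webhook body as a Mustache template. Kibana renders action params with Mustache;
# context.rule.*, state.signals_count and context.results_link are detection-rule
# action variables. Triple braces keep the URL from being HTML-escaped.
WEBHOOK_BODY_TEMPLATE = json.dumps({
    "rule": "{{context.rule.name}}",
    "severity": "{{context.rule.severity}}",
    "alert_count": "{{state.signals_count}}",
    "link": "{{{context.results_link}}}",
})


def build_bulk_add_action_payload(connector_id: str, body_template: str,
                                  query: str = "alert.attributes.enabled: true") -> dict:
    """Body for POST /api/detection_engine/rules/_bulk_action: add the webhook action
    to every rule matched by `query` (default: all enabled rules)."""
    return {
        "action": "edit",
        "query": query,
        "edit": [{
            "type": "add_rule_actions",
            "value": {
                "throttle": "rule",  # notify once per rule execution that produced alerts
                "actions": [{
                    "action_type_id": ".webhook",
                    "id": connector_id,
                    "params": {"body": body_template},
                }],
            },
        }],
    }


def send_bulk_action(payload: dict) -> dict:
    """POST the payload; the kbn-xsrf header is mandatory for Kibana write requests."""
    req = urllib.request.Request(
        f"{KIBANA_URL}/api/detection_engine/rules/_bulk_action",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": f"ApiKey {API_KEY}"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # summary of succeeded / skipped / failed rules


if __name__ == "__main__":
    print(json.dumps(build_bulk_add_action_payload(WEBHOOK_CONNECTOR_ID, WEBHOOK_BODY_TEMPLATE), indent=2))
```

Run it once with the print to inspect the payload, then call `send_bulk_action` on it; the response lists which rules were updated and which were skipped, so you can confirm nothing was left without the action.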

Hi @vitaliidm, Thanks.

I am trying to send some custom source fields using <context.alerts> to the pagerduty actions message.

Elastic adds default notification properties by default. How can I change these default properties so I can have default values filled in for the PagerDuty context notification object?

Is this done by Mustache templating? Where can we change this so it is applied to all Elastic rule alerts (Elastic and custom rules)?

I can provide some examples if that helps.

Kind Regards