SIEM rule action: Send raw json `context.alerts` to webhook

peter6 · December 1, 2021, 5:09pm

I'm trying to get the raw json content of context.alerts pushed to my webhook for further analysis.

Something like {{#toJson}}[{{context.alerts}}]{{/toJson}}

Received content is either empty or escaped \".

Please help.

peter6 · December 3, 2021, 4:09pm

Never mind. I'm just going to use a watcher.

PUT _watcher/watch/siem_notifications
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [".siem-signals-default-*"],
        "body" : {
          "query" : {
            "range": {
              "@timestamp": {
                "gte": "now-6m"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "my_bot": {
      "webhook": {
        "url": "https://my-webhook",
        "body": "{{#toJson}}ctx.payload{{/toJson}}"
      }
    }
  }
}

system · December 31, 2021, 4:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Json in alert result (message) SIEM	1	479	November 29, 2021
Elastic Rule Connector sends a String instead of JSON to the Webhook SIEM elastic-stack-alerting	6	1488	October 6, 2022
Add a json in webhook body for teams Elasticsearch elastic-stack-alerting	4	1083	July 2, 2018
Slack-Alerting \| JSON Body Elasticsearch elastic-stack-alerting	1	319	February 26, 2021
Sending the alert JSON details using Webhook Connector SIEM	8	343	May 9, 2024

SIEM rule action: Send raw json `context.alerts` to webhook

Related topics