SIEM rule action: Send raw json `context.alerts` to webhook

I'm trying to get the raw json content of context.alerts pushed to my webhook for further analysis.

Something like `{{#toJson}}[{{context.alerts}}]{{/toJson}}`

Received content is either empty or escaped (`\"`).

Please help.

Never mind. I'm just going to use a watcher.

```
PUT _watcher/watch/siem_notifications
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [".siem-signals-default-*"],
        "body": {
          "query": {
            "range": {
              "@timestamp": {
                "gte": "now-6m"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "my_bot": {
      "webhook": {
        "url": "https://my-webhook",
        "body": "{{#toJson}}ctx.payload{{/toJson}}"
      }
    }
  }
}
```
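The watch above posts the whole search response (`ctx.payload`) as JSON, so the receiving side has to dig the signals out of `hits.hits[]._source`. The following is an added example of such a receiver, not code from the thread or from Elastic: it parses the delivered body, flattens each signal into a small record, and deduplicates by `_id`, because a watch that runs every 5 minutes but queries `now-6m` will deliver a signal in two consecutive runs. The sample body is constructed, and the `signal.rule.*`, `signal.status` and `host.name` field names are assumed from the 7.x SIEM signals mapping; the webhook path `/siem` is likewise an assumption.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List

# Constructed sample of the body the watcher webhook action sends when its
# body is "{{#toJson}}ctx.payload{{/toJson}}": a search response over
# .siem-signals-default-*. Field names under "signal" are assumed from the
# 7.x SIEM signals mapping, not taken from the thread.
SAMPLE_BODY = json.dumps({
    "took": 3,
    "timed_out": False,
    "hits": {
        "total": 2,
        "hits": [
            {"_index": ".siem-signals-default-000001", "_id": "sig-1",
             "_source": {"@timestamp": "2020-06-01T10:00:00.000Z",
                         "signal": {"status": "open",
                                    "rule": {"name": "Suspicious PowerShell",
                                             "severity": "high",
                                             "risk_score": 73}},
                         "host": {"name": "ws-01"}}},
            {"_index": ".siem-signals-default-000001", "_id": "sig-2",
             "_source": {"@timestamp": "2020-06-01T10:02:30.000Z",
                         "signal": {"status": "open",
                                    "rule": {"name": "Unusual Login Time",
                                             "severity": "medium",
                                             "risk_score": 47}},
                         "host": {"name": "srv-db-02"}}},
        ],
    },
})


def parse_watcher_body(raw: str) -> List[Dict]:
    """Turn the raw JSON body of the watcher webhook into flat alert records.

    Raises ValueError on a body that is not JSON, which is what the OP saw
    when the action template rendered an empty or HTML-escaped string."""
    payload = json.loads(raw)
    hits = payload.get("hits", {}).get("hits", [])
    alerts = []
    for hit in hits:
        src = hit.get("_source", {})
        sig = src.get("signal", {})
        rule = sig.get("rule", {})
        alerts.append({
            "id": hit.get("_id"),           # signal document id, unique per alert
            "timestamp": src.get("@timestamp"),
            "rule": rule.get("name"),
            "severity": rule.get("severity"),
            "risk_score": rule.get("risk_score"),
            "status": sig.get("status"),
            "host": src.get("host", {}).get("name"),
        })
    return alerts


class AlertDeduper:
    """Remember signal ids already delivered.

    The watch triggers every 5m but searches the last 6m, so the windows
    overlap by a minute and the same signal can arrive twice."""

    def __init__(self) -> None:
        self.seen = set()

    def new_alerts(self, alerts: List[Dict]) -> List[Dict]:
        fresh = []
        for alert in alerts:
            if alert["id"] not in self.seen:
                self.seen.add(alert["id"])
                fresh.append(alert)
        return fresh


def handle_webhook(raw: str, deduper: AlertDeduper) -> List[Dict]:
    """Parse one delivery and return only the signals not seen before."""
    return deduper.new_alerts(parse_watcher_body(raw))


DEDUPER = AlertDeduper()


class SiemWebhook(BaseHTTPRequestHandler):
    """Minimal HTTP receiver: the watch's "url" would point at POST /siem."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length).decode("utf-8")
        try:
            fresh = handle_webhook(raw, DEDUPER)
        except ValueError:
            self.send_response(400)   # not JSON: template rendered badly
            self.end_headers()
            return
        for alert in fresh:
            print(f"[{alert['severity']}] {alert['rule']} on {alert['host']}")
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY, DEDUPER))   # offline demo on the sample
    HTTPServer(("127.0.0.1", 8080), SiemWebhook).serve_forever()
```

Run it once to see the two constructed signals printed, or leave the server running and point the watch's `url` at it; a second delivery of the same body yields no new alerts because the ids are already in the deduper.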
