Webhook action is sending multiple alerts

Hello there,

I have few webhook actions set for some security rules and I'm including some fields from {{context.alerts}} in the POST request. However I've noticed that when 2 (probably more ) alerts of the same type occurs at the very same time with only few milliseconds apart, the webhook action POST request will include the details of both alerts in a single action. The effect of this issue is that the resolved field will contain merged data from both alerts. Example the result of this field {{#context.alerts}}{{host.name}}{{/contect.alert}} will be 'host1host2' where it should be either host1 or2

More detailed example.
An alert is raised when windows event id 4624 is generated.
log - eventId - host - user - alert_created(hh:mm:ss.ms)
WindowsForwarding - 4624 - host1 - user1 - 10:00:00.000
WindowsForwarding - 4624 - host2 - user2 - 10:00:00.002

Result of {{#context.alerts}}{{host.name}}{{/contect.alert}} will be 'host1host2'

Is this expected behavior and is there a way to fix or go around this ?



Hey @Daniel_B
Yes, it's an expected behaviour: when action is triggered it contains in its context all alerts that were generated during single rule execution or during specified in action throttle interval.

However, starting from 8.8.0+, it is possible to configure action per alert, so each action will have only one alert in it's context: Create a detection rule | Elastic Security Solution [8.8] | Elastic
In step 2, it's described how to do this.

Hope that helps.
Thanks, Vitalii

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.