Webhook action is sending multiple alerts

Daniel_B · June 15, 2023, 8:35am

Hello there,

I have few webhook actions set for some security rules and I'm including some fields from {{context.alerts}} in the POST request. However I've noticed that when 2 (probably more ) alerts of the same type occurs at the very same time with only few milliseconds apart, the webhook action POST request will include the details of both alerts in a single action. The effect of this issue is that the resolved field will contain merged data from both alerts. Example the result of this field {{#context.alerts}}{{host.name}}{{/contect.alert}} will be 'host1host2' where it should be either host1 or2

More detailed example.
An alert is raised when windows event id 4624 is generated.
log - eventId - host - user - alert_created(hh:mm:ss.ms)
WindowsForwarding - 4624 - host1 - user1 - 10:00:00.000
WindowsForwarding - 4624 - host2 - user2 - 10:00:00.002

Result of {{#context.alerts}}{{host.name}}{{/contect.alert}} will be 'host1host2'

Is this expected behavior and is there a way to fix or go around this ?

tks

Daniel

vitaliidm · June 15, 2023, 4:57pm

Hey @Daniel_B
Yes, it's an expected behaviour: when action is triggered it contains in its context all alerts that were generated during single rule execution or during specified in action throttle interval.

However, starting from 8.8.0+, it is possible to configure action per alert, so each action will have only one alert in it's context: Create a detection rule | Elastic Security Solution [8.8] | Elastic
In step 2, it's described how to do this.

Hope that helps.
Thanks, Vitalii

system · July 13, 2023, 4:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.