Webhook Body for Machine Learning Alerts

Hello Elastic Community,

I’ve set up an advanced Machine Learning job to detect anomalies in user logins, with 6 detectors focusing on unusual source.ip, country, hostname, hour, and time of the week per user.

I created a rule that checks record result types, with a lookback interval of 32 minutes, running every minute. The alert uses a webhook action to send data to an N8N workflow.

The Problem:
The webhook payload only shows top influencers and top records, but they seem aggregated across multiple anomalies. I want the alert to include only the details of the specific flagged record that triggered the alert, such as:

  • Detector details (e.g., function, partition_field_value, actual, typical).
  • Influencers tied to that flagged record.

Question:
How can I configure the alert and webhook body to retrieve details exclusively for the specific flagged record and its related influencers?

Thank you for your help!

1. Anomalies Detected:

In the Anomaly Explorer (PRINT 1), I can see anomalies flagged for specific users (Soledade and Sofia) at 7:45, each with unique details such as:

  • Soledade - Unusual hour.
  • Sofia - Rare user authentication.

Each has distinct influencers such as hostname, geo-location, and source.ip.

2. Email Alert (PRINT 2):
I configured a rule that checks record result types every 1 minute, with the email connector using the following body:

[{{rule.name}}]:
{{context.message}}
- Job IDs: {{context.jobIds}}
- Time: {{context.timestampIso8601}}
- Anomaly score: {{context.score}}

{{#context.topInfluencers.length}}
Top influencers:
{{#context.topInfluencers}}
- {{influencer_field_name}}: {{influencer_field_value}} [{{score}}]
{{/context.topInfluencers}}
{{/context.topInfluencers.length}}

{{#context.topRecords.length}}
Top records:
{{#context.topRecords}}
- {{function}}({{field_name}}) {{by_field_value}}{{over_field_value}}{{partition_field_value}} [{{score}}].
Typical: {{typical}}.
Actual: {{actual}}.
{{/context.topRecords}}
{{/context.topRecords.length}}

The email received (PRINT 3) combines top influencers and top records from multiple anomaly logs in the time range, making it impossible to identify specific flagged records and their related influencers.
For example:

  • The top influencers (hostnames, usernames, etc.) from both anomalies are mixed, with no indication of whether they belong to Soledade or Sofia.
  • The same happens with top records, which are combined in a single email for anomalies flagged in the same time range (1-minute interval).

This creates confusion as the email does not allow me to clearly associate influencers or anomaly details with specific users (Soledade or Sofia).

3. Webhook Action (PRINT 4):
I also tested with a webhook connector for N8N, using this JSON body:

{
  "rule_name": "{{rule.name}}",
  "message": "{{context.message}}",
  "job_id": "{{context.jobIds}}",
  "time": "{{context.timestampIso8601}}",
  "anomaly_score": "{{context.score}}",
  "influencers": "{{#context.topInfluencers.length}}{{#context.topInfluencers}} {{influencer_field_name}}={{influencer_field_value}} {{/context.topInfluencers}}{{/context.topInfluencers.length}}",
  "records": "{{#context.topRecords.length}}{{#context.topRecords}} {{function}}({{field_name}}) {{by_field_value}}{{over_field_value}}{{partition_field_value}}. Typical: {{typical}}. Actual: {{actual}}.{{/context.topRecords}}{{/context.topRecords.length}}",
  "context": "{{context}}"
}

However, the same issue occurs. The response contains aggregated data, combining multiple anomalies flagged within the 1-minute interval, making it hard to act on.

What I Need Help With:
How can I configure the email and webhook action alert to:

  1. Send one alert per flagged anomaly (record).
  2. Ensure the influencers and details are tied specifically to that flagged record, without combining unrelated anomalies.

This is critical for teams with multi-functional roles where actionable information is required per anomaly.

Thank you for your assistance!

hi @catarina,

Currently, the Anomaly Detection rule type does not support filtering an alert context based on a specific partition value. There is an open GitHub issue for a similar request. Could you please leave a comment with your use case? This helps us prioritize enhancement requests.

In the meantime, you can consider either:

  1. Using the Elasticsearch query rule type: Create an Elasticsearch query rule | Kibana Guide [8.17] | Elastic
  2. Creating a watcher with your custom condition, here is a blog post with more details: Alerting on Machine Learning Jobs in Elasticsearch | Elastic Blog

In both cases, you'll need to query the .ml-anomalies* index.

I hope this helps!
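Following the reply's suggestion of querying the .ml-anomalies* index directly, the script below is an added example (not code from this thread or from Elastic) of how the record documents returned by such a query can be turned into one webhook payload per flagged record, carrying only that record's own influencers, which is what the original post asked for. The `record_query` function, the 32-minute lookback, the score threshold of 75, the job id `user_logins`, the hostnames and addresses, and the sample documents in `SAMPLE_HITS` are all constructed for the example; the field names (`result_type`, `record_score`, `partition_field_value`, `influencers`, `is_interim`, ...) are the documented anomaly record result fields.

```python
"""Build one webhook payload per flagged ML anomaly record.

Added example for the thread above, not the poster's or Elastic's code.
It reads anomaly record documents (as returned by a search over
.ml-anomalies-*) and emits one alert body per record, so influencers are
never mixed between users the way the rule's topInfluencers/topRecords are.
"""
import json
from datetime import datetime, timezone


def record_query(job_id, min_score=75, lookback="32m"):
    """Query an Elasticsearch query rule (or watcher) could run against
    .ml-anomalies-*: finalised record results above a score threshold in the
    lookback window. The window and threshold are assumptions."""
    return {
        "size": 100,
        "sort": [{"timestamp": "desc"}],
        "query": {"bool": {"filter": [
            {"term": {"job_id": job_id}},
            {"term": {"result_type": "record"}},
            {"term": {"is_interim": False}},
            {"range": {"record_score": {"gte": min_score}}},
            {"range": {"timestamp": {"gte": f"now-{lookback}"}}},
        ]}},
    }


# Constructed sample of hits.hits: two users flagged in the same bucket
# (07:45 UTC) plus one interim record that must be ignored.
SAMPLE_HITS = [
    {"_id": "r1", "_source": {
        "job_id": "user_logins", "result_type": "record", "timestamp": 1736495100000,
        "detector_index": 3, "function": "time_of_day",
        "partition_field_name": "user.name", "partition_field_value": "Soledade",
        "record_score": 92.4, "is_interim": False,
        "typical": [54000.0], "actual": [27900.0],  # seconds since midnight
        "influencers": [
            {"influencer_field_name": "user.name", "influencer_field_values": ["Soledade"]},
            {"influencer_field_name": "host.hostname", "influencer_field_values": ["ws-0421"]},
            {"influencer_field_name": "source.ip", "influencer_field_values": ["203.0.113.77"]},
        ]}},
    {"_id": "r2", "_source": {
        "job_id": "user_logins", "result_type": "record", "timestamp": 1736495100000,
        "detector_index": 0, "function": "rare",
        "partition_field_name": "user.name", "partition_field_value": "Sofia",
        "by_field_name": "event.action", "by_field_value": "authentication",
        "record_score": 81.0, "is_interim": False,
        "typical": [1.0], "actual": [1.0],
        "influencers": [
            {"influencer_field_name": "user.name", "influencer_field_values": ["Sofia"]},
            {"influencer_field_name": "source.geo.country_iso_code", "influencer_field_values": ["BR"]},
            {"influencer_field_name": "source.ip", "influencer_field_values": ["198.51.100.23"]},
        ]}},
    {"_id": "r3", "_source": {
        "job_id": "user_logins", "result_type": "record", "timestamp": 1736495100000,
        "detector_index": 1, "function": "rare", "partition_field_value": "Ana",
        "record_score": 88.0, "is_interim": True, "influencers": []}},
]


def entity_of(src):
    """Entity a record describes: partition value, then over/by values if set."""
    parts = [src.get(k) for k in ("partition_field_value", "over_field_value", "by_field_value")]
    return " / ".join(p for p in parts if p)


def build_record_alerts(hits, min_score=75.0):
    """One alert dict per finalised record at or above min_score."""
    alerts = []
    for hit in hits:
        src = hit["_source"]
        # Skip non-record results and interim records, whose scores may still change.
        if src.get("result_type") != "record" or src.get("is_interim"):
            continue
        if src.get("record_score", 0) < min_score:
            continue
        ts = datetime.fromtimestamp(src["timestamp"] / 1000, tz=timezone.utc)
        # Influencers come from the record itself, so they belong to this entity only.
        influencers = {inf["influencer_field_name"]: inf["influencer_field_values"]
                       for inf in src.get("influencers", [])}
        alerts.append({
            "record_id": hit["_id"],
            "job_id": src["job_id"],
            "time": ts.isoformat(),
            "detector_index": src.get("detector_index"),
            "function": src.get("function"),
            "entity": entity_of(src),
            "record_score": round(src["record_score"], 1),
            "typical": src.get("typical"),
            "actual": src.get("actual"),
            "influencers": influencers,
        })
    return alerts


def to_webhook_bodies(alerts):
    """Serialise each alert on its own: one POST per body to the N8N webhook."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for body in to_webhook_bodies(build_record_alerts(SAMPLE_HITS)):
        print(body)
```

The grouping is the point: because each `.ml-anomalies-*` record document already carries its own `influencers` array, splitting on the record rather than on the rule's aggregated context keeps Soledade's hostname and Sofia's country from landing in the same message. The same per-record fields can be referenced in a Mustache body if the Elasticsearch query rule is used, since its action context exposes the matching documents; the script makes the split explicit so it can also run as a step inside the N8N workflow.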