Webhook body format for threshold term value

lusynda · October 28, 2021, 9:12am

Hi all.
I've just created a webhooks to an internal services that will need to get the value as the result of the signal that a siem threshold rule will produce.
Normally for email connector the body will look like this:

{{#context.alerts}}
{{#signal.threshold_result.terms}}{{value}}{{/signal.threshold_result.terms}}
{{/context.alerts}}

But will the format for webhook be the same?

Thanks you for ryour time.

christos.nasikas · November 1, 2021, 10:41am

Hi @lusynda,

Yes, context variables are supported by the webhook. It should work.

Best,
Christos

lusynda · November 2, 2021, 10:58am

So will this

{
	"ip": "{{#context.alerts}}{{#signal.threshold_result.terms}}{{value}}{{/signal.threshold_result.terms}}{{/context.alerts}}"
}

become this:

{
	"ip": "192.168.0.1"
}

christos.nasikas · November 2, 2021, 3:40pm

I am not sure about the values of signal.threshold_result.terms. If it worked for your email connector it should work for the webhook connector.

Thanks,
Christos

lusynda · November 10, 2021, 3:42am

Thanks for your response.
well the output is exactly what i want but in some case the output is concatenate like this:

{
    "ip": "192.168.0.1123.123.123.123"
}

Is there a way for each ip the webhook send the data separately

christos.nasikas · November 10, 2021, 1:12pm

Hi @lusynda,

Glad it worked!

I do not think is possible to send the data separately. But you can create a comma-delimited list by putting a comma after the {{value}}.

{
	"ip": "{{#context.alerts}}{{#signal.threshold_result.terms}}{{value}},{{/signal.threshold_result.terms}}{{/context.alerts}}"
}

Although that will put a comma after the last item. I am not sure how you can avoid that. Maybe @gmmorris or @Patrick_Mueller can help.

Thanks,
Christos

Patrick_Mueller · November 10, 2021, 6:59pm

The suggestion of using a delimiter (for instance, using a space below) within the string, so you'd have the following, is I think the best we can do today.

{
    "ip": "192.168.0.1 123.123.123.123 "
}

We have an issue open to track adding some additional capabilities, that might allow you to render this as something like this:

{
    "ip": ["192.168.0.1", "123.123.123.123"], 
}

It would be great if you could provide your use case there, if it's not already covered by some of the comments in the issue: [alerts] provide mustache functions for ease-of-use in transforming mustache variables · Issue #84217 · elastic/kibana · GitHub

system · December 8, 2021, 7:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Format mail send from siem detection threshold rule SIEM	3	508	June 17, 2021
Way to place new line space using Webhook request SIEM	2	472	June 6, 2021
How To get the alert severity in the body of the message , while sending the data via WEBHOOK Kibana	2	490	April 16, 2020
Elastic Rule Connector sends a String instead of JSON to the Webhook SIEM elastic-stack-alerting	6	1489	October 6, 2022
Alert and connector email context format Kibana	2	692	February 10, 2021

Webhook body format for threshold term value

Related topics