I've just created a webhook to an internal service that will need to get the value as the result of the signal that a SIEM threshold rule will produce.
Normally, for the email connector, the body will look like this:
But will the format for the webhook be the same?
Thank you for your time.
Yes, context variables are supported by the webhook. It should work.
So will this
I am not sure about the values of signal.threshold_result.terms. If it worked for your email connector it should work for the webhook connector.
Thanks for your response.
Well, the output is exactly what I want, but in some cases the output is concatenated like this:
Is there a way for the webhook to send the data separately for each IP?
Glad it worked!
I do not think it is possible to send the data separately. But you can create a comma-delimited list by putting a comma after the
Although that will put a comma after the last item. I am not sure how you can avoid that. Maybe @gmmorris or @Patrick_Mueller can help.
The suggestion of using a delimiter (for instance, using a space below) within the string, so you'd have the following, is I think the best we can do today.
"ip": "192.168.0.1 188.8.131.52 "
We have an issue open to track adding some additional capabilities, that might allow you to render this as something like this:
"ip": ["192.168.0.1", "184.108.40.206"],
It would be great if you could provide your use case there, if it's not already covered by some of the comments in the issue: [alerts] provide mustache functions for ease-of-use in transforming mustache variables · Issue #84217 · elastic/kibana · GitHub
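Until the connector can render a list, the receiving service can split the delimited string itself. The following is an added example, not part of the original thread: a Python helper that takes a webhook body whose `ip` field is space- or comma-delimited (trailing delimiter included), validates each token, and returns one record per IP. The function name, the `rule` field and the sample body are constructed for illustration.

```python
import ipaddress
import json
import re

# Delimiters a Mustache section can leave between items: spaces, commas, or both.
_DELIMS = re.compile(r"[\s,]+")


def split_webhook_ips(raw_body, field="ip"):
    """Turn one webhook body with a delimited IP string into per-IP records.

    Returns (records, rejected): records is a list of copies of the body with
    `field` set to a single normalised IP; rejected lists tokens that did not
    parse as IPv4/IPv6 addresses, so the caller can log them instead of
    acting on them.
    """
    body = json.loads(raw_body)
    value = body.get(field, "")
    if not isinstance(value, str):
        raise ValueError(f"{field!r} must be a string, got {type(value).__name__}")

    records, rejected, seen = [], [], set()
    for token in _DELIMS.split(value):
        if not token:  # empty piece from a leading or trailing delimiter
            continue
        try:
            addr = str(ipaddress.ip_address(token))
        except ValueError:
            rejected.append(token)
            continue
        if addr in seen:  # the same term repeated in one signal
            continue
        seen.add(addr)
        records.append({**body, field: addr})
    return records, rejected


if __name__ == "__main__":
    # Constructed sample body: trailing comma and space, one duplicate, one bad token.
    sample = '{"rule": "threshold-demo", "ip": "192.0.2.10, 198.51.100.7, 192.0.2.10, {{oops}}, "}'
    recs, bad = split_webhook_ips(sample)
    for r in recs:
        print(json.dumps(r))
    print("rejected:", bad)
```

Rejected tokens are returned rather than dropped silently, so an unrendered template variable or a malformed term shows up in the receiver's logs.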