Webhook body format for threshold term value

lusynda · October 28, 2021, 9:12am

Hi all.
I've just created a webhooks to an internal services that will need to get the value as the result of the signal that a siem threshold rule will produce.
Normally for email connector the body will look like this:

{{#context.alerts}}
{{#signal.threshold_result.terms}}{{value}}{{/signal.threshold_result.terms}}
{{/context.alerts}}

But will the format for webhook be the same?

Thanks you for ryour time.

christos.nasikas · November 1, 2021, 10:41am

Hi @lusynda,

Yes, context variables are supported by the webhook. It should work.

Best,
Christos

lusynda · November 2, 2021, 10:58am

So will this

{
	"ip": "{{#context.alerts}}{{#signal.threshold_result.terms}}{{value}}{{/signal.threshold_result.terms}}{{/context.alerts}}"
}

become this:

{
	"ip": "192.168.0.1"
}

christos.nasikas · November 2, 2021, 3:40pm

I am not sure about the values of signal.threshold_result.terms. If it worked for your email connector it should work for the webhook connector.

Thanks,
Christos

lusynda · November 10, 2021, 3:42am

Thanks for your response.
well the output is exactly what i want but in some case the output is concatenate like this:

{
    "ip": "192.168.0.1123.123.123.123"
}

Is there a way for each ip the webhook send the data separately

christos.nasikas · November 10, 2021, 1:12pm

Hi @lusynda,

Glad it worked!

I do not think is possible to send the data separately. But you can create a comma-delimited list by putting a comma after the {{value}}.

{
	"ip": "{{#context.alerts}}{{#signal.threshold_result.terms}}{{value}},{{/signal.threshold_result.terms}}{{/context.alerts}}"
}

Although that will put a comma after the last item. I am not sure how you can avoid that. Maybe @gmmorris or @Patrick_Mueller can help.

Thanks,
Christos

Patrick_Mueller · November 10, 2021, 6:59pm

The suggestion of using a delimiter (for instance, using a space below) within the string, so you'd have the following, is I think the best we can do today.

{
    "ip": "192.168.0.1 123.123.123.123 "
}

We have an issue open to track adding some additional capabilities, that might allow you to render this as something like this:

{
    "ip": ["192.168.0.1", "123.123.123.123"], 
}

It would be great if you could provide your use case there, if it's not already covered by some of the comments in the issue: [alerts] provide mustache functions for ease-of-use in transforming mustache variables · Issue #84217 · elastic/kibana · GitHub

system · December 8, 2021, 7:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.