# Elastic SIEM

Elastic SIEM forwards alerts to Radiant Security through an outbound webhook. Radiant receives each alert produced by a detection rule with the Radiant webhook action attached and triages it automatically.

### Prerequisites

* [ ] Superuser or `elastic_security_admin` access level, or any other role that has read access to Elastic SIEM and Connectors

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connector** and click **+ Add Connector**.
3. Select the **Elastic SIEM (webhook)** option from the list and click **Data Feeds**.
4. Under **Select your data feeds**, select **Elastic SIEM** and click **Credentials**.
5. Under **Credential Name**, give the credential an identifiable name (for example, `Elastic Webhook Credentials`).
6. Under **Required Credentials**, enter a **Connector tag**. This value can be any string; Radiant uses it as the salt for the token it generates to identify your connector.
7. Click **Add Connector**.
8. Open the newly created connector. Under **Vendor Configuration**, copy and save the **Webhook URL** and the **Token** values; you will need them when creating the webhook connector in Kibana.
9. Click **Add Connector** to save the changes.

### Configure URL allow list

{% hint style="info" %}
This step is only required if your environment is not using the `xpack.action.allowedHosts` setting with the default value `["*"]`.
{% endhint %}

The `xpack.action.allowedHosts` setting restricts the hosts that Elastic can connect to when executing actions such as webhooks.

Apply the steps below to all Elasticsearch nodes on the cluster:

1. Navigate to the `config` directory and open the `elasticsearch.yml` file.
2. Locate the line `xpack.action.allowedHosts`.
   * If the setting contains the value `["*"]`, there is no need to update it.
   * If the setting contains any value different from `["*"]`, include the following entry: `https://api.app.blastradius.ai`
3. Save and close the file.
4. Restart the node to apply the new configuration.

### Create the webhook connector

1. Access **Kibana**.
2. From the navigation menu, click **Management** > **Stack Management** > **Connectors** and click **Create Connector**.
3. Select **Webhook** from the list.
4. On the **Configuration** tab, enter the following values:
   * **Connector name**: `RadiantSecurity_Webhook`
   * **Method**: `POST`
   * **URL**: Paste in the **Webhook URL** that you copied during the data connector setup.
   * **Authentication**: `None`
   * Enable the **Add HTTP Header** option and click **Add**:
     * **Key**: `rs_token`
     * **Value**: Paste in the **Token** that you copied during the data connector setup.
5. Click **Save and test**.
6. In **Edit connector**, click the **Test** tab. Copy and paste the following payload into the **Body** section:

{% code overflow="wrap" %}

```json
{
    "name": "Radiant Security Webhook connection test",
    "isTest": "true"
}
```

{% endcode %}

7. Click **Run**.
8. If the test is successful, click **Close**.
9. If the test fails, review the **URL** and the **Token** in the **Configuration** tab and make sure they match the values provided during the **Add the data connector in Radiant Security** section.

### Configure rules to use the webhook action

In this step you attach the webhook action to a detection rule so that its alerts are sent to Radiant Security. Repeat these steps for every rule whose alerts Radiant should triage.

1. Access **Kibana**.
2. From the navigation menu, click **Security** > **Rules**.
3. Click the rule name.
4. Click **Edit rule settings**.
5. Navigate to the **Actions** tab.
6. Click **Webhook** and select the newly created Webhook connector (for example, `RadiantSecurity_Webhook`).
7. For **Action frequency**, select **For each alert** and then **Per rule run**.
8. Copy the following template and paste it into the **Body** section:

{% code overflow="wrap" %}

```json
{
  "rule_name": "{{rule.name}}",
  "alert_id": "{{context.alerts.0._id}}",
  "rule_uuid": "{{alert.uuid}}",
  "alert_timestamp": "{{context.alerts.0.kibana.alert.last_detected}}",
  "rule_severity": "{{context.rule.severity}}",
  "alert_count": "{{state.signals_count}}",
  "rule_description": "{{context.rule.description}}",
  "rule_index": "{{context.rule.index}}",
  "rule.tags": "{{rule.tags}}",
  "event": {
    "event_index": "{{context.alerts.0.kibana.alert.ancestors.0.index}}",
    "event_timestamp": "{{context.alerts.0.@timestamp}}",
    "hostname": "{{context.alerts.0.host.name}}",
    "srcIP": "{{context.alerts.0.source.ip}}",
    "destIP": "{{context.alerts.0.destination.ip}}",
    "srcport": "{{context.alerts.0.source.port}}",
    "destport": "{{context.alerts.0.destination.port}}",
    "url": "{{url.full}}",
    "username": "{{context.alerts.0.user.name}}",
    "action": "{{context.alerts.0.event.action}}",
    "filename": "{{context.alerts.0.event.file.name}}",
    "filepath": "{{context.alerts.0.event.file.path}}",
    "filemd5": "{{context.alerts.0.event.file.hash.md5}}",
    "filesha256": "{{context.alerts.0.event.file.hash.sha256}}",
    "vendor": "{{context.alerts.0.event.observer.vendor}}",
    "product": "{{context.alerts.0.event.observer.product}}",
    "threat": "{{context.alerts.0.kibana.alert.rule.parameters.threat}}",
    "category": "{{context.alerts.0.kibana.alert.rule.category}}",
    "rawData": "{{context.alerts}}"
  }
}
```

{% endcode %}

9. Click **Save changes**.
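The body template above is rendered by Kibana with Mustache, which substitutes every `{{...}}` placeholder from the rule's action context and turns any placeholder it cannot resolve into an empty string. The script below, added here as an illustration and not part of this page's or Radiant's tooling, previews that behaviour offline: it renders a constructed subset of the template against a constructed sample alert context with a simplified dotted-path resolver (Kibana's own renderer additionally supports sections and lambdas, which this ignores), reports which placeholders came out empty, and checks that the rendered body is still valid JSON.

```python
import json
import re

# Constructed subset of the page's body template (same placeholder syntax, fewer fields).
BODY_TEMPLATE = """{
  "rule_name": "{{rule.name}}",
  "alert_id": "{{context.alerts.0._id}}",
  "event": {
    "hostname": "{{context.alerts.0.host.name}}",
    "filesha256": "{{context.alerts.0.event.file.hash.sha256}}"
  }
}"""

# Constructed sample action context shaped like what the placeholders above reference.
SAMPLE_CONTEXT = {
    "rule": {"name": "Suspicious PowerShell Download"},
    "context": {
        "alerts": [{"_id": "CONSTRUCTED-ALERT-ID-0001",
                    "host": {"name": "ws-finance-07"}}],
    },
}

VAR_RE = re.compile(r"\{\{\s*([\w.@]+)\s*\}\}")

def lookup(ctx, path):
    """Walk a dotted path such as context.alerts.0.host.name; digit segments index lists."""
    cur = ctx
    for seg in path.split("."):
        if isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
            cur = cur[int(seg)]
        elif isinstance(cur, dict) and seg in cur:
            cur = cur[seg]
        else:
            return None  # missing field: Mustache renders it as an empty string
    return cur

def render_body(template=BODY_TEMPLATE, ctx=SAMPLE_CONTEXT):
    """Substitute {{var}} placeholders and parse the result; returns (body_dict, unresolved_paths)."""
    unresolved = []
    def sub(m):
        val = lookup(ctx, m.group(1))
        if val is None:
            unresolved.append(m.group(1))
            return ""
        val = val if isinstance(val, str) else json.dumps(val)
        return json.dumps(val)[1:-1]  # JSON-escape quotes/backslashes, drop the outer quotes
    text = VAR_RE.sub(sub, template)
    return json.loads(text), unresolved  # json.loads raises if the body is not valid JSON
```

Running `render_body()` against a context captured from one of your own rules shows which fields (for example the file hashes on a network-only alert) will arrive in Radiant empty.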

### Verify ingestion

After Elastic SIEM begins forwarding, confirm alerts are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"elastic_siem_webhook"`.
3. Confirm recent alerts appear.

{% hint style="info" %}
Allow several minutes for alerts to be parsed, indexed, and available for search.
{% endhint %}
