Elastic SIEM

Forward alerts from Elastic SIEM to Radiant Security using a webhook connector and rule actions.

Elastic SIEM forwards alerts to Radiant Security through an outbound webhook. Radiant receives each alert produced by a detection rule with the Radiant webhook action attached and triages it automatically.

Prerequisites

Superuser or elastic_security_admin access level, or any other role that has read access to Elastic SIEM and Connectors

Add the data connector in Radiant Security

Log in to Radiant Security.
From the navigation menu, select Settings > Data Connector and click + Add Connector.
Select the Elastic SIEM (webhook) option from the list and click Data Feeds.
Under Select your data feeds, select Elastic SIEM and click Credentials.
Under Credential Name, give the credential an identifiable name (for example, Elastic Webhook Credentials).
Under Required Credentials, enter a Connector tag. This value can be any string, and will be used as salt for the token that will be generated to identify your connector.
Click Add Connector.
Open the newly created connector. Under Vendor Configuration, copy and save the Webhook URL and the Token values, as you will use them later.
Click Add Connector to save the changes.

Configure URL allow list

This step is only required if your environment is not using the xpack.action.allowedHosts setting with the default value ["*"].

The xpack.action.allowedHosts setting restricts the hosts that Elastic can connect to when executing actions such as webhooks.

Apply the steps below to all Elasticsearch nodes on the cluster:

Navigate to the config directory and open the elasticsearch.yml file.
Locate the line xpack.action.allowedHosts.
- If the setting contains the value ["*"], there is no need to update it.
- If the setting contains any value different from ["*"], include the following entry: https://api.app.blastradius.ai
Save and close the file.
Restart the node to apply the new configuration.

Create the webhook connector

Access Kibana.
From the navigation menu, click Management > Stack Management > Connectors and click Create Connector.
Select Webhook from the list.
On the Configuration tab, enter the following values:
- Connector name: RadiantSecurity_Webhook
- Method: POST
- URL: Paste in the Webhook URL that you copied during the data connector setup.
- Authentication: None
- Enable the Add HTTP Header option and click Add:
  - Key: rs_token
  - Value: Paste in the Token that you copied during the data connector setup.
Click Save and test
In Edit connector, click the Test tab. Copy and paste the following payload into the Body section:

{
    "name": "Radiant Security Webhook connection test",
    "isTest": "true"
}

Click Run.
If the test is successful, click Close.
If the test fails, review the URL and the Token in the Configuration tab and make sure they match the values provided during the Add the data connector in Radiant Security section.

Configure rules to use the webhook action

In this step you'll configure the detection rules to use the webhook action to send alerts to Radiant Security.

Access Kibana.
From the navigation menu, click Security > Rules.
Click the rule name.
Click Edit rule settings.
Navigate to the Actions tab.
Click Webhook and select the newly created Webhook connector (for example, RadiantSecurity_Webhook).
For Action frequency, select For each alert and then Per rule run.
Copy the following template and paste it into the Body section:

{
  "rule_name": "{{rule.name}}",
  "alert_id": "{{context.alerts.0._id}}",
  "rule_uuid": "{{alert.uuid}}",
  "alert_timestamp": "{{context.alerts.0.kibana.alert.last_detected}}",
  "rule_severity": "{{context.rule.severity}}",
  "alert_count": "{{state.signals_count}}",
  "rule_description": "{{context.rule.description}}",
  "rule_index": "{{context.rule.index}}",
  "rule.tags": "{{rule.tags}}",
  "event": {
  "event_index": "{{context.alerts.0.kibana.alert.ancestors.0.index}}",
  "event_timestamp": "{{context.alerts.0.@timestamp}}",
  "hostname": "{{context.alerts.0.host.name}}",
  "srcIP": "{{context.alerts.0.source.ip}}",
  "destIP": "{{context.alerts.0.destination.ip}}",
  "srcport": "{{context.alerts.0.source.port}}",
  "destport": "{{context.alerts.0.destination.port}}",
  "url": "{{url.full}}",
  "username": "{{context.alerts.0.user.name}}",
  "action": "{{context.alerts.0.event.action}}",
  "filename": "{{context.alerts.0.event.file.name}}",
  "filepath": "{{context.alerts.0.event.file.path}}",
  "filemd5": "{{context.alerts.0.event.file.hash.md5}}",
  "filesha256": "{{context.alerts.0.event.file.hash.sha256}}",
  "vendor": "{{context.alerts.0.event.observer.vendor}}",
  "product": "{{context.alerts.0.event.observer.product}}",
  "threat": "{{context.alerts.0.kibana.alert.rule.parameters.threat}}",
  "category": "{{context.alerts.0.kibana.alert.rule.category}}",
  "rawData": "{{context.alerts}}"
  }
}

Click Save changes.

Verify ingestion

After Elastic SIEM begins forwarding, confirm alerts are reaching Radiant.

In Radiant, navigate to Log Management.
Filter by rs_connectorType:"elastic_siem_webhook".
Confirm recent alerts appear.

Allow several minutes for alerts to be parsed, indexed, and available for search.

PreviousDragos Platform NextExecute Response Actions with KnowBe4

Last updated 18 days ago

Was this helpful?