Elastic SIEM (webhook)
Configure Elastic SIEM to forward alerts to Radiant Security via webhook.
In this guide, you'll establish a trusted relationship between Elastic SIEM and Radiant Security. Once set up, Radiant Security will receive alerts from your Elastic SIEM environment and use them to support automated triage and response.
Prerequisites
Add the data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, select Settings > Data Connector and click + Add Connector.
Select the Elastic SIEM (webhook) option from the list and click Data Feeds.
Under Select your data feeds, select Elastic SIEM and click Credentials.
Under Credential Name, give the credential an identifiable name (e.g. Elastic Webhook Credentials).
Under Required Credentials, enter a Connector tag. This value can be any string, and will be used as salt for the token that will be generated to identify your connector.
Click Add Connector.
Open the newly created connector. Under Vendor Configuration, copy and save the Webhook URL and the Token values, as you will use them later.
Click Add Connector to save the changes.
Configure URL allow list
The xpack.action.allowedHosts setting restricts the hosts that Elastic can connect to when executing actions such as webhooks. This is a security measure to prevent unauthorized or unintended network access.
The steps below must be applied to all Elasticsearch nodes on the cluster:
Navigate to the config directory and open the elasticsearch.yml file.
Locate the line xpack.action.allowedHosts.
If the setting contains the value ["*"], there is no need to update it.
If the setting contains any value different from ["*"], include the following entry: https://api.app.blastradius.ai
Save and close the file.
Restart the node to apply the new configuration.
Create the webhook connector
In this section, you’ll create the webhook connector by adding in the Token and Webhook URL values.
Access Kibana.
From the navigation menu, click Management > Stack Management > Connectors and click Create Connector.
Select Webhook from the list.
Scroll down and select the Webhook option.
On the Configuration tab, enter the following values:
Connector name: RadiantSecurity_Webhook
Method: POST
URL: Paste in the Webhook URL that you copied during the data connector setup
Authentication: None
Enable the Add HTTP Header option.
Click Add:
Key: rs_token
Value: Paste in the Token that you copied during the data connector setup
Click Save and test.
In Edit connector, click the Test tab. Copy and paste the following payload to the Body section:
{ "name": "Radiant Security Webhook connection test", "isTest": "true" }
Click Run.
If the test is successful, click Close.
If the test fails, review the URL and the Token in the Configuration tab and make sure they match the values provided during the Add the data connector in Radiant Security section.
Configure rules to use the webhook action
In this step you'll configure the detection rules to use the webhook action to send alerts to Radiant Security.
Access Kibana.
From the navigation menu, click Security > Rules.
For each rule you want to forward notifications to Radiant Security, configure the following:
Click on the rule name.
Click Edit rule settings.
Navigate to the Actions tab.
Click Webhook and select the newly created Webhook connector (e.g., RadiantSecurity_Webhook).
On the Webhook connector section, select the newly created Webhook connector.
For Action frequency, select For each alert and then Per rule run.
Copy the following template and paste it in the Body section.
Click Save changes.
{
  "rule_name": "{{rule.name}}",
  "alert_id": "{{context.alerts.0._id}}",
  "rule_uuid": "{{alert.uuid}}",
  "alert_timestamp": "{{context.alerts.0.kibana.alert.last_detected}}",
  "rule_severity": "{{context.rule.severity}}",
  "alert_count": "{{state.signals_count}}",
  "rule_description": "{{context.rule.description}}",
  "rule_index": "{{context.rule.index}}",
  "rule.tags": "{{rule.tags}}",
  "event": {
    "event_index": "{{context.alerts.0.kibana.alert.ancestors.0.index}}",
    "event_timestamp": "{{context.alerts.0.@timestamp}}",
    "hostname": "{{context.alerts.0.host.name}}",
    "srcIP": "{{context.alerts.0.source.ip}}",
    "destIP": "{{context.alerts.0.destination.ip}}",
    "srcport": "{{context.alerts.0.source.port}}",
    "destport": "{{context.alerts.0.destination.port}}",
    "url": "{{url.full}}",
    "username": "{{context.alerts.0.user.name}}",
    "action": "{{context.alerts.0.event.action}}",
    "filename": "{{context.alerts.0.event.file.name}}",
    "filepath": "{{context.alerts.0.event.file.path}}",
    "filemd5": "{{context.alerts.0.event.file.hash.md5}}",
    "filesha256": "{{context.alerts.0.event.file.hash.sha256}}",
    "vendor": "{{context.alerts.0.event.observer.vendor}}",
    "product": "{{context.alerts.0.event.observer.product}}",
    "threat": "{{context.alerts.0.kibana.alert.rule.parameters.threat}}",
    "category": "{{context.alerts.0.kibana.alert.rule.category}}",
    "rawData": "{{context.alerts}}"
  }
}
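To see what the receiving side of this setup has to verify, here is an added Python model of a webhook endpoint (not Radiant Security's code): it checks the rs_token header from the connector step in constant time, tells the Test tab payload apart from a real alert, and flags required fields that are missing or mustache variables Kibana left unrendered. The token value, the required-field list and the sample alert body are constructed assumptions for the demo.

```python
import hmac
import json

# Constructed demo token; the real value is the Token copied from the Radiant
# Security connector page (assumption: an opaque string compared verbatim).
EXPECTED_TOKEN = "demo-token-0123456789abcdef"

# Assumed minimum set of fields a rendered alert from the template should carry.
REQUIRED_ALERT_FIELDS = ("rule_name", "alert_id", "rule_severity", "event")


def token_valid(headers: dict) -> bool:
    """Check the rs_token header in constant time; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("rs_token", "")
    return hmac.compare_digest(presented.encode(), EXPECTED_TOKEN.encode())


def classify_payload(body: str) -> dict:
    """Parse the POST body: connection test, usable alert, or invalid."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        data = None
    if not isinstance(data, dict):
        return {"kind": "invalid", "missing": [], "unrendered": []}
    # The Test tab payload on this page sends isTest as the string "true".
    if str(data.get("isTest", "")).lower() == "true":
        return {"kind": "test", "missing": [], "unrendered": []}
    missing = [f for f in REQUIRED_ALERT_FIELDS if f not in data]
    # A literal "{{" means Kibana did not substitute a mustache variable.
    unrendered = [k for k, v in data.items() if isinstance(v, str) and "{{" in v]
    kind = "alert" if not missing else "invalid"
    return {"kind": kind, "missing": missing, "unrendered": unrendered}


def handle_webhook(headers: dict, body: str) -> tuple:
    """Return (status_code, reason) the way a receiving endpoint would."""
    if not token_valid(headers):
        return 401, "rs_token missing or wrong"
    result = classify_payload(body)
    if result["kind"] == "invalid":
        return 400, "missing fields: " + ",".join(result["missing"])
    return 200, result["kind"]


# Constructed sample inputs: the connection-test body from this page and a
# rendered alert shaped like the template above.
TEST_BODY = '{ "name": "Radiant Security Webhook connection test", "isTest": "true" }'
ALERT_BODY = json.dumps({"rule_name": "Suspicious PowerShell", "alert_id": "abc123",
                         "rule_severity": "high", "event": {"hostname": "ws-01"}})
```

Running handle_webhook(TEST_BODY) with the right header returns (200, "test"), the same result the Kibana Test tab expects to see as a success.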