# Elastic SIEM (webhook)

In this guide, you'll establish a trusted relationship between Elastic SIEM and Radiant Security. Once set up, Radiant Security will receive alerts from your Elastic SIEM environment and use them to support automated triage and response.

### Prerequisites

* [ ] Elastic SIEM
* [ ] Superuser or elastic\_security\_admin access level, or any other role that has read access to Elastic SIEM and Connectors

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connector** and click **+ Add Connector**.
3. Select the **Elastic SIEM (webhook)** option from the list and click **Data Feeds**.
4. Under **Select your data feeds**, select **Elastic SIEM** and click **Credentials**.
5. Under **Credential Name**, give the credential an identifiable name (e.g. `Elastic Webhook Credentials`).
6. Under **Required Credentials**, enter a **Connector tag**. This value can be any string; it is used as a salt for the token that will be generated to identify your connector.
7. Click **Add Connector**.
8. Open the newly created connector. Under **Vendor Configuration**, copy and save the `Webhook URL` and the `Token` values, as you will use them later.
9. Click **Add Connector** to save the changes.

### Configure URL allow list

{% hint style="info" %}
**Note**: This step is only required if your environment is not using the `xpack.action.allowedHosts` setting with the default value `["*"]`.
{% endhint %}

The `xpack.action.allowedHosts` setting restricts the hosts that Elastic can connect to when executing actions such as webhooks. This is a security measure to prevent unauthorized or unintended network access.

The steps below must be applied to all Elasticsearch nodes on the cluster:

1. Navigate to the `config` directory and open the `elasticsearch.yml` file.
2. Locate the line `xpack.action.allowedHosts`.
   1. If the setting contains the value `["*"]`, there is no need to update it.
   2. If the setting contains any value other than `["*"]`, add the following entry: `https://api.app.blastradius.ai`
3. Save and close the file.
4. Restart the node to apply the new configuration.

### Create the webhook connector

In this section, you'll create the webhook connector by adding in the **Token** and **Webhook URL** values.

1. Access **Kibana**.
2. From the navigation menu, click **Management** > **Stack Management** > **Connectors** and click **Create Connector**.
3. Select **Webhook** from the list.
4. Scroll down and select the **Webhook** option.
5. On the **Configuration** tab, enter the following values:
   * **Connector name**: `RadiantSecurity_Webhook`
   * **Method**: `POST`
   * **URL**: Paste in the **Webhook URL** that you copied during the data connector setup
   * **Authentication**: `None`
   * Enable the **Add HTTP Header** option.
   * Click **Add**:
     * **Key**: `rs_token`
     * **Value**: Paste in the **Token** that you copied during the data connector setup
6. Click **Save and test**.
7. In **Edit connector**, click the **Test** tab. Copy and paste the following payload into the **Body** section:

   ```json
   {
       "name": "Radiant Security Webhook connection test",
       "isTest": "true"
   }
   ```
8. Click **Run**.
9. If the test is successful, click **Close**.
10. If the test fails, review the **URL** and the **Token** in the **Configuration** tab and make sure they match the values provided during the **Add the data connector in Radiant Security** section.

### Configure rules to use the webhook action

In this step you'll configure the detection rules to use the webhook action to send alerts to Radiant Security.

1. Access **Kibana**.
2. From the navigation menu, click **Security** > **Rules**.
3. For each rule you want to forward notifications to Radiant Security, configure the following:

   1. Click on the rule name.
   2. Click **Edit rule settings**.
   3. Navigate to the **Actions** tab.
   4. Click **Webhook** and select the newly created Webhook connector (e.g., `RadiantSecurity_Webhook`).
   5. On the Webhook connector section, select the newly created Webhook connector.
   6. For **Action frequency**, select **For each alert** and then **Per rule run**.
   7. Copy the following template and paste it into the **Body** section.
   8. Click **Save changes**.

   ```json
   {
     "rule_name": "{{rule.name}}",
     "alert_id": "{{context.alerts.0._id}}",
     "rule_uuid": "{{alert.uuid}}",
     "alert_timestamp": "{{context.alerts.0.kibana.alert.last_detected}}",
     "rule_severity": "{{context.rule.severity}}",
     "alert_count": "{{state.signals_count}}",
     "rule_description": "{{context.rule.description}}",
     "rule_index": "{{context.rule.index}}",
     "rule.tags": "{{rule.tags}}",
     "event": {
       "event_index": "{{context.alerts.0.kibana.alert.ancestors.0.index}}",
       "event_timestamp": "{{context.alerts.0.@timestamp}}",
       "hostname": "{{context.alerts.0.host.name}}",
       "srcIP": "{{context.alerts.0.source.ip}}",
       "destIP": "{{context.alerts.0.destination.ip}}",
       "srcport": "{{context.alerts.0.source.port}}",
       "destport": "{{context.alerts.0.destination.port}}",
       "url": "{{url.full}}",
       "username": "{{context.alerts.0.user.name}}",
       "action": "{{context.alerts.0.event.action}}",
       "filename": "{{context.alerts.0.event.file.name}}",
       "filepath": "{{context.alerts.0.event.file.path}}",
       "filemd5": "{{context.alerts.0.event.file.hash.md5}}",
       "filesha256": "{{context.alerts.0.event.file.hash.sha256}}",
       "vendor": "{{context.alerts.0.event.observer.vendor}}",
       "product": "{{context.alerts.0.event.observer.product}}",
       "threat": "{{context.alerts.0.kibana.alert.rule.parameters.threat}}",
       "category": "{{context.alerts.0.kibana.alert.rule.category}}",
       "rawData": "{{context.alerts}}"
     }
   }
   ```
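Because the connector is created with **Authentication** set to `None`, the `rs_token` header is the only thing authenticating each delivery. The following added example (not Radiant Security's or Elastic's code) shows the checks a receiving endpoint has to perform on what Kibana sends: the connection-test body from the **Save and test** step and an alert body rendered from the template above. The sample bodies and the token value are constructed for illustration.

```python
import hmac
import json

# Header key configured on the Kibana webhook connector in this guide.
TOKEN_HEADER = "rs_token"

def verify_webhook(headers, body, expected_token):
    """Validate one webhook delivery.

    headers: dict of HTTP request headers; body: raw request body (str);
    expected_token: the Token shown under Vendor Configuration in Radiant Security.
    Returns (http_status, kind) where kind is "test", "alert" or an error label.
    """
    # HTTP header names are case-insensitive and proxies may re-case them.
    supplied = next((v for k, v in headers.items() if k.lower() == TOKEN_HEADER), None)
    if supplied is None:
        return 401, "missing_token"
    # Constant-time comparison: the shared token is the sole credential here.
    if not hmac.compare_digest(supplied.encode(), expected_token.encode()):
        return 403, "bad_token"
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, "invalid_json"
    if not isinstance(payload, dict):
        return 400, "invalid_json"
    # "Save and test" posts the guide's test body; note isTest is the string "true".
    if str(payload.get("isTest", "")).lower() == "true":
        return 200, "test"
    # A real alert must carry at least the rule name and alert id; Mustache
    # fields that do not exist in the alert render as empty strings.
    missing = [f for f in ("rule_name", "alert_id") if not payload.get(f)]
    if missing:
        return 422, "missing_fields:" + ",".join(missing)
    return 202, "alert"

# Constructed sample deliveries (not real alerts).
TEST_BODY = json.dumps({"name": "Radiant Security Webhook connection test", "isTest": "true"})
ALERT_BODY = json.dumps({
    "rule_name": "Constructed example rule",
    "alert_id": "constructed-alert-id-0001",
    "rule_severity": "high",
    "event": {"hostname": "host-01", "username": "jdoe"},
})

if __name__ == "__main__":
    token = "PLACEHOLDER_TOKEN_FROM_VENDOR_CONFIGURATION"
    print(verify_webhook({"rs_token": token}, TEST_BODY, token))   # (200, 'test')
    print(verify_webhook({"rs_token": token}, ALERT_BODY, token))  # (202, 'alert')
    print(verify_webhook({}, ALERT_BODY, token))                   # (401, 'missing_token')
```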

