# Elastic SIEM (webhook)

In this guide, you'll establish a trusted relationship between Elastic SIEM and Radiant Security. Once set up, Radiant Security will receive alerts from your Elastic SIEM environment and use them to support automated triage and response.

### Prerequisites

* [ ] Elastic SIEM
* [ ] Superuser or elastic\_security\_admin access level, or any other role that has read access to Elastic SIEM and Connectors

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connector** and click **+ Add Connector**.
3. Select the **Elastic SIEM (webhook)** option from the list and click **Data Feeds**.
4. Under **Select your data feeds**, select **Elastic SIEM** and click **Credentials**.
5. Under **Credential Name**, give the credential an identifiable name (e.g. `Elastic Webhook Credentials`).
6. Under **Required Credentials**, enter a **Connector tag**. This value can be any string, and will be used as salt for the token that will be generated to identify your connector.
7. Click **Add Connector**.
8. Open the newly created connector. Under **Vendor Configuration**, copy and save the `Webhook URL` and the `Token` values, as you will use them later.
9. Click **Add Connector** to save the changes.

### Configure URL allow list

{% hint style="info" %}
**Note**: This step is only required if your environment is not using the `xpack.action.allowedHosts` setting with the default value `["*"]`.
{% endhint %}

The `xpack.action.allowedHosts` setting restricts the hosts that Elastic can connect to when executing actions such as webhooks. This is a security measure to prevent unauthorized or unintended network access.

The steps below must be applied to all Elasticsearch nodes on the cluster:

1. Navigate to the `config` directory and open the `elasticsearch.yml` file.
2. Locate the line `xpack.action.allowedHosts`.
   1. If the setting contains the value `["*"]`, there is no need to update it.
   2. If the setting contains any value other than `["*"]`, add the following entry: `https://api.app.blastradius.ai`
3. Save and close the file.
4. Restart the node to apply the new configuration.

### Create the webhook connector

In this section, you’ll create the webhook connector by adding in the **Token** and **Webhook** **URL** values.

1. Access **Kibana**.
2. From the navigation menu, click **Management** > **Stack Management** > **Connectors** and click **Create Connector**.
3. Select **Webhook** from the list.
4. Scroll down and select the Webhook option.
5. On the **Configuration** tab, enter the following values:
   * **Connector name**: `RadiantSecurity_Webhook`
   * **Method**: `POST`
   * **URL**: Paste in the **Webhook URL** that you copied during the data connector setup
   * **Authentication**: `None`
   * Enable the **Add HTTP Header** option.
   * Click **Add**:
     * **Key**: `rs_token`
     * **Value**: Paste in the **Token** that you copied during the data connector setup
6. Click **Save and test**.
7. In **Edit connector**, click the **Test** tab. Copy and paste the following payload into the **Body** section:

   ```json
   {
       "name": "Radiant Security Webhook connection test",
       "isTest": "true"
   }
   ```
8. Click **Run**.
9. If the test is successful, click **Close**.
10. If the test fails, review the **URL** and the **Token** in the **Configuration** tab and make sure they match the values provided during the **Add the data connector in Radiant Security** section.

### Configure rules to use the webhook action

In this step you'll configure the detection rules to use the webhook action to send alerts to Radiant Security.

1. Access **Kibana**.
2. From the navigation menu, click **Security** > **Rules**.
3. For each rule you want to forward notifications to Radiant Security, configure the following:

   1. Click on the rule name.
   2. Click **Edit rule settings**.
   3. Navigate to the **Actions** tab.
   4. Click **Webhook** and select the newly created Webhook connector (e.g., `RadiantSecurity_Webhook`).
   5. On the Webhook connector section, select the newly created Webhook connector.
   6. For **Action frequency**, select **For each alert** and then **Per rule run**.
   7. Copy the following template and paste it in the **Body** section.
   8. Click **Save changes**.

   ```json
   {
     "rule_name": "{{rule.name}}",
     "alert_id": "{{context.alerts.0._id}}",
     "rule_uuid": "{{alert.uuid}}",
     "alert_timestamp": "{{context.alerts.0.kibana.alert.last_detected}}",
     "rule_severity": "{{context.rule.severity}}",
     "alert_count": "{{state.signals_count}}",
     "rule_description": "{{context.rule.description}}",
     "rule_index": "{{context.rule.index}}",
     "rule.tags": "{{rule.tags}}",
     "event": {
       "event_index": "{{context.alerts.0.kibana.alert.ancestors.0.index}}",
       "event_timestamp": "{{context.alerts.0.@timestamp}}",
       "hostname": "{{context.alerts.0.host.name}}",
       "srcIP": "{{context.alerts.0.source.ip}}",
       "destIP": "{{context.alerts.0.destination.ip}}",
       "srcport": "{{context.alerts.0.source.port}}",
       "destport": "{{context.alerts.0.destination.port}}",
       "url": "{{url.full}}",
       "username": "{{context.alerts.0.user.name}}",
       "action": "{{context.alerts.0.event.action}}",
       "filename": "{{context.alerts.0.event.file.name}}",
       "filepath": "{{context.alerts.0.event.file.path}}",
       "filemd5": "{{context.alerts.0.event.file.hash.md5}}",
       "filesha256": "{{context.alerts.0.event.file.hash.sha256}}",
       "vendor": "{{context.alerts.0.event.observer.vendor}}",
       "product": "{{context.alerts.0.event.observer.product}}",
       "threat": "{{context.alerts.0.kibana.alert.rule.parameters.threat}}",
       "category": "{{context.alerts.0.kibana.alert.rule.category}}",
       "rawData": "{{context.alerts}}"
     }
   }
   ```
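If the connector test in the previous section fails, or you want to confirm what Kibana actually sends before pointing the connector at the real Webhook URL, a local stand-in receiver is useful. The example below is added here and is not Radiant Security's or Elastic's code: it checks the `rs_token` header with a constant-time comparison and distinguishes the `isTest` payload from the rule-action template payload above; the token value and the port are constructed placeholders.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the Token copied from the Radiant connector page.
EXPECTED_TOKEN = "example-token-replace-me"
# Top-level keys the rule-action template above always emits.
REQUIRED_ALERT_KEYS = ("rule_name", "alert_id", "rule_severity", "event")


def validate_webhook(headers: dict, body: bytes, expected_token: str) -> tuple:
    """Return (HTTP status, reason) for one inbound webhook request.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    token = lower.get("rs_token", "")
    # Constant-time comparison so a wrong token does not leak how much matched.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return 401, "missing or wrong rs_token header"
    try:
        payload = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return 400, "body is not valid JSON"
    if not isinstance(payload, dict):
        return 400, "body must be a JSON object"
    # Payload sent by "Save and test" in the connector UI.
    if payload.get("isTest") == "true":
        return 200, "connector test received"
    # Payload rendered from the rule-action template.
    missing = [k for k in REQUIRED_ALERT_KEYS if k not in payload]
    if missing:
        return 422, "alert payload missing keys: " + ", ".join(missing)
    if not isinstance(payload["event"], dict):
        return 422, "event must be an object"
    return 200, "alert from rule %r received" % payload["rule_name"]


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, reason = validate_webhook(dict(self.headers), body, EXPECTED_TOKEN)
        print(status, reason, body.decode(errors="replace"))  # what Kibana sent
        self.send_response(status)
        self.end_headers()
        self.wfile.write(reason.encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Point the connector's **URL** at this listener (it must be in `xpack.action.allowedHosts` if that setting is restricted) and run the **Test** tab; a 401 means the `rs_token` header did not arrive intact, which also happens when a proxy between Kibana and the receiver drops header names containing underscores.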
