Elasticsearch alert integration
This article explains how to set up the Elasticsearch alert integration using Cydarm’s webhook receiver.
Overview
For the Elasticsearch alert integration to work using Cydarm’s webhook receiver, you will need to have a Gold tier license for Elastic Cloud.
Steps to set up the integration
1. Create a Webhook Connector in Cydarm
- Go to Settings → Advanced Connectors
- Click Create connector → Select connector type Webhook Endpoint
- Configure:
  - Name: Your webhook name
  - Description: Your description
  - Webhook URL: Your endpoint URL (autogenerated - copy this)
  - Data Format: JSON
  - Case Description Template: {{data.rule_name}} ({{data.alert_count}})
- Save the connector
2. Add Action to Detection Rule in Elastic
- Go to Security → Rules
- Edit your rule → Actions tab
- Create a webhook connector:
  - Name: Cydarm
  - Method: POST
  - Webhook URL: use the one from Cydarm in step 1
  - Authentication: none (the autogenerated Cydarm URL is the only thing gating access to the receiver, so treat it as a secret and do not share it outside the Elastic connector configuration)
  - Add HTTP header:
    - Content-Type: application/json
- Set Action frequency:
  - Summary of alerts - batched notifications at intervals (one POST carries every alert found in that interval)
  - For each alert - immediate per-alert notifications (one POST per alert)
3. Configure the Webhook Body in Elastic
Use this template with ParseHjson to ensure valid JSON output:
{{#ParseHjson}}
{
  "alerts": [
    {{#context.alerts}}
    {
      "id": "{{{_id}}}",
      "timestamp": "{{{@timestamp}}}",
      "severity": "{{{kibana.alert.severity}}}",
      "risk_score": {{{kibana.alert.risk_score}}},
      "status": "{{{kibana.alert.workflow_status}}}",
      "rule": {
        "name": "{{{kibana.alert.rule.name}}}",
        "id": "{{{kibana.alert.rule.uuid}}}",
        "description": "{{{kibana.alert.rule.description}}}",
        "category": "{{{kibana.alert.rule.category}}}"
      },
      "reason": "{{{kibana.alert.reason}}}",
      "source": {
        "host": "{{{agent.name}}}",
        "cloud_provider": "{{{cloud.provider}}}",
        "region": "{{{cloud.region}}}",
        "instance_id": "{{{cloud.instance.id}}}"
      },
      "original_event_time": "{{{kibana.alert.original_time}}}",
      "alert_url": "{{{kibana.alert.url}}}"
    }{{^last}},{{/last}}
    {{/context.alerts}}
  ],
  "rule_name": "{{{rule.name}}}",
  "alert_count": "{{{context.alerts.length}}}",
  "execution_time": "{{{date}}}"
}
{{/ParseHjson}}
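To make the template concrete, here is an added Python example (not Cydarm or Elastic code) that builds the same JSON body from two constructed alert documents, the way the "Summary of alerts" and "For each alert" frequencies deliver it, and then runs the checks a receiving endpoint would apply before rendering the Cydarm case description `{{data.rule_name}} ({{data.alert_count}})`. The alert values, host names, the `kibana.example.test` URL and the rule UUID are constructed placeholders; the field names are the ones the template above reads and emits.

```python
"""Shape of the JSON body the step 3 template produces, plus the checks a
receiving webhook endpoint can run before turning the POST into a case.

Added example, not Cydarm or Elastic code. Output keys follow the template
on this page; the alert documents are constructed samples."""
import json

RULE_NAME = "Suspicious PowerShell Download"
RULE_UUID = "00000000-0000-4000-8000-000000000001"  # placeholder, not a real rule id


def make_alert(n, host, severity, score):
    """Constructed alert document keyed by the Kibana/ECS fields the template reads."""
    return {
        "_id": f"alert-{n:04d}",
        "@timestamp": f"2024-05-01T10:15:{n:02d}.000Z",
        "kibana.alert.severity": severity,
        "kibana.alert.risk_score": score,
        "kibana.alert.workflow_status": "open",
        "kibana.alert.rule.name": RULE_NAME,
        "kibana.alert.rule.uuid": RULE_UUID,
        "kibana.alert.rule.description": "Detects PowerShell fetching remote content",
        "kibana.alert.rule.category": "Custom Query Rule",
        "kibana.alert.reason": f"process event on {host}",
        "agent.name": host,
        "cloud.provider": "aws",
        "cloud.region": "ap-southeast-2",
        "cloud.instance.id": f"i-0123456789abcdef{n}",
        "kibana.alert.original_time": f"2024-05-01T10:14:{58 + n - 1:02d}.000Z",
        "kibana.alert.url": f"https://kibana.example.test/app/security/alerts/redirect/alert-{n:04d}",
    }


SAMPLE_ALERTS = [make_alert(1, "web-01", "high", 73), make_alert(2, "web-02", "medium", 47)]


def alert_to_json(alert):
    """One element of the 'alerts' array, mirroring the template's per-alert block."""
    return {
        "id": alert["_id"],
        "timestamp": alert["@timestamp"],
        "severity": alert["kibana.alert.severity"],
        "risk_score": alert["kibana.alert.risk_score"],  # unquoted in the template: a number
        "status": alert["kibana.alert.workflow_status"],
        "rule": {
            "name": alert["kibana.alert.rule.name"],
            "id": alert["kibana.alert.rule.uuid"],
            "description": alert["kibana.alert.rule.description"],
            "category": alert["kibana.alert.rule.category"],
        },
        "reason": alert["kibana.alert.reason"],
        "source": {
            "host": alert["agent.name"],
            "cloud_provider": alert["cloud.provider"],
            "region": alert["cloud.region"],
            "instance_id": alert["cloud.instance.id"],
        },
        "original_event_time": alert["kibana.alert.original_time"],
        "alert_url": alert["kibana.alert.url"],
    }


def build_payload(alerts, rule_name, execution_time):
    """Whole body. 'Summary of alerts' passes the batch; 'For each alert' passes one."""
    return {
        "alerts": [alert_to_json(a) for a in alerts],
        "rule_name": rule_name,
        "alert_count": str(len(alerts)),  # quoted in the template, so it arrives as a string
        "execution_time": execution_time,
    }


def to_request(payload):
    """Headers and body as the Elastic connector in step 2 would send them."""
    return {"Content-Type": "application/json"}, json.dumps(payload)


REQUIRED_ALERT_KEYS = {"id", "timestamp", "severity", "status", "rule", "reason", "source", "alert_url"}


def validate_payload(headers, body):
    """Receiver-side checks; returns the parsed payload or raises ValueError.
    Plain json.loads suffices: ParseHjson runs inside Elastic before sending,
    so the receiver only ever sees strict JSON."""
    ctype = headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    if ctype != "application/json":
        raise ValueError(f"unexpected Content-Type {ctype!r}")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from None
    alerts = data.get("alerts")
    if not isinstance(alerts, list) or not alerts:
        raise ValueError("payload carries no alerts")
    if str(data.get("alert_count")) != str(len(alerts)):
        raise ValueError("alert_count does not match the alerts array")
    for alert in alerts:
        missing = REQUIRED_ALERT_KEYS - set(alert)
        if missing:
            raise ValueError(f"alert {alert.get('id')!r} missing {sorted(missing)}")
    return data


def case_description(data):
    """Renders the Cydarm template {{data.rule_name}} ({{data.alert_count}})."""
    return f"{data['rule_name']} ({data['alert_count']})"


def highest_risk_score(data):
    """Largest risk_score in the batch; a receiver might map this to case priority."""
    return max(int(a["risk_score"]) for a in data["alerts"])


if __name__ == "__main__":
    headers, body = to_request(build_payload(SAMPLE_ALERTS, RULE_NAME, "2024-05-01T10:15:05.000Z"))
    parsed = validate_payload(headers, body)
    print(case_description(parsed), "max risk", highest_risk_score(parsed))
```

Run it as a script to print the case title the batched form produces; `build_payload(SAMPLE_ALERTS[:1], ...)` models the per-alert frequency, where every POST has `alert_count` equal to "1".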