Sending Alerts via IPv4 Webhooks

Hello there,

I am new to SearchGuard. I already tried opendistro and I found a problem with webhooks not supporting IPv4 when sending alerts to an internal instance of TheHive.

Does SearchGuard have the same issue? Has anyone tried it before?

Thank you

Hi,
The last time I checked the webhook action in the SearchGuard Signals app, it worked. Here is the doc: Webhook Actions | Alerting for Elasticsearch | Search Guard

There is no issue with IPv4.


I finally got my hands around signals creation. After many errors I got my alert logic to give me back some results; now I am stuck at the action part of my webhook to TheHive.

This is the error I get:

{
  "tenant": "_main",
  "watch_id": "mywatch",
  "status": {
    "code": "ACTION_FAILED",
    "detail": "All actions failed"
  },
  "execution_start": "2020-08-14T15:38:43.514Z",
  "execution_end": "2020-08-14T15:38:43.606Z",
  "actions": [
    {
      "name": "my_webhook_action",
      "status": {
        "code": "ACTION_FAILED",
        "detail": "Web hook returned error: HTTP/1.1 400 Bad Request\n\n{\"type\":\"AttributeCheckingError\",\"message\":\"[Attribute type is missing][Attribute source is missing][Attribute sourceRef is missing][Attribute title is missing][Attribute description is missing]\",\"errors\":[{\"name\":\"type\",\"type\":\"MissingAttributeError\"},{\"name\":\"source\",\"type\":\"MissingAttributeError\"},{\"name\":\"sourceRef\",\"type\":\"MissingAttributeError\"},{\"name\":\"title\",\"type\":\"MissingAttributeError\"},{\"name\":\"description\",\"type\":\"MissingAttributeError\"}]}"
      },
      "error": {
        "message": "Web hook returned error: HTTP/1.1 400 Bad Request\n\n{\"type\":\"AttributeCheckingError\",\"message\":\"[Attribute type is missing][Attribute source is missing][Attribute sourceRef is missing][Attribute title is missing][Attribute description is missing]\",\"errors\":[{\"name\":\"type\",\"type\":\"MissingAttributeError\"},{\"name\":\"source\",\"type\":\"MissingAttributeError\"},{\"name\":\"sourceRef\",\"type\":\"MissingAttributeError\"},{\"name\":\"title\",\"type\":\"MissingAttributeError\"},{\"name\":\"description\",\"type\":\"MissingAttributeError\"}]}"
      },
      "execution_start": "2020-08-14T15:38:43.524Z",
      "execution_end": "2020-08-14T15:38:43.599Z"
    }
  ],
  "node": "elk-sg",
  "_id": "vsaf7XMB7DSIF7OVjucZ",
  "_index": ".signals_log_2020.08.14"
}

This is my action:

"actions": [{
  "type": "webhook",
  "name": "my_webhook_action",
  "request": {
    "url": "http://192.168.20.220:9000/api/alert",
    "method": "POST",
    "body": "{\"text\": \"Powershell Process was created {{data.PowershellProcessCreation.hits.hits.length}} time over the last {{data.myconstants.window}}\"}\n",
    "headers": {
      "Content-Type": "application/json",
      "Authorization": "Bearer 3H9GBe6Xxkz+55wilOMn0TZZReMCPBW5"
    }
  }
}]

Thank you

The search on the watch gives me matches on process creation:

But the action is the only point of failure for me right now.

These are required by TheHive; I just figured this out. Sorry!

I'm gonna leave this here for anyone like me who is new to this and trying to figure out how to send alerts from SearchGuard to TheHive:

"actions": [{
  "type": "webhook",
  "name": "my_webhook_action",
  "request": {
    "url": "http://<THEHIVE_IP>:9000/api/alert",
    "method": "POST",
    "body": "{\"title\": \"Title Example\",\n \"description\": \"Description Example\",\n \"type\": \"external\",\n \"source\": \"sourceexample\",\n \"sourceRef\": \"searchguard-signal\"}\n",
    "headers": {
      "Content-Type": "application/json",
      "Authorization": "Bearer <YOUR API KEY>"
    }
  }
}]

Thank you!


One thing to take note of is that TheHive creates an internal alert ID from an MD5 hash value of {type, source, sourceRef}. So one of them should be unique in order to keep generating an alert every time something is detected.

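To tie the two points above together (the five attributes TheHive rejected the first body for, and the uniqueness requirement on {type, source, sourceRef}), here is an added example that is not code from the thread or from Search Guard or TheHive: it checks a webhook body for the required attributes, builds a body whose sourceRef embeds the watch id and execution timestamp so every execution yields a distinct alert, and computes the dedup digest. The watch id, timestamp, hit count and window are constructed sample values, and the exact way TheHive concatenates the triple before hashing is an assumption.

```python
import hashlib
import json

# Attributes TheHive's /api/alert endpoint reported as missing in the
# HTTP 400 AttributeCheckingError shown in the thread.
REQUIRED_ALERT_ATTRIBUTES = ("type", "source", "sourceRef", "title", "description")


def missing_alert_attributes(body):
    """Return the required TheHive alert attributes absent from a JSON body string."""
    payload = json.loads(body)
    return [name for name in REQUIRED_ALERT_ATTRIBUTES if name not in payload]


def build_alert_body(watch_id, execution_start, hit_count, window):
    """Build the body a Signals webhook action should POST to /api/alert.

    sourceRef embeds the watch id and execution timestamp so that each
    execution produces a distinct {type, source, sourceRef} triple and
    TheHive does not collapse new detections into an earlier alert.
    hit_count and window stand in for the {{data...}} values the original
    action interpolated (constructed sample values here).
    """
    alert = {
        "title": "Powershell process creation detected",
        "description": (
            f"Powershell process was created {hit_count} time(s) "
            f"over the last {window}"
        ),
        "type": "external",
        "source": "searchguard-signals",
        "sourceRef": f"{watch_id}-{execution_start}",
    }
    return json.dumps(alert)


def alert_dedup_key(body):
    """MD5 over the {type, source, sourceRef} triple of a JSON body string.

    Models the alert-ID derivation described in the thread; the separator
    used to join the three fields is an assumption made for this example.
    """
    payload = json.loads(body)
    triple = "|".join(payload[k] for k in ("type", "source", "sourceRef"))
    return hashlib.md5(triple.encode()).hexdigest()
```

Running missing_alert_attributes on the first action body from the thread ({"text": ...}) returns all five names in the same order as the error message, while a body from build_alert_body returns an empty list.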

@H1L021 thank you for the feedback.