Watcher is a feature of the Elastic Stack that sends alerts or triggers actions when conditions or thresholds in your data are met. This guide integrates Elastic watches with AlertOps: a watch posts its execution context to an AlertOps inbound integration via webhook, and AlertOps acknowledges the watch back in Elastic through an outbound action.
1. Configure your Elastic instance
***For help with this process please see the Elastic documentation:
https://www.elastic.co/guide/index.html
2. Create Inbound AlertOps Integration
1) Create an Integration Name
2) Use the Elastic Escalation Rule
**You will configure this later on (step 6), so select any existing rule as a placeholder for now
3) In URL Mapping select the POST method and JSON for content
4) Enter the Source as you see fit
5) For Source Name enter: metadata^name
6) For Source ID enter: watch_id
7) For Source Status enter: metadata
8) Use Body for the Open alert When field
A) Select contains any
B) Enter watch_id
3. Configure Elastic Watch (Advanced JSON)
***Before continuing with this step, you must have your Elastic watch and its
conditions configured. For help with this process please review Elastic's Watcher
documentation: https://www.elastic.co/guide/en/kibana/current/watcher-ui.html
A) Once the watch is configured for your own checks, replace its actions field with the template below:
1) Change the name of your watch (the action key)
2) Change the path to your AlertOps inbound integration
3) If wanted, change the throttle period
a. After the action fires, Watcher will not fire it again until the throttle period has elapsed, so setting a Throttle Period in minutes (the template uses "0m", i.e. none) stops repeat messages to AlertOps while the condition stays true. Separately, when the alert is acknowledged in AlertOps, the outbound action configured in step 4 acknowledges the watch action in Elastic, and Watcher suppresses further messages for that action until its condition becomes false again.
4) Save the watch
**************************************************************************************************************
"actions": {
  "Name of your Watch": {
    "throttle_period": "0m",
    "webhook": {
      "scheme": "https",
      "host": "notify.alertops.com",
      "port": 443,
      "method": "post",
      "path": "/Path to /your /Elastic integration",
      "params": {},
      "headers": {
        "Content-Type": "application/json"
      },
      "body": "{{#toJson}}ctx{{/toJson}}"
    }
  }
},
**************************************************************************************************************
4. Configure Outbound Integration and Outbound Action in AlertOps
A) Select Outbound Integrations from the main menu.
1) Select ADD OUTBOUND INTEGRATION
2) Create an Integration Name
3) Select Basic as the Web Security Type
4) Generate an API Key in Kibana and place it in the Public Key field of your outbound integration
5) Enter your Username and Password in their respective fields in the Outbound Integration Detail and click SAVE & CONTINUE
B) Configure Outbound Action Method For Outbound Integration
1) In your Outbound Integrations screen select the Methods tab on the bottom portion of the view and select ADD METHOD
***This outbound method is what lets AlertOps acknowledge the watch back in Elastic (the source system). Your Elastic instance must be a cloud instance, i.e. its API endpoint must be reachable from AlertOps, for the acknowledgement to reach it.
2) Input a name for the method used to acknowledge
3) Select REST for type
4) Select Standard Alert for Alert Type
5) For URI, use the following format
***Only change the hostname in the above URI
6) For Request Type select JSON
7) Select PUT for Web Method
8) Select JSON for Response Data Type
9) Select Update Alert Fields for Response Action.
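The following is an added example, not code from the AlertOps page or from Elastic or AlertOps, that ties steps 2, 3 and 4.B together in Python: it builds a complete watch around the webhook action template from step 3, applies the inbound field mapping from step 2 to the JSON body the webhook delivers, and builds the acknowledge call behind the outbound method in step 4.B. The trigger, input and condition of the watch, the sample execution context, the Elasticsearch URL and the watch name "failed-logins" are all assumptions; the acknowledge path uses the public Watcher API (PUT _watcher/watch/<watch_id>/_ack/<action_id>), which is also an assumption, since the page leaves the exact URI to the integration screen.

```python
"""Added example (not from the AlertOps page or either vendor): builds the watch
from step 3, applies the step 2 inbound field mapping to the JSON the webhook
delivers, and builds the Watcher acknowledge call behind step 4.B."""
import json

ALERTOPS_HOST = "notify.alertops.com"
# Placeholder copied from the page; the real path comes from your inbound integration.
ALERTOPS_PATH = "/Path to /your /Elastic integration"


def build_watch(name, alertops_path, throttle="0m"):
    """Complete watch body: a minimal trigger/input/condition (assumed, not from the
    page) wrapped around the page's webhook action template. The action key and
    metadata.name both carry the watch name, which the inbound mapping reads as
    Source Name (metadata^name)."""
    return {
        "trigger": {"schedule": {"interval": "5m"}},
        "input": {"search": {"request": {
            "indices": ["logs-*"],
            "body": {"query": {"match": {"event.outcome": "failure"}}}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "metadata": {"name": name},
        "actions": {
            name: {
                "throttle_period": throttle,
                "webhook": {
                    "scheme": "https",
                    "host": ALERTOPS_HOST,
                    "port": 443,
                    "method": "post",
                    "path": alertops_path,
                    "params": {},
                    "headers": {"Content-Type": "application/json"},
                    # Serialises the whole execution context, so watch_id and
                    # metadata arrive at AlertOps without any extra templating.
                    "body": "{{#toJson}}ctx{{/toJson}}",
                },
            }
        },
    }


def watch_json(watch):
    """Serialise for PUT _watcher/watch/<id>; also proves the body is valid JSON."""
    text = json.dumps(watch, indent=2)
    json.loads(text)
    return text


# Constructed sample of what Watcher delivers for the body above (shape follows
# Watcher's execution context: watch_id, metadata, payload, ...). Not real data.
SAMPLE_CTX = {
    "watch_id": "failed-logins",
    "id": "failed-logins_0-2024-01-01T00:00:00.000Z",
    "execution_time": "2024-01-01T00:00:00.000Z",
    "trigger": {"triggered_time": "2024-01-01T00:00:00.000Z",
                "scheduled_time": "2024-01-01T00:00:00.000Z"},
    "metadata": {"name": "failed-logins"},
    "payload": {"took": 3, "hits": {"total": 7, "hits": []}},
    "vars": {},
}


def sample_body():
    """The raw webhook body as AlertOps would receive it (constructed)."""
    return json.dumps(SAMPLE_CTX)


def resolve(payload, path):
    """Walk a '^'-separated field path such as 'metadata^name', the separator the
    page's Source Name mapping uses (treated here as a nested-field delimiter)."""
    node = payload
    for key in path.split("^"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def map_inbound(body):
    """Apply the step 2 mapping to the raw webhook body."""
    payload = json.loads(body)
    return {
        "source_name": resolve(payload, "metadata^name"),
        "source_id": resolve(payload, "watch_id"),
        "source_status": resolve(payload, "metadata"),
        # 'Open alert when Body contains any: watch_id'
        "open_alert": "watch_id" in body,
    }


def ack_request(es_base_url, fields):
    """Method and URL for the acknowledge call the step 4.B outbound method makes.
    Assumption: the public Watcher API PUT _watcher/watch/<watch_id>/_ack/<action_id>;
    the page leaves the exact URI to the integration screen, so confirm it there."""
    return "PUT", f"{es_base_url}/_watcher/watch/{fields['source_id']}/_ack/{fields['source_name']}"


if __name__ == "__main__":
    print(watch_json(build_watch("failed-logins", ALERTOPS_PATH, "15m")))
    fields = map_inbound(sample_body())
    print(fields)
    print(ack_request("https://es.example.com:9243", fields))
```

Because the webhook body is the whole execution context, the inbound mapping works for any watch as long as its metadata carries a name and the action key matches it; that shared name is what the acknowledge call uses as the action id, so keep the two identical when you rename the watch.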
5. Configure Workflow with Outbound Action in AlertOps
A) Under the Main Menu select Workflows and select ADD WORKFLOW
1) Enter a name for your Workflow
2) For Type Select MessageThread
3) For Alert Type Select Standard Alert and click SAVE & CONTINUE
4) On the bottom portion of the screen select the ACTIONS tab
a. Under Start Conditions, under Match All Conditions select ADD
1. Select Standard for the Attribute
2. Select MessageThreadStatusType for the Name
3. Select is for the relationship
4. And Select Assigned for the Value
5) Underneath Start Conditions, Navigate to the Actions Section and Select ADD
a. Select Outbound Service Notification
b. In the Outbound Action dropdown, select the Outbound Action you just created within your Outbound Integration and select SAVE
6) At the top of the Workflow page, select the Enabled checkbox and click UPDATE
6. Configure Escalation Rule and add Workflow in AlertOps
A) In the main menu select Escalation Rules and click ADD ESCALATION RULE
1) Enter your Rule Name
2) Select the priority you’d like for your specific integration
3) Optionally enter your own integration description, e.g.:
Escalation Rule for Elastic Kibana Watcher and acknowledgement back to the source system
4) Select Quick Launch and click SAVE & CONTINUE
5) You should see the bottom portion of the screen now. Under WORKFLOWS tab, select ADD WORKFLOW
a. Select the Workflow you just configured for Elastic
6) Under the OUTBOUND ACTIONS TAB
a. Select the Outbound Action that you created and configured in your outbound integration and used in your workflow
7) Under Services, click ADD SERVICE and select your Outbound Elastic Integration
7. Return to the Inbound Integration you configured in step 2
A) Select your inbound integration for Elastic, change its escalation rule to the one you just created, and click UPDATE