Watcher is a feature of the Elastic Stack which enables users to send alerts or trigger actions based on certain events or threshold limits within their data. Integrate your Elastic Watches to send information via webhook when certain conditions or thresholds generate an alert.

1. Have configured your elastic instance 

           ***For help with this process please view elastic documentation:              

2. Create Inbound AlertOps Integration 

            1 ) Create an Integration Name 

            2) Use the Elastic Escalation Rule
                     **You will configure this later on so select a random rule

            3) In URL Mapping select POST method and JSON for content 

            4) Enter source as your see fit 

            5) For Source Name enter:  metadata^name 

            6) For Source ID enter: watch_id 

            7) For Source Status enter: metadata 

            8) Use Body for the Open alert When field 

                         A) Select contains any 

                         B) Enter watch_id

3. Configure Elastic Watch (Advanced JSON)

Before continuing with this step, you must have your elastic watch and  
         conditions configured. For help with this process please review Elastic's watcher

            A) Once configured according to your own specific checks, replace the actions                   field with the following based on the template provided below:  

                        1) Change the Name of your watch 

                        2) Change the path to your Elastic integration 

                        3) If wanted, change Throttle period 

                                                a. When a watch’s alerts are acknowledged via alertops,                                                     subsequent messages will stop being sent. In order to                                                       reduce alert noise, you can set a Throttle Period on a                                                         watch in minutes to stop sending messages to alertops f                                                  following one that was sent for the specified time                                                              period. 

                        4) Save Watch 


"actions": {

"Name of your Watch": {

"throttle_period": "0m",

"webhook": {

"scheme": "https",

"host": "",

"port": 443,

"method": "post",

"path": "/Path to /your /Elastic integration",

"params": {},

"headers": {

"Content-Type": "application/json"


"body": "{{#toJson}}ctx{{/toJson}}"





4. Configure Outbound Integration and Outbound Action AlertOps
            A) Select Outbound Integrations from the main menu.
                        1) Select ADD OUTBOUND INTEGRATION 

                        2) Create an Integration Name 

                        3) Select Basic as Web Security Type 

                        4) Generate an API Key in Kibana and place it in the Public Key field of                                your outbound integration 

                        5) Enter your UserName and Password in their respective fields in the                               Outbound Integration Detail and SAVE & CONTINUE 

            B) Configure Outbound Action Method For Outbound Integration
                        1) In your Outbound Integrations Screen Select the Methods tab on the                              bottom portion of the view and select ADD METHOD 

                                                ***This Outbound method is needed to acknowledge                                                            back to AlertOps. You must have a cloud instance of                                                          Elastic in order for alertops to send acknowledgement                                                      back to the source instance. 

                        2) Input a name for the method used to acknowledge 

                        3) Select REST for type 

                        4) Select Standard Alert for Alert Type 

                        5) For URI, use the following format 


                                                ***Only change the hostname in the above URI 

                        6) For Request Type select JSON 

                        7) Select PUT for Web Method 

                        8) Select JSON for Response Data Type 

                        9) Select Update Alert Fields for Response Action. 

5. Configure Workflow with Outbound Action in AlertOps 

            A) Under the Main Menu select Workflows and select ADD WORKFLOW 

                        1) Enter a name for your Workflow 

                        2) For Type Select MessageThread 

                        3) For Alert Type Select Standard Alert and click SAVE & CONTINUE 

                        4) On the bottom portion of the screen select the ACTIONS tab 

                                                a. Under Start Conditions, under Match All Conditions                                                            select ADD 

                                                              1. Select Standard for the Attribute 

                                                              2. Select MessageThreadStatusType for the                                                                            Name 

                                                              3. Select is for the relationship 

                                                              4. And Select Assigned for the Value 

                        5) Underneath Start Conditions, Navigate to the Actions                                                        Section and Select ADD
                                                a. Select Outbound Service Notification 

                                                b. In the Outbound Action dropdown, select the                                                                      Outbound Action you just created within your                                                                     Outbound Integration and select SAVE 

                        6) At the top of the Workflow page, select the Enabled checkbox and                                  click UPDATE 

6. Configure Escalation Rule and add Workflow in AlertOps 

            A) In the main menu select Escalation Rules and click ADD ESCALATION RULE 

                        1) Enter your Rule Name 

                        2) Select the priority you’d like for your specific integration 

                        3) You can enter your own integration description: 

                                                ie. Standard Description: Escalation Rule for Elastic                                                                 Kibana Watcher and Acknowledgement back to                                                                 source system 

                        4) Select Quick Launch and click SAVE & CONTINUE 

                        5) You should see the bottom portion of the screen now. Under                                             WORKFLOWS tab, select ADD WORKFLOW 

                                                a. Select the Workflow you just configured for Elastic 

                        6) Under the OUTBOUND ACTIONS TAB 

                                                a. Select the Outbound Action that you created and                                                              configured in your outbound integration and used in                                                          your workflow 

                        7) Under Services, click ADD SERVICE and select your Outbound                                        Elastic Integration 

7. Return to your Inbound Integration that you initially configured
            A) Select your inbound integration for Elastic and change the escalation rule to                  the one you just created and click UPDATE

Did this answer your question?