Elastic Alerts
The built-in Elastic Alerts triggers initiate a flow when they receive a request from an Elastic Kibana action. Use the Elastic Alerts (Connector) trigger with the xMatters Connector in Elastic v8.2 or later, or use the Elastic Alerts (Webhook) trigger with a generic webhook from Elastic.
Add the trigger to the canvas
The following instructions describe how to add Elastic Alerts (Connector) and Elastic Alerts (Webhook) triggers to your Flow Designer canvas.
- Go to the Triggers tab in the palette, expand the App Triggers section, and drag the Elastic Alerts (Connector) trigger onto the canvas.
- Double-click the trigger (or click the pencil icon).
- Set the authenticating user, and then copy the URL — you'll use this to set up the xMatters Connector in Elastic. Alternatively, you can create an integration user to use as the authenticating user.
- Click the Flood Control tab to edit the trigger's default flood control settings. For more information about these settings, see Trigger Flood Control.
- Click Done.
- On the flow canvas, connect the steps you want to run when xMatters receives a request from the xMatters Connector in Elastic.
You're now ready to configure Elastic to target the trigger.
- Go to the Triggers tab in the palette, expand the App Triggers section, and drag the Elastic Alerts (Webhook) trigger onto the canvas.
- Double-click the trigger (or click the pencil icon).
- Set the authenticating user, and then copy the URL and Configuration Payload — you'll use these to set up the webhook in Elastic. Alternatively, you can create an integration user to use as the authenticating user.
- Click the Flood Control tab to edit the trigger's default flood control settings. For more information about these settings, see Trigger Flood Control.
- Click Done.
- On the flow canvas, connect the steps you want to run when xMatters receives a request to that URL.
You're now ready to configure Elastic to target the trigger.
Configure Elastic to send requests to the trigger URL
To have Elastic send alerts to the flow trigger, you need to configure a webhook and set it to use the trigger URL. You can use either the xMatters connector in Elastic for v8.2 or later, or configure a generic webhook.
- In Elastic, select the project you want to connect to xMatters.
- Under Kibana, select Stack Management.
- Click Alerts and Actions, then select Connectors from the left-hand menu.
- Select xMatters from the list of available connectors.
- On the xMatters connector window, give the connector a unique name.
- Select whether to use Basic or URL Authentication.
- For Basic Authentication:
  - Initiation URL: paste the trigger URL you copied from the Elastic Alerts (Connector) trigger in Flow Designer. Add the target names of any recipients you want to notify when the alert fires to the end of the URL using a question mark.
  - For example, if you want to notify Barry Gull and the on-call members in the group responsible for the Cassiopeia service, you'd add ?recipients=bgull,cassiopeia to the end of the URL.
  - You must URL-encode any special characters or spaces in the target names.
  - Enter the Username and Password for the authenticating user.
- For URL Authentication:
  - Initiation URL: paste the xMatters trigger URL you copied from the Elastic Alerts (Connector) trigger in Flow Designer. Because this URL already includes a query string, add the target names of any recipients you want to notify when the alert fires to the end of the URL using an ampersand.
  - For example, if you want to notify Emma Pearson and the on-call members in the group responsible for the Antares service, you'd add &recipients=epearson,antares to the end of the URL.
  - You must URL-encode any special characters or spaces in the target names.
- Click Save, or Save & test to test the connector.
If you click Save & test, the Edit connector window opens, and you can set parameters for your test.
- Use the Severity drop-down menu to select a severity level.
- Add any optional tags.
- Click Run to run the test.
- Click Save & close.
The connector sends the test request to xMatters and the results of the test are displayed in the Results section of the window.
You're ready to use the connector to trigger automated flows, including steps such as sending alerts and initiating incidents, though we always recommend testing before putting things into use.
- In Elastic, select the project you want to connect to xMatters.
- Under Kibana, select Stack Management.
- Click Alerts and Actions, then select Connectors from the left-hand menu.
- In the URL field, paste the xMatters trigger URL you copied from the Elastic Alerts (Webhook) trigger in Flow Designer.
- Add the target names of any recipients you want to notify when the alert fires.
- For example, if you want to notify Emma Pearson, Mary McBride, and the on-call members in the Monitor Team responsible for the service, you'd add ?recipients=epearson,mmcbride,monitor%20team to the URL.
- You must URL-encode any special characters or spaces in the target names.
- If you use Basic Authentication, complete the Authentication information. If you're using URL Authentication, turn this toggle off.
- Click Save, or Save & test to test the webhook.
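The recipients parameter described in the connector steps (question mark for Basic Authentication, ampersand for URL Authentication) and in the generic webhook steps above, as an added example that is not xMatters or Elastic product code. EXAMPLE_TRIGGER_URL is a constructed placeholder; real trigger URLs are copied from Flow Designer.

```python
"""Build and decode the recipients query parameter on an xMatters trigger URL.

Added example, not xMatters or Elastic product code.  EXAMPLE_TRIGGER_URL is a
constructed placeholder; real trigger URLs are copied from Flow Designer.
"""
from urllib.parse import parse_qsl, quote, urlsplit

EXAMPLE_TRIGGER_URL = "https://example.xmatters.com/api/integration/1/functions/TRIGGER-ID/triggers"


def build_trigger_url(trigger_url: str, recipients: list) -> str:
    """Append recipients=... to a trigger URL the way the page describes.

    Each target name is URL-encoded on its own (a space becomes %20) while the
    commas between targets stay literal, giving the page's form
    recipients=epearson,mmcbride,monitor%20team.  If the URL already carries a
    query string, as a URL-authentication trigger URL does, the parameter is
    joined with an ampersand instead of a question mark.
    """
    cleaned = [name.strip() for name in recipients if name and name.strip()]
    if not cleaned:
        raise ValueError("at least one recipient target name is required")
    encoded = ",".join(quote(name, safe="") for name in cleaned)
    separator = "&" if urlsplit(trigger_url).query else "?"
    return f"{trigger_url}{separator}recipients={encoded}"


def recipients_from_url(url: str) -> list:
    """Decode the recipients parameter back into target names (receiver side)."""
    params = dict(parse_qsl(urlsplit(url).query))
    return [name for name in params.get("recipients", "").split(",") if name]
```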
Now we need to create two alert actions: one that sends a signal to trigger xMatters when something has happened in Elastic, and the other that tells xMatters the trigger is cleared in Elastic. First, let's create an Alert action.
- In the Alerts and Actions section, click Create alert and select Webhook from the list of options.
- On the Create alert page, fill in the following fields:
- Name: xMatters
- Alert type: Select an alert type from the list of available options.
- To create an alert signal, under Actions expand the webhook connector you just created.
- From the Run when drop-down menu, select the alert type you want to send. For example, Threshold met.
- In the Body field, paste the Configuration Payload you copied from the Elastic Alerts (Webhook) trigger on the Flow Designer canvas:
{
"alertActionGroup": "{{alertActionGroup}}",
"alertActionGroupName": "{{alertActionGroupName}}",
"alertId": "{{alertId}}",
"alertInstanceId": "{{alertInstanceId}}",
"alertName": "{{alertName}}",
"date": "{{date}}",
"spaceId": "{{spaceId}}",
"tags": "{{tags}}"
}
- Click Save.
You'll then need to create another action that becomes the Clear signal.
- In the Alerts and Actions section, click Create alert and select Webhook from the list of options.
- Under Actions, select the webhook connector you created.
- Click the Run when drop-down menu and select Recovered.
- In the Body field, paste the Configuration Payload you copied from the Elastic Alerts (Webhook) trigger on the Flow Designer canvas:
{
"alertActionGroup": "{{alertActionGroup}}",
"alertActionGroupName": "{{alertActionGroupName}}",
"alertId": "{{alertId}}",
"alertInstanceId": "{{alertInstanceId}}",
"alertName": "{{alertName}}",
"date": "{{date}}",
"spaceId": "{{spaceId}}",
"tags": "{{tags}}"
}
- Click Save.
The completed actions are listed in the Actions section.
You're ready to use the webhook to trigger automated flows, including steps such as sending alerts and initiating incidents, though we always recommend testing before putting things into use.
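How the Configuration Payload pasted into the two actions above turns into the Alert and Clear signals a flow branches on (the Signal Mode output in the tables that follow), as an added example that is not xMatters or Elastic product code. The alert context is constructed; the mode labels "alert"/"clear", the JSON-escaping stand-in for Kibana's mustache rendering, and the signal ID format are this example's own assumptions.

```python
"""Render the Elastic Alerts (Webhook) Configuration Payload and classify it.

Added example, not xMatters or Elastic product code.  The alert context is
constructed; the mode labels "alert"/"clear" and the signal ID format are
this example's own assumptions for the two actions the page configures.
"""
import json
import re

# The Configuration Payload exactly as pasted into the Kibana action Body field.
PAYLOAD_TEMPLATE = """{
"alertActionGroup": "{{alertActionGroup}}",
"alertActionGroupName": "{{alertActionGroupName}}",
"alertId": "{{alertId}}",
"alertInstanceId": "{{alertInstanceId}}",
"alertName": "{{alertName}}",
"date": "{{date}}",
"spaceId": "{{spaceId}}",
"tags": "{{tags}}"
}"""
EXPECTED_KEYS = set(re.findall(r"\{\{(\w+)\}\}", PAYLOAD_TEMPLATE))


def render_payload(context: dict) -> str:
    """Stand-in for Kibana's mustache rendering of {{variable}} placeholders.
    Values are JSON-escaped so a quote in an alert name cannot break the body
    (Kibana's own escaping rules are not modelled here)."""
    def substitute(match: re.Match) -> str:
        value = str(context.get(match.group(1), ""))
        return json.dumps(value)[1:-1]  # escape, then drop the surrounding quotes
    return re.sub(r"\{\{(\w+)\}\}", substitute, PAYLOAD_TEMPLATE)


def classify_signal(body: str) -> dict:
    """Parse a received body into the fields a flow would branch on.
    Signal mode follows Alert Action Group Name, as the trigger's Signal Mode
    output does: Recovered is the clear action, anything else is an alert."""
    payload = json.loads(body)
    missing = EXPECTED_KEYS - set(payload)
    if missing:
        raise ValueError(f"payload missing keys: {sorted(missing)}")
    mode = "clear" if payload["alertActionGroupName"] == "Recovered" else "alert"
    return {
        "signal_mode": mode,
        # Assumed correlation key: rule id plus the instance that fired.
        "signal_id": f'{payload["alertId"]}:{payload["alertInstanceId"]}',
        "rule_name": payload["alertName"],
        "tags": [tag for tag in payload["tags"].split(",") if tag],
    }
```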
Outputs
The Elastic Alerts (Connector) trigger has the following outputs you can use as inputs to steps further along the flow.
Label | Description |
---|---|
Recipients | List of targeted recipients. Recipients are set by adding a recipients query parameter to the trigger URL when you configure the connector in Elastic. See the configuration instructions for more details. |
Signal Mode | Determines the flow path to follow, based on the value of the Alert Action Group Name parameter. |
Signal ID | Key or identifier used to terminate or correlate alerts. |
Alert Action Group Name | Name of the alert action group that scheduled actions for the alert. |
Date | Date the alert scheduled the action in ISO format. |
Rule Name | Name of the Elastic rule. |
Severity | xMatters severity level set in the Elastic connector. |
Space ID | Unique ID of the alert space in Elastic. |
Tags | Comma-separated list of tags for the alert as provided by Elastic. |
Raw Request | JSON representation of the request that can be parsed separately to get additional context on outputs. |
The Elastic Alerts (Webhook) trigger has the following outputs you can use as inputs to steps further along the flow.
Label | Description |
---|---|
Recipients | List of targeted recipients. Recipients are set by adding a recipients query parameter to the trigger URL when you configure the webhook in Elastic. See the instructions for configuring the webhook for details. |
Signal Mode | Determines the flow path to follow, based on the value of the Alert Action Group Name parameter. |
Signal ID | Key or identifier used to terminate or correlate alerts. |
Alert Action Group Name | Name of the alert action group that scheduled actions for the alert. |
Alert ID | Unique ID of the alert. |
Alert Instance ID | ID of the Elastic alert instance that scheduled actions for the alert. |
Alert Name | Name of the alert. |
Date | Date the alert scheduled the action in ISO format. |
Space ID | Unique ID of the alert space in Elastic. |
Tags | Comma-separated list of tags for the alert as provided by Elastic. |
Raw Request | JSON representation of the request that can be parsed separately to get additional context on outputs. |