Is it possible for an alert to trigger an action (script)?

[mskarshinski]

I would like to configure alerts that meet a certain criteria to trigger a script consisting of a series of API calls. I watched the YT SOAR tutorial using n8n/theHive but I couldn't figure out how they were latching into SO. My idea would be to automatically create tickets in my RMM for alerts that I have deemed critical or worthy of exploration.

[reyesj2]

You might be able to do something with elastalert2 https://elastalert2.readthedocs.io/en/latest/alerts.html#http-post https://docs.securityonion.net/en/2.4/elastalert.html

Similar to the youtube video you mentioned you could create an elastalert2 rule similar to below

name: Send critical alerts to ticketing system
type: any
index: "logs-*"
filter:
- query:
    query_string:
      query: "tags: alert AND event.severity_label: high"
alert: post
http_post_url: "http://example.com/api"
http_post_static_payload:
  apikey: abc123

[mskarshinski]

Thank you Jorge! I’m hoping to have some time later this week to revisit this. I think what you posted is exactly what I’m looking for. Marc