Skip to main content

Search

How do I configure Webhook notifications for Elastic SIEM?

Overview

Canary supports outgoing Webhooks from your Console to an endpoint of your choice. This event-driven approach ensures that alerts are sent to you as they happen!

In this guide, we’ll send data to your Elastic Stack instance, using a Thinkst Canary Generic Webhook.

1. Create Agent Policy in Elastic Fleet

  1. Go to Assets > Fleet > Policies.
  2. Click Create Agent Policy.
  3. Name it something like FleetOps
  4. Ensure "Collect system logs and metrics" is enabled.
  5. Click Create agent policy.
create agent 1 .png
Create Agent 2.png

2. Set Up the HTTP Integration

  1. Inside FleetOps, click Add integration.
  2. Search for HTTP.
  3. Choose Custom HTTP Endpoint Logs.
  4. Click Add Custom HTTP Endpoint Logs.
  5. Name your integration (e.g. http_endpoint-2).
  6. Under Change defaults:
    1. Listen address: 127.0.0.1
    2. Listen port: 8080 (or your preferred port)
    3. Dataset name: leave as default or customise
  7. Click Save and continue, then Save integration.
Add 1.png

add 2.png

add last.png

3. Enrol the Elastic Agent

You can install the Elastic Agent on any supported operating system, but the example below covers installation and enrollment on a Linux-based EC2 instance.

  1. In Kibana, go to Fleet > Agents. and click Add agent.
  2. Copy the curl and install commands shown for Linux x86_64.
  3. SSH into your EC2 instance and run:
# curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.0.0-linux-x86_64.tar.gz
# tar xzvf elastic-agent-9.0.0-linux-x86_64.tar.gz
# cd elastic-agent-9.0.0-linux-x86_64
# sudo ./elastic-agent install --url=<fleet-url> --enrollment-token=<your-token>
  1. After installation, your agent should appear as healthy in the Elastic UI under the FleetOps policy.

1 Agent.png

2 Agent.png

Last Agent.png

4. Configure TLS 

To ensure secure communication, it’s important to expose the Elastic Agent endpoint over HTTPS. This is the safest and recommended approach, especially for production environments.

  1. Obtaining a TLS certificate using your preferred method (e.g., Let’s Encrypt, a commercial CA, or internal PKI).
  2. Setting up a web server or reverse proxy (such as Caddy, Nginx, or Apache) to handle TLS termination and route traffic securely to the Elastic Agent.

The Elastic Agent should be bound to a local interface (e.g., 127.0.0.1:8080). Your reverse proxy should securely expose the agent endpoint over port 443 (HTTPS). Use firewall rules to ensure that only port 443 is accessible externally, while the internal agent port remains private.

  1. Add EC2 Public IP as a Webhook in Thinkst Canary
  2. In the Thinkst Canary Console, go to Settings > Webhooks.
  3. Click Add new Generic Webhook.
  4. Paste the webhook URL: https://<your-domain-or-ec2-ip>/ 

Untitled design (8).png width=

You're done! ;)

Was this article helpful?
0 out of 0 found this helpful
Return to top