Version: 7.x-36.0.0

This is a technical preview. Technical preview features are not fully supported, may not be functionally complete, and are not suitable for deployment in production. We encourage you to try them out and provide your feedback, good and bad, on the Search Guard forum. This will help us improve and add any features you might be missing.

HTTP input

An HTTP input pulls in data by accessing an HTTP endpoint. Most commonly, this will be a REST API.

Data from all inputs can be combined using Transformations and Calculations, used in Conditions, and pushed to action endpoints.

For example, if you aggregate data from the Search Guard Audit Log, you can use an HTTP input to retrieve Geo Data information for the logged IP addresses and enrich the data from the audit log.

Example

{
  "trigger": { ... },
  "checks": [{
    "type": "http",
    "name": "testhttp",
    "target": "samplejson",
    "request": {
      "url": "https://jsonplaceholder.typicode.com/todos/1",
      "method": "GET",
      "auth": {"type":"basic","username":"admin","password":"admin"}
    }
  }],
  "actions": [ ... ]
}

| Name | Description |
|---|---|
| type | http, defines this input as HTTP input type |
| target | The name under which the data is available in later execution steps. |
| request | The HTTP request details |
| request.url | The URL for this HTTP input |
| request.method | One of: GET, PUT, POST, DELETE |
| request.auth | Optional. The authentication method for the HTTP request. |
| request.body | The body of the HTTP request. Optional. Mustache templates can be used to render attributes from the watch runtime data. |

Accessing HTTP input data in the execution chain

In this example, the return values from the HTTP call can be accessed in later execution steps like:

data.samplejson.mykey

Dynamic Endpoints

The HTTP endpoint in the request.url attribute cannot itself be changed dynamically. However, you can use the configuration attributes request.path and request.query_params to define the respective parts of the URL using Mustache templates. The resulting path and/or query parameters then override the respective parts of the URL defined in request.url.

{
  "trigger": { ... },
  "checks": [{
    "type": "http",
    "name": "testhttp",
    "target": "samplejson",
    "request": {
      "method": "GET",
      "url": "https://jsonplaceholder.typicode.com/",
      "path": "todos/",
      "auth": {"type":"basic","username":"admin","password":"admin"}
    }
  }],
  "actions": [ ... ]
}

Authentication

Authentication credentials are configured in the auth section of the request configuration. At the time of writing, the only authentication method is HTTP Basic Authentication.

Technical Preview Limitations

In the current version of the tech preview, the password is stored unencrypted and returned verbatim when the watch is retrieved using the REST API. Future versions will provide a more secure way of storing authentication data.

Advanced Functionality

Furthermore, HTTP inputs provide these configuration options:

connection_timeout: Specifies the time after which an attempt to establish a connection times out. Optional. Specified in seconds.

read_timeout: Specifies the timeout for reading the response data after a connection has already been established. Optional. Specified in seconds.

Security Considerations

Keep in mind that webhook actions allow sending arbitrary HTTP requests from Elasticsearch nodes. We are working on mechanisms to define restrictions on the use of webhook actions and the allowed endpoints.
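
Until such restrictions and secure credential storage exist, watch definitions can be reviewed before they are deployed. The following is an added example, not Search Guard code: it audits a watch in the JSON format shown on this page for embedded passwords, non-HTTPS or non-allowlisted endpoints, templated URL parts and missing timeouts. The allowlist, the second sample check, its host name and the {{data.ip}} template are assumptions, and because this page does not show where the timeout options are placed, the script accepts them at either level.

```python
import json
from urllib.parse import urlsplit

# Assumption: hosts your organisation permits watches to call (hypothetical allowlist).
ALLOWED_HOSTS = {"jsonplaceholder.typicode.com"}

# Constructed sample watch in the format shown on this page (trigger/actions left empty).
SAMPLE_WATCH = json.loads("""
{
  "trigger": {},
  "checks": [
    {"type": "http", "name": "testhttp", "target": "samplejson",
     "request": {"url": "https://jsonplaceholder.typicode.com/todos/1", "method": "GET",
                 "auth": {"type": "basic", "username": "admin", "password": "admin"}}},
    {"type": "http", "name": "geo", "target": "geo",
     "connection_timeout": 5, "read_timeout": 10,
     "request": {"url": "http://geo.example.internal/", "method": "GET",
                 "path": "lookup/{{data.ip}}"}}
  ],
  "actions": []
}
""")

def audit_watch(watch):
    """Return (check name, finding) pairs for every HTTP input in a watch definition."""
    findings = []
    for check in watch.get("checks", []):
        if check.get("type") != "http":
            continue
        name = check.get("name", "<unnamed>")
        req = check.get("request", {})
        url = urlsplit(req.get("url", ""))
        if req.get("auth", {}).get("password"):
            findings.append((name, "plaintext password stored in watch"))
        if url.scheme != "https":
            findings.append((name, "endpoint is not HTTPS"))
        if url.hostname not in ALLOWED_HOSTS:
            findings.append((name, f"host not on allowlist: {url.hostname}"))
        for part in ("path", "query_params"):
            # Mustache-templated parts override request.url at run time.
            if "{{" in json.dumps(req.get(part, "")):
                findings.append((name, f"request.{part} is templated from runtime data"))
        for timeout in ("connection_timeout", "read_timeout"):
            if timeout not in req and timeout not in check:  # either level accepted
                findings.append((name, f"{timeout} not set"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_watch(SAMPLE_WATCH):
        print(f"{name}: {finding}")
```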

