Elastic Security is the SIEM capability built into the Elastic Stack. Calseta receives Elastic alerts via webhook actions and normalizes them for agent consumption.
Ingestion Endpoint
Setting Up the Webhook
Detection Rule Webhook Action
- In Kibana, go to Security → Rules
- Edit the detection rule you want to forward
- Under Actions, add a Webhook action
- Configure:
  - URL: `https://your-calseta-host/v1/ingest/elastic`
  - Method: `POST`
  - Headers: `Authorization: Bearer cai_your_api_key`
  - Body: Use the default alert JSON template
Connector Setup
If you haven’t created a webhook connector:
- Go to Stack Management → Connectors
- Create a Webhook connector
- Set the URL and authentication headers
- Reference this connector in your detection rule actions
Calseta expects the standard Elastic Security alert format. Key field mappings:
| Elastic Field | Calseta Field |
|---|---|
| `signal.rule.name` or `kibana.alert.rule.name` | `title` |
| `signal.rule.severity` or `kibana.alert.severity` | `severity` |
| `@timestamp` | `occurred_at` |
| `signal.rule.threat` | Mapped to `mitre_tactics` / `mitre_techniques` |
Severity Mapping
| Elastic | Calseta |
|---|---|
| low | Low (2) |
| medium | Medium (3) |
| high | High (4) |
| critical | Critical (5) |
The Elastic plugin extracts indicators from:
- `source.ip`, `destination.ip` (network indicators)
- `user.name`, `user.email` (account indicators)
- `file.hash.md5`, `file.hash.sha1`, `file.hash.sha256` (file hash indicators)
- `url.full`, `url.domain` (URL and domain indicators)
- Custom field mappings against `raw_payload`
Webhook Signature Verification
Set `ELASTIC_WEBHOOK_SECRET` in your `.env` file. Configure the same secret in the Elastic webhook connector’s authentication settings.
Example Payload
```json
{
  "@timestamp": "2025-01-15T10:28:00Z",
  "signal": {
    "rule": {
      "name": "Brute Force Login Attempts",
      "severity": "high",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": { "id": "TA0006", "name": "Credential Access" },
          "technique": [{ "id": "T1110", "name": "Brute Force" }]
        }
      ]
    }
  },
  "source": { "ip": "203.0.113.42" },
  "user": { "name": "admin" },
  "event": { "action": "authentication_failed", "outcome": "failure" }
}
```
Elastic Security has evolved its alert schema across versions. Calseta handles both the legacy `signal.*` format and the newer `kibana.alert.*` format.
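The following is an added example, not Calseta's or Elastic's own code, showing how the field mapping, severity mapping, MITRE extraction and indicator extraction described above can be implemented so that one normalizer accepts both the legacy `signal.*` layout and the newer `kibana.alert.*` layout. It assumes that newer alert documents may arrive with flat dotted keys (for example a top-level `"kibana.alert.severity"` key) rather than nested objects, and that an alert with no rule name or an unknown severity should be rejected rather than silently ingested. All function names, the second sample alert and the invalid-IP case are this example's own.

```python
"""Added example, not Calseta's own code: normalize an Elastic Security alert
into the fields this page describes, accepting both the legacy signal.* layout
and the newer kibana.alert.* layout. All function names are this example's own."""
import ipaddress

# Elastic rule severity -> Calseta numeric level (severity table above).
SEVERITY_LEVELS = {"low": 2, "medium": 3, "high": 4, "critical": 5}
# Candidate Elastic paths per Calseta field; the first one present wins.
TITLE_PATHS = ("kibana.alert.rule.name", "signal.rule.name")
SEVERITY_PATHS = ("kibana.alert.severity", "signal.rule.severity")
THREAT_PATHS = ("kibana.alert.rule.threat", "signal.rule.threat")
# Indicator type -> ECS fields it is read from.
INDICATOR_FIELDS = {
    "ip": ("source.ip", "destination.ip"),
    "account": ("user.name", "user.email"),
    "hash": ("file.hash.md5", "file.hash.sha1", "file.hash.sha256"),
    "url": ("url.full", "url.domain"),
}


def lookup(doc, path):
    """Resolve a dotted path: try a flat dotted key first (assumption: newer
    alert documents may use them), then walk nested objects. None if absent."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def first_present(doc, paths):
    for path in paths:
        value = lookup(doc, path)
        if value:
            return value
    return None


def extract_mitre(doc):
    """Flatten the rule's threat[] entries into sorted tactic/technique IDs."""
    tactics, techniques = set(), set()
    for entry in first_present(doc, THREAT_PATHS) or []:
        if entry.get("framework") != "MITRE ATT&CK":
            continue
        tactic_id = (entry.get("tactic") or {}).get("id")
        if tactic_id:
            tactics.add(tactic_id)
        for technique in entry.get("technique") or []:
            if technique.get("id"):
                techniques.add(technique["id"])
    return sorted(tactics), sorted(techniques)


def extract_indicators(doc):
    """Collect indicators from the ECS fields above; IPs are validated first."""
    found = []
    for kind, paths in INDICATOR_FIELDS.items():
        for path in paths:
            value = lookup(doc, path)
            if not value:
                continue
            if kind == "ip":
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    continue  # malformed source.ip must not become an indicator
            found.append({"type": kind, "field": path, "value": str(value)})
    return found


def normalize(doc):
    """Build the Calseta-side record; reject alerts with no title or severity."""
    title = first_present(doc, TITLE_PATHS)
    severity = str(first_present(doc, SEVERITY_PATHS) or "").lower()
    if not title or severity not in SEVERITY_LEVELS:
        raise ValueError(f"unusable alert: title={title!r} severity={severity!r}")
    tactics, techniques = extract_mitre(doc)
    return {
        "title": title,
        "severity": SEVERITY_LEVELS[severity],
        "occurred_at": lookup(doc, "@timestamp"),
        "mitre_tactics": tactics,
        "mitre_techniques": techniques,
        "indicators": extract_indicators(doc),
        "raw_payload": doc,  # kept verbatim for custom field mappings
    }


# Constructed samples: the legacy payload from this page, and the same alert
# written with flat kibana.alert.* keys.
THREAT = [{"framework": "MITRE ATT&CK",
           "tactic": {"id": "TA0006", "name": "Credential Access"},
           "technique": [{"id": "T1110", "name": "Brute Force"}]}]
LEGACY_ALERT = {
    "@timestamp": "2025-01-15T10:28:00Z",
    "signal": {"rule": {"name": "Brute Force Login Attempts",
                        "severity": "high", "threat": THREAT}},
    "source": {"ip": "203.0.113.42"}, "user": {"name": "admin"},
    "event": {"action": "authentication_failed", "outcome": "failure"},
}
NEW_ALERT = {
    "@timestamp": "2025-01-15T10:28:00Z",
    "kibana.alert.rule.name": "Brute Force Login Attempts",
    "kibana.alert.severity": "high",
    "kibana.alert.rule.threat": THREAT,
    "source.ip": "203.0.113.42", "user.name": "admin",
}
```

Both sample alerts normalize to the same title, severity level 4, tactic `TA0006`, technique `T1110` and two indicators (the source IP and the `admin` account). Rejecting unknown severities, rather than defaulting them, keeps a schema drift on the Elastic side visible instead of quietly producing mis-prioritized alerts; the original document is retained under `raw_payload` so custom field mappings still have the full alert to work from.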
API Reference
See Ingest Alert for the full endpoint documentation.