Edwin AI Elastic Integration
Last updated - 12 May, 2026
Use the LogicMonitor Edwin AI Elastic Integration to receive events in Edwin AI from your Elastic environment. This integration enables automated response, alert enrichment, and cross-platform incident correlation.
This integration supports structured JSON payloads using the Edwin Common Event Format (CEF) to enrich event data with test metrics, rule metadata, and more.
Requirements for Configuring Edwin AI Elastic Integration
To configure the Edwin AI Elastic Integration, you need the following:
- Access to create Connector actions in your Elastic account
- An Edwin AI Client ID and Client Secret. For more information, see Edwin AI API Credentials Management.
Configuring the Edwin AI Elastic Integration Webhook
- Configure a webhook connector in Elastic.
  For more information, see Webhook connector and action from Elastic.
- Include the following details in a new contact point:
  - In the Name field, add a Connector name
  - In Connector settings, select “POST” from the Method dropdown menu.
  - In the URL field, enter https://<accountname>.dexda.ai/integration/event/v1
  - Select Basic authentication and apply the following:
    - Username: Edwin API client ID
    - Password: Edwin API client secret
  - Toggle Add HTTP header and add in key “Content-Type” with value “application/json”
  - Select Certificate authority
    - Select “None” from the Verification mode dropdown menu.
- Attach the connector you create directly to an alert rule, or route alerts to it through a notification policy.
  For more information, see Create and manage alerting rules with Kibana from Elastic.
- On the Edit Rule page, do the following to map event objects to Edwin AI using a custom payload:
  - Select Test API request.
  - In the Body field, apply the custom payload template.
    For more information, see Custom Payload Template Example.
- Select Save.
The webhook connector will now send events to Edwin AI.
Custom Payload Template Example
Elastic supports Mustache templates to transform outbound payloads and dynamically apply any value from context, rule, and alert Elasticsearch objects.
The following payload example dynamically maps Elasticsearch event objects to the Edwin AI CEF structure:
[
  {
    "cef": {
      "eventCi": "{{context.title}}",
      "eventObject": "{{rule.name}}",
      "eventName": "{{alert.actionGroupName}}",
      "eventDescription": "{{context.description}}-{{context.reason}}",
      "eventSeverity": 3,
      "eventId": "{{alert.uuid}}",
      "eventTimestamp": {{#FormatDate}} {{{date}}} ; ; x {{/FormatDate}},
      "eventSourceIdLink": "{{rule.url}}",
      "eventSourceId": "{{context.source_id}}-{{rule.id}}",
      "eventSource": "Elastic",
      "sourceRecord": {},
      "class": "event",
      "version": "1.1",
      "eventDomain": ""
    },
    "enrichments": {}
  }
]

For more information, see Event Records.
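The following added example (not LogicMonitor or Elastic code) checks a rendered webhook body against the field set of the template above before it is sent, and builds the matching POST with Basic authentication and the Content-Type header. Treating every template key as required, expecting eventTimestamp to render as a number, and the sample values are assumptions of this example.

```python
import base64
import json
import urllib.request

# Keys of the "cef" object in the template on this page; treating every one
# of them as required is an assumption of this example.
CEF_KEYS = {
    "eventCi", "eventObject", "eventName", "eventDescription", "eventSeverity",
    "eventId", "eventTimestamp", "eventSourceIdLink", "eventSourceId",
    "eventSource", "sourceRecord", "class", "version", "eventDomain",
}

# Constructed sample of a rendered body (placeholder values, not real data).
SAMPLE = json.dumps([{"cef": {**dict.fromkeys(CEF_KEYS, "x"),
                              "eventSeverity": 3, "sourceRecord": {},
                              "eventTimestamp": 1760000000000},
                      "enrichments": {}}])

def check_rendered_payload(body: str) -> list[str]:
    """Return the problems found in a rendered webhook body ([] if none)."""
    try:
        events = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at char {exc.pos}"]
    if not isinstance(events, list):
        return ["top level must be a JSON array"]
    problems = []
    for i, event in enumerate(events):
        cef = event.get("cef") if isinstance(event, dict) else None
        if not isinstance(cef, dict):
            problems.append(f"[{i}] missing 'cef' object")
            continue
        problems += [f"[{i}] missing cef.{k}" for k in sorted(CEF_KEYS - set(cef))]
        problems += [f"[{i}] cef.{k} has an unrendered tag"
                     for k, v in cef.items() if isinstance(v, str) and "{{" in v]
        ts = cef.get("eventTimestamp")
        # The template leaves eventTimestamp unquoted, so it must render as a number.
        if isinstance(ts, bool) or not isinstance(ts, (int, float)):
            problems.append(f"[{i}] cef.eventTimestamp is not a number")
    return problems

def build_request(account: str, client_id: str, client_secret: str, body: str):
    """Build, without sending, the POST that the connector is configured to make."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"https://{account}.dexda.ai/integration/event/v1",
        data=body.encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})
```

Passing the returned request to urllib.request.urlopen sends it with server certificate verification enabled, which is Python's default for HTTPS.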