# Search Guard Integration

By integrating [Search Guard](https://search-guard.com/) Signals with ilert, you can route custom-defined alerts – such as detected failed authentications, TLS certificate expirations, or node disconnects – from Elasticsearch logs or metrics into your on-call workflows. These technical alerts trigger ilert’s escalation policies and ensure that responders are notified promptly, enhancing the security and operational stability of your cluster.

## In ilert: Create a Search Guard alert source <a href="#in-ilert" id="in-ilert"></a>

1. Go to **Alert sources** --> **Alert sources** and click on **Create new alert source**

   <figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FjX0cS4q7woTXKajZmc1W%2FScreenshot%202023-08-28%20at%2010.21.10.png?alt=media&#x26;token=8ef3666b-84eb-4b51-abee-f07303313941" alt=""><figcaption></figcaption></figure>
2. Search for **Search Guard** in the search field, click on the Search Guard tile and click on **Next**.

   <figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FlXzQlJpaTFSR49AZk0xA%2FScreenshot%202023-08-28%20at%2010.24.23.png?alt=media&#x26;token=cffeacb4-57b9-47d4-827d-b0f6b1afd914" alt=""><figcaption></figcaption></figure>
3. Give your alert source a name, optionally assign teams and click **Next**.
4. Select an **escalation policy** by creating a new one or assigning an existing one.

   <figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FNnuZqONaIhbOf6fn4OkZ%2FScreenshot%202023-08-28%20at%2011.37.47.png?alt=media&#x26;token=8a74f7b5-5bd2-4eea-97fa-1c1dbb041333" alt=""><figcaption></figcaption></figure>
5. Select your [Alert grouping](https://docs.ilert.com/alerting/configure-alerting/alert-sources#alert-grouping) preference and click **Continue setup**. You may click **Do not group alerts** for now and change it later.

   <figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FueugN4JgHn1c90ggFA6u%2FScreenshot%202023-08-28%20at%2011.38.24.png?alt=media&#x26;token=b8009daf-3ca8-4264-a6fa-e42ef7333205" alt=""><figcaption></figcaption></figure>
6. The next page shows additional settings such as custom alert templates or notification priority. Click on **Finish setup** for now.
7. On the final page, an API key and/or webhook URL will be generated that you will need later in this guide.

   <figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FJ1QwcjLiVLOyieOrgmpC%2FScreenshot%202023-08-28%20at%2011.47.34.png?alt=media&#x26;token=72dc29a2-ded0-44cd-89bc-229bb0569626" alt=""><figcaption></figcaption></figure>

## In Search Guard: Create watch <a href="#in-topdesk" id="in-topdesk"></a>

1. Open the main menu and choose **Search Guard -> Signals**

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MTCtqmABn7i9S9NaZ_k%2F-MTCv4KS3MHZd3e0lvbp%2FScreenshot_10_02_21__22_49.png?alt=media\&token=29ce12c4-54a4-495f-aebe-fc6a97e05cbc)

2. On the next page click on the **New** button to create a new watch

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MTCtqmABn7i9S9NaZ_k%2F-MTCw9UKuJ3iPEMBXCgK%2FScreenshot_10_02_21__22_53.png?alt=media\&token=4540b21b-f863-4572-a625-e38261082747)

3. On the next view, name the watch, e.g. **My Watch**, then scroll down and configure the watch to your liking.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MTCtqmABn7i9S9NaZ_k%2F-MTCxINynrp_tGiQgV6t%2FScreenshot_10_02_21__22_56.png?alt=media\&token=4032f5d0-760f-40a9-9145-735c39959c91)

4. Scroll down to **Actions** and add the **Webhook** action

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MTCtqmABn7i9S9NaZ_k%2F-MTCxm18amHG14cphdV9%2FScreenshot_10_02_21__23_00.png?alt=media\&token=c6151b80-0afd-44f6-af4b-3dccf2610cc9)

5. Name the action, e.g. **iLert**, paste the **Webhook URL** that you generated in ilert, adjust the headers as required, and paste the following **JSON** as the body template:

```json
{
  "incidentKey": "{{watch.id}}",
  "summary": "SearchGuard alert: {{watch.id}}",
  "details": "Problem occurred at {{execution_time}}",
  "serverUrl": "https://my-server.com"
}
```

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MTCy6wL2_wXkkp1BVCU%2F-MTCz1fnIOaU8S6NlUtK%2FScreenshot_10_02_21__23_06.png?alt=media\&token=d788e43e-ee21-4e26-b745-ac014e53b072)

6. Click on **Create** to save the watch.
7. Finished! Your Search Guard alerts will now create alerts in ilert.
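The body template in step 5 is rendered by Signals before it is posted to ilert, and `incidentKey` is what ilert uses to deduplicate repeated firings of the same watch into one open alert. The following Python script is an added example, not code from ilert or Search Guard: it renders the guide's template against constructed watch contexts with a simplified stand-in for Signals' Mustache engine (an assumption, not the real engine), checks that the result is valid JSON carrying the fields ilert needs, and models the `incidentKey` deduplication to show why one watch that keeps firing does not page the on-call responder repeatedly. The sample contexts, watch ids and timestamps are constructed for the example.

```python
import json
import re
from typing import Any, Dict, List

# Body template from step 5 above. The {{...}} placeholders are Mustache
# variables that Search Guard Signals fills in when the webhook action fires.
ILERT_BODY_TEMPLATE = """{
  "incidentKey": "{{watch.id}}",
  "summary": "SearchGuard alert: {{watch.id}}",
  "details": "Problem occurred at {{execution_time}}",
  "serverUrl": "https://my-server.com"
}"""

_PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def _lookup(context: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted path such as 'watch.id' against a nested dict."""
    value: Any = context
    for part in dotted.split("."):
        if not isinstance(value, dict) or part not in value:
            raise KeyError(f"template variable not in watch context: {dotted}")
        value = value[part]
    return value


def render_body(template: str, context: Dict[str, Any]) -> str:
    """Simplified stand-in for Signals' Mustache rendering (assumption: not
    Signals' own engine). Each value is JSON-string-escaped before insertion
    so that a quote or backslash in a watch id cannot break the body."""
    def substitute(match: "re.Match[str]") -> str:
        raw = str(_lookup(context, match.group(1)))
        return json.dumps(raw)[1:-1]  # drop the surrounding quotes
    return _PLACEHOLDER.sub(substitute, template)


def validate_ilert_event(body: str) -> Dict[str, Any]:
    """Parse the rendered body and check the fields ilert needs."""
    event = json.loads(body)  # raises ValueError if the template produced bad JSON
    if not event.get("summary"):
        raise ValueError("ilert events require a non-empty 'summary'")
    if not isinstance(event.get("incidentKey", ""), str):
        raise ValueError("'incidentKey' must be a string")
    return event


def simulate_ilert_dedup(events: List[Dict[str, Any]]) -> Dict[str, int]:
    """Model of ilert's incidentKey deduplication: repeated ALERT events with
    the same key attach to the one open alert instead of paging again. Because
    Search Guard never sends resolve events (see FAQ), every distinct key stays
    open until a responder resolves it. Returns key -> number of firings."""
    firings: Dict[str, int] = {}
    for event in events:
        key = event.get("incidentKey") or event["summary"]
        firings[key] = firings.get(key, 0) + 1
    return firings


# Constructed sample contexts, shaped like the values Signals exposes
# (watch.id and execution_time are the two variables the template uses).
SAMPLE_CONTEXTS = [
    {"watch": {"id": "failed-auth-watch"}, "execution_time": "2023-08-28T10:21:10Z"},
    {"watch": {"id": "failed-auth-watch"}, "execution_time": "2023-08-28T10:22:10Z"},
    {"watch": {"id": 'tls "prod" expiry'}, "execution_time": "2023-08-28T10:23:10Z"},
]


def run_samples() -> Dict[str, int]:
    """Render, validate and deduplicate the sample firings."""
    events = [validate_ilert_event(render_body(ILERT_BODY_TEMPLATE, ctx))
              for ctx in SAMPLE_CONTEXTS]
    return simulate_ilert_dedup(events)


if __name__ == "__main__":
    print(json.dumps(run_samples(), indent=2))
```

Two firings of `failed-auth-watch` collapse onto one open alert while the watch id containing quotes still yields a parseable body. If you want every firing of a watch to open a separate alert, put something execution-specific (such as `{{execution_time}}`) into `incidentKey`; if you want repeats folded into one alert, keep `{{watch.id}}` as the guide does.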

## FAQ <a href="#faq" id="faq"></a>

**Will alerts in ilert be resolved automatically?**

No, unfortunately Search Guard watches do not fire resolve events for alerts.

**Can I connect Search Guard with multiple alert sources from ilert?**

Yes, simply create more watches in Search Guard.

