How to create a Kibana webhook connector

Webhook connectors in Kibana deliver rule and alert payloads to external HTTP endpoints for automation, incident response, and notifications. Using a connector keeps the destination URL and authentication details in one place so multiple rules can reuse the same integration.

Connectors are managed by the Kibana Actions framework and stored as saved objects. The .webhook connector type sends an HTTP request to a configured URL using the selected method, while sensitive fields such as Basic authentication credentials are stored as encrypted secrets.

Secrets are encrypted using Encrypted Saved Objects and require a stable xpack.encryptedSavedObjects.encryptionKey in kibana.yml for persistence across restarts and multiple Kibana instances. Outbound requests may be constrained by xpack.actions.allowedHosts, proxy, and TLS settings, so the webhook host must be permitted. The curl commands below assume POSIX shell quoting.

Steps to create a Kibana webhook connector:

Create the webhook connector with the API.

$ curl -s -u elastic:password -H "kbn-xsrf: true" -H "Content-Type: application/json" -X POST "http://localhost:5601/api/actions/connector" -d '{
  "name": "Ops webhook",
  "connector_type_id": ".webhook",
  "config": {
    "method": "post",
    "url": "https://hooks.example.net/alert"
  },
  "secrets": {
    "user": "alerting",
    "password": "change-me"
  }
}'
{
  "id": "b7f113a0-7b50-11ee-84f8-71e65b5c2d9a",
  "name": "Ops webhook"
}

Replace elastic:password with a Kibana username and password that can manage connectors. Prefix the API path with /s/<space_id> when targeting a non-default Kibana space.

Use HTTPS for remote Kibana endpoints; plain HTTP exposes credentials and connector secrets in transit.

List connectors to confirm the new entry.

$ curl -s -u elastic:password -H "kbn-xsrf: true" "http://localhost:5601/api/actions/connectors"
[
  {"id":"b7f113a0-7b50-11ee-84f8-71e65b5c2d9a","name":"Ops webhook"}
]

Use the returned id value when attaching the connector to a rule action.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.