Alert Ingestion
Alert Ingestion writes alerts from SIEM or detection platforms into ASP Redis Streams. It sits upstream of Modules and does not itself create Cases, Alerts, or Artifacts.
```text
SIEM Rule / Alert
-> Webhook or ELK Index Action
-> Redis Stream
-> Module
-> Case / Alert / Artifact
```

Stream naming is the key contract between Alert Ingestion and Modules. The Splunk `search_name`, the Kibana `rule.name`, or the ELK Index Action `rule.name` should match the target Module's `STREAM_NAME`.
Ingestion methods
| Method | Scenario | Next step |
|---|---|---|
| Splunk Webhook | Splunk Alert can directly access ASP API. | Webhook writes result to the Redis Stream named by search_name. |
| Kibana Webhook | Kibana Rule can directly access ASP API. | Webhook writes context.hits to the Redis Stream named by rule.name. |
| ELK Index Action | Kibana cannot directly POST to ASP, or you prefer writing actions to Elasticsearch first. | Worker polls the Action Index and writes to the Redis Stream named by rule.name. |
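The following is an added example, not code from ASP itself, showing the stream-naming contract end to end: it derives the target stream from a Splunk webhook (`search_name`, one `result` record) or a Kibana webhook / ELK Index Action document (`rule.name`, a list under `context.hits`), refuses names that no loaded Module's `STREAM_NAME` claims, and appends each hit as a stream entry. The in-memory `InMemoryStreams` class stands in for redis-py's `XADD` so it runs offline; the registry of Module stream names, the nesting of `rule.name` as `rule -> name`, and the assumption that an Index Action document mirrors the Kibana webhook payload are all assumptions made for this example, and the payloads are constructed samples.

```python
"""Added example: route SIEM alert payloads to Redis Streams by the naming contract."""
import json
from collections import defaultdict
from typing import Any

# Constructed sample: STREAM_NAME of each Module assumed to be loaded in ASP.
REGISTERED_MODULE_STREAMS = {"suspicious_login", "malware_beacon"}


class InMemoryStreams:
    """Stand-in for Redis Streams (redis-py's xadd) so the example runs offline."""

    def __init__(self) -> None:
        self.entries: dict[str, list[tuple[str, dict[str, str]]]] = defaultdict(list)

    def xadd(self, stream: str, fields: dict[str, str]) -> str:
        entry_id = f"{len(self.entries[stream]) + 1}-0"  # mimics Redis "<ms>-<seq>" ids
        self.entries[stream].append((entry_id, fields))
        return entry_id


def resolve_stream_name(source: str, payload: dict[str, Any]) -> str:
    """Derive the target stream: Splunk uses search_name, Kibana/Index Action use rule.name."""
    if source == "splunk":
        name = payload.get("search_name")
    elif source in ("kibana", "elk_index_action"):
        name = (payload.get("rule") or {}).get("name")  # assumed nesting: rule -> name
    else:
        raise ValueError(f"unknown source: {source}")
    if not name:
        raise ValueError(f"{source} payload carries no search_name / rule.name")
    return name


def extract_hits(source: str, payload: dict[str, Any]) -> list[dict[str, Any]]:
    """Splunk delivers one 'result' record; Kibana delivers a list in context.hits."""
    if source == "splunk":
        return [payload["result"]]
    return list((payload.get("context") or {}).get("hits") or [])


def ingest(source: str, payload: dict[str, Any], streams: InMemoryStreams,
           registered: set[str] = REGISTERED_MODULE_STREAMS) -> dict[str, Any]:
    """Write each hit to the stream named by the contract, or report why nothing was written."""
    stream = resolve_stream_name(source, payload)
    if stream not in registered:
        # A name that matches no Module STREAM_NAME would sit unread forever;
        # refuse it explicitly instead of silently creating an orphan stream.
        return {"stream": stream, "written": 0, "error": "no Module consumes this stream"}
    ids = [streams.xadd(stream, {"source": source, "alert": json.dumps(hit, sort_keys=True)})
           for hit in extract_hits(source, payload)]
    return {"stream": stream, "written": len(ids), "error": None}


# Constructed sample payloads (field names follow the page; values are invented).
SPLUNK_PAYLOAD = {
    "search_name": "suspicious_login",
    "result": {"user": "alice", "src": "203.0.113.7", "failures": "12"},
}
KIBANA_PAYLOAD = {
    "rule": {"name": "malware_beacon"},
    "context": {"hits": [{"host": "ws-01", "dst": "198.51.100.9"},
                         {"host": "ws-02", "dst": "198.51.100.9"}]},
}
MISNAMED_PAYLOAD = {  # rule.name does not match any Module STREAM_NAME
    "rule": {"name": "malware-beacon"},
    "context": {"hits": [{"host": "ws-03"}]},
}


def run_demo() -> list[dict[str, Any]]:
    """Ingest the three samples into one in-memory store and return each outcome."""
    streams = InMemoryStreams()
    return [
        ingest("splunk", SPLUNK_PAYLOAD, streams),
        ingest("kibana", KIBANA_PAYLOAD, streams),
        ingest("elk_index_action", MISNAMED_PAYLOAD, streams),
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The misnamed sample is the failure mode worth checking in the Custom Console: a rule whose name differs from the Module's `STREAM_NAME` by a single character produces a stream that exists but is never consumed, which this router reports instead of creating.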
Relationship to other custom development pages
- Mock Data: generates SIEM test logs for alert rules.
- SIEM YAML: describes log indexes and fields so that queries can be built and the Agent can interpret the data.
- Module Development: consumes Redis Stream raw alerts and creates ASP resources.
- Custom Console: checks whether Modules are loaded, Streams exist, and messages have entered Streams.
- Custom Examples: shows how Mock SIEM, alert queries, Modules, and Playbooks work together.
Recommendations
- If the SIEM can directly reach ASP, prefer Webhook.
- If Kibana is the Community Edition or cannot reach ASP directly, use ELK Index Action.
- To validate a full local flow, first generate SIEM logs with Mock Data, then configure alert ingestion and Module consumption.