Email connector and action

Email connector and actionedit

The email connector uses the SMTP protocol to send mail messages. Email message text is sent as both plain text and html text.

  • For emails to have a footer with a link back to Kibana, set the server.publicBaseUrl configuration setting.
  • When the configuration setting is used, the email addresses used for all of the Sender (from), To, CC, and BCC properties must have email domains specified in the configuration setting.

Create connectors in Kibanaedit

You can create connectors in Stack Management > Connectors or as needed when you’re creating a rule. For example:

Email connector
Connector configurationedit

Email connectors have the following configuration properties:

The name of the connector. The name is used to identify a connector in the management UI connector listing, or in the connector list when configuring an action.
The from address for all emails sent with this connector. This must be specified in user@host-name format. See the Nodemailer address documentation for more information.
The name of the email service. If service is one of Nodemailer’s well-known email service providers, the host, port, and secure properties are defined with the default values and disabled for modification. If service is MS Exchange Server, the host, port, and secure properties are ignored and tenantId, clientId, clientSecret are required instead. If service is other, the host and port properties must be defined.
Host name of the service provider. If you are using the xpack.actions.allowedHosts setting, make sure this hostname is added to the allowed hosts.
The port to connect to on the service provider.
If true, the connection will use TLS when connecting to the service provider. Refer to the Nodemailer TLS documentation for more information. If not true, the connection will initially connect over TCP, then attempt to switch to TLS via the SMTP STARTTLS command.
Tenant ID
The directory tenant that the application plans to operate against, in GUID format.
Client ID
The application ID that is assigned to your app, in GUID format. You can find this information in the portal where you registered your app.
Client Secret
The client secret that you generated for your app in the app registration portal. The client secret must be URL-encoded before being sent. The Basic auth pattern of providing credentials in the Authorization header, per RFC 6749, is also supported.
Require authentication
If true, a username and password for login type authentication must be provided.
Username for login type authentication.
Password for login type authentication.

Test connectorsedit

You can test connectors as you’re creating or editing the connector in Kibana. For example:

Email params test

Email actions have the following configuration properties.

Each item is a list of addresses. Addresses can be specified in user@host-name format, or in name <user@host-name> format. One of To, CC, or BCC must contain an entry.
The subject line of the email.
The message text of the email. Markdown format is supported.

Connector networking configurationedit

Use the Action configuration settings to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use xpack.actions.customHostSettings to set per-host configurations.

Configure email accounts for well-known servicesedit

The email connector uses an integration of Nodemailer to send email from many popular SMTP email services. For Microsoft Exchange email, it uses the Microsoft Graph API.

For other email servers, you can check the list of well-known services that Nodemailer supports in the JSON file well-known/services.json. The properties of the objects in those files — host, port, and secure — correspond to the same email connector configuration properties. A missing secure property in the "well-known/services.json" file is considered false. Typically, port: 465 uses secure: true, and port: 25 and port: 587 use secure: false.

Elastic Cloudedit

Use the preconfigured email connector (Elastic-Cloud-SMTP) to send emails from Elastic Cloud.

For more information on the preconfigured email connector, see Elastic Cloud email service limits.


To create a connector that sends email from the Gmail SMTP service, set the Service to Gmail.

If you get an authentication error that indicates that you need to continue the sign-in process from a web browser when the action attempts to send email, you need to configure Gmail to allow less secure apps to access your account.

If two-step verification is enabled for your account, you must generate and use a unique App Password to send email from Kibana. See Sign in using App Passwords for more information.


To create a connector that sends email from the SMTP service, set the Service to Outlook.

When sending emails, you must provide a from address, either as the default in your connector configuration or as part of the email action in the rule.

You must use a unique App Password if two-step verification is enabled. See App passwords and two-step verification for more information.

Amazon SESedit

To create a connector that sends email from the Amazon Simple Email Service (SES) SMTP service, set the Service to Amazon SES.

You must use your Amazon SES SMTP credentials to send email through Amazon SES. For more information, see Obtaining Your Amazon SES SMTP Credentials. You might also need to verify your email address or your whole domain at AWS.

Microsoft Exchange with basic authenticationedit

[7.16.0] Deprecated in 7.16.0. This Microsoft Exchange configuration is deprecated and will be removed later because Microsoft is deprecating basic authentication.

To prepare for the removal of Basic Auth, you must update all existing Microsoft Exchange connectors with the new configuration based on the OAuth 2.0 Client Credentials Authentication.

Microsoft Exchange with OAuth 2.0edit

The email connector uses Microsoft Graph REST API v1.0, in particular the sendMail endpoint. It supports only the Microsoft Graph global service root endpoint (

Before you create an email connector for Microsoft Exchange, you must create and register the client integration application on the Azure portal:

Register client application for MS Exchange

Next, open Manage > API permissions, and then define the permissions for the registered application to send emails. Refer to the documentation for the Microsoft Graph API.

MS Exchange API permissions

Add the "Mail.Send" permission for Microsoft Graph. The permission appears in the list with the status "Not granted for <your Azure active directory>":

MS Exchange "Mail.Send" not granted

Click Grant admin consent for <your Azure active directory>.

MS Exchange grant confirmation

Confirm that the status for the "Mail.Send" permission is now granted.

MS Exchange grant confirmation
Configure the Microsoft Exchange Client secretedit

To configure the Microsoft Exchange Client secret, open Manage > Certificates & secrets:

MS Exchange secrets configuration

Add a new client secret, then copy the value and put it to the proper field in the Microsoft Exchange email connector.

Configure the Microsoft Exchange client and tenant identifiersedit

To find the Microsoft Exchange client and tenant IDs, open the Overview page:

MS Exchange Client ID and Tenant ID configuration

Create a connector and set the Service to MS Exchange Server. Copy and paste the values into the proper fields.