Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Generate Kibana links #1945

Open sebash1992 opened 5 years ago

sebash1992 commented 5 years ago

Hi all, I am manually creating a Kibana link in my alarm in order to redirect to Discover with the filter and the timeframe that fired the alarm.

I was able to create the filter part, but I am having an issue with the timeframe part. I want to know if there is any way to format the starttime the same way that Kibana uses it.

Here is my alert part:

```yaml
alert_text: "We found {0} matches.
  Sample message: {1}
  {5}
  <a href=\"https://XXXX/app/kibana#/discover?_g=(refreshInterval:(display:Off,pause:!f,section:0,value:0),time:(from:'2018-10-08 15:10:37.162946+00:00',mode:absolute,to:'2018-10-08T15:25:13.318Z'))&_a=(columns:!(host.ip),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:af9d4b00-af91-11e8-810d-a32a5255336e,key:client.location,negate:!f,params:(query:{3},type:phrase),type:phrase,value:{3}),query:(match:(client.location:(query:{3},type:phrase)))),('$state':(store:appState),meta:(alias:!n,disabled:!f,index:af9d4b00-af91-11e8-810d-a32a5255336e,key:msg,negate:!f,params:(query:'Probable+port+scan+detected',type:phrase),type:phrase,value:'Probable+port+scan+detected'),query:(match:(msg:(query:'Probable+port+scan+detected',type:phrase)))),('$state':(store:appState),meta:(alias:!n,disabled:!f,index:af9d4b00-af91-11e8-810d-a32a5255336e,key:client.name,negate:!f,params:(query:{2},type:phrase),type:phrase,value:{2}),query:(match:(client.name:(query:{2},type:phrase)))),('$state':(store:appState),meta:(alias:!n,disabled:!f,index:af9d4b00-af91-11e8-810d-a32a5255336e,key:host.ip,negate:!f,params:(query:'{4}',type:phrase),type:phrase,value:'{4}'),query:(match:(host.ip:(query:'{4}',type:phrase))))),index:af9d4b00-af91-11e8-810d-a32a5255336e,interval:auto,query:(language:lucene,query:''),sort:!('@timestamp',desc))\" >LINK TO KIBANA"
alert_text_args:
```

My idea is to replace this time with the starttime and the time that the alarm was fired: time:(from:'2018-10-08 15:10:37.162946+00:00',mode:absolute,to:'2018-10-08T15:25:13.318Z'))

regards
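An added example of how a custom alerter could build such a link from the list of match dicts that an Alerter's alert() receives; this is not code from the issue author or from elastalert itself. It derives the absolute window from the earliest and latest @timestamp among the matches, renders both ends in the ISO-8601 UTC millisecond form that Kibana's absolute mode accepts, and encodes the pinned filters in Rison (Kibana's URL-state notation). The base URL, index-pattern id, field names and match values are assumed sample inputs.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

def parse_ts(value: str) -> datetime:
    """Parse an Elasticsearch @timestamp; fromisoformat() wants '+00:00' rather than 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def kibana_ts(dt: datetime) -> str:
    """Render a datetime the way Kibana's absolute mode shows it: UTC, milliseconds, 'Z'."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive timestamps are UTC
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def rison_str(s) -> str:
    """Quote a value as a Rison string: a single quote becomes !' and a bang becomes !!."""
    return "'" + str(s).replace("!", "!!").replace("'", "!'") + "'"

def lookup(match, dotted):
    """Fetch a dotted field such as client.name from a (possibly nested) match dict."""
    for part in dotted.split("."):
        match = match[part]
    return match

def global_state(start: datetime, end: datetime) -> str:
    """The _g parameter: the absolute time range in Rison."""
    return (f"(time:(from:{rison_str(kibana_ts(start))},mode:absolute,"
            f"to:{rison_str(kibana_ts(end))}))")

def phrase_filter(index_id: str, field: str, value) -> str:
    """One pinned Discover filter of type phrase, shaped like those in the link above."""
    v, idx = rison_str(value), rison_str(index_id)
    return ("('$state':(store:appState),meta:(alias:!n,disabled:!f,"
            f"index:{idx},key:{field},negate:!f,params:(query:{v},type:phrase),"
            f"type:phrase,value:{v}),query:(match:({field}:(query:{v},type:phrase))))")

def discover_link(base_url, index_id, matches, filter_fields, pad=timedelta(minutes=1)):
    """Window = earliest..latest @timestamp of the matches, padded so hits are not on the edge."""
    stamps = [parse_ts(m["@timestamp"]) for m in matches]
    g = global_state(min(stamps) - pad, max(stamps) + pad)
    # Filters are taken from the first match, as alert_text_args would be.
    filters = ",".join(phrase_filter(index_id, f, lookup(matches[0], f)) for f in filter_fields)
    a = (f"(columns:!(host.ip),filters:!({filters}),index:{rison_str(index_id)},"
         "interval:auto,query:(language:lucene,query:''),sort:!('@timestamp',desc))")
    # Percent-encode the Rison so parentheses, quotes and bangs survive any HTML/URL handling.
    return f"{base_url}/app/kibana#/discover?_g={quote(g, safe='')}&_a={quote(a, safe='')}"
```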

mahaffey commented 5 years ago

Hey! Did you ever figure this out? I am looking to have a link to the log in question for the alerts as well.

sebash1992 commented 5 years ago

Hi @mahaffey, I did my own alerter. I am using Microsoft Teams and I wanted to have better control over the cards that I send. I told you that because I add parameters to the alerter in order to generate the link.

alert_kibana_link: "Link to kivana discover"

alert_kibana_link_args:

and in the alerter I did the replacement

. If you need it, I can share the alerter with you.

Regards

mahaffey commented 5 years ago

Thanks, I will try this out. Sending the alerter would not hurt :)

BrassPeddler commented 4 years ago

> Hi @mahaffey, I did my own alerter. I am using Microsoft Teams and I wanted to have better control over the cards that I send. I told you that because I add parameters to the alerter in order to generate the link.
>
> alert_kibana_link: "Link to kivana discover"
>
> alert_kibana_link_args:
>
>   • param1
>   • param2
>   • param3
>
> and in the alerter I did the replacement
>
> . If you need it, I can share the alerter with you.
>
> Regards

@sebash1992 Can you send me your alerter or can you publish it on github? :)

crosbymichael1 commented 4 years ago

@sebash1992 Yes I would love to see the alerter :)