aws-samples / siem-on-amazon-opensearch-service

A solution for collecting, correlating and visualizing multiple types of logs to help investigate security incidents.
MIT No Attribution

Query regarding setting up and forwarding alerts from SIEM to Slack #324

Closed WilsonNeo closed 2 years ago

WilsonNeo commented 2 years ago

Hi,

I have questions regarding the Alerting tool of the SIEM OpenSearch. I understand alerts and their triggers can be set up from the SIEM OpenSearch dashboard console and the triggered alerts subsequently forwarded to channels such as Slack.

I have set up my SIEM to visualise the log data from various AWS services like GuardDuty, Security Hub, etc. and also set up alerts and their triggers so as to forward these alerts to a Slack channel. However, I noticed that due to the nature of the alerts' trigger, I can only set a trigger condition and have alerts forwarded to Slack if the trigger condition is met. The alert forwarded to Slack only shows that the condition has been met, with no other descriptive explanation of what caused the condition to be met.

May I know if there is a way for the SIEM alerting tool to forward more informative alerts to Slack?

jtwp commented 2 years ago

Unless I've misunderstood your specific request, you can configure the Slack message with content from the query response. Unless it's your query response that doesn't contain any other information?

https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors

Within Monitors, when you run "Define extraction query" and then, in the pane to the right, see the "Extraction query response", do you see values for fields you would like to see in your Slack message? If so, you can extract those fields/values by using the ctx.results variables, e.g. in your defined Trigger --> Action --> Slack Message:

{{ctx.results.0.hits.hits.0._source.awsRegion}}

It all depends on the structure of the response of course.

I use this for various alerts. One example is alerting on Security Groups with "open ports". The query is run against CloudTrail logs and the Slack message has all the information needed: aws account, region, security group name/Id, ports, cidr, the user who created it etc.

WilsonNeo commented 2 years ago

Thank you for your reply. I understand alerts can be set up based on their pre-determined monitor, condition and trigger. I now understand that the Slack message can be customised to include additional information regarding the alert.

However, may I know if the SIEM can forward alerts to Slack in a manner similar to event forwarding, whereby no conditions are set and all events/findings from an AWS service are auto-forwarded to Slack via the SIEM?

E.g.: There is a new finding in SecurityHub / GuardDuty and, since their logs are filtered into the SIEM OpenSearch service, the SIEM will also show this new finding. The finding and its details are then auto-forwarded to Slack without requiring a condition (assuming I do not know what this new finding is about and do not know what kind of monitor/trigger to set).

jtwp commented 2 years ago

Ah, I see. Okay, I think that would be possible. I actually don't work on this project but do use it myself, so I'm just trying to help where I can and might not be best placed to provide a solution. But I would think you could just create the Monitor Query to look for any log entry on your index, e.g. "aws-securityhub-*" or whatever it might be, so the query would be generic enough to capture any log entry sent to that index. Then it can be sent on to your destination (Slack).

WilsonNeo commented 2 years ago

Understood, thanks. Just to check one more question: is there proper documentation on how the extraction query is written or how to check the structure of the ctx.results variables? I am unsure how to write an extraction query that will output a field's value into the ctx.results variable.

jtwp commented 2 years ago

You can reference the Monitors and the basic variable structure here: https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors#available-variables

You then just have to work out what your ctx variable path will be, as it will differ depending on the query response. But it's basically just the JSON path. Bit of trial and error too 😀
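
The catch-all monitor suggested two comments up and the "ctx path is just the JSON path" point here, as an added example. This is not code from the aws-samples project or from anyone in this thread. It assumes an index pattern log-aws-securityhub-*, ASFF-style field names (AwsAccountId, Region, Severity.Label, Title) under _source, a 5-minute schedule and a placeholder Slack channel id; the real index pattern and field names must be read off the "Extraction query response" pane. The tiny Mustache renderer is an offline stand-in for the engine OpenSearch runs server-side, so the message can be previewed and the variable paths checked before the monitor is created.

```python
"""Added example, not code from the aws-samples project or anyone in this thread.
Builds a catch-all OpenSearch Alerting monitor (fires on every new document in the
index) and previews the Slack message rendered from the query response via ctx paths.
Index pattern, field names, schedule and channel id are assumptions."""
import re

INDEX_PATTERN = "log-aws-securityhub-*"  # assumed; use your SIEM's real index pattern

# Mustache message as pasted into Trigger -> Action -> Message. Inside a {{#...}}
# section, names resolve relative to the current hit (so _source.Title, not ctx...).
SLACK_MESSAGE = (
    "{{ctx.monitor.name}}: {{ctx.results.0.hits.total.value}} new Security Hub finding(s)\n"
    "{{#ctx.results.0.hits.hits}}"
    "- [{{_source.Severity.Label}}] {{_source.Title}}"
    " (account {{_source.AwsAccountId}}, region {{_source.Region}})\n"
    "{{/ctx.results.0.hits.hits}}"
)

def build_monitor(index_pattern=INDEX_PATTERN, minutes=5, channel_id="REPLACE_ME"):
    """Body for POST _plugins/_alerting/monitors. The query is only a time window,
    so any document indexed in the last `minutes` makes the trigger condition true."""
    return {
        "type": "monitor", "monitor_type": "query_level_monitor",
        "name": "securityhub-forward-all", "enabled": True,
        "schedule": {"period": {"interval": minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {"indices": [index_pattern], "query": {
            "size": 20,  # caps how many hits the message can list
            "sort": [{"@timestamp": "desc"}],
            "query": {"range": {"@timestamp": {"gte": f"now-{minutes}m", "lt": "now"}}}}}}],
        "triggers": [{
            "name": "any-new-document", "severity": "1",
            # Painless uses bracket indexing; the Mustache template uses dots.
            "condition": {"script": {"source": "ctx.results[0].hits.total.value > 0",
                                     "lang": "painless"}},
            "actions": [{"name": "notify-slack", "destination_id": channel_id,
                         "subject_template": {"source": "New Security Hub finding(s)"},
                         "message_template": {"source": SLACK_MESSAGE}}]}],
    }

def lookup(path, stack):
    """Resolve a dotted Mustache name against a context stack, innermost first.
    Digit segments index lists, which is what makes ctx.results.0.hits.hits.0 work."""
    for ctx in reversed(stack):
        cur, ok = ctx, True
        for seg in path.split("."):
            if isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
                cur = cur[int(seg)]
            elif isinstance(cur, dict) and seg in cur:
                cur = cur[seg]
            else:
                ok = False
                break
        if ok:
            return cur
    return None

def render(template, root):
    """Minimal Mustache ({{name}} and {{#list}}...{{/list}}) standing in for the
    engine OpenSearch runs server-side, so the message can be previewed offline."""
    tag = re.compile(r"\{\{([#/]?)\s*([^}\s]+)\s*\}\}")

    def _render(tpl, stack):
        out, pos = [], 0
        while m := tag.search(tpl, pos):
            out.append(tpl[pos:m.start()])
            kind, name = m.group(1), m.group(2)
            if kind == "#":
                close = re.search(r"\{\{/\s*" + re.escape(name) + r"\s*\}\}", tpl[m.end():])
                body = tpl[m.end():m.end() + close.start()]
                val = lookup(name, stack)
                for item in (val if isinstance(val, list) else [val] if val else []):
                    out.append(_render(body, stack + [item]))
                pos = m.end() + close.end()
            else:
                val = None if kind == "/" else lookup(name, stack)
                out.append("" if val is None else str(val))
                pos = m.end()
        return "".join(out) + tpl[pos:]
    return _render(template, [root])

def ctx_paths(obj, prefix="ctx"):
    """Yield (mustache_path, value) for every leaf of a response: read the variable
    name for a field straight off the list instead of finding it by trial and error."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from ctx_paths(v, f"{prefix}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from ctx_paths(v, f"{prefix}.{i}")
    else:
        yield prefix, obj

# Constructed stand-in for what the query returns (ctx as the trigger sees it).
SAMPLE_CTX = {"monitor": {"name": "securityhub-forward-all"}, "results": [{"hits": {
    "total": {"value": 2}, "hits": [
        {"_index": "log-aws-securityhub-2022-07", "_id": "a1", "_source": {
            "AwsAccountId": "123456789012", "Region": "ap-southeast-1",
            "Severity": {"Label": "HIGH"},
            "Title": "Security groups should not allow ingress from 0.0.0.0/0 to port 22"}},
        {"_index": "log-aws-securityhub-2022-07", "_id": "a2", "_source": {
            "AwsAccountId": "123456789012", "Region": "us-east-1",
            "Severity": {"Label": "MEDIUM"},
            "Title": "S3 buckets should have server-side encryption enabled"}}]}}]}

if __name__ == "__main__":
    print(render(SLACK_MESSAGE, {"ctx": SAMPLE_CTX}))
```

Paste the JSON from the "Extraction query response" pane in as results[0] and ctx_paths() lists every usable variable, e.g. ctx.results.0.hits.hits.0._source.Region. Two caveats for the catch-all approach: the now-5m window on a 5-minute schedule only works if findings are indexed within that lag, and "size" bounds how many hits the message can enumerate, so a burst of findings larger than that is only counted, not listed.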

WilsonNeo commented 2 years ago

I think I got the hang of it after much trial and error. Managed to forward the findings/events to Slack. Thanks for your help.