elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Alerting] Conditional statement support for connectors #95622

Open Aqualie opened 3 years ago

Aqualie commented 3 years ago

Describe the feature: Presently, a security operator/administrator needs to develop multiple alert action templates for SIEM detection rules to provide detailed information tailored to specific rules. To use the prebuilt detection rules as an example, this can be a hassle to both develop and maintain, as the information available per rule can vary. As such, the common approach is to use a generic, non-detailed template that covers all of the available rules, while also including the result_link in the alert so that the analyst can simply bring up the alert to review all the relevant information and action the alert if necessary.

This feature would introduce support for if statements to perform decision-making, allowing a security operator/administrator to simply craft a single detailed template that can be applied to all detection rule actions. The if statement should have access, at minimum, to the information present at "/api/detection_engine/rules?id=", which includes tags, indices, name, id, etc., as well as the information available under "{{#context.alerts}}", which holds the JSON data that triggered the detection rule. Basic example below using a webhook connector:

{
    "title": "{{context.rule.name}}",
    "description": "{{context.rule.description}}",
    "creator": {
        "name": "{{alert.author}}",
        "profileImage": "https://kibana.com/favico.ico"
    },
    "createdUtc": "{{date.UTC}}",
    "viewUrl": "{{context.results_link}}",
    "properties": [
{{context.alerts.observer.hostname:* }} ## Exists
        {
            "key": "Hostname",
            "value": "{{#context.alerts}}{{observer.hostname}}\n{{/context.alerts}}"
        },
{{endif}}
{{context.alerts.observer.hostname: ["bob","frank"] }} ## Contains
        {
            "key": "Hostname",
            "value": "{{#context.alerts}}{{observer.hostname}}\n{{/context.alerts}}"
        },
{{endif}}
{{context.alerts.observer.hostname: "bob" }} ## Equals
        {
            "key": "Hostname",
            "value": "{{#context.alerts}}{{observer.hostname}}\n{{/context.alerts}}"
        },
{{endif}}
{{context.alerts.observer.hostname: "bob" AND (context.alerts.observer.hostname: "frank"  OR context.alerts.observer.hostname: "john")}} ## AND OR
        {
            "key": "Hostname",
            "value": "{{#context.alerts}}{{observer.hostname}}\n{{/context.alerts}}"
        },
{{endif}}
        {
            "key": "Footer",
            "value": "Kibana {{kibana.version}}"
        }
    ]
}
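As an added illustration of how the proposed blocks could be evaluated (example code written for this page, not Kibana's own templating), the following JavaScript implements the four condition forms from the example above (exists, contains, equals, AND/OR with parentheses) and applies them to a constructed alert document; the grammar it assumes is spelled out in the comments.

```javascript
// Added example (not Kibana code): reference evaluator for the conditional syntax proposed
// above. Assumed clause forms: path:* (exists), path: "v" (equals), path: ["a","b"] (contains),
// joined by AND / OR with parentheses, AND binding tighter. context.alerts.<field> is looked up
// in one alert document; nested ifs and ordinary {{tags}} are left to Kibana's Mustache renderer.
const getPath = (obj, path) => path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
function evalClause(clause, alert) {
  const m = /^\s*([\w.]+)\s*:\s*(.+?)\s*$/.exec(clause);
  if (!m) throw new Error('bad clause: ' + clause);
  const value = getPath(alert, m[1].replace(/^context\.alerts\./, ''));
  if (m[2] === '*') return value != null;                           // Exists
  const rhs = JSON.parse(m[2]);                                     // "str" or ["a","b"]
  return Array.isArray(rhs) ? rhs.includes(value) : rhs === value;  // Contains / Equals
}
// Recursive descent: or := and (OR and)* ; and := term (AND term)* ; term := '(' or ')' | clause
function evalCond(expr, alert) {
  let i = 0; const skip = () => { while (expr[i] === ' ') i++; };
  function term() {
    skip();
    if (expr[i] !== '(') {
      const m = /^.*?(?=\s+(?:AND|OR)\b|\s*\)|$)/.exec(expr.slice(i)); // clause runs to AND/OR/)
      i += m[0].length;
      return evalClause(m[0], alert);
    }
    i++; const v = or(); skip();
    if (expr[i++] !== ')') throw new Error('expected ) in: ' + expr);
    return v;
  }
  function and() {
    let v = term();
    for (skip(); expr.startsWith('AND', i); skip()) { i += 3; const t = term(); v = v && t; }
    return v;
  }
  function or() {
    let v = and();
    for (skip(); expr.startsWith('OR', i); skip()) { i += 2; const t = and(); v = v || t; }
    return v;
  }
  const result = or(); skip();
  if (i !== expr.length) throw new Error('trailing input in: ' + expr); return result;
}
// Keep the body of each "{{<cond>}} ## comment ... {{endif}}" block whose condition holds.
function renderConditionals(template, alert) {
  const block = /^\{\{(?![#\/])([^}]*:[^}]*)\}\}[^\n]*\n([\s\S]*?)^\{\{endif\}\}[^\n]*\n?/gm;
  return template.replace(block, (_, cond, body) => (evalCond(cond, alert) ? body : ''));
}
// Constructed two-block template in the shape of the issue's webhook example (not real data).
const TEMPLATE = '{{context.alerts.observer.hostname:* }} ## Exists\n  {"key": "Hostname"},\n{{endif}}\n' +
  '{{context.alerts.observer.hostname: ["bob","frank"] }} ## Contains\n  {"key": "Known host"},\n{{endif}}\n' +
  '  {"key": "Footer"}';
const renderFor = (hostname) => renderConditionals(TEMPLATE, { observer: { hostname } }); // constructed alert
```

Unquoted or nested values are rejected by the clause parser rather than guessed at, which is the behaviour a template author would want when a condition is mistyped.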
elasticmachine commented 3 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 3 years ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)