I have been trying to find any documentation or guideline regarding the customization of alerts generated by the security analytics plugin.
With the alerting plugin/monitor, I can customize the message in the trigger action; however, I have not found a similar option with security analytics, primarily to query the date for which it triggered the alert.
How about following this to create the alert: How to make security Analytics Rule Detection
That one suggests using the standard monitors. Since I am trying to leverage security analytics, I haven’t found a way to use the triggers from the monitors for that.
I need to forward Security Analytics alerts to a webhook. Within a trigger configuration inside a detector there is a notify message body like this:
Triggered alert condition:
Severity: 1 (Highest)
Threat detector: <>
Detector data sources:
Now, instead of modifying this message every time a new detector or new trigger is created, I need to generate the template itself. For one, I need JSON format for my webhook. And next, I want to include message details via Mustache scripts. None of that seems possible at the moment. I cannot even find the source of the template within the source code.
Any help would be appreciated.
True, there are no custom data source options in the Message body; I tried to include some custom index fields but couldn’t save the settings.
If you skip clicking on “Generate Message”, saving works as expected.
To bring more clarity to this, let me divide that into three issues:
No access to the template
Currently you can only modify the message AFTER creating the detector. If you have 100 detectors, you must apply your customization 100 times.
No choice of format
We are sending the information to our ticketing system via webhook. This should be quite a common scenario. Webhooks are processed by software, which usually benefits from formats like JSON.
No details from the source document (i.e. finding) can be immediately included.
In my analysis this is due to ctx.results being empty, as opposed to the general Alerting plugin where you can access ctx.results for details. Since that is done over there, I hope it can be included in Security Analytics, too. Therefore I opened a feature request here:
[FEATURE] Security Analytics: Inlcude findings as ctx.results · Issue #696 · opensearch-project/security-analytics · GitHub