Customizing Alert Security Analytics

gillesv · October 23, 2023, 7:48pm

Hi everyone,

I have been trying to find any documentation or guideline regarding the customization of alerts generated by the security analytics plugin.

The alerting plugin/monitor, I can customize the message in the trigger action, however, I have not found a similar option with the security analytics. Primarily to query the date for which it trigger the alert.

Thank you,

apaws06 · October 24, 2023, 4:22pm

How about to follow this to create the alert: How to make security Analytics Rule Detection

gillesv · October 25, 2023, 5:42am

That one is suggesting to use the standard monitors. Since I am trying to leverage the security analytics, I haven’t found a way to use the triggers from the monitors for that.

Thank you,

OpenAndreas · October 25, 2023, 1:55pm

Hello,

same here.

I need to forward Security Analytics alerts to a webhook. Within a trigger configuration inside a detector there is a notify message body like this:

Triggered alert condition:
Severity: 1 (Highest)
Threat detector: <>
Description:
Detector data sources:
<<some_index>>

Now, instead of modifying this message every time a new detector or new trigger is created, I need to generate the template itself. For one, I need JSON format for my webhook. And next, I want to include message details via Mustache scripts. None of that seems possible at the moment. I cannot even find the source of the template within the source code.

Any help would be appreciated.

Best regards,
Andreas

apaws06 · October 26, 2023, 1:40pm

True, no custom data source options in Message body as I tried to include some custom index fields but couldn’t save the settings.

OpenAndreas · October 27, 2023, 6:32am

If you omit clicking on “Generate Message” the saving works as expected.

OpenAndreas · October 27, 2023, 6:39am

To bring more clarity to this, let me divide that into three issues:

No access to the template
Currently you can only modify the message AFTER creating the detector. If you have 100 detectors, you must apply your customization a 100 times.
No choice of format
We are sending the information to our ticketing system via webhook. This should be a quite common scenario. Webhooks are processed by software, which usually benefits from formats like JSON.
No details form th source document (i.e. finding) can be immediately included.
In my analysis this is due to ctx.results being empty as opposed to the general Alerting where you can access ctx.results for details. Since that is done over there, I hope I can be included in Security Analytics, too. Therefore I opened a feature request here:
[FEATURE] Security Analytics: Inlcude findings as ctx.results · Issue #696 · opensearch-project/security-analytics · GitHub