Customizing Alert Security Analytics

Hi everyone,

I have been trying to find any documentation or guideline regarding the customization of alerts generated by the security analytics plugin.

The alerting plugin/monitor, I can customize the message in the trigger action, however, I have not found a similar option with the security analytics. Primarily to query the date for which it trigger the alert.

Thank you,

How about to follow this to create the alert: How to make security Analytics Rule Detection

That one is suggesting to use the standard monitors. Since I am trying to leverage the security analytics, I haven’t found a way to use the triggers from the monitors for that.

Thank you,


same here.

I need to forward Security Analytics alerts to a webhook. Within a trigger configuration inside a detector there is a notify message body like this:

Triggered alert condition:
Severity: 1 (Highest)
Threat detector: <>
Detector data sources:

Now, instead of modifying this message every time a new detector or new trigger is created, I need to generate the template itself. For one, I need JSON format for my webhook. And next, I want to include message details via Mustache scripts. None of that seems possible at the moment. I cannot even find the source of the template within the source code.

Any help would be appreciated.

Best regards,

True, no custom data source options in Message body as I tried to include some custom index fields but couldn’t save the settings.

If you omit clicking on “Generate Message” the saving works as expected.

To bring more clarity to this, let me divide that into three issues:

  1. No access to the template
    Currently you can only modify the message AFTER creating the detector. If you have 100 detectors, you must apply your customization a 100 times.

  2. No choice of format
    We are sending the information to our ticketing system via webhook. This should be a quite common scenario. Webhooks are processed by software, which usually benefits from formats like JSON.

  3. No details form th source document (i.e. finding) can be immediately included.
    In my analysis this is due to ctx.results being empty as opposed to the general Alerting where you can access ctx.results for details. Since that is done over there, I hope I can be included in Security Analytics, too. Therefore I opened a feature request here:
    [FEATURE] Security Analytics: Inlcude findings as ctx.results · Issue #696 · opensearch-project/security-analytics · GitHub

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.