Jira Action sending broken links on detection jobs

Balor · March 30, 2021, 3:18pm

Hello Elastic discuss,

Am on:
ECE 2.9.0
Elastic 7.12.

I have been using the Detection API to add actions to certain Detection jobs. I am using a Jira connector.

Am seeing this sort of behaviour in the action message body.

When using the "{{{context.results_link}}}" in the action message body, some detection jobs show the full url link with to be able to click to. But some do not, which then it will just show the broken link (paths of the link and not including the base kibana url).

Should show (seen on some rules):
https://{kibana-base-url}:{kibana-port}/app/security/detections/rules/id/{rule-id}

See in broken links:
/app/security/detections/rules/id/{rule-id}

In all instances the input used in the message body to display this link when the alert is actioned is:
{{{context.results_link}}}

Across all boards, the message template that is being used for the action alert message is below:

The {{alertName}} has been activated. 

Alert Result Link: {{{context.results_link}}}
Alert Severity: {{context.rule.severity}}
Alert Threat: {{context.rule.threat}}

Is there a work around to this? or would this be a thing that would been to do done manually when after adding this action via the API? Is there a difference in the behaviour of actions when using ML detection jobs to query jobs?

Below is a GitHub issue that has been noted:

[Security Solution][Detections] Rule context.results_link can become stale with no clear way to update · Issue #92344 · elastic/kibana · GitHub

Thanks!

austinsonger · April 1, 2021, 5:01pm

Balor:

Hello Elastic discuss,

Am on:
ECE 2.9.0
Elastic 7.12.

I have been using the Detection API to add actions to certain Detection jobs. I am using a Jira connector.

Am seeing this sort of behaviour in the action message body.

When using the " {{{context.results_link}}} " in the action message body, some detection jobs show the full url link with to be able to click to. But some do not, which then it will just show the broken link (paths of the link and not including the base kibana url).

Should show (seen on some rules):
https://{kibana-base-url}:{kibana-port}/app/security/detections/rules/id/{rule-id}

See in broken links:
/app/security/detections/rules/id/{rule-id}

In all instances the input used in the message body to display this link when the alert is actioned is:
{{{context.results_link}}}

Across all boards, the message template that is being used for the action alert message is below:

Copy to clipboard
The {{alertName}} has been activated. 

Alert Result Link: {{{context.results_link}}}
Alert Severity: {{context.rule.severity}}
Alert Threat: {{context.rule.threat}}
Is there a work around to this? or would this be a thing that would been to do done manually when after adding this action via the API? Is there a difference in the behaviour of actions when using ML detection jobs to query jobs?

Below is a GitHub issue that has been noted:

[Security Solution][Detections] Rule context.results_link can become stale with no clear way to update · Issue #92344 · elastic/kibana · GitHub

Thanks!

If you use JIRA Wiki Rendering parameters and I never get broke links like the following screenshot. Also I load pre-built rules and then I duplicate all of the rules and then delete the pre-built rules under Elastic Rules. So it will appear like the following. Elastic Rules (0) Custom Rules (480)

Jira has their own “markdown” variant, they also probably do some “linkification”, it also probably has some “issues”, and it can probably/usually be worked around by not using auto-linkification, but the specific link format prescribed by the rendering engine.

Elastic SIEM Connector to JIRA Service Desk Template #JIRA #Elastic · GitHub

system · April 29, 2021, 5:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.