From previous discussion on html rendering of emails with markdown, I mentioned we had "linkification" turned on, and I'm guessing that is what is doing this, since ... I guess they could be hostnames.
For mustache templates that you are creating, I'm guessing that if you placed some back-ticks ( ` ) before and after the variable reference (before {{ and after }}), the linkifier may be smart enough to know not to linkify those.
I think we'll have to add an option to email to allow the linkification to be turned off. I'll open an issue on this and post it back here ...
For that super-long link, I'd guess it's likely hopeless to get these auto-linkified correctly. Did that come from one of our existing alerting templates, or one of your own? Because I'd suggest converting that to an explicit markdown link instead, for example [Results link](long-url-here). I can open an issue for the security alert though, if that's the default template it provides.
The error (with the stack walkback) you're seeing when traversing the link seems like a separate issue - it's just not handling "incorrect" URLs well. I'll open a separate issue on that.
Thanks for making the GH Issues and the recommendations. I think the super long link is a SIEM rule reference, I'm gonna have to take a good look if I can nest the rule references into Results link.
Fyi, this is the current configuration I'm using for our SIEM alerts. It's quite generic and can be used for both threshold and query rules. It does need to be further tested on anomaly rules though and there is a small issue with multiple filters I need to fix.
Elastic SIEM **{{context.rule.severity}}** (**{{context.rule.risk_score}}**) severity alert triggered at **{{date}}** for rule **{{alertName}}**!
{{state.signals_count}} signals found. ({{context.rule.max_signals}} max)
{{context.rule.description}}
This is a *{{context.rule.type}}* *{{context.rule.language}}* rule with query *{{context.rule.query}}*
{{#context.rule.threshold}}
and threshold *{{.}}*
{{/context.rule.threshold}}
{{^context.rule.threshold}}
{{/context.rule.threshold}}
{{#context.rule.filters}}
and filters *{{.}}*
{{/context.rule.filters}}
{{^context.rule.filters}}
{{/context.rule.filters}}
{{#context.rule.false_positives}}
False positives: *{{.}}*
{{/context.rule.false_positives}}
{{^context.rule.false_positives}}
{{/context.rule.false_positives}}
References:
{{#context.rule.references}}
{{.}}
{{/context.rule.references}}
{{^context.rule.references}}
No references found for this rule.
{{/context.rule.references}}
Something I would really love to see added into the SIEM alerting is a way to provide default email templates. Currently when I need to make a change I have to reconfigure 100's of rules...
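To dry-run the alert template posted above before pushing it to hundreds of rules, here is an added example (not Kibana's or Elastic's code) with a small Mustache-subset renderer in Python. It supports only the constructs the template uses: `{{var}}` with dotted names, `{{.}}`, `{{#section}}` over lists and truthy values, and `{{^inverted}}` for empty or missing values. The rule context is constructed for the example, and it is an assumption that the real `context.rule.*` and `state.*` values have the shapes used here; the Mustache spec's standalone-line whitespace trimming is left out, so section tags leave blank lines behind, and `{{var}}` output is HTML-escaped as the Mustache spec requires.

```python
import copy
import html
import re

# Matches {{name}}, {{.}}, {{#name}}, {{^name}} and {{/name}}
TAG = re.compile(r"\{\{([#^/]?)\s*([\w.]+)\s*\}\}")

# The template from the thread (typo in "False positives" fixed).
ALERT_TEMPLATE = """Elastic SIEM **{{context.rule.severity}}** (**{{context.rule.risk_score}}**) severity alert triggered at **{{date}}** for rule **{{alertName}}**!
{{state.signals_count}} signals found. ({{context.rule.max_signals}} max)
{{context.rule.description}}
This is a *{{context.rule.type}}* *{{context.rule.language}}* rule with query *{{context.rule.query}}*
{{#context.rule.threshold}}
and threshold *{{.}}*
{{/context.rule.threshold}}
{{#context.rule.filters}}
and filters *{{.}}*
{{/context.rule.filters}}
{{#context.rule.false_positives}}
False positives: *{{.}}*
{{/context.rule.false_positives}}
References:
{{#context.rule.references}}
{{.}}
{{/context.rule.references}}
{{^context.rule.references}}
No references found for this rule.
{{/context.rule.references}}
"""

# Constructed sample context; field shapes are an assumption, not Kibana's real payload.
SAMPLE_CONTEXT = {
    "date": "2021-03-01T10:00:00Z",
    "alertName": "Example rule",
    "state": {"signals_count": 3},
    "context": {"rule": {
        "severity": "high", "risk_score": 73, "max_signals": 100,
        "description": "Detects interactive root logins.",
        "type": "query", "language": "kuery",
        "query": "event.action:login and user.name:root",
        "threshold": None,                   # falsy: the threshold section is skipped
        "filters": [],                       # empty list: nothing rendered
        "false_positives": ["Admin maintenance windows"],
        "references": ["https://example.invalid/ref/1"],
    }},
}


def sample_context(**rule_overrides):
    """Deep copy of SAMPLE_CONTEXT with selected context.rule.* fields replaced."""
    ctx = copy.deepcopy(SAMPLE_CONTEXT)
    ctx["context"]["rule"].update(rule_overrides)
    return ctx


def _lookup(stack, name):
    """Resolve a dotted name against the context stack, innermost scope first."""
    if name == ".":
        return stack[-1]
    for ctx in reversed(stack):
        cur = ctx
        for part in name.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            else:
                break
        else:
            return cur
    return None


def _find_close(template, name, start):
    """Return (start, end) of the {{/name}} that closes the section opened before `start`."""
    depth, pos = 1, start
    while True:
        m = TAG.search(template, pos)
        if m is None:
            raise ValueError(f"unclosed section {name!r}")
        kind, tag = m.group(1), m.group(2)
        if tag == name:
            if kind in ("#", "^"):
                depth += 1
            elif kind == "/":
                depth -= 1
                if depth == 0:
                    return m.start(), m.end()
        pos = m.end()


def _render(template, stack):
    out, pos = [], 0
    while True:
        m = TAG.search(template, pos)
        if m is None:
            out.append(template[pos:])
            return "".join(out)
        out.append(template[pos:m.start()])
        kind, name = m.group(1), m.group(2)
        if kind == "":
            val = _lookup(stack, name)
            out.append("" if val is None else html.escape(str(val)))  # spec: {{var}} is escaped
            pos = m.end()
            continue
        if kind == "/":
            raise ValueError(f"unexpected close tag {name!r}")
        close_start, close_end = _find_close(template, name, m.end())
        body = template[m.end():close_start]
        val = _lookup(stack, name)
        if kind == "#":
            items = val if isinstance(val, list) else ([val] if val else [])
            for item in items:                       # each item becomes {{.}} inside the body
                out.append(_render(body, stack + [item]))
        elif not val:                                # "^": render once for missing/falsy/empty
            out.append(_render(body, stack))
        pos = close_end


def render(template, context):
    return _render(template, [context])


def render_alert(context=None):
    return render(ALERT_TEMPLATE, context or SAMPLE_CONTEXT)


if __name__ == "__main__":
    print(render_alert())
    print(render_alert(sample_context(references=[])))
```

Running it with the default context prints the severity, score and query lines with the threshold line absent; rendering again with `references=[]` exercises the inverted section and prints "No references found for this rule." instead of the list.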