Link recognition in Elastic Detections emails seem wrong and confusing

Hello,

While working with Elastic Emails alerts on detections, I've noticed several misrecognized links. For example:

image

In the above example user.name is suddenly a link.., while this is just a part of a query.

image

Another issue seems that url's with large links are not complete:

Resulting in:

Best regards,

Willem

Hi, what does the email action in your watch definition look like?

There are different ways to set the text body: body, body.text and body.html

The definition may mistakenly have body or body.html when it should be body.text

Hi @tsullivan

My issue is about Kibana alerting, not Elastic watches.

Grtz

Willem

Hello again @willemdh !

From previous discussion on html rendering of emails with markdown, I mentioned we had "linkification" turned on, and I'm guessing that is what is doing this, since ... I guess they could be hostnames.

For mustache templates that you are creating, I'm guessing that if you replaced but some back-tics ( ` ) before and after the variable reference (before {{ and after }}, the linkifier may be smart enough to know not to linkify those.

I think we'll have to add an option to email to allow the linkification to be turned off. I'll open an issue on this and post it back here ...

For that super-long link, I'd guess it's likely hopeless to get these auto-linkified correctly. Did that come from one of our existing alerting templates, or one of your own? Because I'd suggest to convert that to an explicit markdown link instead, for example [Results link](long-url-here). I can open an issue for the security alert though, if it's that's the default template it provides.

The error (with the stack walkback) you're seeing when traversing the link seems like a separate issue - it's just not handling "incorrect" URLs well. I'll open a separate issue on that.

Issue opened to look into the auto-linkification in emails: [actions] allow email auto-linkification to be turned off · Issue #94963 · elastic/kibana · GitHub

1 Like

Just opened this issue for the stack walkback you saw: error traversing malformed link into security from an action email · Issue #94967 · elastic/kibana · GitHub

1 Like

Hi @Patrick_Mueller,

Thanks for making the GH Issues and the recommendations. I think the super long link is a SIEM rule reference, I'm gonna have to take a good look if I can nest the rule references into Results link.

Fyi, this is the current configuration I'm using for our SIEM alerts. It's quite generic and can be used for both threshold and query rules. It does need to be further tested on anomaly rules though and there is a small issue with multiple filters I need to fix.

Elastic SIEM **{{context.rule.severity}}** (**{{context.rule.risk_score}}**) severity alert triggered at **{{date}}** for rule **{{alertName}}**!

{{state.signals_count}}  signals found. ({{context.rule.max_signals}} max)

{{context.rule.description}}

This is a *{{context.rule.type}}* *{{context.rule.language}}* rule with query *{{context.rule.query}}*

{{#context.rule.threshold}}
and threshold *{{.}}*
{{/context.rule.threshold}}
{{^context.rule.threshold}}
{{/context.rule.threshold}}

{{#context.rule.filters}}
and filters *{{.}}*
{{/context.rule.filters}}
{{^context.rule.filters}}
{{/context.rule.filters}}

{{#context.rule.false_positives}}
False postitives: *{{.}}*
{{/context.rule.false_positives}}
{{^context.rule.false_positives}}
{{/context.rule.false_positives}}

References:

{{#context.rule.references}}
{{.}}

{{/context.rule.references}}
{{^context.rule.references}}
No references found for this rule.

{{/context.rule.references}}

Something I would really love to see added into the SIEM alerting is a way to provide default email templates. Currently when I need to make a change I have to reconfigure 100's of rules... :frowning:

Best regards,

Willem

Thanks, I've opened an issue to track this: [alerting] customer-managed action parameter templates · Issue #95049 · elastic/kibana · GitHub

1 Like