Link recognition in Elastic Detections emails seems wrong and confusing

Hello,

While working with Elastic Emails alerts on detections, I've noticed several misrecognized links. For example:

image

In the above example user.name is suddenly a link, while this is just part of a query.

image

Another issue seems to be that URLs with large links are not complete:

Resulting in:

Best regards,

Willem

Hi, what does the email action in your watch definition look like?

There are different ways to set the text body: body, body.text and body.html

The definition may mistakenly have body or body.html when it should be body.text

Hi @tsullivan

My issue is about Kibana alerting, not Elastic watches.

Grtz

Willem

Hello again @willemdh !

From previous discussion on html rendering of emails with markdown, I mentioned we had "linkification" turned on, and I'm guessing that is what is doing this, since ... I guess they could be hostnames.

For mustache templates that you are creating, I'm guessing that if you placed some backticks ( ` ) before and after the variable reference (before {{ and after }}), the linkifier may be smart enough to know not to linkify those.

I think we'll have to add an option to email to allow the linkification to be turned off. I'll open an issue on this and post it back here ...

For that super-long link, I'd guess it's likely hopeless to get these auto-linkified correctly. Did that come from one of our existing alerting templates, or one of your own? Because I'd suggest to convert that to an explicit markdown link instead, for example [Results link](long-url-here). I can open an issue for the security alert though, if that's the default template it provides.

The error (with the stack walkback) you're seeing when traversing the link seems like a separate issue - it's just not handling "incorrect" URLs well. I'll open a separate issue on that.

Issue opened to look into the auto-linkification in emails: [actions] allow email auto-linkification to be turned off · Issue #94963 · elastic/kibana · GitHub


Just opened this issue for the stack walkback you saw: error traversing malformed link into security from an action email · Issue #94967 · elastic/kibana · GitHub


Hi @Patrick_Mueller,

Thanks for making the GH Issues and the recommendations. I think the super long link is a SIEM rule reference, I'm gonna have to take a good look if I can nest the rule references into Results link.

Fyi, this is the current configuration I'm using for our SIEM alerts. It's quite generic and can be used for both threshold and query rules. It does need to be further tested on anomaly rules though and there is a small issue with multiple filters I need to fix.

Elastic SIEM **{{context.rule.severity}}** (**{{context.rule.risk_score}}**) severity alert triggered at **{{date}}** for rule **{{alertName}}**!

{{state.signals_count}} signals found. ({{context.rule.max_signals}} max)

{{context.rule.description}}

This is a *{{context.rule.type}}* *{{context.rule.language}}* rule with query *{{context.rule.query}}*

{{#context.rule.threshold}}
and threshold *{{.}}*
{{/context.rule.threshold}}
{{^context.rule.threshold}}
{{/context.rule.threshold}}

{{#context.rule.filters}}
and filters *{{.}}*
{{/context.rule.filters}}
{{^context.rule.filters}}
{{/context.rule.filters}}

{{#context.rule.false_positives}}
False positives: *{{.}}*
{{/context.rule.false_positives}}
{{^context.rule.false_positives}}
{{/context.rule.false_positives}}

References:

{{#context.rule.references}}
{{.}}

{{/context.rule.references}}
{{^context.rule.references}}
No references found for this rule.

{{/context.rule.references}}

Something I would really love to see added into the SIEM alerting is a way to provide default email templates. Currently when I need to make a change I have to reconfigure hundreds of rules... :frowning:

Best regards,

Willem
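As an added example (not part of the thread, and not Elastic's or Kibana's code): a small Python renderer for the Mustache subset the template above uses (variables, `{{.}}`, sections over lists and scalars, inverted sections, and `{{{ }}}` for unescaped output), applied to a constructed rule context. The template it renders is the one from the post with the two changes suggested earlier in the thread: the query is wrapped in backticks so an auto-linkifier treats it as inline code rather than hunting for hostnames like user.name, and each rule reference becomes an explicit Markdown link instead of a bare long URL. The context values are made up, the renderer does no partials or standalone-line stripping, and its HTML escaping is standard Mustache behaviour rather than a claim about what Kibana's email action does, so whitespace and escaping in real emails may differ.

```python
import html
import re

# Constructed alert context (made up for this demo) with the fields the
# template reads: alertName, date, state.signals_count and context.rule.*.
SAMPLE_CONTEXT = {
    "alertName": "Suspicious service-account login",
    "date": "2021-03-18T10:15:00Z",
    "state": {"signals_count": 3},
    "context": {"rule": {
        "severity": "high", "risk_score": 73, "max_signals": 100,
        "type": "query", "language": "kuery",
        "query": 'event.category: "authentication" and user.name: svc_*',
        "threshold": None,
        "false_positives": ["Scheduled maintenance windows"],
        "references": [
            "https://example.com/docs/service-accounts",
            "https://example.com/kb/logins?rule=1&long=" + "x" * 40,
        ],
    }},
}

# The thread's template with two changes: the query sits in backticks (inline
# code, so an auto-linkifier leaves user.name alone) and each reference is an
# explicit Markdown link. Triple mustaches skip HTML escaping for query and URLs.
TEMPLATE = """\
Elastic SIEM **{{context.rule.severity}}** (**{{context.rule.risk_score}}**) severity alert triggered at **{{date}}** for rule **{{alertName}}**!

{{state.signals_count}} signals found. ({{context.rule.max_signals}} max)

This is a *{{context.rule.type}}* *{{context.rule.language}}* rule with query `{{{context.rule.query}}}`
{{#context.rule.threshold}}and threshold *{{.}}*{{/context.rule.threshold}}
{{#context.rule.false_positives}}False positives: *{{.}}*
{{/context.rule.false_positives}}
References:
{{#context.rule.references}}- [Reference]({{{.}}})
{{/context.rule.references}}{{^context.rule.references}}No references found for this rule.{{/context.rule.references}}
"""

# {{{raw}}} first, then {{#section}}, {{^inverted}}, {{/end}} or a plain {{var}}.
TAG = re.compile(r"\{\{\{\s*(.+?)\s*\}\}\}|\{\{\s*([#^/]?)\s*(.+?)\s*\}\}")


def tokenize(template):
    """Split the template into (kind, value) tokens."""
    tokens, pos = [], 0
    for m in TAG.finditer(template):
        if m.start() > pos:
            tokens.append(("text", template[pos:m.start()]))
        if m.group(1) is not None:
            tokens.append(("raw", m.group(1)))
        else:
            kind = {"#": "section", "^": "inverted", "/": "end"}.get(m.group(2), "var")
            tokens.append((kind, m.group(3)))
        pos = m.end()
    if pos < len(template):
        tokens.append(("text", template[pos:]))
    return tokens


def parse(tokens, i=0, close=None):
    """Build a tree: (kind, name, body) nodes; sections carry their body."""
    nodes = []
    while i < len(tokens):
        kind, val = tokens[i]
        if kind == "end":
            if val != close:
                raise ValueError("unexpected closing tag for " + val)
            return nodes, i + 1
        if kind in ("section", "inverted"):
            body, i = parse(tokens, i + 1, close=val)
            nodes.append((kind, val, body))
        else:
            nodes.append((kind, val, None))
            i += 1
    if close is not None:
        raise ValueError("unclosed section " + close)
    return nodes, i


def lookup(name, stack):
    """Resolve '.' or a dotted name against the context stack, innermost first."""
    if name == ".":
        return stack[-1]
    for ctx in reversed(stack):
        cur, found = ctx, True
        for part in name.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            else:
                found = False
                break
        if found:
            return cur
    return None


def render_nodes(nodes, stack):
    out = []
    for kind, val, body in nodes:
        if kind == "text":
            out.append(val)
        elif kind in ("var", "raw"):
            v = lookup(val, stack)
            text = "" if v is None else str(v)
            out.append(html.escape(text, quote=True) if kind == "var" else text)
        elif kind == "section":
            v = lookup(val, stack)
            if isinstance(v, list):            # repeat once per item, item as context
                out.extend(render_nodes(body, stack + [item]) for item in v)
            elif v:                             # truthy scalar/dict: render once
                out.append(render_nodes(body, stack + [v]))
        elif kind == "inverted":
            if not lookup(val, stack):          # None, empty list, 0, "" -> render
                out.append(render_nodes(body, stack))
    return "".join(out)


def render(template, context):
    nodes, _ = parse(tokenize(template))
    return render_nodes(nodes, [context])


def render_alert_email(context=SAMPLE_CONTEXT):
    return render(TEMPLATE, context)


if __name__ == "__main__":
    print(render_alert_email())
```

Two things the rendered output makes visible that the template alone does not: a `None` threshold and an empty filters list both drop their section silently, so an inverted section is only needed when you want a fallback line, and a URL containing `&` survives only through `{{{.}}}`; through `{{.}}` it would be HTML-escaped inside the Markdown link target.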

Thanks, I've opened an issue to track this: [alerting] customer-managed action parameter templates · Issue #95049 · elastic/kibana · GitHub

