Send index information to Jira when a detection is triggered

Hi, community! I hope you're doing great!

I'm struggling with some issues sending the correct information to Jira from rule actions.

When I configure a new detection, I want to send some fields of the detection that are not part of the signal and rule description to Jira.

For example, I obtain the following JSON in the detection, which includes the rule information and the index data associated with that detection:

{
  "_id": "1192046112c6e1c468edba5c1202cb4af6cfb406f5d3914d2b9688dc4a0d9618",
  "_index": ".siem-signals-default-000001",
  "_score": "1",
  "_type": "_doc",
  "@timestamp": "2021-04-09T20:28:46.606Z",
  "@version": "1",
  "advisory_createdAt": "2020-11-02T14:30:46Z",
  "createdAt": "2019-05-11T01:34:22Z",
  "databaseId": "744",
  "description": "aware of a denial of service vulnerability",
  "ecosystem": "NUGET",
  "event": {
    "kind": "signal"
  },
  "nameWithOwner": "Bob",
  "severity": "MODERATE",
  "signal": {
    "_meta": {
      "version": "14"
    },
    "ancestors": "{\"id\":\"_jhSuHgBxz-xmoFeLcsh\",\"type\":\"event\",\"index\":\"vulnerabilities\",\"depth\":0}",
    "depth": "1",
    "original_time": "2021-04-09T20:28:16.325Z",
    "parent": {
      "depth": "0",
      "id": "_jhSuHgBxz-xmoFeLcdh",
      "index": "vulnerabilities",
      "type": "event"
    },
    "parents": "{\"id\":\"_jhSuHgBxz-xmoFeLfsh\",\"type\":\"event\",\"index\":\"vulnerabilities\",\"depth\":0}",
    "rule": {
      "actions": "",
      "author": "",
      "created_at": "2021-04-09T17:16:20.566Z",
      "created_by": "elastic",
      "description": "new vulnerabilities",
      "enabled": "true",
      "exceptions_list": "",
      "false_positives": "",
      "filters": "",
      "from": "now-120s",
      "id": "4d222560-9957-11eb-8ae3-8f61beeae94c",
      "immutable": "false",
      "index": "vulnerabilities",
      "interval": "1m",
      "language": "kuery",
      "license": "",
      "max_signals": "100",
      "meta": {
        "from": "1m",
        "kibana_siem_app_url": "https://localhost:5601/app/security"
      },
      "name": "new vulnerabilities detected",
      "output_index": ".siem-signals-default",
      "query": "databaseId : *",
      "references": "",
      "risk_score": "21",
      "risk_score_mapping": "",
      "rule_id": "015d49b4-3558-4464-a153-de6d3fa4d5ff",
      "severity": "low",
      "severity_mapping": "",
      "tags": "",
      "threat": "",
      "to": "now",
      "type": "query",
      "updated_at": "2021-04-09T20:27:44.663Z",
      "updated_by": "elastic",
      "version": "1"
    },
    "status": "open"
  },
  "summary": "Moderate severity vulnerability that affects Kestrel.Core",
  "vulnerableVersionRange": ">= 2.0.0"
}

So I understand that I can send the following variables to Jira, which are part of the rule information:

Rule: {{context.rule.name}}

Description: {{context.rule.description}}
Severity: {{context.rule.severity}}

For this example, they would have the following values:

Rule: "new vulnerabilities detected"

Description: "new vulnerabilities"
Severity: "low"

So what I'm trying to achieve is to send more data than the rule information; this would include data from the detected index. In this example, I would like to send the following message to Jira:

Rule: "new vulnerabilities detected"

Description: "new vulnerabilities"
Severity: "low"
summary: "Moderate severity vulnerability that affects Kestrel.Core",
vulnerableVersionRange: ">= 2.0.0"

Is it possible to do that? How could I achieve that?

Thank you in advance!

Like this?

- *Number of Alerts*: {{state.signals_count}}
- *Risk score*: {{context.rule.risk_score}}
- *Severity*: {{context.rule.severity}}

h2. Rule Details
[View Detection Alert|{{{context.results_link}}}]
- *Rule Description*: {quote}{{context.rule.description}}{quote}
- *Rule Query*: {quote}{{context.rule.query}}{quote}

h2. Source
{{#context.alerts}}
- *Source IP Address*: {noformat}{{source.ip}}{noformat}
- *Source Port*: {noformat}{{source.port}}{noformat}
{{/context.alerts}}

h2. Destination
{{#context.alerts}}
- *Destination IP Address*: {noformat}{{destination.ip}}{noformat}
- *Destination Port*: {noformat}{{destination.port}}{noformat}
{{/context.alerts}}

h3. Process
{{#context.alerts}}
- *Hash MD5*: {noformat}{{process.hash.md5}}{noformat}
- *Hash SHA1*: {noformat}{{process.hash.sha1}}{noformat}
- *Hash SHA256*: {noformat}{{process.hash.sha256}}{noformat}
- *Process Name*: {noformat}{{process.name}}{noformat}
- *Process Parent Executable*: {noformat}{{process.parent.executable}}{noformat}
- *Process Parent Name*: {noformat}{{process.parent.name}}{noformat}
{{/context.alerts}}

h3. File
{{#context.alerts}}
- *File Name*: {noformat}{{file.name}}{noformat}
- *File Owner*: {noformat}{{file.owner}}{noformat}
- *File Path*: {noformat}{{file.path}}{noformat}
- *File Size*: {noformat}{{file.size}}{noformat}
- *File Target Path*: {noformat}{{file.target_path}}{noformat}
- *File Type*: {noformat}{{file.type}}{noformat}
{{/context.alerts}}

Here is my setup on GitHub: Elastic SIEM Connector to JIRA Service Desk Template #JIRA #Elastic (github.com)

Here is a list of fields you can use in this manner:
FIELDS | Elastic (elk.wiki)

Thank you very much @austinsonger!!! That was the answer I was searching for! Do you know how I could add more fields to the ECS, so I can send the values to Jira?

I was able to send them without needing the ECS mapping. Replicating the example, it would be:

Rule: {{context.rule.name}}

Description: {{context.rule.description}}
Severity: {{context.rule.severity}}

{{#context.alerts}}
{{summary}}
{{vulnerableVersionRange}}
{{/context.alerts}}

in the Jira message field. With this, you should be able to pass the values of the fields from the documents that triggered the detection.

Hope that this works!
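An added example, not code from this thread, from Kibana or from the linked GitHub template: Kibana expands action parameters as Mustache templates, and the templates in both answers above depend on the `{{#context.alerts}}...{{/context.alerts}}` section to reach fields of the source documents. The JavaScript below is a small Mustache-subset renderer that expands such a template against a constructed alert context, so the Jira description can be previewed before the action is enabled. It also shows the one caveat worth checking before trusting the template: the Mustache spec HTML-escapes `{{var}}` output, so under a spec-conforming renderer `{{vulnerableVersionRange}}` comes out as `&gt;= 2.0.0` while `{{{vulnerableVersionRange}}}` keeps the `>=`. Whether Kibana applies that escaping to a given connector's fields is version- and connector-dependent, so fire the action on one alert and look at the ticket. The context shape, the placeholder results link and the second alert are assumptions for the example.

```javascript
// Added example (not from the thread or from Kibana): a Mustache-subset renderer
// covering what the templates above use: {{var}} (HTML-escaped, per the Mustache
// spec), {{{var}}} (raw), dotted paths and {{#name}}...{{/name}} sections that
// iterate arrays. Inverted sections, partials, comments and standalone-line trimming are omitted.

const TAG = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([#\/]?)\s*([\w.]+)\s*\}\}/g;
function tokenize(template) {
  const tokens = [];
  let last = 0;
  for (const m of template.matchAll(TAG)) {
    if (m.index > last) tokens.push({ type: 'text', value: template.slice(last, m.index) });
    if (m[1] !== undefined) tokens.push({ type: 'var', name: m[1], raw: true });
    else tokens.push({ type: m[2] === '#' ? 'open' : m[2] === '/' ? 'close' : 'var', name: m[3], raw: false });
    last = m.index + m[0].length;
  }
  if (last < template.length) tokens.push({ type: 'text', value: template.slice(last) });
  return tokens;
}

// Build a tree; a mismatched or unclosed section is a template bug, so fail loudly.
function parse(template) {
  const root = { children: [] }, stack = [root];
  for (const t of tokenize(template)) {
    const top = stack[stack.length - 1];
    if (t.type === 'open') {
      stack.push({ type: 'section', name: t.name, children: [] });
      top.children.push(stack[stack.length - 1]);
    } else if (t.type === 'close') {
      if (stack.length === 1 || top.name !== t.name) throw new Error(`unexpected {{/${t.name}}}`);
      stack.pop();
    } else top.children.push(t);
  }
  if (stack.length > 1) throw new Error(`unclosed section {{#${stack[stack.length - 1].name}}}`);
  return root.children;
}

// Mustache name resolution: innermost frame that has the head of the dotted path wins.
// This is what makes {{summary}} inside {{#context.alerts}} resolve against each alert.
function lookup(stack, path) {
  const parts = path.split('.');
  for (let i = stack.length - 1; i >= 0; i--) {
    let cur = stack[i];
    if (cur === null || typeof cur !== 'object' || !(parts[0] in cur)) continue;
    for (const p of parts) {
      if (cur === null || typeof cur !== 'object' || !(p in cur)) return undefined;
      cur = cur[p];
    }
    return cur;
  }
  return undefined;
}
const escapeHtml = (v) =>
  String(v).replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

function renderNodes(nodes, stack) {
  let out = '';
  for (const n of nodes) {
    if (n.type === 'text') { out += n.value; continue; }
    const v = lookup(stack, n.name);
    if (n.type === 'var') {
      if (v !== undefined && v !== null) out += n.raw ? String(v) : escapeHtml(v);
      continue;
    }
    if (!v || (Array.isArray(v) && v.length === 0)) continue; // falsy or empty list: skip the section
    for (const item of Array.isArray(v) ? v : [v]) {
      const frame = item !== null && typeof item === 'object' ? [...stack, item] : stack;
      out += renderNodes(n.children, frame);
    }
  }
  return out;
}
const render = (template, view) => renderNodes(parse(template), [view]);

// Constructed action context (an assumption) shaped like the variables a detection rule
// exposes to its actions. The first alert copies the post's document; the second is made up.
const ALERT_CONTEXT = {
  state: { signals_count: 2 },
  context: {
    rule: { name: 'new vulnerabilities detected', description: 'new vulnerabilities', severity: 'low', risk_score: 21 },
    results_link: 'https://localhost:5601/app/security', // placeholder, not a real results link
    alerts: [
      { summary: 'Moderate severity vulnerability that affects Kestrel.Core', vulnerableVersionRange: '>= 2.0.0' },
      { summary: 'High severity vulnerability that affects Example.Lib', vulnerableVersionRange: '< 1.4.2' },
    ],
  },
};

// The thread's final template, with the version range emitted both ways to expose the escaping difference.
const JIRA_TEMPLATE = [
  'Rule: {{context.rule.name}}',
  'Description: {{context.rule.description}}',
  'Severity: {{context.rule.severity}} (risk score {{context.rule.risk_score}})',
  'Alerts: {{state.signals_count}}',
  '[View Detection Alert|{{{context.results_link}}}]',
  '{{#context.alerts}}- *Summary*: {{summary}}',
  '- *Vulnerable range (escaped)*: {{vulnerableVersionRange}}',
  '- *Vulnerable range (raw)*: {{{vulnerableVersionRange}}}',
  '{{/context.alerts}}',
].join('\n');
const renderJiraDescription = (view = ALERT_CONTEXT) => render(JIRA_TEMPLATE, view);
console.log(renderJiraDescription());
```

Running it prints one `*Summary*`/range pair per alert, which is the behaviour the `{{#context.alerts}}` section gives you in the real action: every document that matched the rule in that execution is rendered, not just the first. Document-derived values land verbatim in Jira wiki markup, so a field containing `*`, `{` or `|` can change how the ticket renders; that is a reason to keep such values inside `{noformat}` blocks as the first answer's template does.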
