Hi, community! I hope you're doing great!
I'm struggling with some issues sending the correct information to Jira in rule actions.
When I configure a new detection, I want to send some fields of the detection that are not part of the signal and rule description to Jira.
For example, I obtain the following JSON in the detection, which includes the rule information and the index data associated with that detection:
{
  "_id": "1192046112c6e1c468edba5c1202cb4af6cfb406f5d3914d2b9688dc4a0d9618",
  "_index": ".siem-signals-default-000001",
  "_score": "1",
  "_type": "_doc",
  "@timestamp": "2021-04-09T20:28:46.606Z",
  "@version": "1",
  "advisory_createdAt": "2020-11-02T14:30:46Z",
  "createdAt": "2019-05-11T01:34:22Z",
  "databaseId": "744",
  "description": "aware of a denial of service vulnerability",
  "ecosystem": "NUGET",
  "event": {
    "kind": "signal"
  },
  "nameWithOwner": "Bob",
  "severity": "MODERATE",
  "signal": {
    "_meta": {
      "version": "14"
    },
    "ancestors": "{\"id\":\"_jhSuHgBxz-xmoFeLcsh\",\"type\":\"event\",\"index\":\"vulnerabilities\",\"depth\":0}",
    "depth": "1",
    "original_time": "2021-04-09T20:28:16.325Z",
    "parent": {
      "depth": "0",
      "id": "_jhSuHgBxz-xmoFeLcdh",
      "index": "vulnerabilities",
      "type": "event"
    },
    "parents": "{\"id\":\"_jhSuHgBxz-xmoFeLfsh\",\"type\":\"event\",\"index\":\"vulnerabilities\",\"depth\":0}",
    "rule": {
      "actions": "",
      "author": "",
      "created_at": "2021-04-09T17:16:20.566Z",
      "created_by": "elastic",
      "description": "new vulnerabilities",
      "enabled": "true",
      "exceptions_list": "",
      "false_positives": "",
      "filters": "",
      "from": "now-120s",
      "id": "4d222560-9957-11eb-8ae3-8f61beeae94c",
      "immutable": "false",
      "index": "vulnerabilities",
      "interval": "1m",
      "language": "kuery",
      "license": "",
      "max_signals": "100",
      "meta": {
        "from": "1m",
        "kibana_siem_app_url": "https://localhost:5601/app/security"
      },
      "name": "new vulnerabilities detected",
      "output_index": ".siem-signals-default",
      "query": "databaseId : *",
      "references": "",
      "risk_score": "21",
      "risk_score_mapping": "",
      "rule_id": "015d49b4-3558-4464-a153-de6d3fa4d5ff",
      "severity": "low",
      "severity_mapping": "",
      "tags": "",
      "threat": "",
      "to": "now",
      "type": "query",
      "updated_at": "2021-04-09T20:27:44.663Z",
      "updated_by": "elastic",
      "version": "1"
    },
    "status": "open"
  },
  "summary": "Moderate severity vulnerability that affects Kestrel.Core",
  "vulnerableVersionRange": ">= 2.0.0"
}
So I understand that I can send the following variables to Jira, which are part of the rule information:
Rule: {{context.rule.name}}
Description: {{context.rule.description}}
Severity: {{context.rule.severity}}
For this example, they would have the following values:
Rule: "new vulnerabilities detected"
Description: "new vulnerabilities"
Severity: "low"
So what I'm trying to achieve is to send more data than the rule information; this would include data from the detected index. In this example, I would like to send the following message to Jira:
Rule: "new vulnerabilities detected"
Description: "new vulnerabilities"
Severity: "low"
summary: "Moderate severity vulnerability that affects Kestrel.Core",
vulnerableVersionRange: ">= 2.0.0"
Is it possible to do that? How could I achieve that?
Thank you in advance!
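As an added illustration (my own code, not part of the post above and not Elastic's template engine or action context), the following script renders Mustache-style `{{...}}` placeholders against a trimmed copy of the signal document quoted in the post. It assumes that `context.rule` in the action template maps onto the document's `signal.rule` object, which is the only mapping the post demonstrates, and it exposes nothing else. It also includes a small `find_paths` helper that reports where a given field name actually lives in the document, which is useful because several names (`severity`, `description`) exist both at the top level and under `signal.rule` with different values.

```python
import re

# Constructed sample: a trimmed copy of the signal document quoted in the post,
# keeping only the fields the message template needs.
SIGNAL_DOC = {
    "description": "aware of a denial of service vulnerability",
    "severity": "MODERATE",
    "signal": {
        "rule": {
            "name": "new vulnerabilities detected",
            "description": "new vulnerabilities",
            "severity": "low",
        },
        "status": "open",
    },
    "summary": "Moderate severity vulnerability that affects Kestrel.Core",
    "vulnerableVersionRange": ">= 2.0.0",
}

# Matches {{dotted.path}} placeholders; "@" is allowed so keys like "@timestamp" work.
VAR_RE = re.compile(r"\{\{\s*([\w.@-]+)\s*\}\}")


def resolve(path, data):
    """Walk a dotted path through nested dicts; return None if any segment is missing."""
    cur = data
    for part in path.split("."):
        if isinstance(cur, dict) and part in cur:
            cur = cur[part]
        else:
            return None
    return cur


def render(template, data):
    """Mustache-style substitution. An unknown variable renders as an empty
    string, which is how a wrong path shows up in the created Jira issue:
    the field is silently blank rather than producing an error."""
    def substitute(match):
        value = resolve(match.group(1), data)
        return "" if value is None else str(value)
    return VAR_RE.sub(substitute, template)


def find_paths(doc, field, prefix=""):
    """List every dotted path in the document whose last key equals `field`."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            path = f"{prefix}.{key}" if prefix else key
            if key == field:
                hits.append(path)
            hits.extend(find_paths(value, field, path))
    return hits


def action_context(signal_doc):
    """Assumption (not confirmed by the post): `context.rule` in the action
    template is the document's `signal.rule` object. Nothing else from the
    document is exposed, so top-level fields are unreachable through it."""
    return {"context": {"rule": signal_doc["signal"]["rule"]}}


# The message the post wants to send, written with the only variable prefix it shows.
TEMPLATE = (
    "Rule: {{context.rule.name}}\n"
    "Description: {{context.rule.description}}\n"
    "Severity: {{context.rule.severity}}\n"
    "summary: {{context.rule.summary}}\n"
    "vulnerableVersionRange: {{context.rule.vulnerableVersionRange}}"
)

if __name__ == "__main__":
    print(render(TEMPLATE, action_context(SIGNAL_DOC)))
    for name in ("summary", "vulnerableVersionRange", "severity"):
        print(name, "->", find_paths(SIGNAL_DOC, name))
```

Running it shows the three rule variables resolving to exactly the values listed in the post, while `summary` and `vulnerableVersionRange` render blank under `context.rule` because they sit at the top level of the document, not inside `signal.rule`. The `find_paths` output also makes the naming overlap visible: `severity` resolves to "MODERATE" at the top level but "low" under `signal.rule`, so whichever path an action template ends up using, it is worth checking which of the two a ticket actually carries.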