Send index information to Jira when a detection is triggered

Elastic Security
1

Hi, community! I hope you're doing great!

I'm struggling with some issues to send the correct information to Jira in rule actions.

When I configure a new detection, I want to send some fields of the detection that are not part of the signal and rule description to Jira.

For example, I obtain the following JSON in the detection, that includes the rule information, and the index data associated with that detection:

{
  "_id": "1192046112c6e1c468edba5c1202cb4af6cfb406f5d3914d2b9688dc4a0d9618",
  "_index": ".siem-signals-default-000001",
  "_score": "1",
  "_type": "_doc",
  "@timestamp": "2021-04-09T20:28:46.606Z",
  "@version": "1",
  "advisory_createdAt": "2020-11-02T14:30:46Z",
  "createdAt": "2019-05-11T01:34:22Z",
  "databaseId": "744",
  "description": "aware of a denial of service vulnerability",
  "ecosystem": "NUGET",
  "event": {
    "kind": "signal"
  },
  "nameWithOwner": "Bob",
  "severity": "MODERATE",
  "signal": {
    "_meta": {
      "version": "14"
    },
    "ancestors": "{\"id\":\"_jhSuHgBxz-xmoFeLcsh\",\"type\":\"event\",\"index\":\"vulnerabilities\",\"depth\":0}",
    "depth": "1",
    "original_time": "2021-04-09T20:28:16.325Z",
    "parent": {
      "depth": "0",
      "id": "_jhSuHgBxz-xmoFeLcdh",
      "index": "vulnerabilities",
      "type": "event"
    },
    "parents": "{\"id\":\"_jhSuHgBxz-xmoFeLfsh\",\"type\":\"event\",\"index\":\"vulnerabilities\",\"depth\":0}",
    "rule": {
      "actions": "",
      "author": "",
      "created_at": "2021-04-09T17:16:20.566Z",
      "created_by": "elastic",
      "description": "new vulnerabilities",
      "enabled": "true",
      "exceptions_list": "",
      "false_positives": "",
      "filters": "",
      "from": "now-120s",
      "id": "4d222560-9957-11eb-8ae3-8f61beeae94c",
      "immutable": "false",
      "index": "vulnerabilities",
      "interval": "1m",
      "language": "kuery",
      "license": "",
      "max_signals": "100",
      "meta": {
        "from": "1m",
        "kibana_siem_app_url": "https://localhost:5601/app/security"
      },
      "name": "new vulnerabilities detected",
      "output_index": ".siem-signals-default",
      "query": "databaseId : *",
      "references": "",
      "risk_score": "21",
      "risk_score_mapping": "",
      "rule_id": "015d49b4-3558-4464-a153-de6d3fa4d5ff",
      "severity": "low",
      "severity_mapping": "",
      "tags": "",
      "threat": "",
      "to": "now",
      "type": "query",
      "updated_at": "2021-04-09T20:27:44.663Z",
      "updated_by": "elastic",
      "version": "1"
    },
    "status": "open"
  },
  "summary": "Moderate severity vulnerability that affects Kestrel.Core",
  "vulnerableVersionRange": ">= 2.0.0"
}

so I understand that I can send the following variables onto Jira, that are part of the rule information:

Rule: {{context.rule.name}}

Description: {{context.rule.description}}
Severity: {{context.rule.severity}}

For this example, they would have the following values:

Rule: "new vulnerabilities detected"

Description: "new vulnerabilities"
Severity: "low"

So what I'm trying to achieve is to send more data than the rule information, this would include data from the detected index. In this example, I would like to send the following message to Jira:

Rule: "new vulnerabilities detected"

Description: "new vulnerabilities"
Severity: "low"
summary: "Moderate severity vulnerability that affects Kestrel.Core",
vulnerableVersionRange: ">= 2.0.0"

Is it possible to do that? How could I achieve that?

Thank you in advance!

2

Like this?

- *Number of Alerts*: {{state.signals_count}}
- *Risk score*: {{context.rule.risk_score}}
- *Severity*: {{context.rule.severity}}

 h2. Rule Details
 [View Detection Alert|{{{context.results_link}}}]
- *Rule Description*: {quote}{{context.rule.description}}{quote}
- *Rule Query*: {quote}{{context.rule.query}}{quote}

 h2. Source
 {{#context.alerts}}
- *Source IP Address*: {noformat}{{source.ip}}{noformat}
- *Source Port*: {noformat}{{source.port}}{noformat}
 {{/context.alerts}}

 h2. Destination
 {{#context.alerts}}
- *Destination IP Address*: {noformat}{{destination.ip}}{noformat}
- *Destination Port*: {noformat}{{destination.port}}{noformat}
 {{/context.alerts}}

 h3. Process
 {{#context.alerts}}
- *Hash MD5*: {noformat}{{process.hash.md5}}{noformat}
- *Hash SH1*: {noformat}{{process.hash.sha1}}{noformat}
- *Hash SHA25*: {noformat}{{process.hash.sha256}}{noformat}
- *Process Name*: {noformat}{{process.name}}{noformat}
- *Process Parent Executable*: {noformat}{{process.parent.executable}}{noformat}
- *Process Parent Name*: {noformat}{{process.parent.name}}{noformat}
 {{/context.alerts}}

 h3. File
 {{#context.alerts}}
- *File Name*: {noformat}{{file.name}}{noformat}
- *File Owner*: {noformat}{{file.owner}}{noformat}
- *File Path*: {noformat}{{file.path}}{noformat}
- *File size*: {noformat}{{file.size}}{noformat}
- *File Target Path*: {noformat}{{file.target_path}}{noformat}
- *File Type*: {noformat}{{file.type}}{noformat}
 {{/context.alerts}}

Here is my setup on github. Elastic SIEM Connector to JIRA Service Desk Template #JIRA #Elastic (github.com)

Here is a list of fields you can use in this manner.
FIELDS | Elastic (elk.wiki)

3

Thank you very much @austinsonger !!! That was the answer I was searching for! Do you know how I could add more fields to the ECS, so I can send the values to Jira?

4

I was able to send them without needing the ecs mapping. Replicating the example it would be

Rule: {{context.rule.name}}

Description: {{context.rule.description}}
Severity: {{context.rule.severity}}

{{#context.alerts}}
{{summary}}
{{vulnerableVersionRange}}
{{/context.alerts}}

In the Jira message field. With this, you should be able to pass the values of the fields that were detected in the detection.

Hope that this works!

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.