@Alex_Molina_Bastos If I understood your use case correctly, this is not something that you could easily do with Security rules as of now.
Firstly, we don't yet support the deduplication of alerts generated by a rule by a certain field. For instance, if a rule generates 50 alert documents during a single rule execution, and all 50 alerts have the same value of the host.name field, you will still get 50 alerts (all of them will be created). However, one of our teams is currently working on [Security Solution][Alerts Area] Implement alert throttling by field group · Issue #130699 · elastic/kibana · GitHub, which will allow you to "throttle" alerts by one or several field values. In the example above, if host.name were specified as a throttle field, the rule would generate only one alert instead of 50.
Secondly, the Mustache syntax used in the rule actions doesn't provide a lot of flexibility for working with JSON. You can't select and transform it however you want like you'd do with jq. What you can do is send the whole alerts JSON, or "print" selected fields from the alerts in text format, with an action body like this:

Alerts JSON:
{{context.alerts}}

Hits JSON:
{{context.hits}}

{{#context.alerts}}
- Host name: "{{host.name}}"
{{/context.alerts}}
It would send something like this in the request body to the webhook (I truncated the JSON):
Alerts JSON:
{\"signal\":{\"depth\":1,\"original_event\":{\"category\":[\"process\"],\"id\":\"da7aadc4-3188-45cc-8cfe-776b260c5164\",\"kind\":\"event\",\"sequence\":0,\"type\":[\"start\"]},\"original_time\":\"2022-11-10T14:57:04.215Z\",\"reason\":\"process event with process iexlorer.exe, by rofwn0gwiu on Host-crfo8ihfl5 created low alert Test.\",\"rule\":{\"author\":[],\"created_at\":\"2022-11-10T13:50:41.233Z\",\"created_by\":\"custom_superuser\",\"description\":\"-\",\"enabled\":true,\"false_positives\":[],\"from\":\"now-90s\",\"id\":\"a9cd7f10-60fe-11ed-a4e9-b9430961b65e\",\"immutable\":false,\"interval\":\"30s\",\"license\":\"\",\"max_signals\":100,\"name\":\"Test\",\"references\":[],\"risk_score\":21,\"rule_id\":\"16f475c9-8074-4cc8-8107-1d819372101c\",\"severity\":\"low\",\"tags\":[],\"to\":\"now\",\"type\":\"query\",\"updated_at\":\"2022-11-10T14:56:52.296Z\",\"updated_by\":\"custom_superuser\",\"version\":2},\"status\":\"open\"},\"_id\":\"778afc216077c8b32a038162d2340c43cca365a45f42450d160f6baf118a2c1a\",\"_index\":\".internal.alerts-security.alerts-default-000001\",\"kibana\":{\"version\":\"8.6.0\",\"alert\":{\"rule\":{\"category\":\"Custom Query 
Rule\",\"consumer\":\"siem\",\"execution\":{\"uuid\":\"de691733-98d6-441e-a9f1-a7f5eb25be3f\"},\"name\":\"Test\",\"producer\":\"siem\",\"rule_type_id\":\"siem.queryRule\",\"uuid\":\"a9cd7f10-60fe-11ed-a4e9-b9430961b65e\",\"tags\":[],\"parameters\":{\"description\":\"-\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"\",\"meta\":{\"from\":\"1m\",\"kibana_siem_app_url\":\"http://localhost:5601/kbn/app/security\"},\"author\":[],\"false_positives\":[],\"from\":\"now-90s\",\"rule_id\":\"16f475c9-8074-4cc8-8107-1d819372101c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":false,\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"apm-*-transaction*\",\"auditbeat-*\",\"endgame-*\",\"filebeat-*\",\"logs-*\",\"packetbeat-*\",\"traces-apm*\",\"winlogbeat-*\",\"-*elastic-cloud-logs-*\"],\"query\":\"host.name: *\",\"filters\":[]},\"actions\":[{\"group\":\"default\",\"id\":\"5f388b80-6107-11ed-a4e9-b9430961b65e\",\"params\":{\"body\":\"Alerts JSON:\\n{{context.alerts}}\\n\\nHits JSON:\\n{{context.hits}}\\n\\n{{#context.alerts}}\\n- Host name: 
\\\"{{host.name}}\\\"\\n{{/context.alerts}}\\n\"},\"action_type_id\":\".webhook\"}],\"author\":[],\"created_at\":\"2022-11-10T13:50:41.233Z\",\"created_by\":\"custom_superuser\",\"description\":\"-\",\"enabled\":true,\"exceptions_list\":[],\"false_positives\":[],\"from\":\"now-90s\",\"immutable\":false,\"interval\":\"30s\",\"indices\":[\"apm-*-transaction*\",\"auditbeat-*\",\"endgame-*\",\"filebeat-*\",\"logs-*\",\"packetbeat-*\",\"traces-apm*\",\"winlogbeat-*\",\"-*elastic-cloud-logs-*\"],\"license\":\"\",\"max_signals\":100,\"references\":[],\"risk_score_mapping\":[],\"rule_id\":\"16f475c9-8074-4cc8-8107-1d819372101c\",\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"type\":\"query\",\"updated_at\":\"2022-11-10T14:56:52.296Z\",\"updated_by\":\"custom_superuser\",\"version\":2,\"meta\":{\"from\":\"1m\",\"kibana_siem_app_url\":\"http://localhost:5601/kbn/app/security\"},\"risk_score\":21,\"severity\":\"low\"},\"original_time\":\"2022-11-10T14:57:04.215Z\",\"ancestors\":[{\"id\":\"lHELYoQB3uGrpQutX8EH\",\"type\":\"event\",\"index\":\".ds-logs-endpoint.events.process-default-2022.11.10-000001\",\"depth\":0}],\"status\":\"active\",\"workflow_status\":\"open\",\"depth\":1,\"reason\":\"process event with process iexlorer.exe, by rofwn0gwiu on Host-crfo8ihfl5 created low alert Test.\",\"severity\":\"low\",\"risk_score\":21,\"original_event\":{\"agent_id_status\":\"auth_metadata_missing\",\"sequence\":0,\"ingested\":\"2022-11-10T14:57:03Z\",\"kind\":\"event\",\"id\":\"da7aadc4-3188-45cc-8cfe-776b260c5164\",\"category\":[\"process\"],\"type\":[\"start\"]},\"uuid\":\"778afc216077c8b32a038162d2340c43cca365a45f42450d160f6baf118a2c1a\"},\"space_ids\":[\"default\"]},\"@timestamp\":\"2022-11-10T14:57:17.460Z\",\"agent\":{\"id\":\"57b53114-52cc-4c55-836d-ad169033de3f\",\"type\":\"endpoint\",\"version\":\"8.6.0\"},\"process\":{\"args\":[\"\\\"C:\\\\iexlorer.exe\\\"\",\"--24j\"],\"Ext\":{\"ancestry\":[]},\"group_leader\":{\"name\":\"fake 
leader\",\"pid\":607,\"entity_id\":\"dd2oz1bzr9\"},\"session_leader\":{\"name\":\"fake session\",\"pid\":575,\"entity_id\":\"dd2oz1bzr9\"},\"code_signature\":{\"subject_name\":\"Microsoft\",\"status\":\"trusted\"},\"entry_leader\":{\"name\":\"fake entry\",\"pid\":727,\"entity_id\":\"dd2oz1bzr9\"},\"name\":\"iexlorer.exe\",\"pid\":4958,\"working_directory\":\"/home/rofwn0gwiu/\",\"entity_id\":\"dd2oz1bzr9\",\"executable\":\"C:\\\\iexlorer.exe\",\"hash\":{\"md5\":\"bb24b5e3-0dd3-445a-9880-46cc9832edfd\"}},\"ecs\":{\"version\":\"1.4.0\"},\"data_stream\":{\"namespace\":\"default\",\"type\":\"logs\",\"dataset\":\"endpoint.events.process\"},\"host\":{\"hostname\":\"Host-crfo8ihfl5\",\"os\":{\"Ext\":{\"variant\":\"Windows Server Release 2\"},\"name\":\"Windows\",\"family\":\"windows\",\"version\":\"6.3\",\"platform\":\"Windows\",\"full\":\"Windows Server 2012R2\"},\"ip\":[\"10.109.146.91\"],\"name\":\"Host-crfo8ihfl5\",\"id\":\"675b73c2-9b5d-41f9-a9f5-3a72b747dd02\",\"mac\":[\"9f-e9-76-28-31-5f\"],\"architecture\":\"4d5uenqhyo\"},\"user\":{\"domain\":\"v38igs0p60\",\"name\":\"rofwn0gwiu\"},\"event\":{\"agent_id_status\":\"auth_metadata_missing\",\"sequence\":0,\"ingested\":\"2022-11-10T14:57:03Z\",\"kind\":\"signal\",\"id\":\"da7aadc4-3188-45cc-8cfe-776b260c5164\",\"category\":[\"process\"],\"type\":[\"start\"]}},{\"signal\":{\"depth\":1,\"original_event\":{\"category\":[\"process\"],\"id\":\"20e21870-5024-466b-b50e-ceca144a822f\",\"kind\":\"event\",\"sequence\":1,\"type\":[\"start\"]},\"original_time\":\"2022-11-10T14:57:05.215Z\",\"reason\":\"process event with process powershell.exe, by 2qv98zp1y0 on Host-crfo8ihfl5 created low alert 
Test.\",\"rule\":{\"author\":[],\"created_at\":\"2022-11-10T13:50:41.233Z\",\"created_by\":\"custom_superuser\",\"description\":\"-\",\"enabled\":true,\"false_positives\":[],\"from\":\"now-90s\",\"id\":\"a9cd7f10-60fe-11ed-a4e9-b9430961b65e\",\"immutable\":false,\"interval\":\"30s\",\"license\":\"\",\"max_signals\":100,\"name\":\"Test\",\"references\":[],\"risk_score\":21,\"rule_id\":\"16f475c9-8074-4cc8-8107-1d819372101c\",\"severity\":\"low\",\"tags\":[],\"to\":\"now\",\"type\":\"query\",\"updated_at\":\"2022-11-10T14:56:52.296Z\",\"updated_by\":\"custom_superuser\",\"version\":2},\"status\":\"open\"},\"_id\":\"9b81e0fb63958748ee216ad10884aba25496db2999d213e8961a296bc0e815f4\",\"_index\":\".internal.alerts-security.alerts-default-000001\",\"kibana\":{\"version\":\"8.6.0\",\"alert\":{\"rule\":{\"category\":\"Custom Query Rule\",\"consumer\":\"siem\",\"execution\":{\"uuid\":\"de691733-98d6-441e-a9f1-a7f5eb25be3f\"},\"name\":\"Test\",\"producer\":\"siem\",\"rule_type_id\":\"siem.queryRule\",\"uuid\":\"a9cd7f10-60fe-11ed-a4e9-b9430961b65e\",\"tags\":[],\"parameters\":{\"description\":\"-\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"\",\"meta\":{\"from\":\"1m\",\"kibana_siem_app_url\":\"http://localhost:5601/kbn/app/security\"},\"author\":[],\"false_positives\":[],\"from\":\"now-90s\",\"rule_id\":\"16f475c9-8074-4cc8-8107-1d819372101c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":false,\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"apm-*-transaction*\",\"auditbeat-*\",\"endgame-*\",\"filebeat-*\",\"logs-*\",\"packetbeat-*\",\"traces-apm*\",\"winlogbeat-*\",\"-*elastic-cloud-logs-*\"],\"query\":\"host.name: *\",\"filters\":[]},\"actions\":[{\"group\":\"default\",\"id\":\"5f388b80-6107-11ed-a4e9-b9430961b65e\",\"params\":{\"body\":\"Alerts 
JSON:\\n{{context.alerts}}\\n\\nHits JSON:\\n{{context.hits}}\\n\\n{{#context.alerts}}\\n- Host name: \\\"{{host.name}}\\\"\\n{{/context.alerts}}\\n\"},\"action_type_id\":\".webhook\"}],\"author\":[],\"created_at\":\"2022-11-10T13:50:41.233Z\",\"created_by\":\"custom_superuser\",\"description\":\"-\",\"enabled\":true,\"exceptions_list\":[],\"false_positives\":[],\"from\":\"now-90s\",\"immutable\":false,\"interval\":\"30s\",\"indices\":[\"apm-*-transaction*\",\"auditbeat-*\",\"endgame-*\",\"filebeat-*\",\"logs-*\",\"packetbeat-*\",\"traces-apm*\",\"winlogbeat-*\",\"-*elastic-cloud-logs-*\"],\"license\":\"\",\"max_signals\":100,\"references\":[],\"risk_score_mapping\":[],\"rule_id\":\"16f475c9-8074-4cc8-8107-1d819372101c\",\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"type\":\"query\",\"updated_at\":\"2022-11-10T14:56:52.296Z\",\"updated_by\":\"custom_superuser\",\"version\":2,\"meta\":{\"from\":\"1m\",\"kibana_siem_app_url\":\"http://localhost:5601/kbn/app/security\"},\"risk_score\":21,\"severity\":\"low\"},\"original_time\":\"2022-11-10T14:57:05.215Z\",\"ancestors\":[{\"id\":\"lXELYoQB3uGrpQutX8EH\",\"type\":\"event\",\"index\":\".ds-logs-endpoint.events.process-default-2022.11.10-000001\",\"depth\":0}],\"status\":\"active\",\"workflow_status\":\"open\",\"depth\":1,\"reason\":\"process event with process powershell.exe, by 2qv98zp1y0 on Host-crfo8ihfl5 created low alert 
Test.\",\"severity\":\"low\",\"risk_score\":21,\"original_event\":{\"agent_id_status\":\"auth_metadata_missing\",\"sequence\":1,\"ingested\":\"2022-11-10T14:57:03Z\",\"kind\":\"event\",\"id\":\"20e21870-5024-466b-b50e-ceca144a822f\",\"category\":[\"process\"],\"type\":[\"start\"]},\"uuid\":\"9b81e0fb63958748ee216ad10884aba25496db2999d213e8961a296bc0e815f4\"},\"space_ids\":[\"default\"]},\"@timestamp\":\"2022-11-10T14:57:17.461Z\",\"agent\":{\"id\":\"57b53114-52cc-4c55-836d-ad169033de3f\",\"type\":\"endpoint\",\"version\":\"8.6.0\"},\"process\":{\"Ext\":{\"ancestry\":[\"dd2oz1bzr9\"]},\"parent\":{\"pid\":4958,\"entity_id\":\"dd2oz1bzr9\"},\"group_leader\":{\"name\":\"fake leader\",\"pid\":453,\"entity_id\":\"dd2oz1bzr9\"},\"pid\":3660,\"working_directory\":\"/home/2qv98zp1y0/\",\"entity_id\":\"6nknbziq0x\",\"executable\":\"C:\\\\powershell.exe\",\"args\":[\"\\\"C:\\\\powershell.exe\\\"\",\"--8h4\"],\"session_leader\":{\"name\":\"fake session\",\"pid\":520,\"entity_id\":\"dd2oz1bzr9\"},\"code_signature\":{\"subject_name\":\"Microsoft\",\"status\":\"trusted\"},\"entry_leader\":{\"name\":\"fake entry\",\"pid\":337,\"entity_id\":\"dd2oz1bzr9\"},\"name\":\"powershell.exe\",\"hash\":{\"md5\":\"882a7b31-f717-424c-a437-dd19c3b45494\"}},\"ecs\":{\"version\":\"1.4.0\"},\"data_stream\":{\"namespace\":\"default\",\"type\":\"logs\",\"dataset\":\"endpoint.events.process\"},\"host\":{\"hostname\":\"Host-crfo8ihfl5\",\"os\":{\"Ext\":{\"variant\":\"Windows Server Release 2\"},\"name\":\"Windows\",\"family\":\"windows\",\"version\":\"6.3\",\"platform\":\"Windows\",\"full\":\"Windows Server 2012R2\"},\"ip\":[\"10.109.146.91\"],\"name\":\"Host-crfo8ihfl5\",\"id\":\"675b73c2-"
- Host name: "Host-crfo8ihfl5"
- Host name: "Host-crfo8ihfl5"
- Host name: "Host-crfo8ihfl5"
- Host name: "Host-crfo8ihfl5"
- Host name: "Host-crfo8ihfl5"
- Host name: "Host-crfo8ihfl5"
- Host name: "Host-crfo8ihfl5"
- Host name: "Host-crfo8ihfl5"
- Host name: "Host-rcsgxu4c5c"
- Host name: "Host-crfo8ihfl5"
- Host name: "Host-rcsgxu4c5c"
- Host name: "Host-crfo8ihfl5"
- Host name: "Host-rcsgxu4c5c"
- Host name: "Host-crfo8ihfl5"
Then, on the receiving side of the webhook connector (e.g. a bitbucket pipeline) you could probably implement parsing of these request bodies and deduplication of the field values, if the receiving side allows doing that.
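As an added example of that receiving-side step (it is not code from the post above nor from Elastic), here is a small Python parser for a body rendered from a template of the shape shown above: it locates the "Alerts JSON:" marker, parses the rendered {{context.alerts}} array, groups the alerts by an ECS dotted field such as host.name, and, if the JSON was truncated in transit or by a log limit (as the body quoted above was), falls back to the per-alert "- Host name: ..." lines. The marker string, the label "Host name", the field names and the two sample bodies are constructed for the example; the real alert documents carry far more fields than are kept here.

```python
import json
import re

# Constructed sample of the rendered request body: it follows the shape of the
# action template discussed above ("Alerts JSON:" followed by the rendered
# {{context.alerts}} array, then one "- Host name: ..." line per alert).
# Only the fields this example reads are kept; real alerts carry many more.
SAMPLE_BODY = (
    "Alerts JSON:\n"
    + json.dumps([
        {"_id": "alert-1", "host": {"name": "Host-crfo8ihfl5"}, "process": {"name": "iexlorer.exe"}},
        {"_id": "alert-2", "host": {"name": "Host-crfo8ihfl5"}, "process": {"name": "powershell.exe"}},
        {"_id": "alert-3", "host": {"name": "Host-rcsgxu4c5c"}, "process": {"name": "cmd.exe"}},
    ])
    + "\n\n- Host name: \"Host-crfo8ihfl5\"\n"
    + "- Host name: \"Host-crfo8ihfl5\"\n"
    + "- Host name: \"Host-rcsgxu4c5c\"\n"
)

# Constructed sample where the JSON was cut off (as happens when a log viewer or
# pipeline truncates long bodies) but the per-alert text lines survived.
TRUNCATED_BODY = (
    'Alerts JSON:\n[{"host":{"name":"Host-a"}},{"host":{"name":"Host-\n'
    '- Host name: "Host-a"\n- Host name: "Host-b"\n- Host name: "Host-a"\n'
)


def get_path(doc, dotted):
    """Resolve an ECS-style dotted field name such as 'host.name' against a nested dict."""
    current = doc
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def extract_alerts(body, marker="Alerts JSON:"):
    """Return the alert array rendered after `marker`.

    raw_decode parses exactly one JSON value and ignores everything after it, so the
    'Hits JSON:' section and the Mustache-rendered list that follow do not interfere.
    A truncated or malformed array raises json.JSONDecodeError (a ValueError).
    """
    start = body.find(marker)
    if start < 0:
        raise ValueError("alerts marker not found in body")
    idx = start + len(marker)
    while idx < len(body) and body[idx].isspace():
        idx += 1
    alerts, _end = json.JSONDecoder().raw_decode(body, idx)
    if not isinstance(alerts, list):
        raise ValueError("expected a JSON array of alerts")
    return alerts


def dedupe_by_field(alerts, field):
    """Group alerts by the value of `field`, preserving first-seen order of the values."""
    groups = {}
    for alert in alerts:
        groups.setdefault(get_path(alert, field), []).append(alert)
    return groups


def unique_field_values(body, field="host.name", label="Host name"):
    """Distinct values of `field` across the alerts carried by one webhook request.

    Prefers the structured JSON; if that is missing or truncated, falls back to the
    '- <label>: "<value>"' lines the template prints once per alert.
    """
    try:
        return list(dedupe_by_field(extract_alerts(body), field).keys())
    except ValueError:
        line = re.compile(r'^- ' + re.escape(label) + r': "([^"\n]*)"$', re.MULTILINE)
        return list(dict.fromkeys(line.findall(body)))


if __name__ == "__main__":
    for host, group in dedupe_by_field(extract_alerts(SAMPLE_BODY), "host.name").items():
        print(f"{host}: {len(group)} alert(s), processes {[a['process']['name'] for a in group]}")
    print("fallback:", unique_field_values(TRUNCATED_BODY))
```

Two practical notes for whoever wires this up: the structured array is the reliable source and the text lines are only a fallback, since a text line carries one field and nothing that ties it back to the alert document, and the endpoint receiving these bodies is processing input from the network, so authenticate the request (for instance a secret header set on the connector) before parsing anything.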