Hi! Can someone help with some knowledge about Alert module? Right now we can create alerts, but we want alert being sent both to SOAR and third-party webhook (Telegram). On Alert rule creation page we can do one of those only. When thinking for a workaround, we have got another question - is it possible to create an alert on events in alert-* index, without creating new alert event in that index ? How can we add custom fields (i.g. alert_severity, or MITRE/PCI DSS/other tags) in alert, using Alert rules?

Energ Logserver - Alerts - add stom field - Energy Logserver Community

Energ Logserver - Alerts - add stom field

cobalt8315

Hi!

Can someone help with some knowledge about Alert module?

Right now we can create alerts, but we want alert being sent both to SOAR and third-party webhook (Telegram). On Alert rule creation page we can do one of those only.
When thinking for a workaround, we have got another question - is it possible to create an alert on events in alert-* index, without creating new alert event in that index ?
How can we add custom fields (i.g. alert_severity, or MITRE/PCI DSS/other tags) in alert, using Alert rules?

SzymonC

Hi,

Alert can execute multiple methods/responses, but for now only one can be selected from UI. Second method has to be put in Rule Definition. Luckily it's not that difficult to do.
For example if you want to SOAR + email + command:

Use Energy SOAR integration from UI with selection from Alert Method

Add following codes to the Rule Definition:

alert:
#Below executes mailing method
  - elastalert_modules.playbook.EmailAlerter
#Below executes command method
  - elastalert_modules.playbook.CommandAlerter

#Below settings reflects detail settings for mail method
email:
  - recipient-mail@example.com
alert_text_type: alert_text_only
alert_subject: 'Alert z WWW / Alert for too many HTTP requests client.ip:{0} on vhost.name:{1}'
alert_subject_args:
  - client.ip
  - vhost.name
alert_text: "## Summary\r\n \r\n\r\n |  |  |\r\n |---|---|\r\n | Client IP | {} |\r\n | Agent name | {} |\r\n | Link | [Event]({}) |\r\n \r\n **Log**\r\n ```\r\n {}\r\n ```\r\n"
alert_text_args:
  - client.ip
  - agent.name
  - kibana_discover_url
  - message

#Below settings reflects detail settings for command method
command:
  - /usr/local/bin/alert-block.sh
  - '-t'
  - '{match[@timestamp]}'
  - '-i'
  - '{match[client][ip]}'
new_style_string_format: true

As for the second question: alert types of Chain and Logical are based on documents in alert index. So as a different workaround you can create two or three Chain alerts, each with different method in UI. But in general every alert will generate new document in alert index.

Finally third: Answer depends on the use case. Alert itself so far isn't able to create new fields for internal documents (ELS documents) from UI. This however can be done by using very simple python codes for alert, called enhancements. We can even help with building them. If you're thinking about webhook method, then it's able to produce completely new fields in webhook payload. Values of that fields can be either hardcoded or set as a variable based on the value from source document.

I hope that this answer your questions. 🙂
If I can help with anything else, please let me know!