[FEATURE] deliver security alerts with meaningful, structured information.

[larsw]

(This feature request could probably exist in other OpenSearch repositories,
but I've added it to the one I felt was the most relevant one).

With the current Alerting capabilities in OpenSearch, it is possible to deliver alerts via webhooks,
but sadly the feature is at best mostly useless for delivering structured information about the alert system -> system.
The information delivered over the webhook can resemble JSON - but it's not.
The information lacks any trace of the originating (sigma) rule that caused the alarm to be raised.

--
It should be possible to setup webhooks that get's sensible, structured data delivered when an Alarm is raised.
To fix this, I'm guessing that changes need to be made to multiple OpenSearch sub components.

[tallyoh]

Yes, I agree with the sentiment above, mustache variable substitutions would be extremely helpful in this regard as would normalized JSON. I would like to be able to construct a link back to the detection in dashboard, link to the document which triggered the alert, etc. But currently the alerts body text is too bare bones. We've worked around this by querying the indices directly for detections and create our own external integrations. Not ideal but necessary. I appreciate all the work being done in this module and look forward to seeing improvements in this area.

[agoerl]

+1

[sacha-athias-wmx]

+1

[praveensameneni]

We are working on updating the ctx variable to be able to pull the relevant information - rule/alert/query.
opensearch-project/alerting#1450
Since Security Analytics is primarily based on Doc level monitors, can use the same concept to get the rule information. H

[engechas]

Closing this as completed by #1450. Please reopen if there are additional context gaps that you would like to see covered that were not addressed by the enhancements in #1450.