Telegram parse_mode change

[polshe-v]

I use ElastAlert2 to send alerts to Telegram from Suricata IDS. I insert the signature name to the alert text. Sometimes there is even number of '_' in the signature name (e.g. ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228) - zero '_'), but sometimes not (e.g. "ET WEB_SERVER HP OpenView Network Node Manager Remote Command Execution Attempt" - 1 opened '_') and therefore I receive an error, because markdown is invalid:

Error posting to Telegram: 400 Client Error: Bad Request for url: https://api.telegram.org/bot***:***/sendMessage. Details: {"ok":false,"error_code":400,"description":"Bad Request: can't parse entities: Can't find end of the entity starting at byte offset 295"}

I don't think this is a good idea to go through all Suricata signatures and change the name of every signature deleting all '_' (there always will be new signatures).
Because ElastAlert2 generates alert_text and sends the resulting text to Telegram, the right way is to solve this problem in ElastAlert2. Could you please change parse_mode in telegram alerter to html here? HTML parse_mode could be more independent of alert text.

Or maybe you could provide separate option for parse_mode, so it would be possible to set this option in alert rule? (like already setting telegram_bot_token, telegram_api_url, etc)

[nsano-rururu]

Do you mean the corresponding image below?
If so, could you please check the operation and make a pull request?

elastalert/alerters/telegram.py

add

self.telegram_parse_mode = self.rule.get('telegram_parse_mode', 'markdown')

modify

'parse_mode': 'markdown',
　　　 ↓
'parse_mode': self.telegram_parse_mode

elastalert/schema.yaml

add

telegram_parse_mode: {type: string, enum: ['markdown', 'html']}

Documentation update

docs/source/ruletypes.rst#telegram

[polshe-v]

Thank you for your help, @nsano-rururu!
I made PR #924 and tested it - works fine.