[Teams] - Kibana Discover URL and Facts

CHANGELOG.md

@@ -15,7 +15,7 @@
 - Dockerfile refactor for app home and user home to be the same directory (/opt/elastalert/). Before app home is /opt/elastalert/ and user home is /opt/elastalert/elastalert. After app home and user home are the same /opt/elastalert/ - [#656](https://github.com/jertel/elastalert2/pull/656)
 
 ## New features
-- TBD - [#000](https://github.com/jertel/elastalert2/pull/000) - @some_elastic_contributor_tbd
+- [MS Teams] Kibana Discover URL and Facts - [#660](https://github.com/jertel/elastalert2/pull/660) - @thib12
 
 ## Other changes
 - Load Jinja template when loading an alert - [#654](https://github.com/jertel/elastalert2/pull/654) - @thib12

docs/source/ruletypes.rst

@@ -2500,6 +2500,42 @@ Optional:
 
 ``ms_teams_alert_fixed_width``: By default this is ``False`` and the notification will be sent to MS Teams as-is. Teams supports a partial Markdown implementation, which means asterisk, underscore and other characters may be interpreted as Markdown. Currenlty, Teams does not fully implement code blocks. Setting this attribute to ``True`` will enable line by line code blocks. It is recommended to enable this to get clearer notifications in Teams.
 
+``ms_teams_alert_facts``: You can add additional facts to your MS Teams alerts using this field. Specify the title using `name` and a value for the field using `value`.
+
+Example ms_teams_alert_facts::
+
+    ms_teams_alert_facts:
+      - name: Host
+        value: monitor.host
+      - name: Status
+        value: monitor.status
+      - name: Zone
+        value: beat.name
+
+``ms_teams_attach_kibana_discover_url``: Enables the attachment of the ``kibana_discover_url`` to the MS Teams notification. The config ``generate_kibana_discover_url`` must also be ``True`` in order to generate the url. Defaults to ``False``.
+
+``ms_teams_kibana_discover_title``: The title of the Kibana Discover url attachment. Defaults to ``Discover in Kibana``.
+
+Example ms_teams_attach_kibana_discover_url, ms_teams_kibana_discover_title::
+
+    # (Required)
+    generate_kibana_discover_url: True
+    kibana_discover_app_url: "http://localhost:5601/app/discover#/"
+    kibana_discover_index_pattern_id: "4babf380-c3b1-11eb-b616-1b59c2feec54"
+    kibana_discover_version: "7.15"
+
+    # (Optional)
+    kibana_discover_from_timedelta:
+      minutes: 10
+    kibana_discover_to_timedelta:
+      minutes: 10
+
+    # (Required)
+    ms_teams_attach_kibana_discover_url: True
+
+    # (Optional)
+    ms_teams_kibana_discover_title: "Discover in Kibana"
+
 ``ms_teams_ca_certs``: Set this option to ``True`` if you want to validate the SSL certificate.
 
 ``ms_teams_ignore_ssl_errors``: By default ElastAlert 2 will verify SSL certificate. Set this option to ``False`` if you want to ignore SSL errors.

elastalert/alerters/teams.py

@@ -1,8 +1,9 @@
+import copy
 import json
 import requests
 
 from elastalert.alerts import Alerter, DateTimeEncoder
-from elastalert.util import EAException, elastalert_logger
+from elastalert.util import EAException, elastalert_logger, lookup_es_key
 from requests.exceptions import RequestException
 
 
@@ -21,20 +22,31 @@ def __init__(self, rule):
         self.ms_teams_theme_color = self.rule.get('ms_teams_theme_color', '')
         self.ms_teams_ca_certs = self.rule.get('ms_teams_ca_certs')
         self.ms_teams_ignore_ssl_errors = self.rule.get('ms_teams_ignore_ssl_errors', False)
+        self.ms_teams_alert_facts = self.rule.get('ms_teams_alert_facts', '')
+        self.ms_teams_attach_kibana_discover_url = self.rule.get('ms_teams_attach_kibana_discover_url', False)
+        self.ms_teams_kibana_discover_title = self.rule.get('ms_teams_kibana_discover_title', 'Discover in Kibana')
 
     def format_body(self, body):
         if self.ms_teams_alert_fixed_width:
             body = body.replace('`', "'")
             body = "```{0}```".format('```\n\n```'.join(x for x in body.split('\n'))).replace('\n``````', '')
         return body
 
+    def populate_facts(self, matches):
+        alert_facts = []
+        for arg in self.ms_teams_alert_facts:
+            arg = copy.copy(arg)
+            arg['value'] = lookup_es_key(matches[0], arg['value'])
+            alert_facts.append(arg)
+        return alert_facts
+
     def alert(self, matches):
         body = self.create_alert_body(matches)
 
         body = self.format_body(body)
         # post to Teams
         headers = {'content-type': 'application/json'}
-    
+
         if self.ms_teams_ca_certs:
             verify = self.ms_teams_ca_certs
         else:
@@ -49,18 +61,38 @@ def alert(self, matches):
             '@context': 'http://schema.org/extensions',
             'summary': self.ms_teams_alert_summary,
             'title': self.create_title(matches),
-            'text': body
+            'sections': [{'text': body}],
         }
+
+        if self.ms_teams_alert_facts != '':
+            payload['sections'][0]['facts'] = self.populate_facts(matches)
+
         if self.ms_teams_theme_color != '':
             payload['themeColor'] = self.ms_teams_theme_color
 
+        if self.ms_teams_attach_kibana_discover_url:
+            kibana_discover_url = lookup_es_key(matches[0], 'kibana_discover_url')
+            if kibana_discover_url:
+                payload['potentialAction'] = [
+                    {
+                        '@type': 'OpenUri',
+                        'name': self.ms_teams_kibana_discover_title,
+                        'targets': [
+                            {
+                                'os': 'default',
+                                'uri': kibana_discover_url,
+                            }
+                        ],
+                    }
+                ]
+
         for url in self.ms_teams_webhook_url:
             try:
                 response = requests.post(url, data=json.dumps(payload, cls=DateTimeEncoder),
                                          headers=headers, proxies=proxies, verify=verify)
                 response.raise_for_status()
             except RequestException as e:
-                raise EAException("Error posting to ms teams: %s" % e)
+                raise EAException("Error posting to MS Teams: %s" % e)
         elastalert_logger.info("Alert sent to MS Teams")
 
     def get_info(self):

elastalert/schema.yaml

@@ -46,6 +46,17 @@ definitions:
     type: array
     items: *slackField
 
+  msTeamsFact: &msTeamsFact
+    type: object
+    additionalProperties: false
+    properties:
+      name: {type: string}
+      value: {type: string}
+
+  arrayOfMsTeamsFacts: &arrayOfMsTeamsFacts
+    type: array
+    items: *msTeamsFact
+
   mattermostField: &mattermostField
     type: object
     additionalProperties: false
@@ -508,6 +519,9 @@ properties:
   ms_teams_theme_color: {type: string}
   ms_teams_proxy: {type: string}
   ms_teams_alert_fixed_width: {type: boolean}
+  ms_teams_alert_facts: *arrayOfMsTeamsFacts
+  ms_teams_attach_kibana_discover_url: {type: boolean}
+  ms_teams_kibana_discover_title: {type: string}
   ms_teams_ca_certs: {type: boolean}
   ms_teams_ignore_ssl_errors: {type: boolean}