feat(api): kibana SIEM (#3245)

keep/providers/kibana_provider/kibana_provider.py

@@ -67,6 +67,7 @@ class KibanaProvider(BaseProvider):
             }
         }
     )
+    SIEM_WEBHOOK_PAYLOAD = """{{#context.alerts}}{{{.}}}{{/context.alerts}}"""
 
     # Mock payloads for validating scopes
     MOCK_ALERT_PAYLOAD = {
@@ -373,6 +374,7 @@ def __setup_webhook_alerts(self, tenant_id: str, keep_api_url: str, api_key: str
                 self.logger.info(f"Alert {alert_rule['id']} already updated, skipping")
                 continue
 
+            rule_type_id = alert_rule.get("rule_type_id")
             action_groups = rule_types.get(alert_rule["rule_type_id"], {}).get(
                 "action_groups", []
             )
@@ -381,7 +383,14 @@ def __setup_webhook_alerts(self, tenant_id: str, keep_api_url: str, api_key: str
                     {
                         "group": action_group.get("id"),
                         "id": connector_id,
-                        "params": {"body": KibanaProvider.WEBHOOK_PAYLOAD},
+                        "params": {
+                            # SIEM can use a different payload for more context
+                            "body": (
+                                KibanaProvider.WEBHOOK_PAYLOAD
+                                if "siem" not in rule_type_id
+                                else KibanaProvider.SIEM_WEBHOOK_PAYLOAD
+                            )
+                        },
                         "frequency": {
                             "notify_when": "onActionGroupChange",
                             "throttle": None,
@@ -558,6 +567,49 @@ def _format_alert(
         if "payload" in event:
             return KibanaProvider.format_alert_from_watcher(event)
 
+        # SIEM alert
+        if "kibana" in event:
+            logger.info("Parsing SIEM Kibana alert")
+            description = (
+                event.get("kibana", {})
+                .get("alert", {})
+                .get("rule", {})
+                .get("description", "")
+            )
+            if not description:
+                logger.warning("Could not find description in SIEM Kibana alert")
+
+            name = (
+                event.get("kibana", {}).get("alert", {}).get("rule", {}).get("name", "")
+            )
+            if not name:
+                logger.warning("Could not find name in SIEM Kibana alert")
+                name = "SIEM Kibana Alert"
+
+            status = event.get("kibana", {}).get("alert", {}).get("status", "")
+            if not status:
+                logger.warning("Could not find status in SIEM Kibana alert")
+                name = "active"
+
+            # use map
+            status = KibanaProvider.STATUS_MAP.get(status, AlertStatus.FIRING)
+            severity = (
+                event.get("kibana", {})
+                .get("alert", {})
+                .get("severity", "could not find severity")
+            )
+            # use map
+            severity = KibanaProvider.SEVERITIES_MAP.get(severity, AlertSeverity.INFO)
+            alert_dto = AlertDto(
+                name=name,
+                description=description,
+                status=status,
+                severity=severity,
+                source=["kibana"],
+                **event,
+            )
+            logger.info("Finished to parse SIEM Kibana alert")
+            return alert_dto
         # Check if this is the new webhook format
         # New Kibana webhook format
         if "webhook_body" in event:
@@ -624,6 +676,9 @@ def _format_alert(
             if not event.get("url"):
                 event.pop("url", None)
 
+        if "name" not in event:
+            event["name"] = event.get("rule.name")
+
         return AlertDto(
             environment=environment,
             labels=labels,

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "keep"
-version = "0.35.8"
+version = "0.35.9"
 description = "Alerting. for developers, by developers."
 authors = ["Keep Alerting LTD"]
 packages = [{include = "keep"}]