Query Another Index with an Enhancement in ElastAlert 2

[VirusProtect]

Hi,

I have a rule where the index logs-test-* contains the endpoint name, but it does not include user.name. Can I use an enhancement to query another index to extract user.name?

In alert_text i add 'enrich_user.name':

alert_text: "@timestamp: {0}\nendpoint.name': {1}\nenrich_user.name: {2}
alert_text_args:
  - "@timestamp"
  - endpoint.name'
  - enriched_user_name

and I created enhacmenet:

from elastalert.enhancements import BaseEnhancement

class Enhancement(BaseEnhancement):
    def process(self, match):
        endpoint_name = match.get('endpoint.name', None)

        if endpoint_name is None:
            return

        try:
            es_response = self.rules['es_client'].search(
                index="logs-users-*",
                body={
                    "query": {
                        "bool": {
                            "must": [
                                {
                                    "match": {
                                        "endpoint.name": endpoint_name
                                    }
                                },
                                {
                                    "range": {
                                        "@timestamp": {
                                            "gte": "now-8h",
                                            "lte": "now"
                                        }
                                    }
                                }
                            ]
                        }
                    },
                    "_source": ["user.name"]
                }
            )

            if es_response['hits']['total']['value'] > 0:
                user_name = es_response['hits']['hits'][0]['_source'].get('user.name', 'Unknown User')
                match['enriched_user_name'] = user_name
            else:
                match['enriched_user_name'] = 'No User Found'

        except Exception as e:
            match['enriched_user_name'] = 'Query Error'

Do the elastalert2 support these type of enchamenet ?

[jertel]

I've never tried to do that so I don't know how easy it will be to do this. However, assuming you can get it to work you're likely going to find that this is very inefficient. Suppose your rule detects 1000 matches in the last timeframe and triggers the alert. It's going to loop over all of those matches and execute that additional Elasticsearch query.

[VirusProtect]

I want to enrich the current alert with additional information from another index. For example, the original alert might not include user.name, but I can extract this information by querying another index using matching values from the original alert.

The Elasticsearch query can be updated to be more specific, ensuring it retrieves only the relevant result.

[VirusProtect]

Can ElastAlert2 enhancements interact with external APIs or other services to enrich alerts? For example, if the alert lacks a specific field (like user.name), could an enhancement query an external API or service, retrieve the necessary information, and include it in the alert?

I wonder if there's support for external integrations or if there are any known limitations ?

[jertel]

It's just python code. You can make it do whatever you want it to do.