Opsgenie: extra properties filtering

Roman Pankovski June 5, 2022

Hello everyone in this community!

 

I need help to create a perfect view of a created Opsgenie alert :)

Let me show details.

I have a custom multi-select field, Post-Incident Review Actions, with 2 options:

  • Investigation of financial losses
  • Security team analysis

[screenshot]

When I "ask" the JSON payload

[screenshot]

of the Opsgenie+Jira Management integration for this CustomField data with {{ customFields.customfield_10189.value }}

[screenshot]

I get this not beautiful, but quite informative output in the created Opsgenie alert:

[screenshot]

Can I filter this output to create a clear and informative Opsgenie alert? I need to receive, in the created Opsgenie alert, the data from the Value of the JSON payload.


For clarification: this output is enough for next steps (assign, route and so on) in Opsgenie.

I want to understand the filtering mechanism (if it can be used in this case).


I will be very glad for any kind of help.

1 answer

Answer accepted
Nick H
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 6, 2022

Hi @Roman Pankovski ,

Similar to what you are using in the field Service for Review, you will most likely want to use some form of string processing or regex to clean up the data being extracted.

Maybe something like:

{{ customFields.customfield_10189.substringBetween("value=",",")}}

 

But are you trying to pull both of these values?

cf1.jpg

 

If yes, then the string processing method above would only work on the first match, and it appears there might be two values parsing in this custom field.

 

In that case, string processing should still work, but might need to be a bit more specific for each value. Maybe something like these two - but all depending how they parse in the payload as well:

{{ customFields.customfield_10189.substringBetween("10264,value=",",")}}

{{ customFields.customfield_10189.substringBetween("10265,value=",",")}}
Nick H
Atlassian Team
June 6, 2022

These also might work as well:

{{customFields.customfield_10189.substringBefore("id").substringBetween("value=",",")}}

{{customFields.customfield_10189.substringAfter("id").substringBetween("value=",",")}}
Roman Pankovski June 7, 2022

Hi, @Nick H! Thanks for answering!

I applied your suggestions in my workflow and can show what I receive.

1.

{{ customFields.customfield_10189.substringBetween("10264,value=",",")}}

{{ customFields.customfield_10189.substringBetween("10265,value=",",")}}

 Output: null null

2. 

{{customFields.customfield_10189.substringBefore("id").substringBetween("value=",",")}}

Output: Investigation of financial losses (this is the first value)

{{customFields.customfield_10189.substringAfter("id").substringBetween("value=",",")}}

Output: Security team analysis (this is the second value)


Conclusion: the 2nd option works!

But, in my opinion, this is a specific solution acceptable for no more than 2 options - we take only the Before/After values of the payload.

 


I moved a little bit forward and modified your suggestions like this:

{{customFields.customfield_10189.substringAfter("10264").substringBetween("value=",",")}}, 

{{customFields.customfield_10189.substringAfter("10265").substringBetween("value=",",")}}

Output: Investigation of financial losses, Security team analysis (both values here!)

But there is another annoying thing - if the Reporter chooses only one option (example: Investigation of financial losses), here is what I receive in the output:

Investigation of financial losses, null

 

Questions:
1. is there any way to filter "null" from output?
2. is there any way to make multiline output?

Example of multiline output: 
Investigation of financial losses
Security team analysis
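
An added worked example, not code from the thread, from Atlassian or from Opsgenie, that reproduces every output reported in the answer and the follow-up above (the "null null" of the first attempt, the Before/After pair, the per-id pair, and the trailing null when only one option is selected) and then generalises the extraction to any number of options with the null filtered out and one value per line. The string layout of the field, the base URL, and the StringUtils-style semantics of substringBefore/substringAfter/substringBetween are assumptions: the real rendering is only visible in the screenshots, and the layout below was chosen because it is consistent with all of the reported results.

```python
import re
from typing import List, Optional

# Constructed sample of how the integration is ASSUMED to render the
# multi-select field as a string (a Java-style toString of Jira Cloud's option
# objects: self, value, id). The real rendering is only visible in the thread's
# screenshots; this layout was chosen because it reproduces every output
# reported above, including the "null" cases.
BASE = "https://example.atlassian.net/rest/api/2/customFieldOption/"  # assumed
TWO_SELECTED = (
    "[{self=" + BASE + "10264, value=Investigation of financial losses, id=10264}, "
    "{self=" + BASE + "10265, value=Security team analysis, id=10265}]"
)
ONE_SELECTED = "[{self=" + BASE + "10264, value=Investigation of financial losses, id=10264}]"


# Emulation of the three Opsgenie string-processing functions used in the
# thread, following Apache Commons Lang StringUtils semantics (assumption:
# Opsgenie behaves the same). substringBetween returns null (None) as soon as
# either delimiter is missing, which is where the "null" in the output comes from.
def substring_before(s: str, sep: str) -> str:
    i = s.find(sep)
    return s if i < 0 else s[:i]


def substring_after(s: str, sep: str) -> str:
    i = s.find(sep)
    return "" if i < 0 else s[i + len(sep):]


def substring_between(s: Optional[str], open_: str, close: str) -> Optional[str]:
    if s is None:
        return None
    start = s.find(open_)
    if start < 0:
        return None
    start += len(open_)
    end = s.find(close, start)
    return None if end < 0 else s[start:end]


# Generalised extraction: pick up every "value=..." entry however many options
# are selected, so the template never has to hard-code option ids like 10264.
VALUE_RE = re.compile(r"value=([^,}\]]+)")


def option_values(raw: str) -> List[str]:
    return [m.group(1).strip() for m in VALUE_RE.finditer(raw)]


def multiline(values: List[Optional[str]]) -> str:
    # Drop missing entries (the "null" of the thread), then one option per line.
    return "\n".join(v for v in values if v)


if __name__ == "__main__":
    # The two per-id templates reported as working, evaluated on both samples,
    # beside the generalised version.
    for raw in (TWO_SELECTED, ONE_SELECTED):
        per_id = [substring_between(substring_after(raw, i), "value=", ",") for i in ("10264", "10265")]
        print("per-id templates:", per_id)
        print("generalised:\n" + multiline(option_values(raw)))
```

The emulation explains the two failure modes: "10264,value=" never matches because the rendered string has ", " (comma and space) between the id and the next key, so substringBetween yields null; and when an option is not selected, substringAfter on its id yields an empty string, on which substringBetween again yields null. Whether the generalised regex extraction can be expressed inside the integration's own template language depends on which string functions it exposes; the block shows what such a template has to do.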

Radzhiv Apasov August 22, 2023

Hello @Nick H , 

I'm trying to extract information about findings' resources from the "Message" field and present it in a human-readable format. Specifically, I want to retrieve details from the "findings" array, specifically the "Resources" object within it. 

Here is the JSON:

{
  "Type": "Notification",
  "MessageId": "96d4c7c2-999e-57ab-aade",
  "TopicArn": "arn:aws:sns:us-west-2:test",
  "Message": {
    "version": "0",
    "id": "3ee38987-e0ce--91a1",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "abc",
    "time": "2017-09-11T10:49:41Z",
    "region": "us-west-2",
    "resources": ["arn:aws:ec2:us-west-2:asdf:instance/i-abc"],
    "detail": {
      "actionName": "custom-action-name",
      "actionDescription": "description of the action",
      "findings": [
        {
          "AwsAccountId": "abc",
          "Compliance": { "Status": "PASSED" },
          "Confidence": 42,
          "CreatedAt": "2017-03-22T13:22:13.933Z",
          "Criticality": 99,
          "Description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.",
          "FirstObservedAt": "2017-03-22T13:22:13.933Z",
          "GeneratorId": "acme-vuln-9ab348",
          "Id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef",
          "LastObservedAt": "2017-03-23T13:22:13.933Z",
          "Malware": [
            { "Name": "Stringler", "Type": "COIN_MINER", "Path": "/usr/sbin/stringler", "State": "OBSERVED" }
          ],
          "Network": {
            "Direction": "IN",
            "Protocol": "TCP",
            "SourceIpV4": "1.2.3.4",
            "SourceIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C",
            "SourcePort": "42",
            "SourceDomain": "here.com",
            "SourceMac": "00:0d:83:b1:c0:8e",
            "DestinationIpV4": "2.3.4.5",
            "DestinationIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C",
            "DestinationPort": "80",
            "DestinationDomain": "there.com"
          },
          "Note": {
            "Text": "Don't forget to check under the mat.",
            "UpdatedBy": "jsmith",
            "UpdatedAt": "2018-08-31T00:15:09Z"
          },
          "Process": {
            "Name": "syslogd",
            "Path": "/usr/sbin/syslogd",
            "Pid": 12345,
            "ParentPid": 56789,
            "LaunchedAt": "2018-09-27T22:37:31Z",
            "TerminatedAt": "2018-09-27T23:37:31Z"
          },
          "ProductArn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default",
          "ProductFields": {
            "generico/secure-pro/Count": "6",
            "Service_Name": "cloudtrail.amazonaws.com",
            "aws/inspector/AssessmentTemplateName": "My daily CVE assessment",
            "aws/inspector/AssessmentTargetName": "My prod env",
            "aws/inspector/RulesPackageName": "Common Vulnerabilities and Exposures"
          },
          "RecordState": "ACTIVE",
          "RelatedFindings": [
            { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "123e4567-e89b-12d3-a456-426655440000" },
            { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "AcmeNerfHerder--x189dx7824" }
          ],
          "Remediation": {
            "Recommendation": {
              "Text": "Run sudo yum update and cross your fingers and toes.",
              "Url": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"
            }
          },
          "Resources": [
            {
              "Type": "AwsEc2Instance",
              "Id": "i-cafebabe",
              "Partition": "aws",
              "Region": "us-west-2",
              "Tags": { "billingCode": "Lotus-1-2-3", "needsPatching": "true" },
              "Details": {
                "AwsEc2Instance": {
                  "Type": "i3.xlarge",
                  "ImageId": "ami-abcd1234",
                  "IpV4Addresses": ["54.194.252.215", "192.168.1.88"],
                  "IpV6Addresses": ["2001:db8:1234:1a2b::123"],
                  "KeyName": "my_keypair",
                  "IamInstanceProfileArn": "arn:aws:iam:::instance-profile/AdminRole",
                  "VpcId": "vpc-11112222",
                  "SubnetId": "subnet-56f5f633",
                  "LaunchedAt": "2018-05-08T16:46:19.000Z"
                }
              }
            }
          ],
          "SchemaVersion": "2018-10-08",
          "Severity": { "Product": 8.3, "Normalized": 25 },
          "SourceUrl": "string",
          "ThreatIntelIndicators": [
            {
              "Type": "IPV4_ADDRESS",
              "Value": "8.8.8.8",
              "Category": "BACKDOOR",
              "LastObservedAt": "2018-09-27T23:37:31Z",
              "Source": "Threat Intel Weekly",
              "SourceUrl": "http://threatintelweekly.org/backdoors/8888"
            }
          ],
          "Title": "title",
          "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
          "UpdatedAt": "123578964332",
          "UserDefinedFields": { "reviewedByCio": "true", "comeBackToLater": "Check this again on Monday" },
          "VerificationState": "string",
          "WorkflowState": "NEW"
        }
      ]
    }
  },
  "Timestamp": "2017-09-11T10:49:42.630Z",
  "SignatureVersion": "1",
  "Signature": "sign",
  "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotification.pem",
  "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:"
}

 

I'm seeking guidance on the correct approach to achieve my goal of making the alert more human-readable and extracting information from the "Message" field's "findings" section. Any assistance or insights you can provide would be greatly appreciated.
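
An added example, not code from the thread or from Opsgenie, of the extraction asked for above: walk Message.detail.findings[], pull each finding's Resources[] and render them as a short human-readable block. The sample is a trimmed, constructed copy of the posted payload, reduced to the fields the summary uses. One caveat a practitioner will hit: the post shows "Message" as a nested object, but an actual SNS delivery carries "Message" as a JSON-encoded string, so the loader accepts both forms. Field names follow the AWS Security Finding Format as they appear in the post; the helper names are this example's own.

```python
import json
from typing import Any, Dict, List

# Constructed sample: a trimmed copy of the Security Hub finding posted above,
# reduced to the fields the summary uses. "Message" is an object here, as in
# the post; real SNS deliveries carry it as a JSON-encoded string, which
# load_message() also accepts.
SAMPLE: Dict[str, Any] = {
    "Type": "Notification",
    "TopicArn": "arn:aws:sns:us-west-2:test",
    "Message": {
        "detail-type": "EC2 Instance State-change Notification",
        "detail": {
            "findings": [{
                "Title": "title",
                "Description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.",
                "Severity": {"Product": 8.3, "Normalized": 25},
                "Compliance": {"Status": "PASSED"},
                "WorkflowState": "NEW",
                "Resources": [{
                    "Type": "AwsEc2Instance",
                    "Id": "i-cafebabe",
                    "Region": "us-west-2",
                    "Tags": {"billingCode": "Lotus-1-2-3", "needsPatching": "true"},
                    "Details": {"AwsEc2Instance": {
                        "Type": "i3.xlarge",
                        "IpV4Addresses": ["54.194.252.215", "192.168.1.88"],
                        "IamInstanceProfileArn": "arn:aws:iam:::instance-profile/AdminRole",
                        "VpcId": "vpc-11112222",
                    }},
                }],
            }],
        },
    },
}


def load_message(notification: Dict[str, Any]) -> Dict[str, Any]:
    """Return the SNS Message as a dict whether it arrived as an object or a JSON string."""
    msg = notification["Message"]
    return json.loads(msg) if isinstance(msg, str) else msg


def as_sns_delivery(notification: Dict[str, Any]) -> Dict[str, Any]:
    """Re-encode Message as a JSON string, the form a real SNS delivery uses."""
    return dict(notification, Message=json.dumps(notification["Message"]))


def findings(notification: Dict[str, Any]) -> List[Dict[str, Any]]:
    # .get() at every level: an event that is not a Security Hub finding yields [] instead of a KeyError.
    return load_message(notification).get("detail", {}).get("findings", []) or []


def resource_ids(notification: Dict[str, Any]) -> List[str]:
    return [r.get("Id", "?") for f in findings(notification) for r in f.get("Resources", [])]


def describe_resource(res: Dict[str, Any]) -> List[str]:
    lines = [f"  Resource: {res.get('Type', '?')} {res.get('Id', '?')} in {res.get('Region', '?')}"]
    # Details is keyed by resource type (AwsEc2Instance, AwsS3Bucket, ...); flatten one level.
    for detail_type, detail in (res.get("Details") or {}).items():
        for key, val in detail.items():
            shown = ", ".join(val) if isinstance(val, list) else val
            lines.append(f"    {detail_type}.{key}: {shown}")
    tags = res.get("Tags") or {}
    if tags:
        lines.append("    tags: " + ", ".join(f"{k}={v}" for k, v in tags.items()))
    return lines


def summarise(notification: Dict[str, Any]) -> str:
    out: List[str] = []
    for f in findings(notification):
        sev = f.get("Severity", {}).get("Normalized", "?")
        status = f.get("Compliance", {}).get("Status", "?")
        out.append(f"Finding: {f.get('Title', '?')} [severity {sev}/100, compliance {status}, workflow {f.get('WorkflowState', '?')}]")
        if f.get("Description"):
            out.append("  " + f["Description"])
        for res in f.get("Resources", []):
            out.extend(describe_resource(res))
    return "\n".join(out)


if __name__ == "__main__":
    print(summarise(SAMPLE))
    assert summarise(as_sns_delivery(SAMPLE)) == summarise(SAMPLE)
```

Everything in the rendered text (Title, Description, tags) is attacker-influenceable content copied from the finding, so treat the summary as display text only and keep routing decisions on structured fields such as Severity.Normalized and Resources[].Type.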
