Opsgenie: extra properties filtering

Hello everyone in this community!

 

I need help to create a perfect view of a created Opsgenie alert :)

Let me show details.

I have a custom multi-select field, Post-Incident Review Actions, with 2 options:

  • Investigation of financial losses
  • Security team analysis

(screenshot: ScreenShot 2022-06-05 at 22.19.35@2x.jpg)

When I "ask" the JSON payload

(screenshot: ScreenShot 2022-06-05 at 22.21.10@2x.jpg)

of the Opsgenie + Jira Management integration for this custom field's data with {{ customFields.customfield_10189.value }}

(screenshot: ScreenShot 2022-06-05 at 22.20.17@2x.jpg)

I get this not beautiful, but quite informative, output in the created Opsgenie alert:

(screenshot: ScreenShot 2022-06-05 at 22.19.58@2x.jpg)

Can I filter this output to create a clear and informative Opsgenie alert? I need to receive, in the Opsgenie-created alert, the data from the Value field of the JSON payload.


For clarification: this output is enough for the next steps (assign, route and so on) in Opsgenie.

I want to understand the filtering mechanism (if it can be used in this case).


I will be very glad for any kind of help.

Answer accepted
Nick H
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Jun 06, 2022

Hi @Roman Pankovski,

Similar to what you are using in the field Service for Review, you will most likely want to use some form of string processing or regex to clean up the data being extracted.

Maybe something like:

{{ customFields.customfield_10189.substringBetween("value=",",")}}

 

But are you trying to pull both of these values?

(screenshot: cf1.jpg)

 

If yes, then the string processing method above would only work on the first match, and it appears there might be two values parsing in this custom field.

 

In that case, string processing should still work, but it might need to be a bit more specific for each value. Maybe something like these two, but it all depends on how they parse in the payload as well:

{{ customFields.customfield_10189.substringBetween("10264,value=",",")}}

{{ customFields.customfield_10189.substringBetween("10265,value=",",")}}
Nick H
Atlassian Team
Jun 06, 2022

These also might work as well:

{{customFields.customfield_10189.substringBefore("id").substringBetween("value=",",")}}

{{customFields.customfield_10189.substringAfter("id").substringBetween("value=",",")}}

Hi, @Nick H! Thanks for answering!

I applied your suggestions in my workflow and can show what I receive.

1.

{{ customFields.customfield_10189.substringBetween("10264,value=",",")}}

{{ customFields.customfield_10189.substringBetween("10265,value=",",")}}

Output: null null

2. 

{{customFields.customfield_10189.substringBefore("id").substringBetween("value=",",")}}

Output: Investigation of financial losses (this is the first value)

{{customFields.customfield_10189.substringAfter("id").substringBetween("value=",",")}}

Output: Security team analysis (this is the second value)


Conclusion: the 2nd option is working!

But, in my opinion, this is a specific solution acceptable for no more than 2 options: we take only the Before/After values of the payload.

 


I moved a little bit forward and modified your suggestions like this:

{{customFields.customfield_10189.substringAfter("10264").substringBetween("value=",",")}}, 

{{customFields.customfield_10189.substringAfter("10265").substringBetween("value=",",")}}

Output: Investigation of financial losses, Security team analysis (both values here!)

But there is another annoying thing: if the Reporter chooses only one option (example: Investigation of financial losses), here is what I receive in the output:

Investigation of financial losses, null

 

Questions:
1. Is there any way to filter "null" from the output?
2. Is there any way to make multiline output?

Example of multiline output: 
Investigation of financial losses
Security team analysis
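The three problems listed above (the two-option ceiling, the trailing "null" when only one option is selected, and the wish for one label per line) all come from matching fixed positions in the stringified field. Below is an added example in Python (not Opsgenie's template language, and not code from this thread or from Atlassian) showing the general approach that also covers Nick's substringBetween suggestions: match every `value=` entry however many options were selected, drop empties and the literal `null`, and join what is left one label per line. The sample strings are constructed; the real rendering of the field is only visible in the thread's screenshots, so the `{self=..., value=..., id=...}` shape is an assumption modelled on the fact that `substringAfter("10264").substringBetween("value=",",")` returned the label.

```python
import re

# Constructed samples of how a Jira multi-select option list looks once it is
# rendered into a string. ASSUMPTION: the real rendering is only visible in the
# thread's screenshots; this shape is modelled on the fact that
# substringAfter("10264").substringBetween("value=", ",") returned the label.
SAMPLE_TWO_SELECTED = (
    "[{self=https://example.atlassian.net/rest/api/2/customFieldOption/10264, "
    "value=Investigation of financial losses, id=10264}, "
    "{self=https://example.atlassian.net/rest/api/2/customFieldOption/10265, "
    "value=Security team analysis, id=10265}]"
)
SAMPLE_ONE_SELECTED = (
    "[{self=https://example.atlassian.net/rest/api/2/customFieldOption/10264, "
    "value=Investigation of financial losses, id=10264}]"
)
SAMPLE_NONE_SELECTED = "null"   # constructed: what an empty field renders as here

# One "value=<label>" entry per selected option; the label ends at the next
# comma or closing bracket, the same delimiter substringBetween("value=", ",") uses.
VALUE_RE = re.compile(r"value=([^,}\]]*)")

def extract_values(rendered):
    """Return every selected option label, in payload order, for any number
    of options. Empty matches and the literal 'null' are dropped, which is
    what removes the trailing ', null' seen when only one option is chosen."""
    labels = []
    for match in VALUE_RE.finditer(rendered or ""):
        label = match.group(1).strip()
        if label and label.lower() != "null":
            labels.append(label)
    return labels

def format_multiline(rendered, empty="(none selected)"):
    """Render the labels one per line for the alert body."""
    labels = extract_values(rendered)
    return "\n".join(labels) if labels else empty

if __name__ == "__main__":
    for sample in (SAMPLE_TWO_SELECTED, SAMPLE_ONE_SELECTED, SAMPLE_NONE_SELECTED):
        print(format_multiline(sample))
        print("---")
```

The regex relies on the comma as a delimiter exactly as substringBetween("value=",",") does, so an option label that itself contains a comma would be cut short in both approaches; if such labels are possible, the delimiter has to change. Whether this logic can be expressed with the integration's own string-processing functions depends on what those functions offer; the example shows what any preprocessing step needs to do.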

Hello @Nick H,

I'm trying to extract information about findings' resources from the "Message" field and present it in a human-readable format. Specifically, I want to retrieve details from the "findings" array, specifically the "Resources" object within it. 

Here is the JSON:

{
  "Type": "Notification",
  "MessageId": "96d4c7c2-999e-57ab-aade",
  "TopicArn": "arn:aws:sns:us-west-2:test",
  "Message": {
    "version": "0",
    "id": "3ee38987-e0ce--91a1",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "abc",
    "time": "2017-09-11T10:49:41Z",
    "region": "us-west-2",
    "resources": ["arn:aws:ec2:us-west-2:asdf:instance/i-abc"],
    "detail": {
      "actionName": "custom-action-name",
      "actionDescription": "description of the action",
      "findings": [
        {
          "AwsAccountId": "abc",
          "Compliance": { "Status": "PASSED" },
          "Confidence": 42,
          "CreatedAt": "2017-03-22T13:22:13.933Z",
          "Criticality": 99,
          "Description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.",
          "FirstObservedAt": "2017-03-22T13:22:13.933Z",
          "GeneratorId": "acme-vuln-9ab348",
          "Id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef",
          "LastObservedAt": "2017-03-23T13:22:13.933Z",
          "Malware": [
            { "Name": "Stringler", "Type": "COIN_MINER", "Path": "/usr/sbin/stringler", "State": "OBSERVED" }
          ],
          "Network": {
            "Direction": "IN",
            "Protocol": "TCP",
            "SourceIpV4": "1.2.3.4",
            "SourceIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C",
            "SourcePort": "42",
            "SourceDomain": "here.com",
            "SourceMac": "00:0d:83:b1:c0:8e",
            "DestinationIpV4": "2.3.4.5",
            "DestinationIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C",
            "DestinationPort": "80",
            "DestinationDomain": "there.com"
          },
          "Note": {
            "Text": "Don't forget to check under the mat.",
            "UpdatedBy": "jsmith",
            "UpdatedAt": "2018-08-31T00:15:09Z"
          },
          "Process": {
            "Name": "syslogd",
            "Path": "/usr/sbin/syslogd",
            "Pid": 12345,
            "ParentPid": 56789,
            "LaunchedAt": "2018-09-27T22:37:31Z",
            "TerminatedAt": "2018-09-27T23:37:31Z"
          },
          "ProductArn": "arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default",
          "ProductFields": {
            "generico/secure-pro/Count": "6",
            "Service_Name": "cloudtrail.amazonaws.com",
            "aws/inspector/AssessmentTemplateName": "My daily CVE assessment",
            "aws/inspector/AssessmentTargetName": "My prod env",
            "aws/inspector/RulesPackageName": "Common Vulnerabilities and Exposures"
          },
          "RecordState": "ACTIVE",
          "RelatedFindings": [
            { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "123e4567-e89b-12d3-a456-426655440000" },
            { "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "AcmeNerfHerder--x189dx7824" }
          ],
          "Remediation": {
            "Recommendation": {
              "Text": "Run sudo yum update and cross your fingers and toes.",
              "Url": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"
            }
          },
          "Resources": [
            {
              "Type": "AwsEc2Instance",
              "Id": "i-cafebabe",
              "Partition": "aws",
              "Region": "us-west-2",
              "Tags": { "billingCode": "Lotus-1-2-3", "needsPatching": "true" },
              "Details": {
                "AwsEc2Instance": {
                  "Type": "i3.xlarge",
                  "ImageId": "ami-abcd1234",
                  "IpV4Addresses": ["54.194.252.215", "192.168.1.88"],
                  "IpV6Addresses": ["2001:db8:1234:1a2b::123"],
                  "KeyName": "my_keypair",
                  "IamInstanceProfileArn": "arn:aws:iam:::instance-profile/AdminRole",
                  "VpcId": "vpc-11112222",
                  "SubnetId": "subnet-56f5f633",
                  "LaunchedAt": "2018-05-08T16:46:19.000Z"
                }
              }
            }
          ],
          "SchemaVersion": "2018-10-08",
          "Severity": { "Product": 8.3, "Normalized": 25 },
          "SourceUrl": "string",
          "ThreatIntelIndicators": [
            {
              "Type": "IPV4_ADDRESS",
              "Value": "8.8.8.8",
              "Category": "BACKDOOR",
              "LastObservedAt": "2018-09-27T23:37:31Z",
              "Source": "Threat Intel Weekly",
              "SourceUrl": "http://threatintelweekly.org/backdoors/8888"
            }
          ],
          "Title": "title",
          "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
          "UpdatedAt": "123578964332",
          "UserDefinedFields": { "reviewedByCio": "true", "comeBackToLater": "Check this again on Monday" },
          "VerificationState": "string",
          "WorkflowState": "NEW"
        }
      ]
    }
  },
  "Timestamp": "2017-09-11T10:49:42.630Z",
  "SignatureVersion": "1",
  "Signature": "sign",
  "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotification.pem",
  "UnsubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:"
}

 

I'm seeking guidance on the correct approach to achieve my goal of making the alert more human-readable and extracting information from the "Message" field's "findings" section. Any assistance or insights you can provide would be greatly appreciated.
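An added example, in Python, of the kind of parsing the question above asks for (not code from this thread or from Atlassian): it loads the notification, walks Message.detail.findings[*].Resources[*], and produces one readable line per resource carrying the finding id and its normalized severity. The embedded sample is a trimmed, constructed copy of the JSON posted above, keeping only the fields the formatter reads. One caveat the posted sample hides: in a real SNS delivery the Message attribute is a JSON string rather than a nested object, so the loader accepts both forms, and the `as_real_sns_delivery` helper re-encodes the sample that way to show the two are handled alike.

```python
import json

# Constructed, trimmed copy of the SNS notification posted in the thread;
# only the fields the formatter reads are kept.
SAMPLE_NOTIFICATION = r'''{
  "Type": "Notification",
  "MessageId": "96d4c7c2-999e-57ab-aade",
  "Message": {
    "detail-type": "EC2 Instance State-change Notification",
    "detail": {
      "actionName": "custom-action-name",
      "findings": [
        {
          "Id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef",
          "Title": "title",
          "Severity": {"Product": 8.3, "Normalized": 25},
          "Resources": [
            {
              "Type": "AwsEc2Instance",
              "Id": "i-cafebabe",
              "Region": "us-west-2",
              "Tags": {"billingCode": "Lotus-1-2-3", "needsPatching": "true"},
              "Details": {
                "AwsEc2Instance": {
                  "Type": "i3.xlarge",
                  "ImageId": "ami-abcd1234",
                  "IpV4Addresses": ["54.194.252.215", "192.168.1.88"],
                  "IpV6Addresses": ["2001:db8:1234:1a2b::123"]
                }
              }
            }
          ]
        }
      ]
    }
  }
}'''

def load_message(notification):
    """Return Message as a dict. A real SNS delivery carries Message as a JSON
    string; the thread's sample nests it as an object, so both are accepted."""
    message = notification.get("Message", {})
    if isinstance(message, str):
        message = json.loads(message) if message.strip() else {}
    return message

def finding_resources(notification):
    """Yield (finding, resource) pairs from Message.detail.findings[*].Resources[*]."""
    message = load_message(notification)
    for finding in message.get("detail", {}).get("findings", []):
        for resource in finding.get("Resources", []):
            yield finding, resource

def describe_resource(resource):
    """Flatten one Resources entry (and its type-specific Details) to a line."""
    rtype = resource.get("Type", "?")
    parts = [f"{rtype} {resource.get('Id', '?')}"]
    if resource.get("Region"):
        parts.append(f"region={resource['Region']}")
    details = resource.get("Details", {}).get(rtype, {})
    if details.get("Type"):
        parts.append(f"instance_type={details['Type']}")
    addresses = details.get("IpV4Addresses", []) + details.get("IpV6Addresses", [])
    if addresses:
        parts.append("ip=" + ",".join(addresses))
    tags = resource.get("Tags", {})
    if tags:
        parts.append("tags=" + ",".join(f"{k}:{v}" for k, v in sorted(tags.items())))
    return " ".join(parts)

def render_alert(notification_json):
    """One human-readable line per affected resource, prefixed with the finding
    id and its normalized severity; an empty list when there are no findings."""
    notification = json.loads(notification_json)
    lines = []
    for finding, resource in finding_resources(notification):
        severity = finding.get("Severity", {}).get("Normalized", "?")
        lines.append(f"[{finding.get('Id', '?')}] severity={severity} {describe_resource(resource)}")
    return lines

def as_real_sns_delivery(notification_json):
    """Re-encode the sample the way SNS actually delivers it: Message as a string."""
    notification = json.loads(notification_json)
    notification["Message"] = json.dumps(notification["Message"])
    return json.dumps(notification)

if __name__ == "__main__":
    print("\n".join(render_alert(SAMPLE_NOTIFICATION)))
```

Every lookup uses `.get` with a default because Security Hub findings do not all carry the same optional blocks (Details, Tags, Severity); a formatter that indexes them directly would fail on the first finding that omits one, and the alert would then carry nothing at all.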
