Opensearch discover link support

[luffynextgen]

Description

This pull request aim to add the possibility to create opensearch discover url from the elastalert query, the same way it is done for the kibana discover url.

I tried to minimize the change, so I only added one key in the yaml schema ( generate_opensearch_discover_url ).
This feature reuse all the current kibana related variable.

Checklist

• I have reviewed the contributing guidelines.
• I have included unit tests for my changes or additions.
• I have successfully run make test-docker with my changes.
• I have manually tested all relevant modes of the change in this PR.
• I have updated the documentation.
• I have updated the changelog.

Questions or Comments

I have tested this in my environment making elastalert run on an Opensearch SIEM in 2.11. The alert triggered with this feature were sent to thehive and slack.
The link in thehive was added to the description of the alert and worked. In slack the "Discover in Kibana" button also worked.

This feature for now was only tested with opensearch 2.11

[jertel]

I like the new feature! I can definitely see the value here for OpenSearch users.

Instead of referencing kibana_* vars within the OpenSearch logic, it would be cleaner to replace the kibana_ references with something more generic, so that it makes sense to share those vars with both OpenSearch and Elasticsearch. The drawback to doing this is it would still have to support the kibana_* as well, so that existing users didn't break after upgrading. An alternative is to simply create the corresponding vars using the opensearch name. That is simpler, but means a little more work since the schema and docs need to be updated. It would be less work than the other option though. I know you are trying to minimize changes but not doing this will cause confusion to future developers, when they're scratching their heads trying to figure out why OpenSearch logic is reference Kibana URLs, etc.

The new Python code will also need unit tests coverage before this can be merged in. It's a lot of work to add the coverage but it's very valuable for future developers so they don't break your changes when they add new functionality.

Thanks for helping to keep the project growing!

[nsano-rururu]

If you added the settings to slack, please add the settings below as well.

• Mattermost
• MS Teams
• RocketChat

[nsano-rururu]

Does opensearch have a Shorten URL API like kibana? . If not, I think there is no need to add any related settings.

[luffynextgen]

Hello @nsano-rururu ,

I'm currently writing the test code, I'll add the documentation for the variable afterward.

It does have a shorten API but for now, I let it aside. For now the code call to kibana external formater url only to finish the url, the base url add happen in this file for kibana and opensearch

[luffynextgen]

ruletyles.rst

Please add the following to each design of mattermost, rocket_chat, slack, and ms_teams.

``mattermost_attach_opensearch_discover_url``: Enables the attachment of the ``opensearch_discover_url`` to the mattermost notification. The config ``generate_opensearch_discover_url`` must also be ``True`` in order to generate the url. Defaults to ``False``.

``mattermost_opensearch_discover_color``: The color of the Opensearch Discover url attachment. Defaults to ``#ec4b98``.

``mattermost_opensearch_discover_title``: The title of the Opensearch Discover url attachment. Defaults to ``Discover in opensearch``.

``rocket_chat_attach_opensearch_discover_url``: Enables the attachment of the ``opensearch_discover_url`` to the Rocket.Chat notification. The config ``generate_opensearch_discover_url`` must also be ``True`` in order to generate the url. Defaults to ``False``.

``rocket_chat_opensearch_discover_color``: The color of the Opensearch Discover url attachment. Defaults to ``#ec4b98``.

``rocket_chat_opensearch_discover_title``: The title of the Opensearch Discover url attachment. Defaults to ``Discover in opensearch``.

``slack_attach_opensearch_discover_url``: Enables the attachment of the ``opensearch_discover_url`` to the slack notification. The config ``generate_opensearch_discover_url`` must also be ``True`` in order to generate the url. Defaults to ``False``.

``slack_opensearch_discover_color``: The color of the Opensearch Discover url attachment. Defaults to ``#ec4b98``.

``slack_opensearch_discover_title``: The title of the Opensearch Discover url attachment. Defaults to ``Discover in opensearch``.

``ms_teams_attach_opensearch_discover_url``: Enables the attachment of the ``opensearch_discover_url`` to the MS Teams notification. The config ``generate_opensearch_discover_url`` must also be ``True`` in order to generate the url. Defaults to ``False``.

``ms_teams_opensearch_discover_title``: The title of the Opensearch Discover url attachment. Defaults to ``Discover in opensearch``.

Done

[nsano-rururu]

@jertel
I can't find anything else to point out.
is there anything else?

[jertel]

Thanks for the contribution! And thanks to @nsano-rururu for the detailed code reviews!