Add format string for Slack outputs

[actgardner]

Add a new configuration option for the Slack output, which allows users to customize the text of the Slack message in addition to the existing attachments. The current all and text options are verbose and make it hard to surface specific valuable information. Using Go templates also gives users some flexibility to do some basic string munging.

[Issif]

This is a really interesting idea, that could be reproduced for other outputs (Teams, SMTP) even all.

For Slack, I choosed to avoid theText field to get all informations beside the colored vertical line, it looks nicer. What do you think to use your MessageFormat template to replace theOutput used for Attachement's Text?

We must also provide more intels about available fields (.Priority, .Rule, etc) in README, some of them are always present but not all.

For example in :

messageformat: "Alert for rule '{{ .Rule }}' from process {{ index .OutputFields \"proc.name\" }}"

proc.name may not be there in all rules' outputs, how do we manage that? I didn't checked what happened if a field used by template is missing (panic?).

If Attachement's Text is overrided, we need a fallback to origin .Output, we can't loose messages.

You edited README.md but forget to do same in config_example.yml.

[actgardner]

For Slack, I choosed to avoid theText field to get all informations beside the colored vertical line, it looks nicer. What do you think to use your MessageFormat template to replace theOutput used for Attachement's Text?

I opted to put this in the message Text so it would be easy to pick out - the hope is that surfacing a subset of information makes alerts clearer for the people triaging them? I think putting it in the attachment Text could also work but it loses some differentiation from the body of the message - in a busy channel it gets hard to pick out the individual events. Plus this way it didn't conflict with any existing features, in case people want this and the output value. But I'm open to changing it if you have strong feelings about it.

proc.name may not be there in all rules' outputs, how do we manage that? I didn't checked what happened if a field used by template is missing (panic?).

There's three failure modes:

• you write an invalid template, that can't be parsed. This logs an error on startup and sends messages with an empty Text field.
• you write a valid template, but it references a top-level field of the FalcoPayload struct that doesn't exist. This would fall to Execute, we'd log an error and the message would be sent with an empty Text field.
• you write a valid template that references a map value in .OutputFields that doesn't always exist. This would evaluate to <no value> in the template, and the Text field would still be set ( see https://play.golang.org/p/7mztgw6IWs0).

We must also provide more intels about available fields (.Priority, .Rule, etc) in README, some of them are always present but not all.

You edited README.md but forget to do same in config_example.yml.

I'll write some more explicit documentation and clean this up.

[Issif]

You convinced me. Ok for your idea.

I proposed some suggestions while reviewing.

I'll test your branch next Monday and merge for 2.9.1 if ok.

[actgardner]

Sounds good, thanks for the quick review!

[Issif]

I released 2.9.1 with your PR. Thanks.