
[ML] Tokens in custom URLs to security plugin are not being substituted with anomaly values #76789

@peteharverson

Description


Jobs in the siem_auditbeat and siem_winlogbeat modules contain custom URLs to the Hosts page in the Security plugin with $-delimited tokens to pass the anomalous user.name or process.name for use in the query in the target page. However, these tokens are no longer being substituted with values from the anomaly.

For example, the rare_process_by_host_linux_ecs job contains the 'Host Details by process name' custom URL:

security/hosts/ml-hosts/$host.name$?_g=()&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')),timeline:(linkTo:!(global),timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))

But the anomalous process.name is not being substituted on opening, and instead a URL of the form

security/hosts/ml-hosts/mothra?_g=()&query=(query:'',language:kuery)&timerange=(global:(linkTo:!(timeline),timerange:(from:'2020-07-22T23:00:00.000Z',kind:absolute,to:'2020-07-23T22:59:59.999Z')),timeline:(linkTo:!(global),timerange:(from:'2020-07-22T23%3A00%3A00.000Z',kind:absolute,to:'2020-07-23T22%3A59%3A59.999Z')))

is opened, where only the host.name, earliest and latest tokens are being substituted. The value of the process.name from the anomaly should be substituted into the custom URL too.
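The substitution the issue describes, written out as an added illustration (this is not Kibana's own implementation): each `$field$` token in the custom URL template is resolved against the anomaly record and percent-encoded before it is placed in the URL. The record shape used here (partition/by/over field name and value pairs plus an influencers array) follows the Elasticsearch anomaly record format as assumed for this example, and the template is a shortened form of the one quoted above; the sample record and its values are constructed.

```javascript
// Added illustration, not Kibana's own code: substitute $field$ tokens in an
// anomaly-detection custom URL with values from an anomaly record.
// Record shape (partition/by/over pairs, influencers) is an assumption based on
// the Elasticsearch anomaly record format; the template is shortened from the issue.

const TOKEN_RE = /\$([A-Za-z0-9_.]+)\$/g;

// Resolve a token name against an anomaly record. `earliest`/`latest` are the
// bucket bounds supplied by the caller as plain properties; other names are matched
// against the record's partition/by/over field pairs and then its influencers.
function lookupField(record, name) {
  if (Object.prototype.hasOwnProperty.call(record, name)) {
    return record[name];
  }
  for (const kind of ['partition', 'by', 'over']) {
    if (record[`${kind}_field_name`] === name) {
      return record[`${kind}_field_value`];
    }
  }
  for (const inf of record.influencers || []) {
    if (inf.influencer_field_name === name && inf.influencer_field_values.length > 0) {
      return inf.influencer_field_values[0];
    }
  }
  return undefined;
}

// Replace every $token$ in the template. Values are percent-encoded so that spaces,
// quotes or parentheses in an anomalous process name cannot alter the surrounding
// Rison/KQL structure of the target URL. Tokens with no value are left in place and
// reported, which is easier to notice than silently substituting an empty string
// (the symptom shown in the issue, where the query ended up as query:'').
function substituteTokens(template, record) {
  const missing = [];
  const url = template.replace(TOKEN_RE, (token, name) => {
    const value = lookupField(record, name);
    if (value === undefined || value === null) {
      missing.push(name);
      return token;
    }
    return encodeURIComponent(String(value));
  });
  return { url, missing };
}

// Constructed sample record modelled on the issue: a rare process on host "mothra".
const SAMPLE_RECORD = {
  job_id: 'rare_process_by_host_linux_ecs',
  partition_field_name: 'host.name',
  partition_field_value: 'mothra',
  by_field_name: 'process.name',
  by_field_value: 'unusual tool',
  influencers: [
    { influencer_field_name: 'user.name', influencer_field_values: ['svc-backup'] },
  ],
  earliest: '2020-07-22T23:00:00.000Z',
  latest: '2020-07-23T22:59:59.999Z',
};

// Shortened form of the 'Host Details by process name' custom URL from the issue.
const TEMPLATE =
  "security/hosts/ml-hosts/$host.name$?_g=()" +
  "&query=(query:'process.name%20:%20%22$process.name$%22',language:kuery)" +
  "&timerange=(global:(timerange:(from:'$earliest$',kind:absolute,to:'$latest$')))";

const demo = substituteTokens(TEMPLATE, SAMPLE_RECORD);
console.log(demo.url);
console.log('unresolved tokens:', demo.missing);
```

Running it prints the URL with `mothra`, `unusual%20tool` and the two percent-encoded timestamps in place of the four tokens and an empty list of unresolved tokens; dropping the `by_field_*` pair from the record leaves `$process.name$` in the URL and reports it as unresolved, which is the condition a regression test for this bug would check.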


Labels

:ml
Feature:Anomaly Detection (ML anomaly detection)
Feature:Detection Rules (Security Solution rules and Detection Engine)
bug (Fixes for quality problems that affect the customer experience)
v7.10.0
