Action variables for a Logs threshold rule

Hi everyone,

I have set up a log threshold rule to retrieve incoming Suricata alert data and send it to another tool using a webhook action.

I tried accessing the available variables using mustache, such as {{#context.alerts}}{{.}}{{/context.alerts}} or {{#context}}{{.}}{{/context}}, but nothing shows or the variables are just rule-related. I feel like I am very constrained in the variables I can use, except for the ones I can access through the scrolling menu when setting up my action body.
Is there a way to get variables such as the suricata.eve part (source IP address and stuff like that), as I would do using {{context.hits}} or {{context.alerts}} in other rule types?

Thanks in advance
