Add winlogbeat Info to Email Action

Nyhmesis · September 22, 2020, 1:08pm

Hello all!

I'm very new to the Elastic stack so I'll try to not sound completely dumb.

Under Security -> Detections, I have modified the existing detection rule that detects when the process whoami.exe is ran and added an action to send me an email. The problem is that when I try to use the Mustache language to reference some of the winlogbeat info inside the detection, I am unable to do so.

For instance, in the detection, it clearly outlines agent.hostname and user.name but when I try to add those to the body of the email using {{agent.hostname}} and {{user.name}} it does not work. What am I doing wrong? When I click the + to add alert variables, there's a bunch of pre-defined {{context.rule.XXXXX}} but none of that info is helpful about the alert.

I've done hours worth of searching online and on the forum but was unable to find an answer. Please help, thanks!

Frank_Hassanabad · September 25, 2020, 2:06pm

Hi @Nyhmesis, thanks for trying things out. The variables are limited at the moment but you can follow any number of tickets we have for expanding them for alerting:

And then when you see it solved, you will know which release it will be in and then upgrade to get the feature when it is released.

system · October 23, 2020, 2:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana Email Alert Kibana elastic-stack-alerting	8	3469	July 1, 2022
Rules and connectors examples? Kibana elastic-stack-alerting	2	1759	November 4, 2021
Email action message Kibana	1	174	October 24, 2023
[Detection Rule for Security]: Extract fields from {{context.alerts}} in the Kibana Connector Message Service Kibana	2	1462	August 13, 2021
Adding visual alerts on my Kibana Dashboards Kibana	6	2346	August 27, 2018

Add winlogbeat Info to Email Action

Related topics