Hello all!
I'm very new to the Elastic stack so I'll try to not sound completely dumb.
Under Security -> Detections, I have modified the existing detection rule that detects when the process whoami.exe is run and added an action to send me an email. The problem is that when I try to use the Mustache language to reference some of the winlogbeat info inside the detection, I am unable to do so.
For instance, in the detection, it clearly outlines agent.hostname and user.name but when I try to add those to the body of the email using {{agent.hostname}} and {{user.name}} it does not work. What am I doing wrong? When I click the + to add alert variables, there's a bunch of pre-defined {{context.rule.XXXXX}} but none of that info is helpful about the alert.
I've done hours' worth of searching online and on the forum but was unable to find an answer. Please help, thanks!