Add winlogbeat Info to Email Action

Hello all!

I'm very new to the Elastic stack so I'll try to not sound completely dumb.

Under Security -> Detections, I have modified the existing detection rule that detects when the process whoami.exe is run and added an action to send me an email. The problem is that when I try to use the Mustache language to reference some of the winlogbeat info inside the detection, I am unable to do so.

For instance, in the detection, it clearly outlines agent.hostname and user.name, but when I try to add those to the body of the email using {{agent.hostname}} and {{user.name}}, it does not work. What am I doing wrong? When I click the + to add alert variables, there's a bunch of pre-defined {{context.rule.XXXXX}} variables, but none of that info is helpful about the alert.

I've done hours' worth of searching online and on the forum but was unable to find an answer. Please help, thanks!

Hi @Nyhmesis, thanks for trying things out. The variables are limited at the moment, but you can follow any number of tickets we have for expanding them for alerting:



And then when you see it solved, you will know which release it will be in, and you can upgrade to get the feature when it is released.
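As an added illustration (not code from the original thread or from Kibana), the following shows why `{{agent.hostname}}` renders as an empty string in the email body: Mustache resolves each dotted name against the context object the action is given, and a name that is not present in that context silently becomes empty rather than raising an error. The event document, the shape of the action context and the `context.rule.name` / `context.rule.severity` fields are constructed assumptions for the demo, not Kibana's actual action context, and the renderer is a deliberately minimal stand-in for the real Mustache engine (variable tags only, no sections or partials).

```python
import re
from collections.abc import Mapping

# Minimal Mustache-style substitution: only {{dotted.name}} tags.
# Stand-in for a real Mustache engine, used to show how names are resolved.
TAG = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def lookup(context, dotted):
    """Walk a dotted name through nested mappings; None if any part is missing."""
    cur = context
    for part in dotted.split("."):
        if isinstance(cur, Mapping) and part in cur:
            cur = cur[part]
        else:
            return None
    return cur


def render(template, context):
    """Replace each {{name}} with its value; missing names render as ''."""
    def sub(match):
        value = lookup(context, match.group(1))
        return "" if value is None else str(value)
    return TAG.sub(sub, template)


def missing_variables(template, context):
    """Pre-save check: which template variables the context cannot resolve."""
    return [name for name in TAG.findall(template) if lookup(context, name) is None]


# Constructed winlogbeat-style event (not real data): what the rule matched on.
EVENT = {
    "agent": {"hostname": "WKSTN-01"},
    "user": {"name": "jdoe"},
    "process": {"name": "whoami.exe"},
}

# Constructed stand-in for what the email action receives: only context.rule.*
# is exposed, mirroring the variable picker described in the post. The field
# names are assumptions for illustration, not Kibana's documented context.
ACTION_CONTEXT = {
    "context": {
        "rule": {"name": "Whoami Process Activity", "severity": "low"},
    }
}

EMAIL_BODY = (
    "Rule {{context.rule.name}} fired on {{agent.hostname}} "
    "for user {{user.name}}"
)

if __name__ == "__main__":
    # The rule name resolves; the event fields do not, because they are not
    # in the action context, so they render as empty strings.
    print(render(EMAIL_BODY, ACTION_CONTEXT))
    print(missing_variables(EMAIL_BODY, ACTION_CONTEXT))
    # The same template resolves fine when the event itself is the context.
    print(render("{{agent.hostname}}/{{user.name}}", EVENT))
```

`missing_variables` is the check a practitioner would run on a template before saving it: any name it reports will render blank in the delivered email, which is exactly the symptom in the question.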
