Adding additional variables to the detection EMAIL body

Hi,

I am trying to add additional fields to the EMAIL message in my detection email alert action.

{{#context.alerts}}
Message : {{message}}
port: {{port}}
URL Host : {{url.host}}
Http Connect: {{http.connect.host}}
{{/context.alerts}}

The 'message' and 'port' field values are reflected in the email, but the url.host and http.connect.host values are missing. Only single-level fields like 'message' and 'port' are arriving in the email body.

Can someone please help with this?

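An added example, not from this thread or from Elastic, modelling the behaviour the question describes: a Mustache-style renderer resolves a dotted name such as `url.host` by walking nested objects, so an alert document that stores the value under a literal `url.host` key (or has no `url` object at all) renders empty, while an ECS-shaped document renders it. The renderer, the two sample alerts and the `unflatten` helper are my own constructions; that Kibana hands the alert documents to the template unchanged is an assumption the thread does not confirm.

```python
import re
# Constructed sample alerts: the first is ECS-shaped (nested objects); the
# second stores the same values under literal dotted keys, as a non-ECS index can.
ALERTS = [
    {"message": "outbound connect", "port": 443, "url": {"host": "example.org"},
     "http": {"connect": {"host": "proxy.example.org"}}},
    {"message": "outbound connect", "port": 8080,
     "url.host": "example.net", "http.connect.host": "proxy.example.net"},
]
TEMPLATE = ("{{#context.alerts}}Message: {{message}} port: {{port}} "
            "URL Host: {{url.host}} Http Connect: {{http.connect.host}}\n"
            "{{/context.alerts}}")
SECTION = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.S)
VARIABLE = re.compile(r"\{\{\{?([\w.]+)\}?\}\}")

def lookup(name, stack):
    """Walk nested dicts for a dotted name, innermost scope first; a literal
    'url.host' key is never consulted, only a 'url' object holding 'host'."""
    for scope in reversed(stack):
        value = scope
        for part in name.split("."):
            if not isinstance(value, dict) or part not in value:
                value = None
                break
            value = value[part]
        if value is not None:
            return value
    return ""  # an unresolvable name renders as empty text

def render(template, view, stack=()):
    """Minimal Mustache: {{#name}}..{{/name}} iterates a list, {{name}} substitutes."""
    stack = list(stack) + [view]
    def expand(match):
        items = lookup(match.group(1), stack)
        items = items if isinstance(items, list) else ([items] if items else [])
        return "".join(render(match.group(2), item, stack) for item in items)
    body = SECTION.sub(expand, template)
    return VARIABLE.sub(lambda m: str(lookup(m.group(1), stack)), body)

def unflatten(doc):
    """Turn literal 'a.b.c' keys into nested objects so dotted lookups resolve."""
    out = {}
    for key, value in doc.items():
        node = out
        *parents, leaf = key.split(".")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return out
```

Rendering `ALERTS` directly leaves the second alert's URL and proxy host blank; rendering `[unflatten(a) for a in ALERTS]` fills them in, which is the same effect as reshaping the index to ECS.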

Hi @jancodenew, thanks for reaching out! Can you let us know the type of rule you're using to create the alert as well as a sample of an alert that it generates? Thanks!

Hi @Michael_Olorunnisola

Thanks for your reply.

I am using a custom query type rule in my ELK 7.12.1.

I cannot share the generated alerts for security reasons.

Thanks

This is the setup I have for sending to JIRA.
IGNORE: {quote},{noformat}

- *Number of Alerts*: {{state.signals_count}}
- *Risk score*: {{context.rule.risk_score}}
- *Severity*: {{context.rule.severity}}

 h2. Rule Details
 [View Detection Alert|{{{context.results_link}}}]
- *Rule Description*: {quote}{{context.rule.description}}{quote}
- *Rule Query*: {quote}{{context.rule.query}}{quote}

 h2. Source
 {{#context.alerts}}
- *Source IP Address*: {noformat}{{source.ip}}{noformat}
- *Source Port*: {noformat}{{source.port}}{noformat}
 {{/context.alerts}}

 h2. Destination
 {{#context.alerts}}
- *Destination IP Address*: {noformat}{{destination.ip}}{noformat}
- *Destination Port*: {noformat}{{destination.port}}{noformat}
 {{/context.alerts}}

 h3. Process
 {{#context.alerts}}
- *Hash MD5*: {noformat}{{process.hash.md5}}{noformat}
- *Hash SHA1*: {noformat}{{process.hash.sha1}}{noformat}
- *Hash SHA256*: {noformat}{{process.hash.sha256}}{noformat}
- *Process Name*: {noformat}{{process.name}}{noformat}
- *Process Parent Executable*: {noformat}{{process.parent.executable}}{noformat}
- *Process Parent Name*: {noformat}{{process.parent.name}}{noformat}
 {{/context.alerts}}

 h3. File
 {{#context.alerts}}
- *File Name*: {noformat}{{file.name}}{noformat}
- *File Owner*: {noformat}{{file.owner}}{noformat}
- *File Path*: {noformat}{{file.path}}{noformat}
- *File size*: {noformat}{{file.size}}{noformat}
- *File Target Path*: {noformat}{{file.target_path}}{noformat}
- *File Type*: {noformat}{{file.type}}{noformat}
 {{/context.alerts}}

Here are the fields that you can use:
Elastic Security ECS field reference | Elastic Security Solution [7.12] | Elastic

Thank you @austinsonger

The above format is not fetching field values from my index. It looks like I have to change the template to match the ECS format.

Can we expect the same output from the additional-variable setup mentioned above in aggregation rules (threshold rules)?

Also, kindly share if there is any workaround to manage this without changing templates to 100% ECS format. We have a huge amount of index data that would need to be changed to make it all adhere to the ECS format.

Thanks in advance.
