So I think your main issue is you are using context.hits
instead of context.alerts
for the loop.
You need to use the correct syntax and available fields see here they can be found with the menu on the left.
Assuming you Did Preview Results it did it show matches / Detection
?
You need to use the available fields see here they can be found with the menu on the right.
Put in {{context.alerts}}
that will give you a sense of the data / structure.
Also only fields available in the docs will be available... not every docs that is detected will have the same fields, you can check the fields in discover
Here is my sample action
Rule {{context.rule.name}} generated {{state.signals_count}} alerts
{{#context.alerts}} <!--- NOTE not context.hits
Detection alert for
_id : {{_id}}
event.dataset : {{event.dataset}}
process.name : {{process.name}}
host.name : {{host.name}}
source.ip : {{source.ip}}
client.ip : {{client.ip}}
destination.ip : {{destination.ip}}
user.name : {{user.name}}
{{/context.alerts}}
And this is what it generated,
Note : Not all fields were available in every detection, which I could see in Discover as well
Result
Rule audit-process generated 4 alerts
###
Detection alert for
_id : c0b351bfb72ce111aaf3cbd6cfd5bc522f0590e724d9b4783f77f80c8b05dd15
event.dataset : socket
process.name :
host.name : pcf-mysql-0
source.ip : 127.0.0.1
client.ip : 127.0.0.1
destination.ip : 127.0.0.53
user.name :
###
Detection alert for
_id : 133df1b87695eee0099e246b7ed6a79f9a5f96b4b33680e5b2e013ae41bafce1
event.dataset : socket
process.name : filebeat
host.name : pcf-mysql-0
source.ip : 127.0.0.1
client.ip : 127.0.0.1
destination.ip : 127.0.0.53
user.name : root
###
Detection alert for
_id : a5eea73e8283dbead1f4e6ee071f65ef58c355011adeb973a14dffc1d338f600
event.dataset : socket
process.name :
host.name : pcf-mysql-0
source.ip : 127.0.0.1
client.ip : 127.0.0.1
destination.ip : 127.0.0.53
user.name :
###
Detection alert for
_id : c75a04c6a18103d997123b8cd113be0f3a2f5dc44f872f8ea8bafb5f2cc81c85
event.dataset : socket
process.name : filebeat
host.name : pcf-mysql-0
source.ip : 127.0.0.1
client.ip : 127.0.0.1
destination.ip : 127.0.0.53
user.name : root