Alert and connect mail format error

lusynda · April 1, 2021, 8:48am

Hi all i have some question
I was trying the version 7.12 for the first time, what interest me the most was that kibana finally have mail format for the siem rule, well i try cortext.alert just like how they show on github and it didn't work it doesnot show any thing on the mail, the cortext part does not event show up on the mail.

Can anyone help me!
Thanks for your time.

austinsonger · April 1, 2021, 5:02pm

Can you show what your connector looks like?

lusynda · April 2, 2021, 1:12am

my connector are just onprem exchange server which basically config as normal connector.
I really dont know how that could cause the problems

stephenb · April 2, 2021, 3:18am

Hi @lusynda

We are just asking questions because you did not give us much if any information to go on.

So we start with the most basic question, does the connector work?

Did you send a test email from the connector? Did it work? If so great then we can move on.

Can you show was which github repo you are referring to?

Can you share you configuration of the rule and action?

Perhaps someone can help if you do that.

lusynda · April 2, 2021, 3:37am

Oh ok so the connector work i have test it and i did get the mail from kibana.
The mail that i got from kibana just lack the whole part where the information should be
The alert mail i send out is like this:

test {{something}} test {{some}}

The mail i receive are just:

test test

I follow exacly what the main page on kibana say on this link:

The rule that i have are very general thing it just search for a string for testing purpose only so it should always have hit.

stephenb · April 2, 2021, 3:54am

lusynda:

The mail that i got from kibana just lack the whole part where the information should be
The alert mail i send out is like this:

Copy to clipboard
test {{something}} test {{some}}
The mail i receive are just:

Copy to clipboard
test test

If that is from the connector test then that is exactly correct.

The {{something}} syntax mean substitute the value of the field something . Since in connector test the is no actual alert data then the is no actual field something so there is no value to substitute thus result is no value / empty string.

If you would actually show me the alert / rule and action I may be able to help, If not there is no way to help.

Show us the rule a screenshot something... Not sure how we can help with no info

lusynda · April 2, 2021, 4:14am

Here is my rule set

And here is the alert that i config

Hope this help

stephenb · April 2, 2021, 3:35pm

So I think your main issue is you are using context.hits instead of context.alerts for the loop.

You need to use the correct syntax and available fields see here they can be found with the menu on the left.

Assuming you Did Preview Results it did it show matches / Detection

?

You need to use the available fields see here they can be found with the menu on the right.

Put in {{context.alerts}} that will give you a sense of the data / structure.

Also only fields available in the docs will be available... not every docs that is detected will have the same fields, you can check the fields in discover

Here is my sample action

Rule {{context.rule.name}} generated {{state.signals_count}} alerts

{{#context.alerts}} <!--- NOTE not context.hits

  Detection alert for
  _id : {{_id}} 
  event.dataset : {{event.dataset}}
  process.name : {{process.name}}
  host.name : {{host.name}} 
  source.ip : {{source.ip}}
  client.ip : {{client.ip}}
  destination.ip : {{destination.ip}}
  user.name : {{user.name}}

{{/context.alerts}}

And this is what it generated,
Note : Not all fields were available in every detection, which I could see in Discover as well

Result

Rule audit-process generated 4 alerts
###
 Detection alert for
 _id : c0b351bfb72ce111aaf3cbd6cfd5bc522f0590e724d9b4783f77f80c8b05dd15
 event.dataset : socket
 process.name :
 host.name : pcf-mysql-0
 source.ip : 127.0.0.1
 client.ip : 127.0.0.1
 destination.ip : 127.0.0.53
 user.name :
###
 Detection alert for
 _id : 133df1b87695eee0099e246b7ed6a79f9a5f96b4b33680e5b2e013ae41bafce1
 event.dataset : socket
 process.name : filebeat
 host.name : pcf-mysql-0
 source.ip : 127.0.0.1
 client.ip : 127.0.0.1
 destination.ip : 127.0.0.53
 user.name : root
###
 Detection alert for
 _id : a5eea73e8283dbead1f4e6ee071f65ef58c355011adeb973a14dffc1d338f600
 event.dataset : socket
 process.name :
 host.name : pcf-mysql-0
 source.ip : 127.0.0.1
 client.ip : 127.0.0.1
 destination.ip : 127.0.0.53
 user.name :
###
 Detection alert for
 _id : c75a04c6a18103d997123b8cd113be0f3a2f5dc44f872f8ea8bafb5f2cc81c85
 event.dataset : socket
 process.name : filebeat
 host.name : pcf-mysql-0
 source.ip : 127.0.0.1
 client.ip : 127.0.0.1
 destination.ip : 127.0.0.53
 user.name : root

lusynda · April 2, 2021, 7:25am

Oh ok it worked now.
Thanks

stephenb · April 2, 2021, 1:26pm

Cool

keep in mind the Kibana / security alerts are a complete new framework not just a port of watcher, seems like perhaps you have a watcher background, try not to make assumptions.