Alert and connect mail format error

Hi all, I have some questions.
I was trying version 7.12 for the first time. What interested me the most was that Kibana finally has a mail format for the SIEM rules. Well, I tried cortext.alert just like they show on GitHub and it didn't work; it does not show anything in the mail, the cortext part does not even show up in the mail.

Can anyone help me!
Thanks for your time.

Can you show what your connector looks like?

My connector is just an on-prem Exchange server, basically configured as a normal connector.
I really don't know how that could cause the problem.

Hi @lusynda

We are just asking questions because you did not give us much if any information to go on.

So we start with the most basic question, does the connector work?

Did you send a test email from the connector? Did it work? If so great then we can move on.

Can you show us which GitHub repo you are referring to?

Can you share your configuration of the rule and action?

Perhaps someone can help if you do that.

Oh ok, so the connector works, I have tested it and I did get the mail from Kibana.
The mail that I got from Kibana just lacks the whole part where the information should be.
The alert mail I send out is like this:

test {{something}} test {{some}}

The mail I receive is just:

test test

I followed exactly what the main page on Kibana says at this link:

The rule that I have is a very general thing; it just searches for a string for testing purposes only, so it should always have hits.

If that is from the connector test then that is exactly correct.

The {{something}} syntax means substitute the value of the field something. Since in the connector test there is no actual alert data, there is no actual field something, so there is no value to substitute; thus the result is no value / an empty string.

If you would actually show me the alert / rule and action I may be able to help; if not, there is no way to help.

Show us the rule, a screenshot, something... Not sure how we can help with no info.


Here is my rule set


And here is the alert that I configured.

Hope this helps.

So I think your main issue is that you are using context.hits instead of context.alerts for the loop.

You need to use the correct syntax and available fields; see here, they can be found with the menu on the left.

Assuming you did Preview Results, did it show matches / detections?

You need to use the available fields; see here, they can be found with the menu on the right.

Put in {{context.alerts}}; that will give you a sense of the data / structure.

Also, only fields present in the docs will be available... not every doc that is detected will have the same fields; you can check the fields in Discover.

Here is my sample action

Rule {{context.rule.name}} generated {{state.signals_count}} alerts

{{#context.alerts}} {{! NOTE: the loop is over context.alerts, not context.hits }}

  Detection alert for
  _id : {{_id}} 
  event.dataset : {{event.dataset}}
  process.name : {{process.name}}
  host.name : {{host.name}} 
  source.ip : {{source.ip}}
  client.ip : {{client.ip}}
  destination.ip : {{destination.ip}}
  user.name : {{user.name}}

{{/context.alerts}}

And this is what it generated.
Note: not all fields were available in every detection, which I could see in Discover as well.

Result

Rule audit-process generated 4 alerts
###
 Detection alert for
 _id : c0b351bfb72ce111aaf3cbd6cfd5bc522f0590e724d9b4783f77f80c8b05dd15
 event.dataset : socket
 process.name :
 host.name : pcf-mysql-0
 source.ip : 127.0.0.1
 client.ip : 127.0.0.1
 destination.ip : 127.0.0.53
 user.name :
###
 Detection alert for
 _id : 133df1b87695eee0099e246b7ed6a79f9a5f96b4b33680e5b2e013ae41bafce1
 event.dataset : socket
 process.name : filebeat
 host.name : pcf-mysql-0
 source.ip : 127.0.0.1
 client.ip : 127.0.0.1
 destination.ip : 127.0.0.53
 user.name : root
###
 Detection alert for
 _id : a5eea73e8283dbead1f4e6ee071f65ef58c355011adeb973a14dffc1d338f600
 event.dataset : socket
 process.name :
 host.name : pcf-mysql-0
 source.ip : 127.0.0.1
 client.ip : 127.0.0.1
 destination.ip : 127.0.0.53
 user.name :
###
 Detection alert for
 _id : c75a04c6a18103d997123b8cd113be0f3a2f5dc44f872f8ea8bafb5f2cc81c85
 event.dataset : socket
 process.name : filebeat
 host.name : pcf-mysql-0
 source.ip : 127.0.0.1
 client.ip : 127.0.0.1
 destination.ip : 127.0.0.53
 user.name : root

Oh ok it worked now.
Thanks

Cool

Keep in mind the Kibana / Security alerts are a completely new framework, not just a port of Watcher; it seems like perhaps you have a Watcher background, so try not to make assumptions.
