Hi all i have some question
I was trying the version 7.12 for the first time, what interest me the most was that kibana finally have mail format for the siem rule, well i try cortext.alert just like how they show on github and it didn't work it doesnot show any thing on the mail, the cortext part does not event show up on the mail.
Can anyone help me!
Thanks for your time.
Can you show what your connector looks like?
my connector are just onprem exchange server which basically config as normal connector.
I really dont know how that could cause the problems
Hi @lusynda
We are just asking questions because you did not give us much if any information to go on.
So we start with the most basic question, does the connector work?
Did you send a test email from the connector? Did it work? If so great then we can move on.
Can you show was which github repo you are referring to?
Can you share you configuration of the rule and action?
Perhaps someone can help if you do that.
Oh ok so the connector work i have test it and i did get the mail from kibana.
The mail that i got from kibana just lack the whole part where the information should be
The alert mail i send out is like this:
test {{something}} test {{some}}
The mail i receive are just:
test test
I follow exacly what the main page on kibana say on this link:
The rule that i have are very general thing it just search for a string for testing purpose only so it should always have hit.
If that is from the connector test then that is exactly correct.
The {{something}} syntax mean substitute the value of the field something . Since in connector test the is no actual alert data then the is no actual field something so there is no value to substitute thus result is no value / empty string.
If you would actually show me the alert / rule and action I may be able to help, If not there is no way to help.
Show us the rule a screenshot something... Not sure how we can help with no info
So I think your main issue is you are using context.hits instead of context.alerts for the loop.
You need to use the correct syntax and available fields see here they can be found with the menu on the left.
Assuming you Did Preview Results it did it show matches / Detection
?You need to use the available fields see here they can be found with the menu on the right.
Put in {{context.alerts}} that will give you a sense of the data / structure.
Also only fields available in the docs will be available... not every docs that is detected will have the same fields, you can check the fields in discover
Here is my sample action
Rule {{context.rule.name}} generated {{state.signals_count}} alerts
{{#context.alerts}} <!--- NOTE not context.hits
Detection alert for
_id : {{_id}}
event.dataset : {{event.dataset}}
process.name : {{process.name}}
host.name : {{host.name}}
source.ip : {{source.ip}}
client.ip : {{client.ip}}
destination.ip : {{destination.ip}}
user.name : {{user.name}}
{{/context.alerts}}
And this is what it generated,
Note : Not all fields were available in every detection, which I could see in Discover as well
Result
Rule audit-process generated 4 alerts
###
Detection alert for
_id : c0b351bfb72ce111aaf3cbd6cfd5bc522f0590e724d9b4783f77f80c8b05dd15
event.dataset : socket
process.name :
host.name : pcf-mysql-0
source.ip : 127.0.0.1
client.ip : 127.0.0.1
destination.ip : 127.0.0.53
user.name :
###
Detection alert for
_id : 133df1b87695eee0099e246b7ed6a79f9a5f96b4b33680e5b2e013ae41bafce1
event.dataset : socket
process.name : filebeat
host.name : pcf-mysql-0
source.ip : 127.0.0.1
client.ip : 127.0.0.1
destination.ip : 127.0.0.53
user.name : root
###
Detection alert for
_id : a5eea73e8283dbead1f4e6ee071f65ef58c355011adeb973a14dffc1d338f600
event.dataset : socket
process.name :
host.name : pcf-mysql-0
source.ip : 127.0.0.1
client.ip : 127.0.0.1
destination.ip : 127.0.0.53
user.name :
###
Detection alert for
_id : c75a04c6a18103d997123b8cd113be0f3a2f5dc44f872f8ea8bafb5f2cc81c85
event.dataset : socket
process.name : filebeat
host.name : pcf-mysql-0
source.ip : 127.0.0.1
client.ip : 127.0.0.1
destination.ip : 127.0.0.53
user.name : rootOh ok it worked now.
Thanks
Cool
keep in mind the Kibana / security alerts are a complete new framework not just a port of watcher, seems like perhaps you have a watcher background, try not to make assumptions.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.