Alert and connector email context format

Hi all,
I want to format the output of some information regarding the detection in SIEM.
For example, I want to output the source.ip when some query that I have for DNS logs hits.
To be more precise, I have a detection rule that queries for any DNS query; if it hits, I want to see the source.ip field in the email so that I don't really have to access the SIEM app just to view it.
Can anyone help me?
Thanks for your time.

Hey there @lusynda! :wave:

This functionality will be available in the upcoming 7.11 release and was added as part of this PR. So for example, you'll be able to print out the source.ip for each matching alert by using something like the following within your email alert payload:

{{#context.alerts}}Source IP of alert: {{source.ip}}{{/context.alerts}}

Hope this helps! :slightly_smiling_face:


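To make it concrete how a section tag like `{{#context.alerts}}...{{/context.alerts}}` expands once per matching alert, here is an added example that is not part of the original thread and not Kibana's own code. Kibana renders action parameters with mustache.js; this is a minimal stand-in that reproduces only the three behaviours the template above relies on: sections over arrays, dotted-name lookup (`source.ip`), and the context-stack fallback that lets `{{context.rule.name}}` resolve from the outer context while inside an alert. The alert payload, rule name and field layout are constructed for illustration, not captured from a real SIEM.

```javascript
// Added example, not from the original post or from Kibana: a minimal
// Mustache-style renderer for the kind of email body discussed above.

// Resolve a dotted name ("source.ip") against a stack of contexts, innermost
// first, as Mustache does: the current alert is searched before the outer
// context. Returns undefined when no context on the stack has the path.
function lookup(stack, name) {
  for (let i = stack.length - 1; i >= 0; i--) {
    let value = stack[i];
    let found = true;
    for (const part of name.split('.')) {
      if (value !== null && typeof value === 'object' && part in value) {
        value = value[part];
      } else {
        found = false;
        break;
      }
    }
    if (found) return value;
  }
  return undefined;
}

// {{#name}}body{{/name}} sections (closing tag must match the opening name)
// and plain {{name}} variable tags. Nesting of the same section name inside
// itself is not supported by this simplified regex.
const SECTION_RE = /\{\{#([\w.]+)\}\}([\s\S]*?)\{\{\/\1\}\}/;
const VAR_RE = /\{\{([\w.]+)\}\}/g;

function render(template, stack) {
  const m = SECTION_RE.exec(template);
  if (!m) {
    // No sections left: substitute variables. Missing values render as "".
    return template.replace(VAR_RE, (_, name) => {
      const v = lookup(stack, name);
      return v === undefined || v === null ? '' : String(v);
    });
  }
  const [whole, name, body] = m;
  const before = template.slice(0, m.index);
  const after = template.slice(m.index + whole.length);
  const value = lookup(stack, name);
  let expanded = '';
  if (Array.isArray(value)) {
    // Array section: render the body once per element, element pushed on the stack.
    expanded = value.map((item) => render(body, [...stack, item])).join('');
  } else if (value) {
    // Truthy non-array: render the body once with that value in scope.
    expanded = render(body, [...stack, value]);
  }
  // Falsy or missing: section renders as nothing.
  return render(before, stack) + expanded + render(after, stack);
}

// Constructed sample context shaped like what a detection rule could hand to
// its actions. The rule name, IPs and DNS names are made up; the third alert
// deliberately has no source.ip so the "missing field" case is visible.
const sampleContext = {
  context: {
    rule: { name: 'Any DNS query' },
    alerts: [
      { source: { ip: '10.0.0.5' }, dns: { question: { name: 'example.com' } } },
      { source: { ip: '10.0.0.9' }, dns: { question: { name: 'update.example.net' } } },
      { dns: { question: { name: 'nosource.example.org' } } },
    ],
  },
};

// Email body template in the style of the reply above, extended with the rule
// name and the alert count so the header line is useful on its own.
const emailTemplate =
  'Rule {{context.rule.name}} matched {{context.alerts.length}} event(s):\n' +
  '{{#context.alerts}}Source IP of alert: {{source.ip}} ({{dns.question.name}})\n{{/context.alerts}}';

function renderEmail(template = emailTemplate, ctx = sampleContext) {
  return render(template, [ctx]);
}

console.log(renderEmail());
```

Two things worth checking before relying on such a template in production: an alert that lacks the field renders an empty string rather than an error, so a body full of blank "Source IP" lines is the symptom to look for, and because Mustache falls back to outer contexts, a field name that also exists at the top level of the context would silently resolve there for alerts that lack it. Test the rendered body with a rule that produces several hits, not just one.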
