Hi all, I have a question regarding Elastic alert mail in SIEM.
Last time, the test mail I sent successfully parsed the field into the mail.
But this time I want to know whether it would work if the data I have is not a JSON-type (nested) field.
Ex: normally the data dns.question.name would look like this:
    dns: {
      question: {
        name: something
      }
    }
but mine, due to some problems, appears like this:
    dns.question.name: something
and now the mail it sends no longer parses the dns field for me,
since {{dns.question.name}} does not work any more.
So is there a syntax to send the mail with a field that looks like a JSON type but is not?
I'm not sure I completely follow, but it sounds like you're just trying to deal with a field mismatch and need to determine the right syntax for accessing the desired field.
For this sort of thing I recommend setting up an action with the below message (docs):
{{#context.alerts}} {{.}} {{/context.alerts}}
This will print every field in the alert, and you can then determine which key matches the field.
Alternatively, of course, you can just look at the Alert Details for an alert from that rule and determine the exact key you should be referencing. E.g.
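The mismatch in this thread is worth seeing concretely. Mustache (which Kibana's action messages use) splits a dotted name like dns.question.name into a path and walks nested objects, so a document that carries a literal top-level key "dns.question.name" is never matched by that tag and the mail renders an empty string. The example below is added here and is not code from the original thread or from Elastic: it models the dotted-name lookup, renders the same template against a nested alert and a flattened one, and then restores the nested shape so the existing template works again. The two alert documents are constructed; the lookup is a simplified model of Mustache's behaviour, not Kibana's renderer.

```python
"""Why {{dns.question.name}} resolves against a nested alert but not a flattened
one, and a dot-expander that restores the nested shape.

Added example for the thread above; the alert documents are constructed and
the resolver is a simplified model of Mustache dotted-name lookup."""
import re
from typing import Any, Dict, Optional

# Constructed sample alerts. NESTED_ALERT is the usual ECS shape; FLAT_ALERT is
# what a pipeline produces when it emits literal keys containing dots.
NESTED_ALERT: Dict[str, Any] = {
    "dns": {"question": {"name": "example.org"}},
    "host": {"name": "ws01"},
}
FLAT_ALERT: Dict[str, Any] = {
    "dns.question.name": "example.org",
    "host.name": "ws01",
}

# {{ name }} tags; name may contain dots, as in Mustache.
TAG = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def lookup(doc: Dict[str, Any], dotted_name: str) -> Optional[Any]:
    """Mustache-style resolution: split on '.' and walk nested dicts.

    A literal key such as 'dns.question.name' at the top level is never
    reached by this walk, which is exactly the failure in the thread."""
    cur: Any = doc
    for part in dotted_name.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def render(template: str, doc: Dict[str, Any]) -> str:
    """Render {{name}} tags; an unresolved tag renders as empty text."""
    def substitute(match: "re.Match[str]") -> str:
        value = lookup(doc, match.group(1))
        return "" if value is None else str(value)
    return TAG.sub(substitute, template)


def deep_merge(dst: Dict[str, Any], src: Dict[str, Any]) -> Dict[str, Any]:
    """Merge src into dst; refuse to overwrite a scalar with an object or
    vice versa so a malformed document cannot silently clobber a field."""
    for key, value in src.items():
        if key in dst and isinstance(dst[key], dict) and isinstance(value, dict):
            deep_merge(dst[key], value)
        elif key in dst:
            raise ValueError(f"conflicting values for key {key!r}")
        else:
            dst[key] = value
    return dst


def expand_dots(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Turn {'a.b.c': v} into {'a': {'b': {'c': v}}}, recursing into nested
    dicts and merging paths that share a prefix. This is the same idea as
    Elasticsearch's dot_expander ingest processor; whether you can run one in
    your pipeline is an assumption about your setup."""
    out: Dict[str, Any] = {}
    for key, value in doc.items():
        if isinstance(value, dict):
            value = expand_dots(value)
        node: Any = value
        for part in reversed(key.split(".")):
            node = {part: node}
        deep_merge(out, node)
    return out


MAIL_TEMPLATE = "dns={{dns.question.name}} host={{host.name}}"

if __name__ == "__main__":
    print("nested  :", render(MAIL_TEMPLATE, NESTED_ALERT))
    print("flat    :", render(MAIL_TEMPLATE, FLAT_ALERT))
    print("expanded:", render(MAIL_TEMPLATE, expand_dots(FLAT_ALERT)))
```

Running the block shows the flattened alert rendering with empty values while the nested and re-expanded alerts both fill the template. The practical takeaway matches the answer above: dump the alert's actual keys first, and if the key really is a literal "dns.question.name", fix the shape of the data rather than hunting for a template syntax, since the dotted name in the template will always be treated as a path.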