Alert mail siem format question

Hi all, I have a question regarding Elastic alert mail in SIEM.
Last time, the test mail I sent successfully parsed the fields into the mail,
but this time I want to know whether it would work if the data I have is not a JSON-type (nested) field.
Ex: normally the data dns.question.name would look like this:

dns: {
  question: {
    name: something
  }
}

but mine, due to some problems, appears like this:

dns.question.name: something

and now the mail it sends no longer parses the dns field for me,
since {{dns.question.name}} does not work any more.
So is there a syntax to send the mail with a field that looks like JSON type but is not?

Thanks for your time.

Hey there @lusynda! :wave:

I'm not sure I completely follow, but it sounds like you're just trying to deal with a field mismatch and need to determine what the right syntax is for accessing the desired field.

For this sorta thing I recommend setting up an action with the below message (docs):

{{#context.alerts}} {{.}} {{/context.alerts}}

This will print every field in the alert, and you can then determine which key matches the field.

Alternatively of course, you can just look at the Alert Details for an alert from that rule and determine the exact key you should be referencing. E.g.

As above, please check out the docs for all the right syntax in looping over the alert fields, as you may just have something incorrect there.

Hope that helps -- and let us know if you have any more details to add from the above!

Cheers!
Garrett
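The mismatch described in the question (a nested `dns.question.name` versus a single flat key literally named `dns.question.name`) and the "print every field" trick from the answer, shown as an added, stand-alone illustration in JavaScript. This is not Kibana's code and makes no claim about Kibana internals; it only shows why a dotted template name that is walked segment by segment resolves against the nested shape and not the flat one, lists every field the way the `{{#context.alerts}} {{.}}` action does, and applies one normalisation (expanding dotted keys into nested objects, assumed here as a remediation on the ingest side, not something the alert action does for you). The sample alerts are constructed.

```javascript
// Added illustration, not code from Kibana or from the thread.
// Constructed sample alerts: the usual nested ECS shape and the flat dotted-key shape.
const nestedAlert = { dns: { question: { name: "example.test" } } };
const flatAlert = { "dns.question.name": "example.test" };

// Mustache-style dotted lookup: split the name on '.' and walk nested objects.
// A flat key that merely contains dots is never matched this way.
function lookupPath(doc, path) {
  let cur = doc;
  for (const part of path.split(".")) {
    if (cur === null || typeof cur !== "object" || !(part in cur)) return undefined;
    cur = cur[part];
  }
  return cur;
}

// Expand flat dotted keys into nested objects (assumed remediation; assumes no key is
// used both as a leaf value and as an object prefix).
function expandDots(doc) {
  const out = {};
  for (const [key, value] of Object.entries(doc)) {
    const parts = key.split(".");
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (cur[parts[i]] === null || typeof cur[parts[i]] !== "object") cur[parts[i]] = {};
      cur = cur[parts[i]];
    }
    const leaf = parts[parts.length - 1];
    const isObj = value !== null && typeof value === "object" && !Array.isArray(value);
    cur[leaf] = isObj ? expandDots(value) : value;
  }
  return out;
}

// Enumerate every field as "key: value" lines, analogous to the
// {{#context.alerts}} {{.}} {{/context.alerts}} action that prints the whole alert.
function listFields(doc, prefix = "") {
  const rows = [];
  for (const [key, value] of Object.entries(doc)) {
    const full = prefix ? `${prefix}.${key}` : key;
    const isObj = value !== null && typeof value === "object" && !Array.isArray(value);
    if (isObj) rows.push(...listFields(value, full));
    else rows.push(`${full}: ${JSON.stringify(value)}`);
  }
  return rows;
}

// Demonstration when run directly.
console.log("nested:", lookupPath(nestedAlert, "dns.question.name"));      // example.test
console.log("flat:", lookupPath(flatAlert, "dns.question.name"));          // undefined
console.log("expanded:", lookupPath(expandDots(flatAlert), "dns.question.name")); // example.test
console.log(listFields(flatAlert).join("\n"));
```

Listing the fields of both shapes gives the same `dns.question.name: "example.test"` line, which is exactly why the printed output alone does not reveal the problem: the key names look identical, and only the path walk distinguishes a nested object from a flat dotted key.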
