Alert Variables in email action - EQL

jancodenew · February 18, 2021, 11:20am

Hello,

Can someone please help to add additional field to the alert variable? I have mentioned the Detection EQL rule logic below.

sequence with maxspan=5m
[authentication where event.type == "authentication_failure"] by user.name
[authentication where event.type == "authentication_failure"] by user.name
[authentication where event.type == "authentication_failure"] by user.name

I need to add the user.name field as a alert variable in email action body.

I have tried with below parameters and its not working.
{{user.name}}
{{context.user.name}}

Thanks and regards

Frank_Hassanabad · February 19, 2021, 12:04am

Is this the same post? I responded to this one over here:

jancodenew · February 22, 2021, 9:02am

I have tried with all following options and its not working. All are giving blank result.

Frank_Hassanabad · February 22, 2021, 5:32pm

You're on 7.10 though? That particular feature looks to be added in 7.11. I don't think on 7.10 you will be able to get the context.alerts fwiw compared to 7.11.

system · March 22, 2021, 5:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SIEM Detection alerts - Additional field adding in notification placeholders SIEM	4	773	March 18, 2021
Additional Variable adding in Detection EMAIL body Elastic Security elastic-stack-alerting , detection-rules	5	773	June 20, 2021
Security Detection Rules ( SIEM ) Elasticsearch	0	86	May 24, 2024
Add winlogbeat Info to Email Action Elastic Security elastic-stack-alerting	2	475	October 23, 2020
Email action message Kibana	1	171	October 24, 2023

Alert Variables in email action - EQL

Related Topics