Can someone please help me add an additional field to the alert variable? I have included the detection EQL rule logic below.
```eql
sequence with maxspan=5m
  [authentication where event.type == "authentication_failure"] by user.name
  [authentication where event.type == "authentication_failure"] by user.name
  [authentication where event.type == "authentication_failure"] by user.name
```
I need to add the user.name field as an alert variable in the email action body.
I have tried the parameters below and they are not working.
```
{{user.name}}
{{context.user.name}}
```
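As an added example (not from the original thread or from Kibana itself), here is a simplified Python emulation of the rule above: three authentication failures joined on user.name within a 5 minute span, run over constructed ECS-style events. Each generated alert carries user.name as the join key, which is the value the poster wants surfaced in the email body; the alert dict layout and the restart-on-span-exceeded behaviour are simplifications I chose, not Elasticsearch's exact sequence engine.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=5)   # "with maxspan=5m"
SEQ_LEN = 3                      # three [authentication where ...] stages


def make_event(ts, user, etype="authentication_failure"):
    """Build a minimal ECS-style authentication document (constructed sample data)."""
    doc = {"@timestamp": ts, "event.category": "authentication", "event.type": etype}
    if user is not None:
        doc["user.name"] = user
    return doc


# Constructed sample events: alice trips the rule, bob exceeds the span, carol has too few.
SAMPLE_EVENTS = [
    make_event("2021-01-10T08:00:00Z", "alice"),
    make_event("2021-01-10T08:00:30Z", "bob"),
    make_event("2021-01-10T08:01:00Z", "alice"),
    make_event("2021-01-10T08:02:00Z", "alice", "authentication_success"),  # not a stage match
    make_event("2021-01-10T08:03:00Z", "alice"),  # third failure within 5m -> alert
    make_event("2021-01-10T08:04:00Z", "bob"),
    make_event("2021-01-10T08:04:30Z", "carol"),
    make_event("2021-01-10T08:06:00Z", "bob"),    # 5.5m after bob's first -> span exceeded
    make_event("2021-01-10T08:07:00Z", None),     # no join key -> ignored
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def matches_stage(ev):
    """Every stage of the rule is the same filter: an authentication failure."""
    return ev.get("event.category") == "authentication" and ev.get("event.type") == "authentication_failure"


def detect_sequences(events, maxspan=MAXSPAN, seq_len=SEQ_LEN):
    """Return one alert per completed sequence; each alert keeps the user.name join key."""
    pending = defaultdict(list)  # user.name -> in-progress chain of matching events
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not matches_stage(ev) or "user.name" not in ev:
            continue  # EQL drops events that fail the filter or lack the join key
        key, ts = ev["user.name"], parse_ts(ev["@timestamp"])
        chain = pending[key]
        # Simplification: if the gap from the chain's first event exceeds maxspan, restart the chain.
        chain = [ev] if chain and ts - parse_ts(chain[0]["@timestamp"]) > maxspan else chain + [ev]
        if len(chain) == seq_len:
            alerts.append({"user.name": key, "first_seen": chain[0]["@timestamp"],
                           "last_seen": ev["@timestamp"], "events": chain})
            chain = []
        pending[key] = chain
    return alerts
```

Running detect_sequences(SAMPLE_EVENTS) yields a single alert for alice; the user.name on that alert is what an action template would need to reference.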
You're on 7.10 though? That particular feature looks to have been added in 7.11. I don't think on 7.10 you will be able to get context.alerts, FWIW, compared to 7.11.