Alert Variables in email action - EQL

Hello,

Can someone please help to add an additional field to the alert variable? I have mentioned the detection EQL rule logic below.

sequence with maxspan=5m
[authentication where event.type == "authentication_failure"] by user.name
[authentication where event.type == "authentication_failure"] by user.name
[authentication where event.type == "authentication_failure"] by user.name

I need to add the user.name field as an alert variable in the email action body.

I have tried with the parameters below and it's not working.
{{user.name}}
{{context.user.name}}

Thanks and regards

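Added example, not code from the thread: a Python emulation of the EQL sequence rule above, run over constructed authentication events so the fields that end up on the alert (user.name included) can be seen. It simplifies the engine's sequence bookkeeping (each event joins at most one sequence) and assumes events arrive in timestamp order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=5)  # "sequence with maxspan=5m"
STAGES = 3                      # three identical stages, joined "by user.name"

def auth(ts, user, outcome):
    # Minimal ECS-style authentication event (constructed sample data).
    return {"@timestamp": ts, "event.category": "authentication",
            "event.type": outcome, "user.name": user}

# Constructed sample events in timestamp order; not from the original thread.
SAMPLE_EVENTS = [
    auth("2024-01-01T10:00:00", "alice", "authentication_failure"),
    auth("2024-01-01T10:00:00", "bob", "authentication_failure"),
    auth("2024-01-01T10:00:00", "carol", "authentication_failure"),
    auth("2024-01-01T10:01:00", "alice", "authentication_failure"),
    auth("2024-01-01T10:01:30", "alice", "authentication_success"),  # not a stage match
    auth("2024-01-01T10:02:00", "alice", "authentication_failure"),  # alice: 3 in 2m -> alert
    auth("2024-01-01T10:04:00", "bob", "authentication_failure"),
    auth("2024-01-01T10:07:00", "carol", "authentication_failure"),  # carol's 10:00 event ages out
    auth("2024-01-01T10:08:00", "carol", "authentication_failure"),
    auth("2024-01-01T10:09:00", "carol", "authentication_failure"),  # carol: 10:07..10:09 -> alert
    auth("2024-01-01T10:10:00", "bob", "authentication_failure"),    # bob: earlier two age out, no alert
]

def stage_matches(event):
    # The filter shared by all three stages of the rule.
    return (event["event.category"] == "authentication"
            and event["event.type"] == "authentication_failure")

def run_sequence(events, stages=STAGES, maxspan=MAXSPAN):
    """Return one alert per completed sequence. Simplified emulation: each event joins at
    most one sequence; per user.name the window slides so first and last stay within maxspan."""
    pending = defaultdict(deque)  # user.name -> timestamps not yet in a full sequence
    alerts = []
    for ev in (e for e in events if stage_matches(e)):
        key, ts = ev["user.name"], datetime.fromisoformat(ev["@timestamp"])
        q = pending[key]
        q.append(ts)
        while ts - q[0] > maxspan:  # drop events too old to share this window
            q.popleft()
        if len(q) >= stages:
            # Fields of the alert document; the email action reaches them via context.alerts.
            alerts.append({"user.name": key,
                           "first": q[0].isoformat(), "last": q[-1].isoformat()})
            q.clear()
    return alerts
```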

Is this the same post? I responded to this one over here:

I have tried all of the following options and it's not working. All are giving a blank result.

{{context.alerts.0.user.name}}
{{context.alerts}}
{{context.rule.0.user.name}}
{{user.name}}
{{context.user.name}}

You're on 7.10 though? That particular feature looks to be added in 7.11. I don't think on 7.10 you will be able to get the context.alerts fwiw compared to 7.11.
