Alert Variables in email action - EQL

jancodenew · February 18, 2021, 11:20am

Hello,

Can someone please help to add additional field to the alert variable? I have mentioned the Detection EQL rule logic below.

sequence with maxspan=5m
[authentication where event.type == "authentication_failure"] by user.name
[authentication where event.type == "authentication_failure"] by user.name
[authentication where event.type == "authentication_failure"] by user.name

I need to add the user.name field as a alert variable in email action body.

I have tried with below parameters and its not working.
{{user.name}}
{{context.user.name}}

Thanks and regards

Frank_Hassanabad · February 19, 2021, 12:04am

Is this the same post? I responded to this one over here:

jancodenew · February 22, 2021, 9:02am

I have tried with all following options and its not working. All are giving blank result.

Frank_Hassanabad · February 22, 2021, 5:32pm

You're on 7.10 though? That particular feature looks to be added in 7.11. I don't think on 7.10 you will be able to get the context.alerts fwiw compared to 7.11.

system · March 22, 2021, 5:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.