Alert Variables in email action - EQL

Hello,

Can someone please help me add an additional field to the alert variables? I have included the detection EQL rule logic below.

sequence with maxspan=5m
[authentication where event.type == "authentication_failure"] by user.name
[authentication where event.type == "authentication_failure"] by user.name
[authentication where event.type == "authentication_failure"] by user.name

I need to add the user.name field as an alert variable in the email action body.

I have tried the parameters below and it's not working.
{{user.name}}
{{context.user.name}}

Thanks and regards


Is this the same post? I responded to this one over here:

I have tried all of the following options and it's not working. All give a blank result.

{{context.alerts.0.user.name}}
{{context.alerts}}
{{context.rule.0.user.name}}
{{user.name}}
{{context.user.name}}

You're on 7.10 though? That particular feature looks to be added in 7.11. I don't think on 7.10 you will be able to get the context.alerts fwiw compared to 7.11.
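To make the blank-result behaviour concrete, here is an added example (not from the thread or from Kibana) that resolves the templates tried above against a constructed action context: one shaped like the 7.11 context described in the reply, where `context.alerts` holds the alert documents, and one without `context.alerts`, as on 7.10. The lookup rules (dotted paths, numeric list indices, missing keys rendering as empty) and the minimal renderer are assumptions modelled on Mustache semantics, not Kibana's own engine.

```python
import re

# Constructed sample contexts. CONTEXT_711 models the 7.11+ shape where the
# rule passes its alert documents in context.alerts; CONTEXT_710 models the
# older context that has no alerts list at all.
RULE = {"name": "Repeated authentication failures (constructed)"}
CONTEXT_711 = {"context": {"rule": RULE, "alerts": [
    {"user": {"name": "alice"}, "event": {"type": "authentication_failure"}},
    {"user": {"name": "bob"}, "event": {"type": "authentication_failure"}},
]}}
CONTEXT_710 = {"context": {"rule": RULE}}

# Email body template: iterate over the alerts and print each user.name.
EMAIL_BODY = ("Rule: {{context.rule.name}}\n"
              "Failed logins for:\n"
              "{{#context.alerts}}- {{user.name}}\n{{/context.alerts}}")

def lookup(path, scopes):
    """Resolve a dotted path (e.g. context.alerts.0.user.name) against a stack
    of scopes, innermost first. Numeric segments index lists. A path that
    does not resolve anywhere yields '' (the 'blank result' from the thread)."""
    for scope in reversed(scopes):
        value = scope
        for seg in path.split("."):
            if isinstance(value, dict) and seg in value:
                value = value[seg]
            elif isinstance(value, list) and seg.isdigit() and int(seg) < len(value):
                value = value[int(seg)]
            else:
                break
        else:
            return value
    return ""

SECTION = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
VAR = re.compile(r"\{\{([\w.]+)\}\}")

def render(template, context, scopes=None):
    """Minimal Mustache-style renderer: {{#list}}...{{/list}} sections repeat
    their body once per element (with that element pushed as a scope), then
    remaining {{path}} variables are substituted."""
    scopes = scopes or [context]
    def expand(m):
        items = lookup(m.group(1), scopes)
        if not isinstance(items, list):
            items = [items] if items else []
        return "".join(render(m.group(2), context, scopes + [item]) for item in items)
    text = SECTION.sub(expand, template)
    return VAR.sub(lambda m: str(lookup(m.group(1), scopes)), text)
```

Rendering `EMAIL_BODY` against `CONTEXT_711` lists both users, while `{{user.name}}` at the top level and any path through `context.alerts` on `CONTEXT_710` come back empty rather than raising an error, which is why a wrong path silently produces a blank email.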