Elastic Detection Rule Creation

Elk_huh · June 25, 2025, 1:10pm

How do i pull variables from .source or the following required Fields defined in the SIEM alert so i can use it in EMAIL action body

Elk_huh · July 29, 2025, 1:58pm

The First email action, the json variables are accessible through

- Timestamp: {{context.date}}
- Hostname: {{context.hits.0._source.agent.name}}
- Service:  {{context.hits.0._source.windows.service.display_name}}

Confirmed in the State of Recovered Actions email, Variables do not come through

Topic		Replies	Views
Security Detection Rules ( SIEM ) Elasticsearch	0	110	May 24, 2024
Alert Variables in email action - EQL SIEM	4	903	March 22, 2021
Additional Variable adding in Detection EMAIL body Elastic Security elastic-stack-alerting , detection-rules	5	877	June 20, 2021
Elastic Alerting Elastic Security	2	67	March 13, 2025
SIEM Detection alerts - Additional field adding in notification placeholders SIEM	4	831	March 18, 2021