Elastic Security field values in connector getting duplicated

Hello everyone, I'm trying to create a rule in Elastic Security via a query on a specific index. The rule detects it normally, but in the action part the events are being sent with duplicated field values. For example:

"result": "QuarantinedQuarantined"
"deviceAction": "QuarantineQuarantine"
"deviceHostName": "ubcloud123ubcloud123"
"severity": "66"



And here is the body of my alert action (via webhook):

{
  "filePath": "{{#context.alerts}}{{filePath}}{{/context.alerts}}",
  "severity": "{{#context.alerts}}{{severity}}{{/context.alerts}}",
  "TrendMicroFileSHA1": "{{#context.alerts}}{{TrendMicroFileSHA1}}{{/context.alerts}}",
  "result": "{{#context.alerts}}{{result}}{{/context.alerts}}",
  "id": "{{#context.alerts}}{{_id}}{{/context.alerts}}",
  "deviceAction": "{{#context.alerts}}{{deviceAction}}{{/context.alerts}}",
  "deviceHostName": "{{#context.alerts}}{{deviceHostName}}{{/context.alerts}}",
  "name": "{{#context.alerts}}{{name}}{{/context.alerts}}"
}

Does anyone know why the contents of the fields are being sent duplicated?

Hi @RaonyO, the current behavior of rule actions is that the triggered action will have the context of all the alerts generated during the "action frequency" timeframe (i.e., on each rule execution, hourly, etc.). If, for example, you selected "on each rule execution" for action frequency and the rule executes and generates 10 alerts in that rule execution, then the rule action will have 10 alerts in the context. This means that the Mustache expression {{#context.alerts}}{{result}}{{/context.alerts}} will output result 10 times.

My guess is that you are seeing "duplicate" values in the example above because your rule generated 2 alerts during the "action frequency" timeframe. This resulted in mustache outputting 2 values for result, deviceAction, and deviceHostname. Let us know if this helps explain the behavior.
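
To make the behaviour described in the reply above concrete, here is an added example (not from the thread and not Kibana's own code). It uses a small hand-written Mustache subset (sections and dotted variable names only; HTML escaping is omitted) and a constructed context with two alerts. It renders the question's per-field template, which concatenates the value from every alert; the `{{context.alerts.0.…}}` form, which keeps only the first alert and silently drops the rest; and a third template, added here as a suggestion, that emits one JSON object per alert on its own line so that no alert is lost and no trailing-comma problem arises (this assumes the receiving webhook accepts line-delimited JSON).

```javascript
// Minimal Mustache subset renderer written for this example (not Kibana's renderer).
// Supports {{name}}, dotted names such as {{context.alerts.0.result}}, and
// {{#section}}...{{/section}} over arrays/objects. No HTML escaping, no inverted sections.
function lookup(stack, name) {
  const parts = name.split(".");
  // Walk the context stack from innermost to outermost, as Mustache does.
  for (let i = stack.length - 1; i >= 0; i--) {
    let v = stack[i];
    let found = true;
    for (const p of parts) {
      if (v !== null && typeof v === "object" && p in v) v = v[p];
      else { found = false; break; }
    }
    if (found) return v;
  }
  return undefined;
}

function render(template, stack) {
  let out = "";
  let i = 0;
  while (i < template.length) {
    const open = template.indexOf("{{", i);
    if (open < 0) { out += template.slice(i); break; }
    out += template.slice(i, open);
    const close = template.indexOf("}}", open);
    const tag = template.slice(open + 2, close).trim();
    i = close + 2;
    if (tag.startsWith("#")) {
      // Section: render the inner template once per item, with the item pushed on the stack.
      const name = tag.slice(1);
      const endTag = "{{/" + name + "}}";
      const end = template.indexOf(endTag, i);
      const inner = template.slice(i, end);
      i = end + endTag.length;
      const val = lookup(stack, name);
      const items = Array.isArray(val) ? val : val ? [val] : [];
      for (const item of items) out += render(inner, [...stack, item]);
    } else {
      const val = lookup(stack, tag);
      out += val === undefined || val === null ? "" : String(val);
    }
  }
  return out;
}

// Constructed sample context: two alerts produced in one rule execution (not real alert data).
const sampleContext = {
  alerts: [
    { _id: "alert-1", result: "Quarantined", deviceAction: "Quarantine", deviceHostName: "ubcloud123", severity: "6" },
    { _id: "alert-2", result: "Quarantined", deviceAction: "Quarantine", deviceHostName: "ubcloud123", severity: "6" },
  ],
};

// 1. The question's approach: a section per field, iterated over all alerts -> values concatenate.
const perFieldTemplate =
  '{"result":"{{#context.alerts}}{{result}}{{/context.alerts}}",' +
  '"severity":"{{#context.alerts}}{{severity}}{{/context.alerts}}"}';
function renderPerField(ctx) {
  return JSON.parse(render(perFieldTemplate, [{ context: ctx }]));
}

// 2. The thread's fix: index the first alert only. Alerts 2..n are dropped from the payload.
const firstAlertTemplate =
  '{"result":"{{context.alerts.0.result}}","severity":"{{context.alerts.0.severity}}"}';
function renderFirstAlert(ctx) {
  return JSON.parse(render(firstAlertTemplate, [{ context: ctx }]));
}

// 3. Suggested alternative: one JSON object per alert, newline-delimited, so nothing is lost.
const perAlertTemplate =
  '{{#context.alerts}}{"id":"{{_id}}","host":"{{deviceHostName}}",' +
  '"result":"{{result}}","severity":"{{severity}}"}\n{{/context.alerts}}';
function renderPerAlertLines(ctx) {
  return render(perAlertTemplate, [{ context: ctx }])
    .split("\n")
    .filter((line) => line.length > 0)
    .map((line) => JSON.parse(line));
}

console.log(JSON.stringify(renderPerField(sampleContext)));   // result "QuarantinedQuarantined"
console.log(JSON.stringify(renderFirstAlert(sampleContext)));  // first alert only
console.log(JSON.stringify(renderPerAlertLines(sampleContext))); // one object per alert
```

The first output reproduces the "QuarantinedQuarantined" / "66" symptom from the question with only two alerts in the context. Before settling on `context.alerts.0`, check how many alerts a single execution can produce for your rule and action frequency; if it can be more than one, the per-alert form (or a comma-separated variant your receiver can parse) is the one that keeps every alert.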

Yes, that's right, you were right! I used {{context.alerts.0.result}} and {{context.alerts.0.deviceHostname}} and it didn't send a duplicate.

