Hello everyone, I'm trying to create a rule in Elastic Security via a query on a specific index, and the rule detects it normally, but in the action part the events are going out with duplicate fields. For example:
Hi @RaonyO, the current behavior of rule actions is that the triggered action will have the context of all the alerts generated during the "action frequency" timeframe (i.e. on each rule execution, hourly, etc). If, for example, you selected "on each rule execution" for action frequency and the rule executes and generates 10 alerts in that rule execution, then the rule action will have 10 alerts in the context. This means that the mustache {{#context.alerts}}{{result}}{{/context.alerts}} will output result 10 times.
My guess is that you are seeing "duplicate" values in the example above because your rule generated 2 alerts during the "action frequency" timeframe. This resulted in mustache outputting 2 values for result, deviceAction, and deviceHostname. Let us know if this helps explain the behavior.
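To make the reply's point concrete, here is an added Python example that is not from the original thread and not Elastic's or Kibana's code: a minimal Mustache section renderer (an illustrative reimplementation, assumed to behave like Kibana's for sections and plain variables, with HTML escaping omitted) applied to a constructed action context holding two alerts from one rule execution. The field values and hostnames are made up. It shows why `{{#context.alerts}}{{result}}{{/context.alerts}}` emits `result` twice, and how a template that puts a line break and the other fields inside the section turns the same two alerts into two readable lines instead of what looks like duplicated fields.

```python
import re

# Minimal Mustache subset: {{#name}}...{{/name}} sections over dotted paths and
# {{name}} variables. Assumption: a teaching reimplementation, not Kibana's engine.
SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
VAR_RE = re.compile(r"\{\{([\w.]+)\}\}")


def lookup(ctx, path):
    """Resolve a dotted name such as 'context.alerts' against nested dicts."""
    node = ctx
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render(template, ctx):
    """Expand sections once per list item, then substitute variables."""

    def expand_section(match):
        name, body = match.group(1), match.group(2)
        value = lookup(ctx, name)
        if not value:
            return ""  # falsy value: section is skipped entirely
        if isinstance(value, list):
            # Each alert becomes the context for one copy of the section body,
            # so a section wrapping one alert field repeats that field per alert.
            return "".join(
                render(body, {**ctx, **item}) for item in value if isinstance(item, dict)
            )
        return render(body, ctx)

    expanded = SECTION_RE.sub(expand_section, template)

    def substitute(match):
        value = lookup(ctx, match.group(1))
        return "" if value is None else str(value)

    return VAR_RE.sub(substitute, expanded)


# Constructed action context: the rule produced two alerts in one execution,
# so the action receives both under context.alerts.
ACTION_CONTEXT = {
    "context": {
        "alerts": [
            {"result": "blocked", "deviceAction": "deny", "deviceHostname": "fw-edge-01"},
            {"result": "blocked", "deviceAction": "deny", "deviceHostname": "fw-edge-02"},
        ]
    }
}

# The template from the thread: one field per alert, no separator, so the
# values run together and look like a duplicated field.
FLAT_TEMPLATE = "{{#context.alerts}}{{result}}{{/context.alerts}}"

# Same alerts, but the section body is a whole line per alert.
PER_ALERT_TEMPLATE = (
    "{{#context.alerts}}- {{deviceHostname}}: {{deviceAction}} ({{result}})\n{{/context.alerts}}"
)


def alert_count(ctx=ACTION_CONTEXT):
    """How many alerts the action context carries for this execution."""
    return len(lookup(ctx, "context.alerts") or [])


def render_flat(ctx=ACTION_CONTEXT):
    return render(FLAT_TEMPLATE, ctx)


def render_per_alert(ctx=ACTION_CONTEXT):
    return render(PER_ALERT_TEMPLATE, ctx)


if __name__ == "__main__":
    print(f"alerts in context: {alert_count()}")
    print("flat template   ->", repr(render_flat()))
    print("per-alert template ->")
    print(render_per_alert(), end="")
```

With two alerts in the context the flat template yields `blockedblocked`, and with a single-alert context it yields just `blocked`, which is the behaviour the reply describes: nothing is duplicated per alert, the section simply runs once per alert in the action frequency window. Putting every field for one alert on its own line inside the section keeps the output readable when several alerts share one action.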