Endpoint SIEM rule trigger execution "email"

Simple idea and question for this one. SIEM rules are really nice but I'll be honest I don't keep the Alerts tabs open 24x7. I do have to sleep at some point in life...

Setting the Endpoint Security rule to perform a task on execution works, but it is rather limited in what it will send. Using context.hits does not trigger as expected.

{{date}}Rule {{context.rule.name}}

{{#context.hits}}
  User: {{_source.user.name}}
  Machine Name: {{_source.host.name}}
  Timestamp: {{_source.context.date}}
  File Path: {{_source.file.path.text}}
  File Name: {{_source.file.name}}
  File SHA256 Hash: {{_source.file.hash.sha256}}
{{/context.hits}}

What I end up with is this:

2021-10-27T14:37:28.584ZRule Endpoint Security

"Some text I put in to test"

--

This message was sent by Kibana.

Nothing is appended to the event, so the alert is useless at a glance. Do the rules use another setting than normal alerts?

Hi @PublicName,

Which version of Kibana do you use? I do not see a context.hits context variable. You can use the context.alerts variable. Is that available to you? You can access context variables from the "add rule variable" icon:

Using the context.alerts

{{#context.alerts}}
Machine Name: {{host.name}}
File Path: {{file.path.text}}
File Name: {{file.name}}
File SHA256 Hash: {{file.hash.sha256}}
{{/context.alerts}}

Best,
Christos
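The behaviour described in the question (the header renders, but the section body is silently empty) is standard Mustache semantics: a section whose name does not resolve in the context, or resolves to an empty list, renders nothing and raises no error. The following is an added example, not code from the thread or from Kibana: a small Mustache-style renderer that implements just variables, dotted names and list sections, run against a constructed context in which `context.alerts` exists but `context.hits` does not. The field names follow the thread; the values (`ws-01`, `alice`, the hashes) are invented, and the renderer is a toy approximation of the real Mustache engine Kibana uses, not that engine.

```python
import re

# Constructed sample of what a rule action context might contain.
# Field names follow the thread; every value here is invented.
SAMPLE_CONTEXT = {
    "date": "2021-10-27T14:37:28.584Z",
    "context": {
        "rule": {"name": "Endpoint Security"},
        "alerts": [
            {
                "host": {"name": "ws-01"},
                "user": {"name": "alice"},
                "file": {
                    "name": "dropper.exe",
                    "path": {"text": "C:\\Users\\alice\\Downloads\\dropper.exe"},
                    "hash": {"sha256": "0" * 64},
                },
            },
            {
                "host": {"name": "ws-02"},
                "user": {"name": "bob"},
                "file": {
                    "name": "updater.exe",
                    "path": {"text": "C:\\Temp\\updater.exe"},
                    "hash": {"sha256": "1" * 64},
                },
            },
        ],
    },
}

# The template from the question (trimmed) and the one from the answer.
HITS_TEMPLATE = """{{date}}Rule {{context.rule.name}}

{{#context.hits}}
  User: {{_source.user.name}}
  Machine Name: {{_source.host.name}}
{{/context.hits}}
"""

ALERTS_TEMPLATE = """{{date}}Rule {{context.rule.name}}

{{#context.alerts}}
Machine Name: {{host.name}}
File Path: {{file.path.text}}
File Name: {{file.name}}
File SHA256 Hash: {{file.hash.sha256}}
{{/context.alerts}}
"""

SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
VAR_RE = re.compile(r"\{\{([\w.]+)\}\}")


def lookup(path, scopes):
    """Resolve a dotted name against a stack of scopes, innermost first (Mustache rule)."""
    for scope in reversed(scopes):
        cur = scope
        for part in path.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            else:
                break
        else:
            return cur
    return None


def render(template, *scopes):
    """Expand list sections, then substitute variables. Unknown names become empty strings."""
    def expand_section(m):
        value = lookup(m.group(1), list(scopes))
        body = m.group(2)
        if not value:  # missing name, None, False or empty list: renders nothing, silently
            return ""
        if isinstance(value, list):
            return "".join(render(body, *scopes, item) for item in value)
        return render(body, *scopes, value)

    out = SECTION_RE.sub(expand_section, template)
    return VAR_RE.sub(lambda m: str(lookup(m.group(1), list(scopes)) or ""), out)


def unresolved_sections(template, ctx):
    """Names of {{#...}} sections that resolve to nothing against ctx: the thread's failure mode."""
    return [name for name, _ in SECTION_RE.findall(template) if not lookup(name, [ctx])]


def render_hits(ctx=SAMPLE_CONTEXT):
    return render(HITS_TEMPLATE, ctx)


def render_alerts(ctx=SAMPLE_CONTEXT):
    return render(ALERTS_TEMPLATE, ctx)


def alert_machine_lines(ctx=SAMPLE_CONTEXT):
    return [l for l in render_alerts(ctx).splitlines() if l.startswith("Machine Name:")]


if __name__ == "__main__":
    print("--- context.hits ---")
    print(render_hits())
    print("--- context.alerts ---")
    print(render_alerts())
    print("unresolved:", unresolved_sections(HITS_TEMPLATE, SAMPLE_CONTEXT))
```

Running the block reproduces the question's symptom: the `context.hits` template yields only the header line, while the `context.alerts` template yields one block per alert. The `unresolved_sections` check is the step worth adding to any template before wiring it to a connector, since Mustache will never tell you a section name was wrong.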

7.15.

Thanks much. For some reason I was thinking it was a query with context.hit. I'll give the alerts another try and see if it triggers this time. Was using context.alerts in 7.13 and it was always blank as well.

Ok! Let me know if that worked for you or if you need any help.

Best,
Christos
