Simple idea and question for this one. SIEM rules are really nice but I'll be honest I don't keep the Alerts tabs open 24x7. I do have to sleep at some point in life...
Setting the Endpoint Security rule to perform a task on execution works, but it is rather limited in what it sends. Using context.hits does not trigger as expected.
{{date}}Rule {{context.rule.name}}
{{#context.hits}}
User: {{_source.user.name}}
Machine Name: {{_source.host.name}}
Timestamp: {{_source.context.date}}
File Path: {{_source.file.path.text}}
File Name: {{_source.file.name}}
File SHA256 Hash: {{_source.file.hash.sha256}}
{{/context.hits}}
What I end up with is this:
2021-10-27T14:37:28.584ZRule Endpoint Security
"Some text I put in to test"
--
This message was sent by Kibana.
Nothing is appended to the event, so the alert is useless at a glance. Do the rules use another setting than normal alerts?
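As an added example (not code from the original post or from Kibana), a small Mustache-subset renderer in Python walks the posted template over a constructed action context: it shows the per-hit expansion of {{#context.hits}} and that a missing or empty hits list collapses the whole section to nothing, leaving exactly the bare header line the poster saw. The context layout, the hit values and the assumption that hits is a list of {"_source": ...} objects are all constructed for the example.

```python
import re

# Constructed stand-in for the variables Kibana hands to an action (not taken
# from the post): hit values are made up, and "context.date" is deliberately
# absent from the hit to show how a missing field renders.
SAMPLE_CONTEXT = {
    "date": "2021-10-27T14:37:28.584Z",
    "context": {"rule": {"name": "Endpoint Security"}, "hits": [{"_source": {
        "user": {"name": "alice"}, "host": {"name": "WS-01"},
        "file": {"name": "tool.exe", "path": {"text": "C:\\Temp\\tool.exe"},
                 "hash": {"sha256": "<constructed-sha256>"}}}}]},
}
TEMPLATE = (  # the template from the post, verbatim
    "{{date}}Rule {{context.rule.name}}\n"
    "{{#context.hits}}\n"
    "User: {{_source.user.name}}\n"
    "Machine Name: {{_source.host.name}}\n"
    "Timestamp: {{_source.context.date}}\n"
    "File Path: {{_source.file.path.text}}\n"
    "File Name: {{_source.file.name}}\n"
    "File SHA256 Hash: {{_source.file.hash.sha256}}\n"
    "{{/context.hits}}\n"
)
SECTION_RE = re.compile(r"{{#([\w.]+)}}(.*?){{/\1}}", re.DOTALL)
VAR_RE = re.compile(r"{{([\w.]+)}}")

def lookup(scopes, path):
    """Resolve a dotted path, innermost scope first; None if no scope has it."""
    for scope in reversed(scopes):
        cur = scope
        for part in path.split("."):
            if not (isinstance(cur, dict) and part in cur):
                break
            cur = cur[part]
        else:
            return cur
    return None

def render(template, scopes):
    """Mustache subset: {{#x}}...{{/x}} repeats its body once per list item and
    renders nothing when x is missing or empty; {{a.b}} substitutes a value."""
    def section(m):
        items = lookup(scopes, m.group(1)) or []
        items = items if isinstance(items, list) else [items]
        return "".join(render(m.group(2), scopes + [item]) for item in items)
    return VAR_RE.sub(lambda m: str(lookup(scopes, m.group(1)) or ""),
                      SECTION_RE.sub(section, template))

def render_alert(context):
    return render(TEMPLATE, [context])
def without_hits(context):
    """Same context with an empty hits list: yields only the header line."""
    return {**context, "context": {**context["context"], "hits": []}}
```

Running render_alert(SAMPLE_CONTEXT) gives one filled block per hit (with "Timestamp: " empty because the hit has no context.date), while render_alert(without_hits(SAMPLE_CONTEXT)) gives only the date-plus-rule-name header line.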