Endpoint SIEM rule trigger execution "email"

Elastic Security
1

Simple idea and question for this one. SIEM rules are really nice but I'll be honest I don't keep the Alerts tabs open 24x7. I do have to sleep at some point in life...

Setting the Endpoint Security rule to perform a task on execution works but it rather limited it want it send. Using context.hits does not trigger as expected.

{{date}}Rule {{context.rule.name}}

{{#context.hits}}
  User: {{_source.user.name}}
  Machine Name: {{_source.host.name}}
  Timestamp: {{_source.context.date}}
  File Path: {{_source.file.path.text}}
  File Name: {{_source.file.name}}
  File SHA256 Hash: {{_source.file.hash.sha256}}
{{/context.hits}}

What I end up with is this:

2021-10-27T14:37:28.584ZRule Endpoint Security

"Some text I put in to test"

--

This message was sent by Kibana.

Nothing is appended to the event so the alert is useless at a glance. Do the rules use another setting then normal alerts?

2

Hi @PublicName,

Which version of Kibana do you use? I do not see a context.hits context variable. You can use the context.alerts variable. Is that available to you? You can access context variables from the "add rule variable" icon:

Screenshot 2021-11-01 at 12.50.53 PM
Screenshot 2021-11-01 at 12.50.53 PM682×722 56.4 KB

Using the context.alerts

{{#context.alerts}}
Machine Name: {{host.name}}
File Path: {{file.path.text}}
File Name: {{file.name}}
File SHA256 Hash: {{file.hash.sha256}}
{{/context.alerts}}

Best,
Christos

3

7.15.

Thx much for some reason I was thinking it was a query with context.hit. I'll give the alerts another try and see if it triggers this time. Was using context.alerts in 7.13 and it was always blank as well.

4

Ok! Let me know if that worked for your or if you need any help.

Best,
Christos

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.