Escape dot in mustache to access elastic query _source field in alerts

Hi All,
I have enabled Elastic Defend and enabled rules to detect security events.
Now I want to generate alerts from the Kibana rule and a connector to Slack.
I have found that the Elasticsearch mapping of the Kibana rule fields is not in a form that I can access in Mustache to generate the body of the alerts.
For example:

Here you can see that the field names are in this form, whereas they would have to be in a JSON object like
kibana :{
alert : {
Now the field names containing the dot (.) cannot be accessed in Mustache because of the special character.
I want to know how I can access those fields.


The rule name can be used as {{}}. You'll see all available variables that can be accessed by selecting the add variable button just above the text area in the message field.

Rule names are not usable for me because I'm not going to manage alerts at a particular threat level.
I want to create a general alert using an Elasticsearch query and want to access fields like this:
Time: {{_source.@timestamp}}
Rule Name: {{}}
Destination IP and Port: {{_source.destination.ip}} : {{_source.destination.port}}
Destination Country: {{_source.destination.geo.country_name}}
Source IP and Port: {{_source.source.ip}} : {{_source.source.port}}
Source Country: {{_source.source.geo.country_name}}
Event Provider: {{_source.event.provider}}
Event Action: {{context.event.action}}

As I have mentioned before, it is not parsed by Elasticsearch itself and I am not able to fetch its information in Mustache. So, is there any way to fix it?


Hi @Nabeel_Ahmed_NAK ,

Sorry for the delay.

I'm gonna forward your question. In the meantime, have you tried the fields response as mentioned here?

As the fields response always returns an array of values for each field, the Mustache template array syntax is used to iterate over these values in your actions as the following example shows:

{{#context.hits}} Labels: {{#fields.labels}} - {{.}} {{/fields.labels}} {{/context.hits}}

Yeah, I did. It will fetch the title name of the alert, which is hardcoded, meaning I define it when I create the alert. Well, in my case it's generic and I need to access more fields; it was just an example.

There is a problem today with accessing Mustache fields that have the "." character in them. We've added some code to make those accessible, which should be available in version 8.6.0, added in this PR: [ResponseOps][Actions] support mustache context variables with periods in the name by doakalexi · Pull Request #143703 · elastic/kibana · GitHub

If you happen to be using 8.5.0, and this is the Elasticsearch Query rule type, there's a work-around using runtime fields, but it will require some work. The basic idea is outlined here: [responseOps] support mustache context variables with periods in the name · Issue #127748 · elastic/kibana · GitHub. That's the only work-around I'm aware of until the real fix in 8.6.0.

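The situation described in the question and the reply above, as an added example that is not Kibana's code nor the linked PR's implementation: a few lines of plain JavaScript showing why a Mustache path cannot reach a flat key that contains dots, and one way to nest such keys so a template like the one in the question resolves. The alert document, rule name and IP address are constructed, and whether Kibana's 8.6.0 fix works exactly this way is not something this thread shows.

```javascript
// Added example (not Kibana's code): a minimal Mustache-style {{path}} resolver showing
// why a flat key "kibana.alert.rule.name" is unreachable via {{kibana.alert.rule.name}}
// and one way to nest dotted keys so it resolves. Sections ({{#...}}) are left out.

// Constructed sample: an alert document flattened to dotted keys, as in the question.
const flatAlert = {
  '@timestamp': '2022-11-01T10:00:00.000Z',
  'kibana.alert.rule.name': 'Suspicious process start', // constructed rule name
  'kibana.alert.severity': 'high',
  'event.action': 'start',
  'destination.ip': '203.0.113.10', // TEST-NET-3 documentation range
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Mustache walks a dotted path one segment at a time: ctx.kibana.alert.rule.name.
// Own properties only, so "constructor" or "toString" never resolve to prototype members.
function lookup(ctx, path) {
  return path.split('.').reduce(
    (cur, seg) => (cur !== null && typeof cur === 'object' && has(cur, seg) ? cur[seg] : undefined),
    ctx,
  );
}

// Substitute each {{path}}; an unresolved path renders as '' just as Mustache does.
function render(template, ctx) {
  return template.replace(/\{\{\s*([^{}]+?)\s*\}\}/g, (_, path) => {
    const value = lookup(ctx, path);
    return value === undefined ? '' : String(value);
  });
}

// Turn "a.b.c": 1 into { a: { b: { c: 1 } } }. A dotted key is skipped when a prefix already
// holds a scalar, or the leaf already holds an object, so { a: 1, "a.b": 2 } cannot
// silently overwrite data in either insertion order.
function nestDottedKeys(flat) {
  const nested = {};
  for (const [key, value] of Object.entries(flat)) {
    const parts = key.split('.');
    const last = parts[parts.length - 1];
    let cur = nested;
    let reachable = true;
    for (const part of parts.slice(0, -1)) {
      if (!has(cur, part)) cur[part] = {};
      if (cur[part] === null || typeof cur[part] !== 'object') { reachable = false; break; }
      cur = cur[part];
    }
    if (reachable && !has(cur, last)) cur[last] = value;
  }
  return nested;
}
```

Rendering the template against `flatAlert` directly yields empty values for every dotted field, while rendering it against `nestDottedKeys(flatAlert)` fills them in.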

Thanks for your help. Now I'm using runtime fields, and hopefully the latest version will include this fix.
