Escape dot in mustache to access elastic query _source field in alerts

Hi All
I have enabled Elastic Defend and enabled rules to detect security events.
Now I want to generate alerts from the Kibana rule and a connector to Slack.
I have found that the Elasticsearch mapping of the Kibana rule fields is not in a form that I can access in Mustache to generate the body of the alerts.
For example:

Here you can see that field names are in this form, kibana.alert.rule.name, whereas they would have to be in a JSON object like
kibana :{
alert : {
.............
}
}
Now the field names containing a dot (.) cannot be accessed in Mustache because of the special character.
I want to know how I can access those fields?
Thanks

Hey,

Rule name can be used as {{rule.name}}. You'll see all available variables that can be accessed by selecting the add variable button just above the textarea in the message field.

Hi
Rule name is not usable for me because I'm not going to manage alerts for a particular thread level.
I want to create a general alert using an Elasticsearch query and want to access fields like this:
{{#context.hits}}
Time: {{_source.@timestamp}}
Rule Name: {{_source.kibana.alert.rule.name}}
Destination IP and Port: {{_source.destination.ip}} : {{_source.destination.port}}
Destination Country: {{_source.destination.geo.country_name}}
Source IP and Port: {{_source.source.ip}} : {{_source.source.port}}
Source Country: {{_source.source.geo.country_name}}
Event Provider: {{_source.event.provider}}
Event Action: {{_source.event.action}}
{{/context.hits}}

As I have mentioned before, kibana.alert.rule.name is not parsed by Elasticsearch itself and I'm not able to fetch its information in Mustache. So, is there any way to fix it?

@jcger

Hi @Nabeel_Ahmed_NAK ,

Sorry for the delay.

I'm going to forward your question. In the meantime, have you tried the fields response as mentioned here?

As the fields response always returns an array of values for each field, the Mustache template array syntax is used to iterate over these values in your actions as the following example shows:

{{#context.hits}} Labels: {{#fields.labels}} - {{.}} {{/fields.labels}} {{/context.hits}}

Yeah, I did. rule.name will fetch the title of the alert, which is hardcoded, meaning I define it when I create the alert. Well, in my case it's generic and I need to access more fields; it was just an example.
Thanks

There is a problem today with accessing Mustache fields that have the "." character in them. We've added some code to make those accessible, which should be available in version 8.6.0, added in this PR: [ResponseOps][Actions] support mustache context variables with periods in the name by doakalexi · Pull Request #143703 · elastic/kibana · GitHub

If you happen to be using 8.5.0, and this is the Elasticsearch Query rule type, there's a work-around using runtime fields, but it will require some work. The basic idea is outlined here: [responseOps] support mustache context variables with periods in the name · Issue #127748 · elastic/kibana · GitHub. That's the only work-around I'm aware of until the real fix in 8.6.0.

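Added example (not from this thread and not Kibana's own code) illustrating both the template problem shown earlier in the thread and the runtime-field work-around described in the reply above. It uses a constructed hit whose _source stores the rule name under the literal key "kibana.alert.rule.name", walks the name the way Mustache does (one object level per dot) to show why the lookup comes back empty, then shows two defender-side fixes: expanding dotted keys into nested objects (an illustration of the shape of fix the 8.6.0 PR provides; the real mechanism may differ), and building an Elasticsearch query body with a runtime field that re-emits the dotted field under a dot-free name (the 8.5.x work-around). The field name, alias rule_name and the assumption that the source field is a keyword with doc values are the example's own.

```python
"""Why dotted field names break Mustache lookups, and two ways around it.

Constructed example: a fake Elasticsearch hit shaped like one entry of
context.hits, with the alert's rule name stored under a literal dotted key.
"""

# Constructed sample hit (not real data).
SAMPLE_HIT = {
    "_index": "alerts-example",
    "_source": {
        "@timestamp": "2022-11-01T10:00:00.000Z",
        "kibana.alert.rule.name": "Example detection rule",
        "destination": {"ip": "10.0.0.5", "port": 443},
        "event": {"provider": "endpoint", "action": "connection_attempted"},
    },
}


def mustache_lookup(name: str, ctx: dict):
    """Resolve a dotted Mustache name the way the spec does: split on '.'
    and descend one object level per segment. Returns None when a segment
    is missing, which is exactly what happens with a literal dotted key."""
    cur = ctx
    for segment in name.split("."):
        if not isinstance(cur, dict) or segment not in cur:
            return None
        cur = cur[segment]
    return cur


def expand_dotted_keys(obj):
    """Rewrite {"a.b.c": v} into {"a": {"b": {"c": v}}} recursively so that
    per-segment descent can reach the value. Illustration of the kind of
    fix the thread's 8.6.0 PR provides; not Kibana's actual code."""
    if not isinstance(obj, dict):
        return obj
    out = {}
    for key, value in obj.items():
        value = expand_dotted_keys(value)
        parts = key.split(".")
        node = out
        for part in parts[:-1]:
            nxt = node.get(part)
            if not isinstance(nxt, dict):
                nxt = {}
                node[part] = nxt
            node = nxt
        leaf = parts[-1]
        if isinstance(value, dict) and isinstance(node.get(leaf), dict):
            node[leaf].update(value)  # merge when both sides are objects
        else:
            node[leaf] = value
    return out


def runtime_field_query(dotted_field: str, alias: str) -> dict:
    """Build the Elasticsearch query body for the 8.5.x work-around: a runtime
    field that re-emits the dotted field under a dot-free alias, requested via
    the 'fields' option so the action can use {{fields.<alias>}}. Assumes the
    source field is a keyword with doc values (an assumption of this example)."""
    return {
        "query": {"match_all": {}},
        "runtime_mappings": {
            alias: {
                "type": "keyword",
                "script": {"source": f"emit(doc['{dotted_field}'].value)"},
            }
        },
        "fields": ["@timestamp", alias],
    }


def demo() -> dict:
    """Lookup before and after expanding the dotted keys of the sample hit."""
    before = mustache_lookup("_source.kibana.alert.rule.name", SAMPLE_HIT)
    fixed_hit = {**SAMPLE_HIT, "_source": expand_dotted_keys(SAMPLE_HIT["_source"])}
    after = mustache_lookup("_source.kibana.alert.rule.name", fixed_hit)
    return {"before": before, "after": after}


if __name__ == "__main__":
    import json
    print(demo())
    print(json.dumps(runtime_field_query("kibana.alert.rule.name", "rule_name"), indent=2))
```

With the runtime-field body pasted into the Elasticsearch Query rule, the dot-free value is then reachable from the action with the array syntax shown above, i.e. {{#context.hits}}{{#fields.rule_name}}{{.}}{{/fields.rule_name}}{{/context.hits}}.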

@Patrick_Mueller
Thanks for your help. Now I'm using runtime fields, and hopefully the latest version will include this fix.
