Filter Options for Threat Intel IP Address Alert

Greetings,

I am attempting to customize our Threat Intel IP Address Indicator alert message.

Currently this is what we have in the message:
Rule {{context.rule.name}} generated {{state.signals_count}} alerts

What I would like to do is add a filter rule that also includes the source and destination IP addresses from the alert.

We will be sending these alerts to our SOC group who may not have access into Elastic (we are still hashing that out).

If I could have the alert email show the source and destination IP addresses they could take action if needed using our other tools.

Any assistance is much appreciated!

Hi @rwillis!

What I would like to do is add a filter rule that also includes the source and destination IP addresses from the alert.

I'm not clear on the intent behind the use of "filter rule" in this statement; if this is a requirement additional to your other statements, please clarify and we can address that.

If I could have the alert email show the source and destination IP addresses they could take action if needed using our other tools.

If the IP information is available on the alert, then you should be able to add it to the email (or any other alert action) as described in the Rule Action Variables documentation. Since you will have multiple alerts, you'll need to loop through them in your templating (the section on context has an example).

Since these are Indicator Match alerts, they should also have indicator enrichments which could also be referenced in your action. This may be useful to your use case.
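As an added example (not from the reply above or from Elastic's documentation), here is a Mustache action message that loops over the alerts in `context.alerts` and prints the source and destination IPs plus the indicator-match enrichments; it assumes the alert documents carry ECS `source.ip`, `destination.ip` and a `threat.enrichments` array with `matched.field`, `matched.atomic` and `indicator.ip`, and uses inverted sections so an alert missing a field still renders a readable line.

```mustache
Rule {{context.rule.name}} generated {{state.signals_count}} alerts

{{#context.alerts}}
- Alert at {{@timestamp}} on host {{host.name}}
  source:      {{#source.ip}}{{source.ip}}{{/source.ip}}{{^source.ip}}(no source.ip on this alert){{/source.ip}}
  destination: {{#destination.ip}}{{destination.ip}}{{/destination.ip}}{{^destination.ip}}(no destination.ip on this alert){{/destination.ip}}
  matched indicators:
  {{#threat.enrichments}}
    * {{matched.field}} = {{matched.atomic}} (indicator {{indicator.ip}})
  {{/threat.enrichments}}
  {{^threat.enrichments}}
    * (no enrichment recorded for this alert)
  {{/threat.enrichments}}
{{/context.alerts}}
```

Check an alert document in Discover first, because the enrichment field names differ between stack versions and a field that is absent from the document renders empty rather than failing.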
