Format SIEM alerts

Hi,

I'm using ELK v7.12.1. I have enabled a few SIEM rules and configured an email action. I'm able to access the event details through {{#context.alerts}} {{.}}{{/context.alerts}}.

But when sending the mail the content is coming in one line. Is there any way to format the SIEM alert using HTML tags?

Thanks

Hi @vishnug !

Thanks for your post. Have you taken a look at our documentation for email action here? Markdown is supported in formatting the email message.

This PR description may also be helpful in understanding how to customize your action.

I hope this helps! Let us know if you need further assistance.

Best,
Yara

So whichever platform the alert is going to be rendered on, you must know how it renders.

So if you look at the following example that I use for JIRA (it uses its own markup, see its Text Formatting Notation Help), I had to add the JIRA markup syntax around the Elastic syntax:

- *Number of Alerts*: {{state.signals_count}}
- *Risk score*: {{context.rule.risk_score}}
- *Severity*: {{context.rule.severity}}

 h2. Rule Details
 [View Detection Alert|{{{context.results_link}}}]
- *Rule Description*: {quote}{{context.rule.description}}{quote}
- *Rule Query*: {quote}{{context.rule.query}}{quote}

 h2. Source
 {{#context.alerts}}
- *Source IP Address*: {noformat}{{source.ip}}{noformat}
- *Source Port*: {noformat}{{source.port}}{noformat}
 {{/context.alerts}}

 h2. Destination
 {{#context.alerts}}
- *Destination IP Address*: {noformat}{{destination.ip}}{noformat}
- *Destination Port*: {noformat}{{destination.port}}{noformat}
 {{/context.alerts}}

 h3. Process
 {{#context.alerts}}
- *Hash MD5*: {noformat}{{process.hash.md5}}{noformat}
- *Hash SHA1*: {noformat}{{process.hash.sha1}}{noformat}
- *Hash SHA256*: {noformat}{{process.hash.sha256}}{noformat}
- *Process Name*: {noformat}{{process.name}}{noformat}
- *Process Parent Executable*: {noformat}{{process.parent.executable}}{noformat}
- *Process Parent Name*: {noformat}{{process.parent.name}}{noformat}
 {{/context.alerts}}

 h3. File
 {{#context.alerts}}
- *File Name*: {noformat}{{file.name}}{noformat}
- *File Owner*: {noformat}{{file.owner}}{noformat}
- *File Path*: {noformat}{{file.path}}{noformat}
- *File size*: {noformat}{{file.size}}{noformat}
- *File Target Path*: {noformat}{{file.target_path}}{noformat}
- *File Type*: {noformat}{{file.type}}{noformat}
 {{/context.alerts}}

This is what it looks like if I use the Detection API to update my rules.

- *Number of Alerts*: {{state.signals_count}}\n- *Risk score*: {{context.rule.risk_score}}\n- *Severity*: {{context.rule.severity}}\n\n h2. Rule Details\n [View Detection Alert|{{{context.results_link}}}]\n- *Rule Description*: {quote}{{context.rule.description}}{quote}\n- *Rule Query*: {quote}{{context.rule.query}}{quote}\n\n h2. Source\n {{#context.alerts}}\n- *Source IP Address*: {noformat}{{source.ip}}{noformat}\n- *Source Port*: {noformat}{{source.port}}{noformat}\n {{/context.alerts}}\n\n h2. Destination\n {{#context.alerts}}\n- *Destination IP Address*: {noformat}{{destination.ip}}{noformat}\n- *Destination Port*: {noformat}{{destination.port}}{noformat}\n {{/context.alerts}}\n\n h3. Process\n {{#context.alerts}}\n- *Hash MD5*: {noformat}{{process.hash.md5}}{noformat}\n- *Hash SHA1*: {noformat}{{process.hash.sha1}}{noformat}\n- *Hash SHA256*: {noformat}{{process.hash.sha256}}{noformat}\n- *Process Name*: {noformat}{{process.name}}{noformat}\n- *Process Parent Executable*: {noformat}{{process.parent.executable}}{noformat}\n- *Process Parent Name*: {noformat}{{process.parent.name}}{noformat}\n {{/context.alerts}}\n\n h3. File\n {{#context.alerts}}\n- *File Name*: {noformat}{{file.name}}{noformat}\n- *File Owner*: {noformat}{{file.owner}}{noformat}\n- *File Path*: {noformat}{{file.path}}{noformat}\n- *File size*: {noformat}{{file.size}}{noformat}\n- *File Target Path*: {noformat}{{file.target_path}}{noformat}\n- *File Type*: {noformat}{{file.type}}{noformat}\n {{/context.alerts}}\n

This is my setup: Elastic-Security/Bulk Rule Modification at main · austinsonger/Elastic-Security (github.com)

And this is what it looks like when it formats in JIRA

Here are the HTML Tags supported for Email

So here is an example for you, if this helps.

<h3>File</h3>
 {{#context.alerts}}
<ul>
<li>File Name: {{file.name}}</li>
<li>File Owner: {{file.owner}}</li>
<li>File Path: {{file.path}}</li>
<li>File size: {{file.size}}</li>
<li>File Target Path: {{file.target_path}}</li>
<li>File Type: {{file.type}}</li>
</ul>
 {{/context.alerts}}

Now to place that in a code block would look like this, but a lot of email providers won't render <pre> or <code> HTML tags.

<pre><code>&lt;h3&gt;File&lt;/h3&gt;
 {{#context.alerts}}
&lt;ul&gt;
&lt;li&gt;File Name: {{file.name}}&lt;/li&gt;
&lt;li&gt;File Owner: {{file.owner}}&lt;/li&gt;
&lt;li&gt;File Path: {{file.path}}&lt;/li&gt;
&lt;li&gt;File size: {{file.size}}&lt;/li&gt;
&lt;li&gt;File Target Path: {{file.target_path}}&lt;/li&gt;
&lt;li&gt;File Type: {{file.type}}&lt;/li&gt;
&lt;/ul&gt;
 {{/context.alerts}}
</code></pre>
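The templates above are Mustache, and the delimiter decides whether a field is HTML-escaped: `{{file.name}}` is escaped, `{{{context.results_link}}}` is emitted raw. The following is an added example (not code from the thread or from Kibana): a small renderer for just the Mustache subset these templates use, run over constructed alert data, so you can see what the email body will contain before wiring up the action. The rule name, `kibana.example` link and the two alert documents are made up.

```python
import html
import re

# Section and variable syntax used by the templates above (sections do not nest).
SECTION = re.compile(r"\{\{#\s*([\w.]+)\s*\}\}(.*?)\{\{/\s*\1\s*\}\}", re.DOTALL)
VAR = re.compile(r"\{\{(\{?)\s*([\w.]+)\s*\}?\}\}")  # group 1 is "{" for raw {{{x}}}

CONTEXT = {"context": {  # constructed sample, shaped like the context.* fields above
    "rule": {"name": "Suspicious file write", "severity": "high"},
    "results_link": "https://kibana.example/app/security/alerts?from=1&to=2",
    "alerts": [{"file": {"name": "<script>evil.js", "path": "/tmp/evil.js"}},
               {"file": {"name": "report.pdf", "path": "/home/a/report.pdf"}}]}}

# results_link is generated by Kibana, so it is the only field rendered raw ({{{ }}});
# document fields such as file.name are attacker-influenced and stay HTML-escaped.
EMAIL_TEMPLATE = """<h3>{{context.rule.name}} ({{context.rule.severity}})</h3>
<p><a href="{{{context.results_link}}}">View alerts</a></p>
{{#context.alerts}}<ul>
<li>File Name: {{file.name}}</li>
<li>File Path: {{file.path}}</li>
</ul>
{{/context.alerts}}"""

def _lookup(name, stack):
    """Resolve a dotted name against the context stack, innermost scope first."""
    if name == ".":
        return stack[-1]
    for ctx in reversed(stack):
        for part in name.split("."):
            ctx = ctx.get(part) if isinstance(ctx, dict) else None
        if ctx is not None:
            return ctx
    return ""  # missing keys render as empty, as Mustache does

def _vars(text, stack):  # substitute {{x}} (HTML-escaped) and {{{x}}} (raw)
    def sub(m):
        val = str(_lookup(m.group(2), stack))
        return val if m.group(1) else html.escape(val)
    return VAR.sub(sub, text)

def render(template, data, _stack=None):
    # Expand each section once per list item (or once if truthy), then variables.
    stack = _stack or [data]
    out, pos = [], 0
    for m in SECTION.finditer(template):
        out.append(_vars(template[pos:m.start()], stack))
        items = _lookup(m.group(1), stack)
        items = items if isinstance(items, list) else [items] if items else []
        out.extend(render(m.group(2), data, stack + [it]) for it in items)
        pos = m.end()
    return "".join(out) + _vars(template[pos:], stack)
```

Run `render(EMAIL_TEMPLATE, CONTEXT)` to see the body: one `<ul>` per alert, the script tag in the first file name neutralised to `&lt;script&gt;`, and the results link untouched.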
