How to show field values in a Kibana alert?

Hi Everyone,

I created a custom rule to get an alert when there is a successful login from a public IP on a Windows host. The Lucene query is below.

(winlog.channel:Security AND winlog.event_id:4624 AND (NOT ((winlog.event_data.IpAddress:/.*-.*/) OR (winlog.event_data.IpAddress:(/10\..*/ OR /192\.168\..*/ OR /172\.16\..*/ OR /172\.17\..*/ OR /172\.18\..*/ OR /172\.19\..*/ OR /172\.20\..*/ OR /172\.21\..*/ OR /172\.22\..*/ OR /172\.23\..*/ OR /172\.24\..*/ OR /172\.25\..*/ OR /172\.26\..*/ OR /172\.27\..*/ OR /172\.28\..*/ OR /172\.29\..*/ OR /172\.30\..*/ OR /172\.31\..*/ OR /127\..*/ OR /169\.254\..*/)) OR (((winlog.event_data.IpAddress:/::1/) OR (winlog.event_data.IpAddress:(/[Ff][Ee]80::.*/ OR /[Ff][Cc]00::.*/)))))))

The rule works and triggered the alert, but it doesn't show the field values (user.name, source.ip, etc.) in the Kibana alert, as shown in the screenshot below.
How could I add these fields to show in the alert? Looking forward to your kind suggestions.
Thank you.
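
Added example (not part of the original post): a Python re-implementation of the query's exclusion logic, compared against an address-aware check to show which `IpAddress` values the rule treats as public although they are not. It assumes the query's patterns are prefix regexes of the form `10\..*`, that `winlog.event_data.TargetUserName` carries the account name, and the sample events are constructed.

```python
import ipaddress
import re

# Exclusions from the posted query; Lucene regexes match the whole term, hence
# fullmatch. The 172.16-172.31 alternatives are condensed into one pattern.
EXCLUDE = re.compile(
    r"(.*-.*|10\..*|192\.168\..*|127\..*|169\.254\..*"
    r"|172\.(1[6-9]|2[0-9]|3[01])\..*"
    r"|::1|[Ff][Ee]80::.*|[Ff][Cc]00::.*)"
)

def rule_matches(event):
    """True when the event would match the query as posted."""
    w = event.get("winlog", {})
    ip = w.get("event_data", {}).get("IpAddress", "")
    return (w.get("channel") == "Security" and str(w.get("event_id")) == "4624"
            and not EXCLUDE.fullmatch(ip))

def is_public(ip):
    """Address-aware check: True only for globally routable addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" or empty: no network address recorded
        return False
    mapped = getattr(addr, "ipv4_mapped", None)   # unwrap ::ffff:a.b.c.d
    return (mapped or addr).is_global

def disagreements(events):
    """(user, ip) pairs the rule alerts on although the address is not public."""
    out = []
    for e in events:
        data = e["winlog"]["event_data"]
        if rule_matches(e) and not is_public(data["IpAddress"]):
            out.append((data.get("TargetUserName"), data["IpAddress"]))
    return out

def make(user, ip):   # constructed sample event, not real log data
    return {"winlog": {"channel": "Security", "event_id": "4624",
                       "event_data": {"TargetUserName": user, "IpAddress": ip}}}

SAMPLES = [make("alice", "8.8.8.8"), make("bob", "10.1.2.3"), make("svc", "-"),
           make("carol", "fd12:3456::1"), make("dave", "::ffff:10.0.0.5")]

if __name__ == "__main__":
    for user, ip in disagreements(SAMPLES):
        print(f"rule fires for {user} from {ip}, which is not a public address")
```

The two flagged samples are a unique-local IPv6 address outside the literal `fc00::` prefix and an IPv4-mapped private address, both of which pass the string-prefix exclusions.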
