Hello Team
I'm implementing detection rules in Elastic Security (Kibana v8.x) and want to send alert notifications to Slack using the Slack API connector. However, I can only use the predefined variables listed in the "+ Add variable" selector (e.g., alert.severity, alert.risk_score, alerts.new.count, etc.).
My goal is to also include custom fields that I add to the alert document (e.g., user metadata or labels defined in the index), but when I try to reference them with Mustache ({{my_custom_field}} or {{context.alerts.0.my_custom_field}}), Slack ignores them or renders them as empty strings.
What I've tried
- Slack API connector with standard Mustache ({{alert.*}}, {{alerts.*}}, {{context.results_link}}): works only with the predefined variables.
- Referencing context.rule.*: doesn't work, because those scopes only contain rule metadata, not the alert itself.
- In Kibana 8.8+, I've seen that context.alerts exists as an array, but when I use it in the Slack connector, it isn't recognized directly.
Is there a native way, without using intermediate webhooks, for the Slack API connector to expose arbitrary fields from the alert JSON?

