How to get context Alert Data in SUBJECT of Security Alert SIEM

Rohit_Kumbhar · August 24, 2022, 11:28am

Hi,

I Have a Security Alert where I have to get data_stream.namespace and host.name in SUBJECT of Alert

Can someone please guide me through it?

I have tried below but got blank in output mail subject

Subject : AlertName | {{context.alerts.data_stream.namespace}} | {{context.alerts.host.name}}

I am getting results in email body as I put following syntax


{{#context.alerts}}

Namespace : {{data_stream.namespace}}
Hostname : {{host.name}}

{{/context.alerts}}

Help would be much appreciated

Thanks !!

gmmorris · August 24, 2022, 11:33am

Hi Rohit,

The reason your subject line is empty is that context.alerts is an array and you have to iterate through it, by doing something like: {{#context.alerts}}{{data_stream.namespace}}{{/context.alerts}}.

That said, I'm guessing you don't want all the namespaces in your subject line as it would the nbe very long, so perhaps try this: {{context.alerts.0.data_stream.namespace}}. This would give you the namespace in the first alert document contained in context.alerts.

Rohit_Kumbhar · August 30, 2022, 12:21pm

Thanks for the blazing fast reply @gmmorris !
It really helped !!

system · September 27, 2022, 12:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Data_stream.namespace in subject for Jira Action Elastic Security	2	221	December 26, 2023
Alert and connector email context format Kibana	2	692	February 10, 2021
Alert mail siem format question Elastic Security elastic-stack-alerting	2	581	June 3, 2021
Filter Alerts by data_stream.namespace SIEM	1	249	October 19, 2023
SIEM rule action: Send raw json `context.alerts` to webhook Elastic Security	2	476	December 31, 2021

How to get context Alert Data in SUBJECT of Security Alert SIEM

Related topics