I have created a rule using Kibana rules, by following the below steps:
- Created a new rule by selecting "Rule" under the "Security" section
- Then selected the rule type as "Event Correlation", wherein I added the index pattern and wrote the EQL (which included the
wherecondition to include the events) - Added the required fields in the Action section, and then saved the rule.
I am getting the email alerts based on the condition written, but the alerts are such that:
Suppose a single mail contains the below content -
ClientName: ABC
HostName: ABC
ClientName: ABC
HostName: ABC
ClientName: DEF
HostName: DEF
But I want to group the mail so that each mail should have data related to only 1 clientName. As in this case email should have contained data of only those clients whose name is ABC
Whereas the data of clientName DEF, should be sent in a different mail.
Is there a way to achieve this type of grouping based on the clientName? This similar situation can be done using watcher as given in this answer, but can anyone please let me know what the ideal way to do that in my case ?