I have created a rule using Kibana rules, by following the below steps:
- Created a new rule by selecting "Rule" under the "Security" section
- Then selected the rule type as "Event Correlation", wherein I added the index pattern and wrote the EQL (which included the where condition to include the events)
- Added the required fields in the Action section, and then saved the rule.
I am getting the email alerts based on the condition written, but the alerts are such that:
Suppose a single mail contains the below content -
ClientName: ABC
HostName: ABC
ClientName: ABC
HostName: ABC
ClientName: DEF
HostName: DEF
But I want to group the mail so that each mail has data related to only one clientName. In this case, the email should have contained data of only those clients whose name is ABC, whereas the data of clientName DEF should be sent in a different mail.
Is there a way to achieve this type of grouping based on the clientName? A similar situation can be handled using Watcher, as given in this answer, but can anyone please let me know the ideal way to do that in my case?
