Kibana Email Alert

Hi Guys,
I hope someone can shed some light on a strange thing.

Long story short: I would like to receive Email-alerts whenever a certain Event-ID has been triggered. In my case Event ID: 4672 (with the information part as to "who has logged in").
I did however find an older Post which basically has all the things I'm looking for (Rules and connectors examples?) - I also found it very handy that there are some Code-bits which I actually also need.

The thing is however, I cannot get this to work. I set up a Rule with an Email Alert, that gets triggered whenever Event ID 4672 has been triggered, but when I receive those E-Mails they are either completely empty, or they only have things like "Username: Event ID, etc." in their Mailbody.

I used this Code:

{{#context.hits}}
  User: {{_source.user.name}} {{_source.winlog.event_data.TargetUserName}}
  Machine Name: {{_source.host.name}} {{_source.winlog.event_data.TargetDomainName}}
  Event Action: {{_source.event.action}}
  Timestamp: {{context.date}}
  EventID: {{_source.winlog.event_id}}
  Event Message: {{message}}
{{/context.hits}}

If I place those User, Machine Name, Event Action etc. within those "context.hits" my Emails are empty; if I place them outside those tags, I only receive "Username: Event ID: ... etc." I have Elasticsearch, Kibana and Winlogbeat at version 8.1.3. I can search my Data fine, they appear in the Discover section as well as in the Dev Console.

I appreciate any help.

You can try using {{.}} within that message to get a listing of ALL the variables that are available. To make that specific within each context.hits item, put it inside there, perhaps just above your User: line. The next time the action is run, you should see the JSON version of all the variables that are available.

Does this mean I have to make a context.hit for each field I'm interested in? As in one for "User", another one for "Machine Name" etc.?

Like:

{{#context.hits}}
{{.}}
User:
{{/context.hits}}

What I forgot to mention is, that I have selected the Query Rule for the E-Mail Alert - my query is:

winlog.event_id IS ONE OF <numbers of Event ID's>

Do you maybe happen to know, whether I can actually display the Message from the Event ID, with all its information in it?

Sorry for those stupid questions.

UPDATE:
This is how my message body looks in the Kibana Email Alert section:

Rule {{context.rule.name}} generated {{state.signals_count}} alerts

{{#context.hits}}
{{.}}
User: {{_source.user.name}} {{_source.winlog.event_data.TargetUserName}}
Machine Name: {{_source.host.name}} {{_source.winlog.event_data.TargetDomainName}}
Event Action: {{winlog.event_data.PrivilegeList}}
Timestamp: {{context.date}}
EventID: {{winlog.event_id}}
{{/context.hits}}

I tried using {{.}} above the Username, but within the context.hits - however, the E-Mail I received looks like this:

Rule "Winlog Event ID" generated 5 alerts

--

This Message was sent by Kibana.

Do you happen to know as to why this is not reading my fields properly? Have I potentially missed one or more steps in order to achieve what I'm looking for?

Further update:
I've tried the following on ver 7.17.x - instead of "context.hits" I've used the "context.alerts":

{{#context.alerts}}
Event ID: {{winlog.event_id}}
Event Message: {{message}}
Timestamp: {{context.date}} or {{event.created}}
{{/context.alerts}}

This gave me basically the output I was kinda expecting, however, the formatting doesn't seem to be correct.

FOR ANYONE WHO MIGHT COME ACROSS THIS POST IN THE FUTURE - THIS IS HOW I GOT TO DISPLAY THE INFO I'M LOOKING FOR
You can copy and paste this into the E-Mail Body of your Kibana alert:

Rule {{context.rule.name}} generated {{state.signals_count}} alerts

{{#context.alerts}}
------
  Timestamp: {{@timestamp}}|{{event.created}}

  Username: {{winlog.event_data.SubjectUserName}}

  Event ID: {{winlog.event_id}} 

  Event Message: {{message}}

{{/context.alerts}}

Sounds like you're all good now?

From looking at one of your earlier replies, I think there's probably a way to be able to "test" a mustache template outside of Kibana, until we have such a method available inside Kibana (there's an issue open).

Idea is this: use a live mustache tester like: Mustache Tester - or you could write a CLI version of that. Create an action on the rule providing the message as {{.}}. This will be the JSON body that you can enter in the first text area on that page (labeled "JSON body to parse"). Then you can edit the mustache template till it's the way you like.
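One way to try the "test the template outside Kibana" idea above, as an added example that is not part of the thread and not Kibana's own renderer: a small Mustache section renderer in Python, run over a constructed payload (all values made up) shaped like what the `{{.}}` trick would dump, with `context.alerts`, `context.rule` and `state.signals_count` present and no `context.hits`. It renders the working template from the earlier post and also shows that a `{{#section}}` over a key the payload does not carry renders to nothing, leaving only the header line. It is a simplified Mustache (no HTML escaping, no standalone-line whitespace stripping, no partials or inverted sections); those are assumptions made to keep it short.

```python
import json
import re

# Constructed sample payload (values invented; field names follow the
# Winlogbeat/ECS names used in the thread). No "hits" key on purpose.
SAMPLE_CONTEXT = {
    "context": {
        "rule": {"name": "Winlog Event ID"},
        "alerts": [
            {
                "@timestamp": "2022-05-10T08:15:02.000Z",
                "event": {"created": "2022-05-10T08:15:03.000Z"},
                "winlog": {"event_id": 4672,
                           "event_data": {"SubjectUserName": "alice"}},
                "message": "Special privileges assigned to new logon.",
            },
            {
                "@timestamp": "2022-05-10T08:16:40.000Z",
                "event": {"created": "2022-05-10T08:16:41.000Z"},
                "winlog": {"event_id": 4672,
                           "event_data": {"SubjectUserName": "svc-backup"}},
                "message": "Special privileges assigned to new logon.",
            },
        ],
    },
    "state": {"signals_count": 2},
}

# Matches {{name}}, {{#name}} and {{/name}}; group 1 is the sigil, group 2 the name.
TAG = re.compile(r"\{\{([#/]?)\s*([^}]+?)\s*\}\}")


def lookup(name, stack):
    """Resolve a dotted name against the context stack, innermost frame first.
    '.' is the current item (what {{.}} prints inside a section)."""
    if name == ".":
        return stack[-1]
    for frame in reversed(stack):
        value = frame
        for part in name.split("."):
            if isinstance(value, dict) and part in value:
                value = value[part]
            else:
                break
        else:
            return value
    return None  # unknown variables render as empty text, as in Mustache


def to_text(value):
    if value is None:
        return ""
    if isinstance(value, (dict, list)):
        return json.dumps(value)  # {{.}} on an object dumps it as JSON
    return str(value)


def render(template, stack):
    out, pos = [], 0
    while True:
        m = TAG.search(template, pos)
        if not m:
            out.append(template[pos:])
            return "".join(out)
        out.append(template[pos:m.start()])
        sigil, name = m.group(1), m.group(2)
        if sigil == "#":
            # Find the matching {{/name}}, allowing nested sections of the same name.
            depth, scan = 1, m.end()
            while depth:
                n = TAG.search(template, scan)
                if n is None:
                    raise ValueError(f"unclosed section {name}")
                if n.group(2) == name:
                    depth += 1 if n.group(1) == "#" else (-1 if n.group(1) == "/" else 0)
                scan = n.end()
            inner = template[m.end():n.start()]
            value = lookup(name, stack)
            # A list renders the body once per item; a missing/falsy value renders nothing.
            items = value if isinstance(value, list) else ([value] if value else [])
            for item in items:
                out.append(render(inner, stack + [item]))
            pos = n.end()
        elif sigil == "/":
            raise ValueError(f"unexpected close tag {name}")
        else:
            out.append(to_text(lookup(name, stack)))
            pos = m.end()


# The body that worked for the original poster, with context.alerts.
WORKING_TEMPLATE = """Rule {{context.rule.name}} generated {{state.signals_count}} alerts
{{#context.alerts}}
------
  Timestamp: {{@timestamp}}|{{event.created}}
  Username: {{winlog.event_data.SubjectUserName}}
  Event ID: {{winlog.event_id}}
  Event Message: {{message}}
{{/context.alerts}}
"""

# Same body iterating a key this payload does not have: only the header survives.
EMPTY_TEMPLATE = WORKING_TEMPLATE.replace("context.alerts", "context.hits")


def render_email(template, context=SAMPLE_CONTEXT):
    return render(template, [context])


def dump_alerts(context=SAMPLE_CONTEXT):
    """The {{.}} debugging trick: one JSON object per alert, parsed back."""
    text = render("{{#context.alerts}}{{.}}\n{{/context.alerts}}", [context])
    return [json.loads(line) for line in text.splitlines() if line]


if __name__ == "__main__":
    print(render_email(WORKING_TEMPLATE))
    print(render_email(EMPTY_TEMPLATE))
```

Paste the JSON that `{{.}}` produced in the real email into `SAMPLE_CONTEXT` and the script renders your draft body against the fields Kibana actually sends, so a wrong path shows up as an empty value before the rule fires again.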

Thank you for getting back to me.
As of now I'm quite happy with the output - I'll have a look into this Mustache Tester.
