Namespace Option in Slack Connector

Is it possible to add the namespace information in the Slack connector?

i.e.

Rule {{context.rule.name}} with severity {{context.rule.severity}} generated {{state.signals_count}} alerts in the {{context.data_stream.namespace}} namespace.

I don't see the option in the mustache syntax, but maybe it's possible?

The Kibana space id is available via mustache variable rule.spaceId.

see: Create and manage rules | Kibana Guide [7.17] | Elastic

So that is the Space, not the actual namespace. We use namespaces for data segmentation, so the Space ID doesn't help too much.

Sorry, not sure what "namespace" is then - I thought you were referring to Kibana spaces.

I assume then it must be something specific to the rule you are using. Which rule type are you using? The rule types provide the context variables ... it seems like a SIEM-related alert, but could you validate?

The drop-down list next to the text editor should show all the variables available, and rule-specific variables are always in the context object container. If it's not listed, it likely isn't available, in which case you could open a feature request issue in Kibana for it:

(note, the link to the "create new issue" page is below in the GitHub ad box - not sure why it did that kind of formatting on it ...)

Hey there @bm11100! :wave:

I believe you're talking about this namespace field, correct?

If so, it'll exist on each individual alert document, so you'll need to loop over the alerts and fetch each one (instead of it being on the root context obj itself).

I just tested with the following template and was able to retrieve the data_stream.namespace off each alert generated:

{{#context.alerts}}
  {{data_stream.namespace}}
{{/context.alerts}}

Hope this helps! :slightly_smiling_face:

Cheers!
Garrett

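Why the root-level variable renders empty while the loop works, shown as an added example that is not part of the original thread and not Kibana's code: a minimal Mustache-subset renderer (variables and sections only) run over a constructed set of action variables. The layout of the alert objects and all field values are assumptions made for illustration.

```javascript
// Added example: minimal Mustache subset (variables and sections only).
// Written for illustration; this is not Kibana's renderer.

// Resolve a dotted name: the first segment is searched up the context stack
// (innermost frame first), the remaining segments are walked on that value.
function lookup(name, stack) {
  const [head, ...rest] = name.split(".");
  for (let i = stack.length - 1; i >= 0; i--) {
    const frame = stack[i];
    if (frame !== null && typeof frame === "object" && head in frame) {
      return rest.reduce((v, key) => (v == null ? undefined : v[key]), frame[head]);
    }
  }
  return undefined; // unknown names render as an empty string
}

function render(template, stack) {
  // One pass: {{#name}}...{{/name}} sections, or plain {{name}} variables.
  const tag = /\{\{#([\w.]+)\}\}([\s\S]*?)\{\{\/\1\}\}|\{\{([\w.]+)\}\}/g;
  return template.replace(tag, (match, section, body, variable) => {
    if (variable !== undefined) {
      const value = lookup(variable, stack);
      return value == null ? "" : String(value);
    }
    const value = lookup(section, stack);
    if (!value) return ""; // missing or falsy: the section is skipped
    const items = Array.isArray(value) ? value : [value];
    // Each list item becomes the innermost frame while the body is rendered.
    return items.map((item) => render(body, [...stack, item])).join("");
  });
}

// Constructed sample of the action variables; names and values are made up.
const vars = {
  context: {
    rule: { name: "Suspicious login", severity: "high" },
    alerts: [{ data_stream: { namespace: "prod" } }, { data_stream: { namespace: "staging" } }],
  },
  state: { signals_count: 2 },
};

function demo() {
  return {
    // The namespace is not on the root context object, so this renders empty.
    rootOnly: render("{{state.signals_count}} alerts in the {{context.data_stream.namespace}} namespace.", [vars]),
    // Inside the section, names resolve on each alert first, then on the parent frames.
    perAlert: render("{{#context.alerts}}{{context.rule.name}} -> {{data_stream.namespace}}\n{{/context.alerts}}", [vars]),
  };
}
console.log(demo());
```

Because Mustache is logic-less, the section emits one line per alert and cannot deduplicate namespaces.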

Wizard!
