Rules and connectors examples?

PublicName · October 6, 2021, 6:17pm

This seems pretty simple but I haven't found a way to get it accomplished.

For rules and alerts I'm looking to send an email triggered from a windows event id. For example EventID 4740. The elastic query works it triggers as expected but it's useless atm.

For the email body I've tried a number of different things to add in yet nothing has triggered.
For desperation example which I figured wouldn't work and it didn't.

User: {{user.name}} {{winlog.event_data.TargetUserName}}
Machine Name: {{host.name} {{winlog.event_data.TargetDomainName
Event Action: {{event.action}}
Timestamp: {{context.date}}
EventID: {{winlog.event_id}}

Any tips or pointers on where I can find examples?

ying.mao · October 7, 2021, 3:51pm

Hi @PublicName,

It sounds like you are using the Elasticsearch query rule and you want to get information stored within the matches in your email?

If that is the case, you can use the {{context.hits}} variable to access fields within the source document. Documentation is available for this.

You will want to use mustache array syntax to iterate over the hits:

{{#context.hits}}
  User: {{_source.user.name}} {{_source.winlog.event_data.TargetUserName}}
  Machine Name: {{_source.host.name} {{_source.winlog.event_data.TargetDomainName
  Event Action: {{_source.event.action}}
  Timestamp: {{context.date}}
  EventID: {{_source.winlog.event_id}}
{{/context.hits}}

You may have to adapt based on the exact structure of your source documents. Let me know if that works for you.

Thanks,

system · November 4, 2021, 3:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.