Rules (Email variables, Alerts)

We have email alerts on two rules that stopped working after the update to 8.1.3.

The example shown below is the rule that shows the Windows service accounts that have failed logons. I have this working as shown below, and the issue is shown below it.

The query is:

winlog.event_id : "4625" and (user.name : svc* or user.name : svc or user.name : WIN- or user.name : .* or user.name : Svc or user.name : Svc or user.name : *$ )

Group by is:

user.name and winlog.computer_name

Threshold:

Results aggregated by user.name,winlog.computer_name >= 10

Under Actions of the Rule Settings we currently have this set to Email, and the following works:

Rule {{context.rule.name}} generated {{state.signals_count}} alerts

{{context.rule.description}}

Below is a list of the Failed Logons for the Windows Service Accounts :

{{#context.alerts}}

User Name : {{user.name}}

Source Computer: {{winlog.computer_name}} .

{{/context.alerts}}

Click the link for investigations:

Failed Logons

The result is the following email:

Rule sw_Windows Service Failed Logons generated 25 alerts Windows Service Accounts ; where the winlog.event_id : "4625" and (user.name : svc* or user.name : svc or user.name : WIN- or user.name : .* or user.name : *Svc or user.name : *$ ) AND the Count on Failed logon Attempt is greater than or equal to 10.

Below is a list of the Failed Logons for the Windows Service Accounts :

User Name : UserName$
Source Computer: We are getting the computer name here; I just removed it for security's sake.

User Name : UserNamesvc
Source Computer: We are getting the computer name here; I just removed it for security's sake.

THE ISSUE IS:

According to the documentation, the following should work, and it did work on the previous release, but the "signal.threshold" loop is not working since the upgrade.

Plus, we also need to have the count for each "{{value}}".

{{#context.alerts}}

{{#signal.threshold_result.terms}}

{{value}}

{{/signal.threshold_result.terms}}

{{/context.alerts}}

Link to the documentation that shows the above: Create a detection rule | Elastic Security Solution [8.1] | Elastic

If you need more information, please let me know.

Hi @sbemiller

Can you let me know which version of Kibana you used before the update, and which worked fine?

Additionally, when looking at a generated alert in the alert details view, are there any threshold_result.terms present?
To look into it, please go to the alerts table, click the View Details icon near the alert name, and look for this property on the Table tab.

Thanks, Vitalii

On the threshold_result.terms, yes they are present. It is showing the field names and values.

The version before the upgrade was 7.17, I am pretty positive. We ran through the minor version updates leading up to 8.x and then made the big update to what was the current version.

@sbemiller It does appear that this functionality no longer works in 8.1.3. The matching terms are now copied to the alert document, however, so you can just reference them directly. In your case, the fields in question are user.name and winlog.computer_name, which you correctly used in the first (working) template.

Is there a reason you'd like to access them using signal.threshold_result.terms instead of through the source fields?

The count of matching events is available under kibana.alert.threshold_result.count.

Thank you
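As an added illustration (not from this thread or Kibana's own code), the snippet below runs a minimal Mustache-subset renderer over a constructed action context to show the template that references the source fields directly plus `kibana.alert.threshold_result.count`, next to the legacy `signal.threshold_result.terms` loop expanding to nothing when that field is absent from the alert document. The nested-object shape of the alert documents, the sample values and the function names are assumptions; the renderer handles only sections and dotted variables, without Mustache's standalone-line trimming or HTML escaping.

```javascript
function lookup(stack, path) {
  // Resolve "a.b.c" against the context stack, innermost scope first.
  const keys = path.split(".");
  for (let i = stack.length - 1; i >= 0; i--) {
    let cur = stack[i];
    let found = true;
    for (const k of keys) {
      if (cur !== null && typeof cur === "object" && k in cur) cur = cur[k];
      else { found = false; break; }
    }
    if (found) return cur;
  }
  return ""; // a missing field renders as empty text, as in Mustache
}
function render(template, stack) {
  // {{#name}}...{{/name}}: iterate arrays, enter objects, skip falsy values.
  const section = /\{\{#([\w.]+)\}\}([\s\S]*?)\{\{\/\1\}\}/;
  let m;
  while ((m = section.exec(template)) !== null) {
    const val = lookup(stack, m[1]);
    const items = Array.isArray(val) ? val : val ? [val] : [];
    const body = items.map((it) => render(m[2], stack.concat([it]))).join("");
    template = template.slice(0, m.index) + body + template.slice(m.index + m[0].length);
  }
  return template.replace(/\{\{([\w.]+)\}\}/g, (_, name) => String(lookup(stack, name)));
}
// Template using the source fields directly plus the per-alert threshold count.
const TEMPLATE = `Rule {{context.rule.name}} generated {{state.signals_count}} alerts
{{#context.alerts}}
User Name : {{user.name}}
Source Computer: {{winlog.computer_name}}
Failed logon count: {{kibana.alert.threshold_result.count}}
{{/context.alerts}}`;
// The legacy loop from the thread; the field is absent from 8.1.3 alert documents.
const LEGACY = `{{#context.alerts}}{{#signal.threshold_result.terms}}{{value}}{{/signal.threshold_result.terms}}{{/context.alerts}}`;
// Constructed sample action context (assumed nested-object shape, made-up values).
const SAMPLE = {
  context: { rule: { name: "sw_Windows Service Failed Logons" }, alerts: [
    { user: { name: "svc_backup" }, winlog: { computer_name: "HOST-A" },
      kibana: { alert: { threshold_result: { count: 12 } } } },
    { user: { name: "WORKSTATION01$" }, winlog: { computer_name: "HOST-B" },
      kibana: { alert: { threshold_result: { count: 31 } } } } ] },
  state: { signals_count: 2 },
};
function renderEmail(ctx = SAMPLE) { return render(TEMPLATE, [ctx]); }
function renderLegacy(ctx = SAMPLE) { return render(LEGACY, [ctx]); }
```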

We needed the count on the email alert. Thank you for the assistance. I have them working now.

