Seperate email alerts per detection?

Hi Everyone,

I've been doing some testing with the Email Alerts, to alert us when a specific event code is generated.

I've done this under Security > Rules, and it runs every 5 minutes. It works absolutely fine but the issue is if multiple detections are found these are all included in the single email alert, although the documentation I've read seems to suggest a seperate email woud be generated per detection:

Although there is talk of Watchers & Alerting being seperate which may be the issue? But this has lost me a little to be honest as further research seems to circle back to the initial alerting page.

This is my current Action using the Email connector:

Subject: 
A scan has been initiated on{{#context.alerts}} {{agent.name}} {{/context.alerts}}

Message:
Rule {{context.rule.name}} generated {{state.signals_count}} alerts

{{#context.alerts}}
**Agent Name:** {{agent.name}}  

**Scan Type:** {{winlog.event_data.Scan Type}}

**User:** {{winlog.event_data.User}}

**Elastic Timestamp:** {{@timestamp}}
{{/context.alerts}}

So when there has been one instance everything looks great, but if multiple have triggered since the rule last ran then all the Hosts are listed in the Subject and then one after another in the message body, followed by the next field etc. destroying any readability.

Am I going about this the wrong way?

2 Likes

Hey there @Josh_G, thanks for all the details here and using Elastic Security! :slightly_smiling_face:

So unfortunately, the documentation you're referencing is for the Stack Alerting feature, not the Security Alerting feature, which differs in implementation in a few areas.

Currently, all Security Rule types are only capable of running the alert action for the group of alerts either created during the execution, or created since the action last fired (if the action is configured to run at an interval).

I went ahead and created this enhancement to add a feature that allows the user to specify the granularity for which they would like to fire their actions (per alert, per grouping, etc). If I missed any part of your use case please feel free to add a comment to the issue so we can capture it in planning.

Cheers!
Garrett

2 Likes

Hi Garrett, thanks for clarifying.

I have managed to clean my output up since my post with some solid lines to seperate the alerts etc, but seperate emails per alert would certainly be preferable for how we are using them.

The enhancement request captures what I'm after.

Thanks again for your help.

Josh

1 Like