SIEM Detection alerts - Additional field adding in notification placeholders

Hi,

How can I add additional fields in the alert email action body in detection rules? I am using ELK 7.10.

For example, I need to include the user.name and source.ip fields in the rule alert, in the body of the alert email action.

Rule logic is: more than 3 authentication failures in 5 min from the same user.
I have created this rule using Threshold option in Detections.

Thanks

@badger
@Frank_Hassanabad
Kindly help with the issue mentioned above.

@Frank_Hassanabad Could you please help to resolve the below-mentioned issue.

I am trying to add additional fields in the alert email action body in detection rules in ELK 7.10.

For example, I need to include the user.name field in the rule alert, in the body of the alert email action.

Rule logic is: more than 3 authentication failures in 5 min from the same user.
I am able to create this rule using the Threshold and EQL options in Detections, and alerts are triggering, but I couldn't find an option to add one additional field in the notification placeholder.

Thanks

I'm not overall familiar with this part of the features and the code with actions. I was hoping someone else would jump in on this one.

You're on 7.10, but is this feature, which was introduced in 7.11, what is currently missing for you to be able to do this?

