SIEM detection rule emails body customization

ajesh · December 11, 2020, 1:14pm

Hi Team,

Can you please let me know how i can add additional details to detection rules message body

For example , for root login attempt failure , i need the email message body with host.hostname, @timestamp, event.outcome, source.ip, message etc.

Thanks,
Ajesh

ajesh · December 14, 2020, 9:36am

Hello Team,

Kindly look into this we are currently evaluating the SIEM functionality.

Regards,
Ajesh

ylasri · December 14, 2020, 9:43am

There is a PR for this

ajesh · December 28, 2020, 11:20am

Hi Yassine,

Thanks for that , did you mean we don't have that feature in 7.9.0 ?

If feature exist , how can we add make it display in email body , any syntax for this.

austinsonger · December 28, 2020, 9:19pm

What you are allow to add to the rule action is here.

You may be able to accomplish what you are looking to accomplish by using elastic actions.

You could also add comments to the pull request 85488 explaining what you are trying to achieve.

system · January 25, 2021, 9:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SIEM Detection alerts - Additional field adding in notification placeholders SIEM	4	778	March 18, 2021
Additional Variable adding in Detection EMAIL body Elastic Security elastic-stack-alerting , detection-rules	5	777	June 20, 2021
Alert Variables in email action - EQL SIEM	4	844	March 22, 2021
Custom Rules not working SIEM elastic-stack-alerting	8	1468	January 13, 2021
Issue with rules creation SIEM detection-rules	15	1717	May 5, 2022