SIEM detection rule emails body customization

Hi Team,

Can you please let me know how i can add additional details to detection rules message body

For example , for root login attempt failure , i need the email message body with host.hostname, @timestamp, event.outcome, source.ip, message etc.


1 Like

Hello Team,

Kindly look into this we are currently evaluating the SIEM functionality.


There is a PR for this

Hi Yassine,

Thanks for that , did you mean we don't have that feature in 7.9.0 ?

If feature exist , how can we add make it display in email body , any syntax for this.

What you are allow to add to the rule action is here.

You may be able to accomplish what you are looking to accomplish by using elastic actions.

You could also add comments to the pull request 85488 explaining what you are trying to achieve.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.