Hi a.
The mail format for Elastic SIEM was a little weird for me at this point.
In most cases the mail came out in the right format for me, but in the case of the Windows event log it is a bit different.
When I try {{winlog.event_data.SamAccountName}},
this never worked for me.
And somehow some of the JSON never worked either.
Thanks for your time.