Variables in webhook

Hi,

I created a rule with a post-action using webhook, so how can I get source ip or hostname in the body?

Thanks

Hey there @angelolol, welcome to the community! :wave:

We've got some documentation outlining example action templates, and just above that section is a list of available action variables you can use as well.

To loop over all the alerts generated within the action context and output each Source IP / Host Name you could use something like the following:

Rule {{context.rule.name}} generated {{state.signals_count}} alerts

{{#context.alerts}}
Detection alert for source.ip: {{source.ip}} and host.name: {{host.name}}
{{/context.alerts}}

Hope this helps, and welcome again to the Elastic Security community! :slightly_smiling_face:

P.S. We've got an enhancement logged here for adding templating and inline examples/documentation links here to improve UX.

Cheers!
Garrett

Hi @spong, thanks a lot. That works for my case, but how could I limit the number of responses? Because when the signal count is greater than one, it repeats the field.

I've that JSON body

and as you said I could get the fields, in this case "process.name", but if I have a lot of alerts then it generates more than one in my destination app. Can I limit it to only one?


Hey there @angelolol -- glad it's working for you now :slightly_smiling_face:

As for:

how could I limit the number of responses because when the signal count is greater than one it repeats the field

So the action templates support mustache templating, so you should be able to leverage any of the features outlined there to traverse/limit your results.

That said, each execution or interval that your action fires for can have any number of alerts, and each alert will have its own unique fields (source.ip/host.name/etc, which is why you're seeing multiple), so you'll need to take that into account when looping over the alerts.

Let me know if that makes sense or if you have any other questions.

Cheers!
Garrett
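To make the repetition Garrett describes concrete, here is an added example (not Kibana's code and not part of the thread) with a minimal Mustache-style renderer run over the template from the first answer. ALERT_CONTEXT, the alert values in it and the function names are constructed for illustration; only {{dotted.path}} tags and {{#list}}...{{/list}} sections are implemented, because those are the two features the template uses.

```javascript
// Toy Mustache subset: dotted-path lookups plus list sections. It shows why a
// {{#context.alerts}}...{{/context.alerts}} block yields one copy per alert.
// Assumption: the real action context is shaped like ALERT_CONTEXT below.

function lookup(path, scopes) {
  // Walk "a.b.c" against the innermost scope first, like Mustache's context stack.
  for (let i = scopes.length - 1; i >= 0; i--) {
    let cur = scopes[i];
    for (const key of path.split('.')) {
      if (cur === null || typeof cur !== 'object' || !(key in cur)) { cur = undefined; break; }
      cur = cur[key];
    }
    if (cur !== undefined) return cur;
  }
  return ''; // Mustache renders a missing value as an empty string
}

function render(template, scopes) {
  // Expand each {{#name}}...{{/name}} once per element of the list it names
  // (a non-list truthy value renders once, falsy nothing), then fill simple tags.
  const section = /\{\{#([\w.]+)\}\}([\s\S]*?)\{\{\/\1\}\}/;
  let out = template, m;
  while ((m = section.exec(out)) !== null) {
    const value = lookup(m[1], scopes);
    const items = Array.isArray(value) ? value : value ? [value] : [];
    const body = items.map((item) => render(m[2], scopes.concat([item]))).join('');
    out = out.slice(0, m.index) + body + out.slice(m.index + m[0].length);
  }
  return out.replace(/\{\{([\w.]+)\}\}/g, (_, p) => String(lookup(p, scopes)));
}

const ALERT_CONTEXT = { // constructed sample data, not real alerts
  context: {
    rule: { name: 'Suspicious process' },
    alerts: [
      { source: { ip: '10.0.0.5' }, host: { name: 'host-a' }, process: { name: 'cmd.exe' } },
      { source: { ip: '10.0.0.9' }, host: { name: 'host-b' }, process: { name: 'powershell.exe' } },
    ],
  },
  state: { signals_count: 2 },
};

// The template from the answer above: every element of context.alerts yields one line.
const LOOP_TEMPLATE =
  'Rule {{context.rule.name}} generated {{state.signals_count}} alerts\n' +
  '{{#context.alerts}}Detection alert for source.ip: {{source.ip}} and host.name: {{host.name}}\n{{/context.alerts}}';

function renderAlertBody(template, ctx) {
  return render(template, [ctx]);
}
```

This toy does no escaping at all, whereas standard Mustache HTML-escapes {{ }} output, so check how alert field values actually land when the body you send is JSON.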
