Hello there,
I have a few webhook actions set for some security rules and I'm including some fields from {{context.alerts}} in the POST request. However, I've noticed that when 2 (probably more) alerts of the same type occur at the very same time, only a few milliseconds apart, the webhook action POST request will include the details of both alerts in a single action. The effect of this issue is that the resolved field will contain merged data from both alerts. For example, the result of this field {{#context.alerts}}{{host.name}}{{/context.alerts}} will be 'host1host2' where it should be either host1 or 2.
More detailed example.
An alert is raised when Windows event ID 4624 is generated.
log - eventId - host - user - alert_created(hh:mm:ss.ms)
WindowsForwarding - 4624 - host1 - user1 - 10:00:00.000
WindowsForwarding - 4624 - host2 - user2 - 10:00:00.002
The result of {{#context.alerts}}{{host.name}}{{/context.alerts}} will be 'host1host2'.
Is this expected behavior, and is there a way to fix or go around this?
tks
Daniel
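
Added example, not part of the original post and not Kibana's code: a small stand-in for Mustache section semantics showing why a section over a two-element `context.alerts` array yields 'host1host2', next to a body template that emits one JSON record per alert so a receiver can split them. The renderer, the `user.name` field, the newline-delimited body and the sample alerts are assumptions constructed from the example in the post.

```javascript
// Added example. render() is a minimal stand-in for Mustache section
// semantics, not Kibana's renderer: it handles {{#path}}...{{/path}} over
// arrays and plain {{path}} variables, with no escaping.
function lookup(path, stack) {
  // Search the context stack from the innermost frame outwards.
  for (let i = stack.length - 1; i >= 0; i--) {
    let v = stack[i];
    for (const key of path.split(".")) v = v == null ? undefined : v[key];
    if (v !== undefined) return v;
  }
  return "";
}

function render(template, stack) {
  const section = /\{\{#([\w.]+)\}\}([\s\S]*?)\{\{\/\1\}\}/g;
  const expanded = template.replace(section, (_, path, body) => {
    const v = lookup(path, stack);
    const items = Array.isArray(v) ? v : v ? [v] : [];
    // The body is rendered once per element and the pieces are joined with
    // no separator, which is where 'host1host2' comes from.
    return items.map((item) => render(body, [...stack, item])).join("");
  });
  return expanded.replace(/\{\{([\w.]+)\}\}/g, (_, p) => String(lookup(p, stack)));
}

// Constructed sample mirroring the two alerts in the post.
const context = {
  alerts: [
    { host: { name: "host1" }, user: { name: "user1" } },
    { host: { name: "host2" }, user: { name: "user2" } },
  ],
};

// Template from the post, and a hypothetical per-alert variant (one JSON
// object per line) that keeps each alert's fields together.
const MERGED = "{{#context.alerts}}{{host.name}}{{/context.alerts}}";
const PER_ALERT =
  '{{#context.alerts}}{"host":"{{host.name}}","user":"{{user.name}}"}\n{{/context.alerts}}';

function renderBody(template) {
  return render(template, [{ context }]);
}

// Receiver side: split the newline-delimited body back into alert records.
function splitAlerts(body) {
  return body.split("\n").filter((l) => l.trim() !== "").map((l) => JSON.parse(l));
}

console.log(JSON.stringify(renderBody(MERGED)));
console.log(splitAlerts(renderBody(PER_ALERT)));
```

Because the stand-in does no escaping, field values containing quotes or newlines would break the per-line JSON; a real action template needs whatever JSON escaping the connector provides.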