How can I list all the unique values under max cardinality to an email alert

name: Recon-Same Source IP Scanning Multiple IPs
index: "*:so-*"
type: cardinality
cardinality_field: "destination.ip"
max_cardinality: 15
timeframe:
  minutes: 5
filter:
- query_string:
    query: "event.module:panw AND source.ip:*"
query_key: source.ip
alert:
- "email"

Is there a way for me to extract the unique list of destination.ip that triggered this rule and show it in my email alert?

I tried this on my email part of the config.

email:
  - "[email protected]"
  - "[email protected]"

from_addr: "[email protected]"

###########################
email_format: "html"
###########################
alert_text_type: alert_text_only
alert_text_args: [source.ip, "@timestamp", destination.ip, max_cardinality_result, count]
alert_text: |
  The following source IP has scanned multiple destination IPs:

  Source IP: {{ctx.results.0.query_key}}

  Unique Destination IPs:
  {{#ctx.results.0.aggregations.unique_ips.buckets}}
    - {{key}}
  {{/ctx.results.0.aggregations.unique_ips.buckets}}
  <p>Source IP: {2}</p>
  <p>Destination IP count {4}{{destination.ip}}{{ports}}</p>

There are 0 answers
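Added example, not part of the question above and not ElastAlert's own code. The alert_text in the question mixes two templating systems: ElastAlert fills `{n}` placeholders positionally from alert_text_args with Python's str.format (so `{2}` is destination.ip, the third argument, and the `{{...}}` mustache blocks, which belong to Elasticsearch Watcher, come out as literal single braces), and a cardinality match carries only the one document that pushed the count past max_cardinality, so destination.ip resolves to a single address and there is no list to print unless the rule attaches one. The standalone model below mirrors the cardinality logic (a per-query_key dictionary of value -> last-seen timestamp, expired entries dropped before a match is declared) and adds the collected values to the match so alert_text can print them. The class and field names (CardinalityWithValues, unique_count, unique_values_text), the sample events and the lowered threshold of 3 are constructed for this illustration; in a deployment the same idea is a custom rule type subclassing elastalert.ruletypes.CardinalityRule that reads its cardinality_cache in add_match and is referenced from the rule file as `type: elastalert_modules.<your_module>.<YourClass>`.

```python
"""Standalone model of a cardinality rule that carries its unique values into
the alert text.  Constructed example: it does not import ElastAlert, and the
class/field names are assumptions chosen for this illustration."""
from datetime import datetime, timedelta, timezone

# Rule options mirroring the YAML in the question.  {0}..{3} in alert_text are
# filled positionally from alert_text_args, exactly as ElastAlert does it.
RULE = {
    "query_key": "source.ip",
    "cardinality_field": "destination.ip",
    "max_cardinality": 3,          # lowered from 15 so the sample data trips it
    "timeframe": timedelta(minutes=5),
    "timestamp_field": "@timestamp",
    "alert_text_args": ["source.ip", "@timestamp", "unique_count", "unique_values_text"],
    "alert_text": (
        "The following source IP has scanned multiple destination IPs:\n"
        "Source IP: {0}\nLast event: {1}\nUnique destination IPs ({2}):\n{3}"
    ),
}


def lookup_es_key(doc, key):
    """Resolve a dotted key such as 'destination.ip' against a nested document."""
    cur = doc
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


class CardinalityWithValues:
    """Per query_key, track the distinct cardinality_field values seen inside
    the timeframe and emit a match carrying the full list once the count
    exceeds max_cardinality (hypothetical class, not ElastAlert's)."""

    def __init__(self, rules):
        self.rules = rules
        self.cache = {}      # query_key value -> {cardinality value: last seen ts}
        self.matches = []

    def garbage_collect(self, now):
        """Drop values whose last occurrence is older than the timeframe."""
        for terms in self.cache.values():
            for term, last_seen in list(terms.items()):
                if now - last_seen > self.rules["timeframe"]:
                    del terms[term]

    def add_data(self, events):
        qk, cf, ts_field = (self.rules[k] for k in
                            ("query_key", "cardinality_field", "timestamp_field"))
        for event in events:
            key, value, ts = lookup_es_key(event, qk), lookup_es_key(event, cf), event[ts_field]
            if key is None or value is None:
                continue
            terms = self.cache.setdefault(key, {})
            terms[value] = ts
            # Only expire old entries when a match is possible, then re-check.
            if len(terms) > self.rules["max_cardinality"]:
                self.garbage_collect(ts)
                if len(terms) > self.rules["max_cardinality"]:
                    self.add_match(key, event)

    def add_match(self, key, event):
        """Attach the cached unique values to the triggering document."""
        values = sorted(self.cache[key])
        match = dict(event)
        match["unique_count"] = len(values)
        match["unique_values_text"] = "\n".join(f"  - {v}" for v in values)
        self.matches.append(match)


def render_alert_text(rules, match):
    """Mirror ElastAlert's alert_text handling: look each alert_text_args entry
    up in the match and substitute positionally with str.format."""
    args = [lookup_es_key(match, a) for a in rules["alert_text_args"]]
    args = ["<MISSING VALUE>" if a is None else a for a in args]
    return rules["alert_text"].format(*args)


def sample_events():
    """Constructed PAN-OS style events; one source talks to four destinations."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

    def ev(offset_s, src, dst):
        return {"@timestamp": base + timedelta(seconds=offset_s),
                "event": {"module": "panw"},
                "source": {"ip": src}, "destination": {"ip": dst}}

    return [
        ev(0, "10.0.0.5", "192.168.1.10"),
        ev(10, "10.0.0.5", "192.168.1.11"),
        ev(20, "10.0.0.5", "192.168.1.10"),   # repeat, not a new unique value
        ev(30, "10.0.0.9", "192.168.1.50"),   # other source: separate bucket
        ev(40, "10.0.0.5", "192.168.1.12"),
        ev(50, "10.0.0.5", "192.168.1.13"),   # 4th unique destination -> match
        ev(400, "10.0.0.5", "192.168.1.99"),  # >5 min later: old values expire, no match
    ]


def run_rule():
    rule = CardinalityWithValues(RULE)
    rule.add_data(sample_events())
    return rule.matches


def run_example():
    return [render_alert_text(RULE, m) for m in run_rule()]


if __name__ == "__main__":
    for text in run_example():
        print(text)
```

Because the list is built from the rule's own cache at match time, the email shows every destination seen in the window, not just the one in the triggering document; the seventh sample event shows the expiry path, where the earlier addresses fall out of the timeframe and no second alert is produced. Running the question's mustache text through `render_alert_text` demonstrates the other pitfall: `{{ctx.results.0.query_key}}` is emitted as the literal string `{ctx.results.0.query_key}`.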