Mustache Template


Kenny

Mar 13, 2025, 2:22:03 AM
to Wazuh | Mailing List
I would like to add more details to my email alerts.
How do I do that?

Scenario: Windows EventID 4672 is triggered and it has a field called subjectUserName that has the username. I would like to include that in my email alerts to show the user that triggered it.
The email template looks like this to begin with:
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
 - Trigger: {{ctx.trigger.name}}
 - Severity: {{ctx.trigger.severity}}
 - Period start: {{ctx.periodStart}}
 - Period end: {{ctx.periodEnd}}

----I would like to add -----
- User:
but I can't use {{data.win.eventdata.subjectUserName}}
The return would be blank. I have tried adding _source.data.win.eventdata.subjectUserName and get the same result.


Do I need to use the extraction query editor instead of a visual?

Md. Nazmur Sakib

Mar 13, 2025, 2:56:06 AM
to Wazuh | Mailing List

Hi Kenny,

To achieve this, the monitor must be configured using the Extraction query editor.

You can create a per query monitor like this.


I am sharing an example Monitor query for FIM:

{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "match_phrase": {
            "rule.groups": "syscheck"
          }
        },
        {
          "range": {
            "timestamp": {
              "gt": "now-5m",
              "lte": "now",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
  }
}

Mustache template:

Wazuh File Integrity Monitoring alerts information:

Wazuh File Integrity Monitoring

{{#ctx.results.0.hits.hits}}
- Index: {{_index}}
- Document: {{_id}}
- Alert Description : {{_source.rule.description}}
- Alert id : {{_source.rule.id}}
- FIM path : {{_source.syscheck.path}}
- FIM event: {{_source.syscheck.event}}
- Alert Timestamp : {{_source.@timestamp}}
{{/ctx.results.0.hits.hits}}

Check the screenshot for reference.


Alerting is a plugin from OpenSearch. I am sharing some reference documents from OpenSearch that can be useful.

https://opensearch.org/docs/latest/observing-your-data/alerting/index/



Let me know if you need any further information.
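A worked illustration of the answer above, added here and not part of the thread or of the Wazuh/OpenSearch code: a per-query monitor filter for Windows EventID 4672 (assuming Wazuh's data.win.system.eventID, data.win.eventdata.subjectUserName and agent.name field names), a template that reads the user inside the {{#ctx.results.0.hits.hits}} section, and a simplified Mustache-subset renderer run against a constructed ctx to show why the question's top-level {{data.win...}} path renders blank.

```python
import re
# Added example (not from the thread): per-query monitor filter for Windows
# EventID 4672 using the Wazuh field names assumed in the lead-in.
MONITOR_QUERY = {"size": 10, "query": {"bool": {"filter": [
    {"match_phrase": {"data.win.system.eventID": "4672"}},
    {"range": {"timestamp": {"gt": "now-5m", "lte": "now",
                             "format": "strict_date_optional_time"}}}]}}}
TEMPLATE = ("Monitor {{ctx.monitor.name}} just entered alert status.\n"
            "{{#ctx.results.0.hits.hits}}"
            " - User: {{_source.data.win.eventdata.subjectUserName}}"
            " on {{_source.agent.name}}\n"
            "{{/ctx.results.0.hits.hits}}")
# Constructed stand-in for the ctx object the Alerting plugin gives the template.
CTX = {"ctx": {"monitor": {"name": "Special privilege logon"}, "results": [
    {"hits": {"hits": [
        {"_source": {"agent": {"name": "WIN-DC01"}, "data": {"win": {
            "eventdata": {"subjectUserName": "jdoe"}}}}},
        {"_source": {"agent": {"name": "WIN-FS02"}, "data": {"win": {
            "eventdata": {"subjectUserName": "svc_backup"}}}}}]}}]}}
SECTION = re.compile(r"\{\{#([\w.@]+)\}\}(.*?)\{\{/\1\}\}", re.S)
VAR = re.compile(r"\{\{([\w.@]+)\}\}")
def lookup(path, stack):
    """Dotted-name lookup, innermost context first; digit segments index lists."""
    for ctx in reversed(stack):
        node = ctx
        for part in path.split("."):
            if isinstance(node, dict):
                node = node.get(part)
            elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
                node = node[int(part)]
            else:
                node = None
        if node is not None:
            return node
    return None
def render(template, stack):
    """Simplified Mustache subset: {{#x}}...{{/x}} sections and {{x}} variables."""
    def section(m):
        value = lookup(m.group(1), stack)
        items = value if isinstance(value, list) else ([value] if value else [])
        return "".join(render(m.group(2), stack + [item]) for item in items)
    def variable(m):
        value = lookup(m.group(1), stack)
        return "" if value is None else str(value)
    return VAR.sub(variable, SECTION.sub(section, template))
def alert_body(ctx=CTX):
    return render(TEMPLATE, [ctx])
def top_level_user(ctx=CTX):
    """The path from the question: nothing under ctx matches it, so it is blank."""
    return render("User: {{data.win.eventdata.subjectUserName}}", [ctx])
```

Each hit is a separate context pushed by the section, which is why the per-hit fields must be addressed under _source rather than at the top level.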

Kenny

Apr 8, 2025, 5:28:39 PM
to Wazuh | Mailing List
Thank you

jay babariya

Apr 9, 2025, 12:37:31 AM
to Kenny, Wazuh | Mailing List
Could you please help me to configure mail alerts, because I have tried multiple times but it's not working, so please help me.

Regards
Jay

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/c38d5351-31bb-4066-b2de-9e6e3f44402en%40googlegroups.com.