You can use the reserved Jinja placeholders in the Logpoint fields that support Jinja. You can use the Jinja placeholders as templates to customize the output of a subject, message, or view. Refer to Setting Up Alert Notifications and Creating an Alert Rule to know more about the Jinja supported fields of Logpoint.
Placeholders |
Description |
|---|---|
{{alert_name}}
|
Displays the name of the alert. |
{{alertrule_id}}
|
Displays the ID of the alert. |
{{attack_category}}
|
Displays the attack category associated with the alert. This corresponds to the tactics in Mitre ATT&CK Framework. |
{{attack_id}}
|
Displays the ID of the attack tags associated with the alert. This corresponds to the ID in Mitre ATT&CK Framework. |
{{attack_tag}}
|
Displays the attack tag associated with the alert. This corresponds to the techniques and sub-techniques in Mitre ATT&CK Framework. |
{{description}}
|
Displays the description of the alert. |
{{detection_timestamp}}
|
Displays the Epoch time when the alert was triggered. |
{{extra_info}}
|
Displays the information related to alert in a key-value format. |
{{format}}
|
Displays the timestamp format of the alert according to Year, Month, Day, Hour, Minutes, and Seconds. |
{{incident_id}}
|
Displays the ID of the incident generated by the alert. |
{{loginspect_ip_dns}}
|
Displays the IP of the Logpoint where the alert was triggered. |
{{logpoint_name}}
|
Displays the name of the Logpoint where the alert was triggered. |
{{log_source}}
|
Displays the log sources associated with the alert. |
{{risk_level}}
|
Displays the risk level of the alert. |
{{rows}}
|
Displays the log messages that triggered the alert. |
{{rows_count}}
|
Displays the total count of log messages that triggered the alert. |
{{search_link}}
|
Displays the link to search for alert related log. |
{{status}}
|
Displays the resolution status of incident generated by the alert. |
{{time_range}}
|
Displays the time-range of the alert in Epoch time. |
{{timezone}}
|
Displays the device timezone (UTC, GMT, ECT) |
{{type}}
|
Displays the query type of the alert. |
{{user_id}}
|
Displays the identity of the user account that triggered the alert. |
{{_id}}
|
Displays the object ID of the incident generated by the alert. |
Note
These are the publicly available Jinja placeholders. However, there are other Logpoint supported Jinja placeholders as well that are assigned for internal usage only.