Correlation Rules: Actions -> Send Email (Full Customization of all fields)
Normally, the message field is not recommended for use in Correlation Rules, because processing it requires heavy processor usage; but there are situations where the recipient of a generated alert needs to see the full message that triggered the alert.
Currently, when attempting to create an email alert that includes the $msg$ field, it only returns the first word of the message the rule fired on. There should be a feature that allows users to include the full message field (while accepting that it may slow down the system).
It seems that there is currently a limit in the code which prevents anything more than the first word from being included. This should be optional, allowing x number of characters to be included.
Customers who use file connectors to pass log files directly into the Sentinel system may not have "event ids" that are easily recognized. They may want to pass the full message along in an email, displaying not only the Rule Name but the whole message that generated the alert.
by: Brian M. | over a year ago | Configuration