Describe the bug
When adding an email alert action in the deployments yml file, it does not include the following setting that enables the email to be sent.
Expected behavior
With the current config in the deployments yml file:
name: ESCU Default Configuration Anomaly
id: a9e210c6-9f50-4f8b-b60e-71bb26e4f216
date: '2021-12-21'
author: Patrick Bareiss
type: Anomaly
description: This configuration file applies to all detections of type anomaly.
  These detections will use Risk Based Alerting.
scheduling:
  #cron_schedule: 0 * * * *
  cron_schedule: "*/5 * * * *"
  earliest_time: -70m@m
  latest_time: -10m@m
  schedule_window: auto
alert_action:
  rba:
    enabled: 'true'
  email:
    subject: '[$result.organization$] %name%'
    message: 'test message'
    to: 'soc@company.org'
I would expect to find the setting
action.email = 1
I guess it could be easily solved by adding it to this j2 template.
https://github.com/splunk/contentctl/blob/5daee4ae40a606b7262eb4f3780423fe38ed4d73/contentctl/output/templates/savedsearches_detections.j2
Line: 75
contentctl Version:
v5.0.0
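A check that could be run over generated `savedsearches.conf` output to catch the gap this issue describes, where email options are written but the action is never enabled. This is an added example, not contentctl's own code; the stanza names and sample conf are constructed, and the `action.email.to` / `action.email.subject` keys are assumed to be what the build emits.

```python
import re

# Constructed sample of generated savedsearches.conf content (not real build output).
SAMPLE_CONF = """\
[ESCU - Constructed Detection A - Rule]
action.risk = 1
action.email.to = soc@company.org
action.email.subject = [$result.organization$] Constructed Detection A
search = | tstats count from datamodel=Endpoint \\
    | where count > 5

[ESCU - Constructed Detection B - Rule]
action.email = 1
action.email.to = soc@company.org
"""

TRUTHY = {"1", "true"}  # assumption: the boolean spellings the build would emit

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, joining '\\' continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1]  # value continues on the next line
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", stripped)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def email_not_enabled(text):
    """Return stanzas that set action.email.* options but never enable the action."""
    flagged = []
    for name, s in parse_conf(text).items():
        has_options = any(k.startswith("action.email.") for k in s)
        # Enabled either by action.email = <true> or by listing email in `actions`.
        enabled = (s.get("action.email", "").lower() in TRUTHY
                   or "email" in [a.strip() for a in s.get("actions", "").split(",")])
        if has_options and not enabled:
            flagged.append(name)
    return flagged

print(email_not_enabled(SAMPLE_CONF))
```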