I am trying to format the alert email triggered on an event. I have the following search query, which WORKS. It lists all the three fields
configurationItem.resourceType=TERM(AWS::EC2::SecurityGroup) configurationItemDiff.changeType=UPDATE "configurationItem.configuration.ipPermissions{}.ipRanges{}"="0.0.0.0/0" | fields + configurationItem.configuration.groupName,configurationItem.configuration.groupId,configurationItem.configuration.ipPermissions{}.fromPort
In the email action I have the following:
The security group "$result.configurationItem.configuration.groupName$" with group id: "$result.configurationItem.configuration.groupId$" was modified to allow ingress from 0.0.0.0/0 on port "$result.configurationItem.configuration.ipPermissions{}.fromPort$". This is against security best practices.
The output (email received) is:
The security group "management-sonar" with group id: "sg-0869426c" was modified to allow ingress from 0.0.0.0/0 on port "$result.configurationItem.configuration.ipPermissions{}.fromPort$". This is against security best practices.
The fromPort field is not interpolated. Any advice on why this doesn't work?
Regards.
Got this working by tweaking the query to include rename
configurationItem.resourceType=TERM(AWS::EC2::SecurityGroup) configurationItemDiff.changeType=UPDATE "configurationItem.configuration.ipPermissions{}.ipRanges{}"="0.0.0.0/0" | fields + configurationItem.configuration.groupName,configurationItem.configuration.groupId,configurationItem.configuration.ipPermissions{}.fromPort | rename configurationItem.configuration.ipPermissions{}.fromPort AS fromPort
and including "fromPort" field in the email template:
The security group "$result.configurationItem.configuration.groupName$" with group id: "$result.configurationItem.configuration.groupId$" was modified to allow ingress from 0.0.0.0/0 on port "$result.fromPort$". This is against security best practices.