Jinja templating

The notification section of a detection rule works with an email template to send a message when the detection rule is triggered. The email template has placeholder fields, and the notification determines what fills those placeholder fields in the actual email that the recipient gets. This is possible because of Jinja templating. (Learn about writing email templates before you learn about Jinja fields.)

[Image: notification and email template with Jinja]

Format

Write every Jinja template field with two braces (curly brackets) on each side of the field name, in both Markdown and HTML email templates. A space on either side of the field name is optional.

{{fieldname}} OR {{ fieldname }}

For a more in-depth explanation of Jinja templating, visit this tutorial.

if expression

You might want to use the same email template for multiple detection rules. Because different detection rules can carry different data, some parts of your email might be relevant only to some of them. Use if to include a section only when a certain key in the notification template has a value. This avoids unpopulated template fields or nonsensical text in an email.

In this example, anything between if and endif is only included in the email if the key sender has a value in the notification section of the detection rule. (If there is no value for sender, this section won't appear in the email.)

{% if sender %}

The email address {{ sender }} has sent a suspicious number of emails.

{% endif %}

For more details, visit this tutorial.

for expression

Use for when you might have multiple values from the same category that you want to appear as a list in your email.

In this example, events is the actual template field you'd see in the notification, and it can hold multiple values (in this case, multiple log IDs). log is a temporary variable used only inside this for expression to stand for one value that the notification sends in the events field. (The temporary variable could be any word; it refers only to itself within the email template.) The for expression displays these values as a bulleted list, one item per value.

{% for log in events %}

- {{ log }}

{% endfor %}

For more details, visit this tutorial.
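The following Python script renders the if and for snippets above with the jinja2 library. It is an added example, not part of this documentation or of ASAB Iris, and it assumes the jinja2 package is installed; the notification contexts it uses are constructed sample data. It shows two things the snippets alone do not: a missing sender key drops the whole if section without an error, and the HTML variant of a template should be rendered with autoescape enabled, so that text lifted from log data (an address, a log ID) cannot inject markup into the email.

```python
"""Render the `if` and `for` snippets from this page with Jinja2.

Added example, not part of the TeskaLabs documentation. Assumes the
`jinja2` package is installed. The notification contexts used below are
constructed sample data, not the output of a real detection rule.
"""
from jinja2 import Environment

# Markdown email body assembled from the two snippets on the page.
MARKDOWN_TEMPLATE = """\
{% if sender %}
The email address {{ sender }} has sent a suspicious number of emails.
{% endif %}
Affected events:
{% for log in events %}
- {{ log }}
{% endfor %}
"""

# HTML variant of the same body. `sender` and each `log` come from log
# data, so the HTML environment below escapes them before insertion.
HTML_TEMPLATE = """\
{% if sender %}<p>The email address {{ sender }} has sent a suspicious number of emails.</p>{% endif %}
<ul>{% for log in events %}<li>{{ log }}</li>{% endfor %}</ul>
"""


def render_markdown(context: dict) -> str:
    """Render the Markdown body; an undefined `sender` simply skips the if block."""
    # trim_blocks/lstrip_blocks remove the blank lines the {% %} tags would leave.
    env = Environment(trim_blocks=True, lstrip_blocks=True)
    return env.from_string(MARKDOWN_TEMPLATE).render(**context)


def render_html(context: dict) -> str:
    """Render the HTML body with autoescape, so log-derived text cannot inject markup."""
    env = Environment(autoescape=True, trim_blocks=True, lstrip_blocks=True)
    return env.from_string(HTML_TEMPLATE).render(**context)


if __name__ == "__main__":
    # Constructed notification contexts: one with a sender, one without.
    with_sender = {"sender": "alice@example.com", "events": ["evt-1", "evt-2"]}
    without_sender = {"events": ["evt-3"]}
    print(render_markdown(with_sender))
    print(render_markdown(without_sender))
    # A value taken from a log that happens to contain markup is rendered inert.
    hostile = {"sender": "<script>alert(1)</script>@example.com", "events": ["evt-1"]}
    print(render_html(hostile))
```

The Markdown environment deliberately leaves autoescape off, since HTML entities would show up literally in a plain-text mail; the HTML environment turns it on, which is the setting to use for any HTML email template whose fields are filled from log data.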

Thanks to TeskaLabs ASAB Iris, you can include links in your emails that change based on tenant or events detected by the rule.

Link to a tenant's home page:

{{lmio_url}}/?tenant={{tenant}}#/

You don't have to include the field tenant in your detection rule notification section for the link to work.

Link to a specific log:

[{{event}}]({{lmio_url}}/?tenant={{tenant}}#/discover/lmio-{{tenant}}-events?aggby=minute&filter={{event}}&ts=now-2d&te=now&refresh=off&size=40)

You don't have to include tenant or lmio_url in your detection rule notification section for the link to work.
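The script below renders both links above with jinja2. It is an added example rather than the documentation's own code, assumes the jinja2 package is installed, and uses constructed values for lmio_url, tenant and event (in ASAB Iris the first two are supplied for you). Because {{event}} lands inside the filter= parameter of the link, the example passes it through Jinja's built-in urlencode filter, so a space, an ampersand or an equals sign in an event name cannot split or alter the query string.

```python
"""Build the tenant and per-log links from this page with Jinja2.

Added example, not part of the TeskaLabs documentation. Assumes `jinja2`
is installed. `lmio_url`, `tenant` and `event` are constructed sample
values; in ASAB Iris, lmio_url and tenant are filled in for you.
"""
from jinja2 import Environment

# Link to the tenant's home page, exactly as shown on the page.
HOME_TEMPLATE = "{{ lmio_url }}/?tenant={{ tenant }}#/"

# Link to one log. The event value inside the filter= parameter goes through
# Jinja's built-in urlencode filter; without it a space, '&' or '=' in an event
# name would be read as part of the query string itself.
LINK_TEMPLATE = (
    "[{{ event }}]({{ lmio_url }}/?tenant={{ tenant }}"
    "#/discover/lmio-{{ tenant }}-events?aggby=minute"
    "&filter={{ event | urlencode }}&ts=now-2d&te=now&refresh=off&size=40)"
)


def render_home_link(context: dict) -> str:
    """Render the tenant home-page link."""
    return Environment().from_string(HOME_TEMPLATE).render(**context)


def render_log_link(context: dict) -> str:
    """Render the Markdown link to a single log, with the event URL-encoded."""
    return Environment().from_string(LINK_TEMPLATE).render(**context)


if __name__ == "__main__":
    sample = {
        "lmio_url": "https://lmio.example.test",  # constructed
        "tenant": "acme",                         # constructed
        "event": "failed login&size=1",           # constructed, deliberately awkward
    }
    print(render_home_link(sample))
    print(render_log_link(sample))
```

The link text in square brackets keeps the raw event name, which is what the reader should see; only the copy that becomes part of the URL is encoded.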