Custom Detection Details

We set up a custom detection in InsightIDR and we configured it to send email notifications when triggered. We received the first one and it says “The log line that triggered this alert is not included because the person who created the alert opted out of it. To see that information, contact the creator of the alert.”

How do we opt-in to include the log details in the notification? I don’t see any setting that seems to apply to this in the detection rule.

This one is a little hidden; you need to navigate to Detection Rules → Basic Custom Detection Rules → Labels & Notifications

Notification Targets → Find the Target in question, hit the Edit Pencil

Then change the log context to Send Only Log line and save.

Log context here refers to other logs that happened before the log in question, which is usually only relevant in some particular scenarios.

David

Thanks for your response. That helped me change the setting.

I cannot find evidence of a pencil in the notification (emails/integrations) sections – was this removed? The e-mail alerts are useless without the log data.

Hey @dkane, I can still see it; perhaps your user has insufficient permissions or perhaps you aren’t in the right spot. In order to find it you need to navigate to Detection Rules → Basic Detection Rules → labels and notifications → notification targets.

You cannot edit directly from the Detection rule create or edit page itself.

David

Ahh, now I see it. You are right, it's tricky; I was looking in the rule details.
Thanks for the assist!!!