Users would like to be able to include custom context inside of their alerts. For example, the alert body should contain data from the event other than the default ECS fields that recurrently include inside of the alert body from the source event. To enable this, we currently have inside of our python detection framework. The ability to define a alert_context function that can be used to populate the alert with additional metadata via key value pairs.

We should enable including this in the alert, as currently the feature needs to be enabled/tested.

User request from discord

Does anyone try to do some custom context for the Context details for initial rule matches? I didn't find doc about it and I was wondering if it is possible to add additional context from the event to the alerts. currently, the aws default context comes with

cloud.account.id: 0000000001
cloud.region: us-east-1
event.action: ListPolicies  ListRoleTags  ListAttachedRolePolicies
event.outcome: success
event.provider: iam.amazonaws.com
event.type: info
matano.table: aws_cloudtrail
source.address: 1.1.1.1
source.ip: 1.1.1.1
user.id: asdasd1asdjsdasdiasduhasid:john.doe@company.com
user.name: thecia-company

and I want to add some additional fields from the event like aws.cloudtrail.flattened.request_parameters.policyArn: youarehackedpolycyarn