Hello there, quick question about Datadog SIEM notification variables (https://docs.datadoghq.com/security/notifications/variables/?tab=cloudsiem)
I have some security events that have a field “target,” which is an array of different objects with various fields (including id). I tried using this target field in a SIEM alert message but it doesn’t display anything, and I guess I am not using the correct syntax or maybe this is not supported.
Does someone know how I can specify that I want to print the parameters of the first target or for all targets, etc??
Example event:
```
{
  "target": [
    {
      "alternateId": "test@gmail.com",
      "displayName": "Test user",
      "id": "01uaof0g3l2Br34aad91",
      "type": "User"
    },
    {
      "alternateId": "unknown",
      "displayName": "Test group",
      "id": "11atsddoaD2a45ahd6aa",
      "type": "UserGroup"
    }
  ],
  "usr": {
    "name": "Test admin",
    "id": "ssra63y2232Yu3J5y696",
    "type": "SystemPrincipal",
    "email": "test-admin@test.com"
  }
}
```
If I try adding something like this to a SIEM rule notification description:
```
The admin {{@usr.name}} added {{@target[0].displayName}} to {{@target[1].displayName}} group.
```
Only `{{@usr.name}}` gets correctly replaced in the notification. Is there any way to access array elements with another syntax?