Unfortunately, the ESA rule's description is not included in the raw alert data, so there is no way to add this information to SMTP (or any other) ESA outputs.
The fields included in any ESA alert can be seen within Respond-->Alerts by clicking on any of the alert name hyperlinks and viewing the JSON in the Raw Alert pane:
Alternatively, you can output all the available variables with a simple template like this:
<#list .data_model?keys as key>
${key}
</#list>
...which you can use in any of the alert notification outputs:
For simple reference, these are:
- events
- statement
- moduleName
- id
- engineUri
- instanceId
- time
- severity
- notificationReasons
- respondEnabled
- eventSourceId
- actualEventsCount
- suppressNotification
- suppressMessageBus
- transientAlert
- moduleType
- moduleId
One option for you, if you're able to put the extra time in to adjust your existing ESA rules, is to convert any/all alerts you want to have a description field to Advanced Rules, and add a @Name annotation to each of them. Alerting: ESA Annotations
Note: You can specify any number of meta keys in the statement for dynamic statement name generation.
The length of individual meta key is limited to 64, after which the value is truncated and appended with “…”.
The length of the dynamic generation of statement name is limited to 128, after which the value is truncated to 128 and appended with “…”. All the remaining values post truncation will be treated as static values.
While this annotation is not intended for long descriptions (128 character max length), I don't see why it can't be repurposed to meet (most of) your need.
As an example, I have rule like this:
...which generates alerts like this:
...where the ESA Rule Name becomes the alert moduleName field, and the @Name annotation becomes the statement field....and the statement field is already part of the default SMTP template:
We can do more with that statement field, like incident aggregation, but I'll leave that aside for now.
