Hello, we have created a local_decoder for an internal application and extract a user and srcip. When an alert is triggered within our local_rules.xml, is there any way to use the captured user id within the desc field of the rule; some sort of variable substitution?
-- Thanks, Phil
