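This is as good as it gets: index=index sourcetype=sourcetype status="open" reason="NEW_ALERT" u_account_contact_email!="" Translated_Severity IN (4,5) NOT "resource.data.tags{}.value"="exception"
```Cloud-alert digest: one HTML email per account contact listing every open NEW_ALERT of severity 4/5 from roughly the last 13 hours. Triple-backtick SPL comments need a Splunk version that supports them; strip the comment blocks otherwise.```
| dedup id
```lastSeen appears to be an epoch-milliseconds value; the search only keeps alerts seen after the hour-aligned cut-off (confirm the unit against the source).```
| eval _time=round(('lastSeen'/1000),0)
| eval limit=round(relative_time(now(),"-13h@h"),0)
| where _time>limit
| eval remediator=rtrim(ltrim(lower('u_account_contact_email')))
```Recipient hardening: u_account_contact_email is data carried in the alert, not something this search controls. Only hand sendemail a value that is exactly one well-formed address, so a record with separators, whitespace or several addresses in that field cannot steer the email or break the map subsearch. To further limit delivery, append AND match(remediator, "@<ALLOWED_DOMAIN>$") with your approved domain.```
| where match(remediator, "^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$")
| eval account="Account ID " + 'resource.accountId'
| eval policy="Policy " + 'policy.name'
| eval resource="resource(s) " + 'resource.name'
| eval target=mvzip('account','resource'," ")
```Fallback text keeps the later mvzip aligned when a policy carries no recommendation.```
| eval recommendation=if('policy.recommendation'=="" or isnull('policy.recommendation'),"No Recommendations Available",'policy.recommendation')
| stats values(target) as target by remediator policy recommendation
| eval target=mvjoin('target',"
")
| eval remediation=mvzip('recommendation','target',"
___________________________________________________
")
| eval violation=mvzip('policy','remediation',"
___________________________________________________
")
| stats values(violation) as violation by remediator
| eval violation=mvjoin('violation',"
#############################################################################
")
| table violation remediator
```map expands $violation$ and $remediator$ as text into the subsearch; a violation value containing double quotes or dollar signs may break the inner eval or be misparsed, so confirm how your version quotes map tokens. The body is sent as content_type=html and resource.name / policy.recommendation are taken from the cloud side, where account owners can set resource names; verify that sendemail escapes field values before relying on the rendered mail.```
| map
[| makeresults
| eval violation=$violation$
| eval remediator=$remediator$
| table violation remediator
| sendemail to=$remediator$ from="infosec@company.com" subject="New Alerts for your Cloud Environments" content_type=html format=table inline=true sendresults=true ]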