What is the bug?
The threat intel module is not creating proper alerts after matching the IoCs.
When using {{#ctx.alerts}} it returns empty, different from using standard detectors in Security Analytics, which I believe is because the alert is not being generated.
How can one reproduce the bug?
Steps to reproduce the behavior:
Go to 'Security Analytics'
Click on 'Threat Intelligence'
Scroll down to 'Configure the scan', and send the alert using, for example:
{{#ctx.alerts}}
Document values
{{#sample_documents}}
Source IP {{_source.source.ip}}
Destination IP: {{_source.destination.ip}}
{{/sample_documents}}
Matching queries
{{#associated_queries}}
Query ID: {{id}}
RULE NAME: {{name}}
{{/associated_queries}}
{{/ctx.alerts}}
See the webhook or the destination
Create an ingestion that matches one of your Threat Intel sources.
What is the expected behavior?
My understanding is that Threat Intelligence triggers an alert based on the findings if they match the criteria for the scan.
What is your host/environment?
OS: Windows
Version: 2.17.0
Do you have any additional context?
Threat Intel findings are being created correctly without any problems, but not the alert, which also makes it difficult to send the matches with useful information.
Findings:
Alerts:
Scan alert configuration:
Thank you,
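To make the reported symptom concrete, here is an added example (not part of the issue or of OpenSearch's own code): a minimal Mustache-style renderer, standing in for the real Mustache engine, run over the issue's template once with an empty ctx.alerts (what the reporter sees) and once with a constructed alert payload. The alert field names follow the template; the IP addresses, query id and rule name are constructed sample values.

```python
import re

# Template copied from the issue's scan alert configuration step.
TEMPLATE = """{{#ctx.alerts}}
Document values
{{#sample_documents}}
Source IP {{_source.source.ip}}
Destination IP: {{_source.destination.ip}}
{{/sample_documents}}
Matching queries
{{#associated_queries}}
Query ID: {{id}}
RULE NAME: {{name}}
{{/associated_queries}}
{{/ctx.alerts}}"""

# Minimal Mustache subset: {{#name}}...{{/name}} sections and {{a.b.c}} variables.
SECTION = re.compile(r"\{\{#([\w.]+)\}\}\n?(.*?)\{\{/\1\}\}\n?", re.S)
VARIABLE = re.compile(r"\{\{([\w.]+)\}\}")

def lookup(name, scopes):
    # Resolve a dotted name against the innermost scope that has its first key.
    first, *rest = name.split(".")
    for scope in reversed(scopes):
        if isinstance(scope, dict) and first in scope:
            value = scope[first]
            for key in rest:
                value = value.get(key) if isinstance(value, dict) else None
            return value
    return None

def render(template, scopes):
    def expand_section(m):
        value = lookup(m.group(1), scopes)
        # A list renders its body once per item; an empty list renders nothing.
        items = value if isinstance(value, list) else ([value] if value else [])
        return "".join(render(m.group(2), scopes + [item]) for item in items)
    text = SECTION.sub(expand_section, template)
    return VARIABLE.sub(lambda m: str(lookup(m.group(1), scopes) or ""), text)

def render_scan_template(ctx):
    return render(TEMPLATE, [ctx])

# Constructed contexts: no alert generated (the reported case) vs. one alert.
CTX_NO_ALERT = {"ctx": {"alerts": []}}
CTX_WITH_ALERT = {"ctx": {"alerts": [{
    "sample_documents": [{"_source": {"source": {"ip": "10.0.0.5"},
                                      "destination": {"ip": "203.0.113.9"}}}],
    "associated_queries": [{"id": "q-1", "name": "ip-ioc-match"}],
}]}}
```

With an empty alerts list the whole section body is skipped, so the notification arrives blank even though findings exist; only the populated context yields the document and query lines.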