crowdsecurity · LaurenceJJones · Jul 1, 2025 · Jul 1, 2025 · Jul 2, 2025 · Jul 2, 2025
diff --git a/...api/notification_plugins/elasticsearch.md → ...pi/notification_plugins/elasticsearch.mdx b/...api/notification_plugins/elasticsearch.md → ...pi/notification_plugins/elasticsearch.mdx
@@ -3,6 +3,8 @@ id: elastic
 title: Elasticsearch
 ---
 
+import TryTemplateButton from "@site/src/components/TryTemplateButton";
+
 CrowdSec can forward Alerts to Elasticsearch using the HTTP plugin. This guide will show you how to configure the plugin to send alerts to your Elasticsearch instance.
 
 ## Configuring the plugin
@@ -38,6 +40,14 @@ headers:
  Content-Type: "application/json"
 ```
 
+<TryTemplateButton
+    template={` {{ range .}}
+  {"index": { "_index": "crowdsec"} }
+  {{.|toJson}}
+ {{ end }}
+`}
+/>
+
 
 ### Authentication
 

diff --git a/...s/local_api/notification_plugins/email.md → .../local_api/notification_plugins/email.mdx b/...s/local_api/notification_plugins/email.md → .../local_api/notification_plugins/email.mdx
@@ -3,6 +3,8 @@ id: email
 title: Email Plugin
 ---
 
+import TryTemplateButton from '@site/src/components/TryTemplateButton';
+
 The Email plugin is shipped by default with CrowdSec. The following guide shows how to configure, test and enable it.
 
 ## Configuring the plugin
@@ -74,6 +76,17 @@ encryption_type: "ssltls"
 # ...
 ```
 
+<TryTemplateButton 
+    template={`<html><body>
+{{range . -}}
+  {{$alert := . -}}
+  {{range .Decisions -}}
+    <p><a href="https://www.whois.com/whois/{{.Value}}">{{.Value}}</a> will get <b>{{.Type}}</b> for next <b>{{.Duration}}</b> for triggering <b>{{.Scenario}}</b> on machine <b>{{$alert.MachineID}}</b>.</p> <p><a href="https://app.crowdsec.net/cti/{{.Value}}">CrowdSec CTI</a></p>
+  {{end -}}
+{{end -}}
+</body></html>`}
+/>
+
 The `format` configuration directive is a [go template](https://pkg.go.dev/text/template), which receives a list of [Alert](https://pkg.go.dev/github.com/crowdsecurity/crowdsec@master/pkg/models#Alert) objects.
 
 Typical port and TLS/SSL settings

diff --git a/...cs/local_api/notification_plugins/file.md → ...s/local_api/notification_plugins/file.mdx b/...cs/local_api/notification_plugins/file.md → ...s/local_api/notification_plugins/file.mdx
@@ -3,6 +3,8 @@ id: file
 title: File Plugin
 ---
 
+import TryTemplateButton from '@site/src/components/TryTemplateButton';
+
 The File plugin is by default shipped with your CrowdSec installation and allows you to write Alerts to an external file that can be monitored by external applications. The following guide shows how to configure, test and enable it.
 
 ## Configuring the plugin
@@ -43,6 +45,12 @@ rotate:
   compress: true # Compress rotated files using gzip
 ```
 
+<TryTemplateButton 
+    template={`{{range . -}}
+ { "time": "{{.StopAt}}", "program": "crowdsec", "alert": {{. | toJson }} }
+{{ end -}}`}
+/>
+
 **Note** that the `format` is a [go template](https://pkg.go.dev/text/template), which is fed a list of [Alert](https://pkg.go.dev/github.com/crowdsecurity/crowdsec@master/pkg/models#Alert) objects.
 
 :::warning
@@ -65,6 +73,13 @@ format: |
    { "time": "{{.StopAt}}", "source": "crowdsec", "alert": {{. | toJson }} }
   {{ end -}}
 ```
+
+<TryTemplateButton 
+    template={`{{range . -}}
+ { "time": "{{.StopAt}}", "source": "crowdsec", "alert": {{. | toJson }} }
+{{ end -}}`}
+/>
+
 #### Wazuh
 
 Wazuh has set of reserved top level keys and may cause logs not to be sent by the agent. The following format can be used to be compatible with Wazuh:
@@ -76,6 +91,12 @@ format: |
   {{ end -}}
 ```
 
+<TryTemplateButton 
+    template={`{{range . -}}
+ { "crowdsec": { "time": "", "program": "crowdsec", "alert": {{. | toJson }} }}
+{{ end -}}`}
+/>
+
 ## Testing the plugin
 
 Before enabling the plugin it is best to test the configuration so the configuration is validated and you can see the output of the plugin. 

diff --git a/.../local_api/notification_plugins/gotify.md → ...local_api/notification_plugins/gotify.mdx b/.../local_api/notification_plugins/gotify.md → ...local_api/notification_plugins/gotify.mdx
@@ -3,6 +3,8 @@ id: gotify
 title: Gotify
 ---
 
+import TryTemplateButton from "@site/src/components/TryTemplateButton"
+
 CrowdSec can forward Alerts to Gotify via the HTTP plugin. This guide will show you how to configure the HTTP plugin to send alerts to your Gotify instance.
 
 ## Configuring the plugin
@@ -64,7 +66,24 @@ headers:
   Content-Type: application/json
 # skip_tls_verification:  # true or false. Default is false
 ```
-
+<TryTemplateButton
+  template={`{{ range . -}}
+  {{ $alert := . -}}
+  {
+    "extras": {
+      "client::display": {
+      "contentType": "text/markdown"
+    }
+  },
+  "priority": 3,
+  {{range .Decisions -}}
+  "title": "{{.Type }} {{ .Value }} for {{.Duration}}",
+  "message": "{{.Scenario}}  \n\n[crowdsec cti](https://app.crowdsec.net/cti/{{.Value -}})  \n\n[shodan](https://shodan.io/host/{{.Value -}})"
+  {{end -}}
+  }
+  {{ end -}}
+`}
+/>
 ## Testing the plugin
 
 Before enabling the plugin it is best to test the configuration so the configuration is validated and you can see the output of the plugin. 

diff --git a/crowdsec-docs/docs/local_api/notification_plugins/helpers.mdx b/crowdsec-docs/docs/local_api/notification_plugins/helpers.mdx
@@ -0,0 +1,69 @@
+---
+id: template_helpers
+title: Templating helpers
+---
+
+In order to simplify some operation in the templates, we provide some custom helpers.
+
+## Sprig
+
+The [Sprig](https://masterminds.github.io/sprig/) library is available in the templates, and provides a lot of useful functions. Refer to the sprig documentation for more information.
+
+## CrowdSec specific helpers
+
+### `HTMLEscape`
+
+:::info
+When displaying untrusted data sources, such as metadata (for example, URIs), it is best to use this function to prevent the data from being rendered in notifications that support HTML format, such as emails.
+:::
+
+The string is processed through the [`html.EscapeString`](https://pkg.go.dev/html#EscapeString) function, which converts special characters into their HTML-encoded equivalents.
+
+```go
+{{ "I am <img src=x /> not escaped" }} // I am <img src=x /> not escaped
+{{ "I am <img src=x /> escaped" | HTMLEscape }} // I am &lt;img src=x /&gt; escaped
+```
+
+:::note
+This function only escapes five specific characters:
+
+| Character | Escape Sequence |
+|-----------|-----------------|
+| `<`       | `&lt;`          |
+| `>`       | `&gt;`          |
+| `&`       | `&amp;`         |
+| `'`       | `&#39;`         |
+| `"`       | `&quot;`        |
+
+It does not provide comprehensive sanitization.
+:::
+
+### `Hostname`
+
+Returns the hostname of the machine running crowdsec.
+
+### `GetMeta(alert, key)`
+
+Return the list of meta values for the given key in the specified alert.
+
+```go
+{{ range . }}
+{{ $alert := .}}
+{{ GetMeta $alert "username"}}
+{{ end }}
+```
+
+### `CrowdsecCTI`
+
+Queries the crowdsec CTI API to get information about an IP based on the smoke database.
+
+Documentation on the available fields and methods is [here](https://pkg.go.dev/github.com/crowdsecurity/crowdsec/pkg/cticlient#SmokeItem).
+
+```go
+  {{range . -}}
+  {{$alert := . -}}
+  :flag-{{$alert.Source.Cn}}: <https://app.crowdsec.net/cti/{{$alert.Source.IP}}|{{$alert.Source.IP}}> triggered *{{$alert.Scenario}}* ({{$alert.Source.AsName}}) : Maliciousness Score is 
+  {{- $cti := $alert.Source.IP | CrowdsecCTI  -}}
+  {{" "}}{{mulf $cti.GetMaliciousnessScore 100 | floor}} %
+  {{- end }}
+```
diff --git a/...cs/local_api/notification_plugins/http.md → ...s/local_api/notification_plugins/http.mdx b/...cs/local_api/notification_plugins/http.md → ...s/local_api/notification_plugins/http.mdx
@@ -3,6 +3,8 @@ id: http
 title: HTTP Plugin
 ---
 
+import TryTemplateButton from '@site/src/components/TryTemplateButton';
+
 The HTTP plugin is by default shipped with your CrowdSec installation. The following guide shows how to configure, test and enable it.
 
 Every alert which would pass the profile's filter would be dispatched to `http_default` plugin.
@@ -53,6 +55,10 @@ method: POST # eg either of "POST", "GET", "PUT" and other http verbs is valid v
 
 ```
 
+<TryTemplateButton 
+    template={`{{.|toJson}}`}
+/>
+
 :::info
 `format` is a [go template](https://pkg.go.dev/text/template), which is fed a list of [Alert](https://pkg.go.dev/github.com/crowdsecurity/crowdsec@master/pkg/models#Alert) objects.
 :::

diff --git a/...ocal_api/notification_plugins/sentinel.md → ...cal_api/notification_plugins/sentinel.mdx b/...ocal_api/notification_plugins/sentinel.md → ...cal_api/notification_plugins/sentinel.mdx
@@ -3,6 +3,8 @@ id: sentinel
 title: Sentinel Plugin
 ---
 
+import TryTemplateButton from '@site/src/components/TryTemplateButton';
+
 The sentinel plugin is by default shipped with your CrowdSec installation. The following guide shows how to configure, test and enable it.
 
 ## Configuring the plugin
@@ -47,6 +49,10 @@ log_type: crowdsec
 
 ```
 
+<TryTemplateButton 
+    template={`{{.|toJson}}`}
+/>
+
 **Note** that the `format` is a [go template](https://pkg.go.dev/text/template), which is fed a list of [Alert](https://pkg.go.dev/github.com/crowdsecurity/crowdsec@master/pkg/models#Alert) objects.
 
 ### Configuration options

diff --git a/...s/local_api/notification_plugins/slack.md → .../local_api/notification_plugins/slack.mdx b/...s/local_api/notification_plugins/slack.md → .../local_api/notification_plugins/slack.mdx
@@ -3,6 +3,8 @@ id: slack
 title: Slack Plugin
 ---
 
+import TryTemplateButton from '@site/src/components/TryTemplateButton';
+
 The slack plugin is by default shipped with your CrowdSec installation. The following guide shows how to enable it.
 
 ## Configuring the plugin: 
@@ -39,6 +41,18 @@ webhook: https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxxxxxxxxxxx # Replace
 
 ```
 
+<TryTemplateButton 
+    template={`{{range . -}}
+{{$alert := . -}}
+{{range .Decisions -}}
+{{if $alert.Source.Cn -}}
+:flag-{{$alert.Source.Cn}}: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'. <https://www.shodan.io/host/{{.Value}}|Shodan>{{end}}
+{{if not $alert.Source.Cn -}}
+:pirate_flag: <https://www.whois.com/whois/{{.Value}}|{{.Value}}> will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine '{{$alert.MachineID}}'.  <https://www.shodan.io/host/{{.Value}}|Shodan>{{end}}
+{{end -}}
+{{end -}}`}
+/>
+
 **Don't forget to replace the webhook with your own webhook**
 
 See [slack guide](https://slack.com/intl/en-in/help/articles/115005265063-Incoming-webhooks-for-Slack) for instructions to obtain webhook.

diff --git a/.../local_api/notification_plugins/splunk.md → ...local_api/notification_plugins/splunk.mdx b/.../local_api/notification_plugins/splunk.md → ...local_api/notification_plugins/splunk.mdx
@@ -3,6 +3,8 @@ id: splunk
 title: Splunk Plugin
 ---
 
+import TryTemplateButton from '@site/src/components/TryTemplateButton';
+
 The splunk plugin is by default shipped with your CrowdSec installation. The following guide shows how to enable it.
 
 ## Configuring the plugin:
@@ -40,6 +42,9 @@ url: https://xxx.yyyy.splunkcloud.com:8088/services/collector
 # timeout: # duration to wait for response from plugin before considering this attempt a failure. eg "10s"
 ```
 
+<TryTemplateButton 
+    template={`{{.|toJson}}`}
+/>
 
 See [splunk guide](https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/UsetheHTTPEventCollector) for instructions to obtain the token and  url.