Merge pull request #659 from aquasecurity/incident-email-template

NoamBAqua · web-flow · commit cffde2d3dd2d · 2025-03-13T15:03:55.000+02:00
add incident-html template
diff --git a/rego-templates/incident-html.rego b/rego-templates/incident-html.rego
@@ -1,242 +1,154 @@
 package postee.incident.html
 
 import data.postee.with_default
+import future.keywords.in
+import future.keywords.if
 
-############################################## Templates ################################################
+capitalize(str) := sprintf("%s%s", [upper(substring(str, 0, 1)), lower(substring(str, 1, -1))])
 
-# Main template to render message
-tpl := `
+# Outlook for windows use word for HTML rendering, so all styles have to be inline
+info_table(label1, value1, label2, value2) := sprintf(`
+  <table width="100%%" border="0" cellpadding="4" cellspacing="0" style="width: 100%%; border-collapse: collapse; table-layout: fixed;">
+    <tr>
+      <td style="font-size: 15px; width: 40%%; padding: 10px 4px; color: #6B7887; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;"><strong>%s:</strong> %s</td>
+      <td style="font-size: 15px; width: 40%%; padding: 10px 4px; color: #6B7887; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;"><strong>%s:</strong> %s</td>
+    </tr>
+  </table>
+`, [label1, value1, label2, value2])
+
+severity_color := "#FF0036" if {
+	input.severity_score == 3
+} else := "#BB0505"
+
+parsed_data := json.unmarshal(input.data)
+
+html_tpl := `
 <!DOCTYPE html>
 <html lang="en">
 <head>
     <meta charset="UTF-8">
-    %s
     <title>Incident Report</title>
 </head>
 <body>
-    <div class="incident-container">
-        <!-- Thin Red Line -->
-        <div class="severity-indicator"></div>
-
-        <!-- Severity Box -->
-        <div class="severity-box">
-            <span style="font-size: 23px">%s</span> <br> <span style="font-size: 13px">%s Severity</span>
-        </div>
-
-        <!-- Logo -->
-        <div class="logo">
-            %s
-        </div>
-
-        <!-- Incident Overview -->
-        <div class="section">
-            <h3>Incident Overview</h3>
-            <div class="info-grid divider">
-                <p><strong>Category:</strong> %s</p>
-                <p><strong>Host Name:</strong> %s</p>
-            </div>
-            <div class="info-grid divider">
-                <p><strong>Type:</strong> %s</p>
-                <p><strong>Host ID:</strong> %s</p>
-            </div>
-            <div class="info-grid">
-                <p><strong>Name:</strong> %s</p>
-                <p><strong>URL:</strong> <a href="%s">%s</a></p>
-                <p><strong>Result:</strong> %s</p>
-            </div>
-        </div>
-
-        <!-- Malware Detection -->
-        <div class="section">
-            <h3>Malware Detection</h3>
-            <div class="info-grid divider">
-                <p><strong>Malware Name:</strong> %s</p>
-                <p><strong>Host IP:</strong> %s</p>
-            </div>
-            <div class="info-grid divider">
-                <p><strong>Malware Type:</strong> %s</p>
-                <p><strong>Action:</strong> %s</p>
-            </div>
-            <div class="info-grid divider">
-                <p><strong>Scan Type:</strong> %s</p>
-                <p><strong>Level:</strong> %s</p>
-            </div>
-            <div class="info-grid">
-                <p><strong>Resource:</strong> %s</p>
-                <p><strong>Cluster:</strong> %s</p>
-            </div>
-        </div>
-
-        <!-- Attack Details -->
-        <div class="section">
-            <h3>Attack Details</h3>
-            <p><strong>Tactics:</strong> %s</p>
-            <p><strong>Techniques:</strong> %s</p>
-            <p><strong>Rule Type:</strong> %s</p>
-        </div>
-
-        <!-- Policy Information -->
-        <div class="section policy-details">
-            <p><strong>Response Policy Name:</strong> %s</p>
-            <p><strong>Application Scope:</strong> %s</p>
-        </div>
-
-        <div class="copyright">
-            Copyright (C) 2022 Aqua Security Software Ltd.
-        </div>
-    </div>
+    %s
 </body>
 </html>
 `
 
-# Style definition with dynamic colors based on severity_score
-style := sprintf(`
-<style>
-    body {
-        font-family: Helvetica;
-        margin: 0;
-        padding: 0;
-        color: #333;
-        background-color: #f8f8f8;
-    }
-
-    .incident-container {
-        margin: 20px auto;
-        padding: 20px;
-        background-color: #fff;
-        border-radius: 8px;
-        box-shadow: 0px 4px 6px rgba(0, 0, 0, 0.1);
-        max-width: 800px;
-    }
-
-    .severity-indicator {
-        background-color: %s;
-        height: 5px;
-        width: 100%%;
-        margin: 0;
-    }
-
-    .severity-box {
-        margin-left: 44px;
-        display: inline-block;
-        background-color: %s;
-        color: #fff;
-        padding: 10px 15px;
-        font-size: 18px;
-        font-weight: bold;
-        border-bottom-left-radius: 7px;
-        border-bottom-right-radius: 7px;
-        text-align: center;
-        margin-bottom: 20px;
-    }
-
-    .logo {
-        text-align: center;
-        margin: 20px 0;
-    }
-
-    .logo img {
-        height: 40px;
-    }
-
-    h3 {
-        color: #183278;
-        margin-top: 30px;
-    }
-
-    .section {
-        margin-bottom: 20px;
-        margin-left: 44px;
-        color: #6B7887;
-    }
-
-    .divider {
-        border-bottom: 1px solid #F3F5F9;
-        width: 100%%;
-        margin-bottom: 20px;
-    }
-
-    .info-grid {
-        display: grid;
-        grid-template-columns: 1fr 1fr;
-        gap: 1rem;
-    }
-
-    .info-grid p {
-        display: inline-block;
-        vertical-align: middle;
-        max-width: 290px;
-        white-space: nowrap;
-        overflow: hidden;
-        text-overflow: ellipsis;
-      }
-
-    .policy-details {
-        display: flex;
-        justify-content: space-between;
-        padding-right: 100px;
-    }
-
-    .policy-details p {
-        overflow-wrap: break-word;
-        word-wrap: break-word;
-        white-space: normal;
-    }
-
-    .copyright {
-        color: #405a75;
-        font-family: "Inter-SemiBold", sans-serif;
-        font-size: 15px;
-        line-height: 26px;
-        font-weight: 600;
-        margin-top: 30px;
-        text-align: center;
-    }
-</style>
-`, [severity_color, severity_color])
-
-logo := `<img
-           class="aqua-logo"
-           src="data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iMTEwIiBoZWlnaHQ9IjM1IiB2aWV3Qm94PSIwIDAgODggMjUiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CiAgPGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzE0OTRfMTIzNjgpIj4KICAgIDxwYXRoIGQ9Ik0xNi45MDk5IDEwLjYxMjFWMS41NTEyOEMxNi45MTAxIDEuNDY1MTEgMTYuODkzMiAxLjM3OTc0IDE2Ljg2MDMgMS4zMDAwOUMxNi44MjczIDEuMjIwNDQgMTYuNzc4OSAxLjE0ODA3IDE2LjcxNzggMS4wODcxNEMxNi42NTY3IDEuMDI2MjEgMTYuNTg0MSAwLjk3NzkxIDE2LjUwNDIgMC45NDUwMjRDMTYuNDI0MyAwLjkxMjEzOSAxNi4zMzg3IDAuODk1MzEyIDE2LjI1MjMgMC44OTU1MUgxMy4xMjIxVjEzLjM4MTNDMTMuMTIyMSAxMy44ODM1IDEzLjczMDggMTQuMTM0NSAxNC4wODQxIDEzLjc3ODVMMTYuNjYxOSAxMS4yMDc5QzE2Ljc0MDUgMTEuMTI5NyAxNi44MDI4IDExLjAzNjkgMTYuODQ1NCAxMC45MzQ2QzE2Ljg4NzkgMTAuODMyNCAxNi45MDk5IDEwLjcyMjggMTYuOTA5OSAxMC42MTIxWiIgZmlsbD0iI0ZGMDAzNiI+PC9wYXRoPgogICAgPHBhdGggZD0iTTEzLjEyMiAwLjg5NTUwOEg3LjE2OTdDNy4wNTg3IDAuODk1NTY0IDYuOTQ4NzkgMC45MTc0MzYgNi44NDYyNyAwLjk1OTg3MkM2Ljc0Mzc1IDEuMDAyMzEgNi42NTA2MiAxLjA2NDQ4IDYuNTcyMjEgMS4xNDI4M0wzLjk5NDM2IDMuNzEzNDRDMy42NDExMyA0LjA2NTY4IDMuODg5MTUgNC42NzI3MyA0LjM5MjY5IDQuNjcyNzNIMTMuMTI1OFYwLjg5NTUwOEgxMy4xMjJaIiBmaWxsPSIjRkZDOTAwIj48L3BhdGg+CiAgICA8cGF0aCBkPSJNOS43NDM5NiAxNy43NTc3SDAuNjU3NjE1QzAuNTcxMjAxIDE3Ljc1NzkgMC40ODU1OTggMTcuNzQxMSAwLjQwNTcyMyAxNy43MDgyQzAuMzI1ODQ5IDE3LjY3NTMgMC4yNTMyNzUgMTcuNjI3IDAuMTkyMTcgMTcuNTY2MUMwLjEzMTA2NiAxNy41MDUxIDAuMDgyNjMzOSAxNy40MzI4IDAuMDQ5NjU1OSAxNy4zNTMxQzAuMDE2Njc3OSAxNy4yNzM1IC0wLjAwMDE5NjQ3NCAxNy4xODgxIDEuNzI1OWUtMDYgMTcuMTAxOVYxMy45ODA1SDEyLjUyMUMxMy4wMjQ1IDEzLjk4MDUgMTMuMjc2MyAxNC41ODc1IDEyLjkxOTMgMTQuOTM5OEwxMC4zNDE0IDE3LjUxMDRDMTAuMjYzMSAxNy41ODg4IDEwLjE3IDE3LjY1MTEgMTAuMDY3NSAxNy42OTM1QzkuOTY0OTMgMTcuNzM2IDkuODU0OTggMTcuNzU3OCA5Ljc0Mzk2IDE3Ljc1NzdaIiBmaWxsPSIjMTkwNERBIj48L3BhdGg+CiAgICA8cGF0aCBkPSJNMCAxMy45ODEyVjguMDQ1NThDNS42ODI1NmUtMDUgNy45MzQ4OCAwLjAyMTk5MDIgNy44MjUyOSAwLjA2NDU0NjEgNy43MjMwNkMwLjEwNzEwMiA3LjYyMDgyIDAuMTY5NDQ2IDcuNTI3OTYgMC4yNDgwMTQgNy40NDk3NkwyLjgyNTg2IDQuODc5MTVDMy4xNzkwOSA0LjUyNjkxIDMuNzg3ODYgNC43NzQyMyAzLjc4Nzg2IDUuMjc2MzZWMTMuOTg1TDAgMTMuOTgxMloiIGZpbGw9IiMwOEIxRDUiPjwvcGF0aD4KICAgIDxwYXRoIGQ9Ik0zNi44MTg4IDE2LjkyNjRIMjkuMTk4QzI0Ljk5NjcgMTYuOTI2NCAyMS41NzcxIDEzLjUxNjQgMjEuNTc3MSA5LjMyNjk1QzIxLjU3NzEgNS4xMzc1MyAyNC45OTY3IDEuNzI3NTQgMjkuMTk4IDEuNzI3NTRDMzMuMzk5MiAxLjcyNzU0IDM2LjgxODggNS4xMzc1MyAzNi44MTg4IDkuMzI2OTVWMTYuOTI2NFpNMjkuMTk4IDQuODE1MjdDMjguNjAzOCA0LjgxNTI3IDI4LjAxNTUgNC45MzE5NyAyNy40NjY1IDUuMTU4N0MyNi45MTc2IDUuMzg1NDMgMjYuNDE4OSA1LjcxNzc2IDI1Ljk5ODcgNi4xMzY3MUMyNS41Nzg2IDYuNTU1NjYgMjUuMjQ1MyA3LjA1MzAyIDI1LjAxOCA3LjYwMDQxQzI0Ljc5MDYgOC4xNDc3OSAyNC42NzM2IDguNzM0NDcgMjQuNjczNiA5LjMyNjk1QzI0LjY3MzYgOS45MTk0MyAyNC43OTA2IDEwLjUwNjEgMjUuMDE4IDExLjA1MzVDMjUuMjQ1MyAxMS42MDA5IDI1LjU3ODYgMTIuMDk4MiAyNS45OTg3IDEyLjUxNzJDMjYuNDE4OSAxMi45MzYxIDI2LjkxNzYgMTMuMjY4NSAyNy40NjY1IDEzLjQ5NTJDMjguMDE1NSAxMy43MjE5IDI4LjYwMzggMTMuODM4NiAyOS4xOTggMTMuODM4NkgzMy43MjIzVjkuMzI2OTVDMzMuNzIxMSA4LjEzMDc0IDMzLjI0NDEgNi45ODM4NyAzMi4zOTU5IDYuMTM4MDNDMzEuNTQ3NiA1LjI5MjE4IDMwLjM5NzUgNC44MTY0NiAyOS4xOTggNC44MTUyN1oiIGZpbGw9IiMwNzI0MkQiPjwvcGF0aD4KICAgIDxwYXRoIGQ9Ik04Ny45OTk5IDE2LjkyNjRIODAuMzc5MUM3Ni4xNzc5IDE2LjkyNjQgNzIuNzU4MyAxMy41MTY0IDcyLjc1ODMgOS4zMjY5NUM3Mi43NTgzIDUuMTM3NTMgNzYuMTc3OSAxLjcyNzU0IDgwLjM3OTEgMS43Mjc1NEM4NC41ODAzIDEuNzI3NTQgODcuOTk5OSA1LjEzNzUzIDg3Ljk5OTkgOS4zMjY5NVYxNi45MjY0Wk04MC4zNzkxIDQuODE1MjdDNzkuMTc5MiA0LjgxNTI3IDc4LjAyODQgNS4yOTA2MSA3Ny4xNzk5IDYuMTM2NzFDNzYuMzMxNCA2Ljk4MjgxIDc1Ljg1NDcgOC4xMzAzOCA3NS44NTQ3IDkuMzI2OTVDNzUuODU0NyAxMC41MjM1IDc2LjMzMTQgMTEuNjcxMSA3Ny4xNzk5IDEyLjUxNzJDNzguMDI4NCAxMy4zNjMzIDc5LjE3OTIgMTMuODM4NiA4MC4zNzkxIDEzLjgzODZIODQuOTAzNVY5LjMyNjk1Qzg0LjkwNzIgNi44Mzg3OCA4Mi44NzQzIDQuODE1MjcgODAuMzc5MSA0LjgxNTI3WiIgZmlsbD0iIzA3MjQyRCI+PC9wYXRoPgogICAgPHBhdGggZD0iTTYzLjI3MDEgMTYuOTMwNUM1OS4wNjUxIDE2LjkzMDUgNTUuNjQ1NSAxMy41MjA1IDU1LjY0NTUgOS4zMjczVjIuMTk2MjlINTguNzQxOVY5LjMyNzNDNTguNzQxOSAxMS44MTU1IDYwLjc3NDkgMTMuODQyNyA2My4yNzAxIDEzLjg0MjdDNjUuNzY1MiAxMy44NDI3IDY3Ljc5ODIgMTEuODE1NSA2Ny43OTgyIDkuMzI3M1YyLjE5NjI5SDcwLjg5NDZWOS4zMjczQzcwLjg5NDYgMTMuNTIwNSA2Ny40NzUgMTYuOTMwNSA2My4yNzAxIDE2LjkzMDVaIiBmaWxsPSIjMDcyNDJEIj48L3BhdGg+CiAgICA8cGF0aCBkPSJNNDYuMjQzNCAxLjcyNzU0QzQyLjA0MjEgMS43Mjc1NCAzOC42MjI2IDUuMTM3NTMgMzguNjIyNiA5LjMyNjk1QzM4LjYyMjYgMTMuNTE2NCA0Mi4wNDIxIDE2LjkyNjQgNDYuMjQzNCAxNi45MjY0TDQ5LjMzOTggMTMuODM4Nkg0Ni4yNDM0QzQ1LjM0ODUgMTMuODM4NiA0NC40NzM4IDEzLjU3NCA0My43Mjk3IDEzLjA3ODNDNDIuOTg1NyAxMi41ODI1IDQyLjQwNTggMTEuODc3OSA0Mi4wNjM0IDExLjA1MzVDNDEuNzIwOSAxMC4yMjkxIDQxLjYzMTMgOS4zMjE5NSA0MS44MDU5IDguNDQ2NzdDNDEuOTgwNSA3LjU3MTU5IDQyLjQxMTQgNi43Njc2OCA0My4wNDQxIDYuMTM2NzFDNDMuNjc2OSA1LjUwNTc0IDQ0LjQ4MzEgNS4wNzYwNCA0NS4zNjA3IDQuOTAxOTZDNDYuMjM4MyA0LjcyNzg4IDQ3LjE0OCA0LjgxNzIyIDQ3Ljk3NDggNS4xNTg3QzQ4LjgwMTUgNS41MDAxOCA0OS41MDgxIDYuMDc4NDUgNTAuMDA1MiA2LjgyMDM5QzUwLjUwMjQgNy41NjIzNCA1MC43Njc3IDguNDM0NjIgNTAuNzY3NyA5LjMyNjk1VjI0LjE4MUg1My44NjQyVjkuMzI2OTVDNTMuODY0MiA1LjEzNzUzIDUwLjQ0NDYgMS43Mjc1NCA0Ni4yNDM0IDEuNzI3NTRaIiBmaWxsPSIjMDcyNDJEIj48L3BhdGg+CiAgPC9nPgogIDxkZWZzPgogICAgPGNsaXBQYXRoIGlkPSJjbGlwMF8xNDk0XzEyMzY4Ij4KICAgICAgPHJlY3Qgd2lkdGg9Ijg4IiBoZWlnaHQ9IjIzLjI4NTQiIGZpbGw9IndoaXRlIiB0cmFuc2Zvcm09InRyYW5zbGF0ZSgwIDAuODk1NTA4KSI+PC9yZWN0PgogICAgPC9jbGlwUGF0aD4KICA8L2RlZnM+Cjwvc3ZnPg=="
-           alt="aqua"
-         />`
-
-
-# Determine colors based on input.severity_score
-severity_color = "#FF0036" {
-    input.severity_score == 3
-} else = "#BB0505"
-
-title:="Incident Detection"
+severity_indicator := sprintf(`
+  <div style="height: 5px; background-color: %s; width: 100%%;"></div>
+`, [severity_color])
 
-parsed_data := json.unmarshal(input.data)
+severity_box := sprintf(`
+  <div style="padding-left: 44px; padding-bottom: 10px;">
+    <div style="margin-left: 44px; display: inline-block; background-color: %s; color: #fff; font-weight: bold; border-bottom-left-radius: 7px; border-bottom-right-radius: 7px; width: 130px; height: 65px; text-align: center; margin-bottom: 20px;  padding-top: 10px;">
+      <span style="font-size: 28px;">%v</span><br>
+      <span style="font-size: 16px;">%s</span>
+    </div>
+  </div>
+`, [severity_color, input.severity_score, capitalize(input.severity)])
 
-result = msg {
-    msg := sprintf(tpl, [
-        style,
-        sprintf("%v", [input.severity_score]),
-        input.severity,
-        logo,
-        input.category,
-        input.host,
-        input.type,
-        input.hostid,
-        input.name,
-        input.url,
-        input.url,
-        sprintf("%v", [with_default(parsed_data, "result", 0)]),
-        parsed_data.malware,
-        parsed_data.hostip,
-        parsed_data.malware_type,
-        parsed_data.action,
-        parsed_data.malware_scan_type,
-        parsed_data.level,
-        parsed_data.resource,
-        input.cluster,
-        parsed_data.tactic,
-        parsed_data.technique,
-        parsed_data.rule_type,
-        input.response_policy_name,
-        concat(", ", with_default(input, "application_scope", []))
-    ])
-}
+logo := `
+  <div align="center" style="padding-top: 20px; padding-bottom: 20px;">
+    <img src="https://get.aquasec.com/aqua_email_logo.png" alt="Aqua Security" width="120" style="display: block;" />
+  </div>
+`
+
+policy_info := sprintf(`
+  <div style="padding-left: 44px; padding-bottom: 20px; color: #6B7887;">
+    <h3 style="color: #183278; margin: 0;">Policy Information</h3>
+    %s
+  </div>
+`, [info_table("Response Policy Name", input.response_policy_name, "Application Scope", concat(", ", with_default(input, "application_scope", [])))])
+
+incident_overview := sprintf(`
+  <div style="padding-left: 44px; padding-bottom: 20px; color: #6B7887;">
+    <h3 style="color: #183278; margin: 0;">Incident Overview</h3>
+    %s
+  </div>
+`, [concat("", [
+    info_table("Type", capitalize(input.main_category), "Name Space", with_default(input, "namespace", "")),
+    info_table("Category", with_default(input, "category", ""), "Deployment", with_default(input, "deployment", "")),
+    info_table("Incident Name", with_default(input, "name", ""), "Host Name", with_default(input, "host", "")),
+    info_table("Enforcer Group", with_default(input, "host_group", ""), "Host ID", with_default(input, "hostid", "")),
+    info_table("Image Name", with_default(input, "image", ""), "URL", sprintf("<a href=\"%s\" style=\"color: #007BFF; text-decoration: underline;\">%s</a>", [input.url, input.url])),
+    info_table("Cluster Name", with_default(input, "cluster", ""), "Timestamp", time.format([input.timestamp * 1000000, "", "Jan 2, 2006 03:04:05.0"]))
+])])
+
+malware_detection_section := sprintf(`
+  <div style="padding-left: 44px; padding-bottom: 20px; color: #6B7887;">
+    <h3 style="color: #183278; margin: 0;">Malware Detection</h3>
+    %s
+    <p style="color: #6B7887; padding: 10px 4px; font-size: 15px;"><strong>Resource Digest:</strong> %s</p>
+    <h3 style="color: #183278; margin: 0;">Attack Details</h3>
+    <p style="color: #6B7887;  padding-top: 10px; font-size: 15px;"><strong>Tactics:</strong> %s</p>
+    <p style="color: #6B7887;  padding-top: 10px; font-size: 15px;"><strong>Techniques:</strong> %s</p>
+    <p style="color: #6B7887;  padding-top: 10px; font-size: 15px;"><strong>Rule Type:</strong> %s</p>
+  </div>
+`, [
+    concat("", [
+        info_table("Malware Name", with_default(parsed_data, "malware", ""), "Host IP", with_default(parsed_data, "hostip", "")),
+        info_table("Malware Type", with_default(parsed_data, "malware_type", ""), "Action", with_default(parsed_data, "action", "")),
+        info_table("Resource", with_default(parsed_data, "resource", ""), "Cluster", with_default(input, "cluster", ""))
+    ]),
+    with_default(parsed_data, "resource_digest", ""),
+    with_default(parsed_data, "tactic", ""),
+    with_default(parsed_data, "technique", ""),
+    with_default(parsed_data, "rule_type", "")
+])
+
+runtime_control_section := sprintf(`
+  <div style="padding-left: 44px; padding-bottom: 20px; color: #6B7887;">
+    <h3 style="color: #183278; margin: 0;">Runtime Control</h3>
+    %s
+  </div>
+`, [concat("", [
+    info_table("Control Name", with_default(parsed_data, "control", ""), "Container Name", with_default(input, "container", "")),
+    info_table("Runtime Policy", with_default(parsed_data, "rule", ""), "MITRE Tactic", with_default(parsed_data, "tactic", "")),
+    info_table("Action", with_default(parsed_data, "level", ""), "MITRE Technique", with_default(parsed_data, "technique", "")),
+    info_table("User", with_default(parsed_data, "user", ""), "Process Name", with_default(parsed_data, "resource", ""))
+])])
+
+behavioral_detection_section := sprintf(`
+  <div style="padding-left: 44px; padding-bottom: 20px; color: #6B7887;">
+    <h3 style="color: #183278; margin: 0;">Behavioral Detection</h3>
+    %s
+    <p style="color: #6B7887;  padding-top: 10px; font-size: 15px;"><strong>MITRE Tactic:</strong> %s</p>
+    <p style="color: #6B7887;  padding-top: 10px; font-size: 15px;"><strong>Description:</strong> %s</p>
+  </div>
+`, [
+    concat("", [
+        info_table("User", with_default(parsed_data, "user", ""), "MITRE Technique", with_default(parsed_data, "technique", "")),
+        info_table("Container Name", with_default(input, "container", ""), "Process Name", with_default(parsed_data, "process", ""))
+    ]),
+    with_default(parsed_data, "tactic", ""),
+    with_default(parsed_data, "signature_description", "")
+])
+
+dynamic_section := malware_detection_section if {
+    input.main_category == "malware"
+}
+dynamic_section := runtime_control_section if {
+    input.main_category == "runtime"
+}
+dynamic_section := behavioral_detection_section if {
+    input.main_category == "behavioral"
+}
+
+sections := [
+    severity_indicator,
+    severity_box,
+    logo,
+    policy_info,
+    incident_overview,
+    dynamic_section
+]
+
+html_content := concat("", sections)
+
+location := input.container if {
+    input.container != ""
+} else := input.host
+title := sprintf("%s Incident on %s", [capitalize(input.main_category), location])
+
+result := sprintf(html_tpl, [html_content])
diff --git a/rego-templates/issues-email.rego b/rego-templates/issues-email.rego
@@ -102,15 +102,6 @@ style := sprintf(`<style>
                       white-space: normal;
                   }
 
-                  .copyright {
-                      color: #405a75;
-                      font-family: "Inter-SemiBold", sans-serif;
-                      font-size: 15px;
-                      line-height: 26px;
-                      font-weight: 600;
-                      margin-top: 30px;
-                      text-align: center;
-                  }
                   table {
                       width: 100%;
                       border-collapse: collapse;
