I followed your Elastalert configuration tutorial video on YouTube in which you demonstrated an example rule for TheHive being hit after several failed login attempts, and after that a case (alert) for that alert was generated in TheHive. In my scenario I copied the rule that you used in the video and edited it to my requirement but I am unable to receive any alerts on my TheHive instance, even though my rule gets hit when I test it and even shows up in the index pattern. I have Cortex and the MISP integrated in my TheHive instance too.

Here is my rule, I am detecting USB plugins on a specified PC:
```yaml
es_host: 192.168.1.165
es_port: 9200
name: Wazuh
type: frequency
index: wazuh-alerts-*
num_events: 1
timeframe:
  minutes: 1
filter:

hive_alert_config:
  type: 'external'
  source: 'elastalert'
  description: '{rule[name]}'
  severity: 2
  tags: ['{rule[name]}', '{match[data][id]}', '{match[agent][name]}']
  tlp: 3
  status: 'New'
  follow: True

hive_observable_data_mapping:
```
I am attaching a screenshot of the Elasticsearch index pattern, which also shows the result of testing the rule:
![Screenshot 2022-07-27 113102](https://user-images.githubusercontent.com/106651547/181177319-bddfd5e1-1b7a-4ac7-a4a1-b0b7db6ea17f.png)
Please help in rectifying this problem; I've been searching online for quite a while but to no avail.
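As an added example (not part of the issue, and not ElastAlert project code), the rule above is rewritten as a Python dict, exactly as pasted, and run through a small checker for the keys ElastAlert's TheHive alerter needs before it can deliver anything; the required key names (`alert: hivealerter`, `hive_connection` with `hive_host`, `hive_port`, `hive_apikey`) are assumptions taken from the ElastAlert documentation, not from the issue.

```python
"""Check an ElastAlert rule for the keys the TheHive alerter needs."""

# Constructed from the rule pasted in the issue: filter and observable
# mapping are empty there, and no alert/connection keys appear.
RULE_AS_POSTED = {
    "es_host": "192.168.1.165",
    "es_port": 9200,
    "name": "Wazuh",
    "type": "frequency",
    "index": "wazuh-alerts-*",
    "num_events": 1,
    "timeframe": {"minutes": 1},
    "filter": None,
    "hive_alert_config": {
        "type": "external",
        "source": "elastalert",
        "description": "{rule[name]}",
        "severity": 2,
        "tags": ["{rule[name]}", "{match[data][id]}", "{match[agent][name]}"],
        "tlp": 3,
        "status": "New",
        "follow": True,
    },
    "hive_observable_data_mapping": None,
}

# Assumed from the ElastAlert hivealerter docs, not shown in the issue.
HIVE_CONNECTION_KEYS = ("hive_host", "hive_port", "hive_apikey")


def check_rule(rule):
    """Return a list of problems that would keep alerts from reaching TheHive."""
    problems = []
    for key in ("name", "type", "index", "filter"):
        if rule.get(key) is None:
            problems.append(f"{key} is missing or empty")
    if rule.get("type") == "frequency":
        for key in ("num_events", "timeframe"):
            if key not in rule:
                problems.append(f"frequency rule needs {key}")
    alerts = rule.get("alert") or []
    if isinstance(alerts, str):  # ElastAlert accepts a string or a list here
        alerts = [alerts]
    if "hivealerter" not in alerts:
        problems.append("alert does not include hivealerter")
    conn = rule.get("hive_connection") or {}
    problems += [f"hive_connection missing {k}" for k in HIVE_CONNECTION_KEYS if k not in conn]
    if not rule.get("hive_alert_config"):
        problems.append("hive_alert_config is missing or empty")
    return problems
```

Running `check_rule(RULE_AS_POSTED)` lists every gap between the pasted rule and what the alerter expects, so it separates "the query matches" (which the test screenshot shows) from "the match is handed to TheHive".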