Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Aggregation issues with TheHive alerting #2560

Open emixam3 opened 4 years ago

emixam3 commented 4 years ago

Hi, I'm trying to use ElastAlert to query Suricata alerts in my Elastic and send alerts to TheHive. Standard queries and alerts worked fine, and I've got all my Suricata alerts in TheHive. But now I'm trying to aggregate these alerts (195 alerts) by signature name (14 different names). This is my rule:

name: ET
type: any
index: logstash*
doc_type: doc

filter:
  - term:
      event_type: "alert"
query:
  query_string:
    query: "_exists_: alert.signature"

query_key: 'alert.signature'

aggregation:
  minutes: 10
aggregation_key: 'alert.signature'
aggregation_by_match_time: true
include:
  - src_ip
  - dest_ip
  - alert.signature

alert: hivealerter

hive_connection:
  hive_host: http://127.0.0.1:9000
  hive_port: 9000
  hive_apikey: blablabla

hive_alert_config:
  title: '{match[alert][signature]}'
  type: 'NIDS'
  source: 'elastalert'
  description: 'Signature: {match[alert][signature]}'
  severity: 3
  tags: ['{match[src_ip]}']
  tlp: 3
  status: 'New'
  follow: True

hive_observable_data_mapping:
  - ip: "{match[src_ip]}"
  - ip: "{match[dest_ip]}"

Even with my 10-minute aggregation time, all my 195 alerts are sent every 2 minutes (my query interval). With --verbose, I see all the aggregation IDs and some matches being added to them, so I think the aggregation is working, but it is not alerting in TheHive.

Thanks

emixam3 commented 4 years ago

In elastalert logs, I can see that all aggregation alerts are not sent to TheHive.

alert_sent: false
emixam3 commented 4 years ago

#2263 maybe?

@agix

agix commented 4 years ago

You can try it using this tag https://github.com/agix/elastalert/releases/tag/v0.2.1-agix-2

pip install git+https://github.com/agix/elastalert.git@v0.2.1-agix-2

emixam3 commented 4 years ago

You can try it using this tag https://github.com/agix/elastalert/releases/tag/v0.2.1-agix-2

pip install git+https://github.com/agix/elastalert.git@v0.2.1-agix-2

And what does the alert look like with your version, @agix? Like in #2263, without the hive description field?

agix commented 4 years ago

yep

On Mon., 18 Nov. 2019 at 11:22, emixam3 notifications@github.com wrote:

You can try it using this tag https://github.com/agix/elastalert/releases/tag/v0.2.1-agix-2

pip install git+https://github.com/agix/elastalert.git@v0.2.1-agix-2

And what does the alert look like with your version, @agix https://github.com/agix? Like in #2263 https://github.com/Yelp/elastalert/pull/2263, without the hive description field?


emixam3 commented 4 years ago

Ok, work in progress... Can you change the alert's title? Whatever I define, it stays as my alert name. The title: '{match[alert][signature]}' doesn't seem to work.

emixam3 commented 4 years ago

Found it: use alert_subject and alert_subject_args, not the alert's title. I'm doing some tests and will post my rule later. But with your ElastAlert, @agix, it works!
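As an added illustration (not code from this issue, from ElastAlert or from TheHive), the following simplified model shows what the thread settles on: one alert per `aggregation_key` value, titled through `alert_subject` / `alert_subject_args` with dotted-key lookup, rather than one alert per matching document. The match documents and signature names are constructed sample data, and `lookup_es_key`, `render_subject` and `aggregate` are hypothetical helpers that imitate the documented behaviour, not ElastAlert's own functions.

```python
from collections import defaultdict


def lookup_es_key(match, key):
    """Resolve a dotted key such as 'alert.signature' against a nested match
    dict, the way alert_subject_args entries are resolved. None if absent."""
    value = match
    for part in key.split('.'):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def render_subject(rule, match):
    """Fill alert_subject with the positional alert_subject_args values.
    Without alert_subject the title falls back to the bare rule name,
    which is the behaviour the reporter observed."""
    args = [lookup_es_key(match, k) for k in rule.get('alert_subject_args', [])]
    if rule.get('alert_subject'):
        return rule['alert_subject'].format(*args)
    return rule['name']


def aggregate(rule, matches):
    """Group matches by aggregation_key and build one alert summary per
    group: a title, the distinct IP observables and the match count."""
    groups = defaultdict(list)
    for m in matches:
        groups[lookup_es_key(m, rule['aggregation_key'])].append(m)
    return {
        key: {'title': render_subject(rule, grp[0]),
              'observables': sorted({m['src_ip'] for m in grp} | {m['dest_ip'] for m in grp}),
              'count': len(grp)}
        for key, grp in groups.items()
    }


# Hypothetical rule fragment mirroring the field names used in the issue.
RULE = {
    'name': 'ET',
    'aggregation_key': 'alert.signature',
    'alert_subject': 'Suricata: {0}',
    'alert_subject_args': ['alert.signature'],
}

# Constructed sample matches (not real traffic or real signature names).
MATCHES = [
    {'src_ip': '10.0.0.5', 'dest_ip': '10.0.0.9', 'alert': {'signature': 'ET TEST sig A'}},
    {'src_ip': '10.0.0.6', 'dest_ip': '10.0.0.9', 'alert': {'signature': 'ET TEST sig A'}},
    {'src_ip': '10.0.0.7', 'dest_ip': '10.0.0.8', 'alert': {'signature': 'ET TEST sig B'}},
]
```

Running `aggregate(RULE, MATCHES)` yields two alerts for three matches, each titled with its signature instead of the rule name "ET".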