Failed send alert to TheHive

[tgocoh]

TheHive alert is attempting access to TheHive host's 80 port it seems cannot get value from hive_port. Nginx is working on TheHive server. Config is:

alert:
- hivealerter
hive_connection:
  hive_host: http://192.168.222.111
  hive_port: 9000
  hive_apikey: Y/tcXkAihckFrm6/dEMJE0HbuGMtm8D+
  hive_proxies:
    http: ""
    https: ""
hive_alert_config:
  title: "HiveAlert"
  type: "external"
  source: "elastalert"
  description: "{rule[name]} Sample description"
  severity: 2
  tags: ["tag1", "tag2 {rule[name]}"]
  tlp: 3
  status: "New"
  follow: True
hive_observable_data_mapping:
  - ip: "{match[process_path]}"

description: Detects the execution of whoami, which is often used by attackers after
  exloitation / privilege escalation but rarely used by administrators
filter:
- query:
    query_string:
      query: (event_id:"4688" AND (process_path.keyword:*\\whoami.exe OR file_name_original:"whoami.exe") AND NOT process_command_line.keyword:*csv*)
index: logs-endpoint-winevent-security-*
name: Whoami-Execution_0
priority: 2
realert:
  minutes: 0
type: any

[tgocoh]

Replaced alerts.py with v0.2.0's alerts.py that works fine. v0.2.1 was not tested TheHive related changes.

[JoshuaSmeda]

Do you have a proxy pass in your nginx config to port 9000 (TheHive)?

[msszafar]

@tgocoh this rule worked fine for me

name: Elastalert to Thehive Test

type: frequency

index: .siem-signals-*

num_events: 1

timeframe: minutes: 500

filter:

• query: query_string: {query: "alert_name: 'test - unique src IP count is greater than 20'"}

alert: hivealerter

hive_connection: hive_host: https://aaa.aaa.aaa/ hive_port: 443 hive_apikey: m7yDdYy8m45WtUY5e2rXaMcNk8Rt4e82

hive_alert_config: title: 'testing' type: 'external' source: 'elastalert' description: 'Sample description' severity: 2 tags: ['tag1', 'test'] tlp: 3 status: 'New' follow: True