Hi all, is there a way to force elastalert to ignore the KeyError: when a match field in the observable mapping is empty or inexistent?
What I am trying to acheive is to automatically attach the observables to the alert (if and when they exist) before sending to TheHive as shown below:
The problem is, all these fields are not always present in a match: some times, a combination of 2 or 3 and some time none at all. Whenever any one of these field in not present, Elastalert will result to an error and not send the alert to thehive at all.
Hi all, is there a way to force elastalert to ignore the
KeyError:when a match field in the observable mapping is empty or inexistent? What I am trying to acheive is to automatically attach the observables to the alert (if and when they exist) before sending to TheHive as shown below:The problem is, all these fields are not always present in a match: some times, a combination of 2 or 3 and some time none at all. Whenever any one of these field in not present, Elastalert will result to an error and not send the alert to thehive at all.
I wonder if there is a solution to this issue.