Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

KeyError: 'agent' when added custom elastalert rule #3272

Closed utkarshborawake closed 1 year ago

utkarshborawake commented 1 year ago

The custom elastalert rule is mentioned below. I am getting hits and matches for the rule but at the same time getting the error which is mentioned below the rule.

RULE -->

    ACDS_cve_id: ''
    confidence: 90
    description: This alert will trigger when Open VPN user is trying to login with invalid passwords.
    alert:

ERROR -->

    Traceback (most recent call last):
      File "/usr/local/lib/python3.10/site-packages/elastalert/elastalert.py", line 1298, in alert
        return self.send_alert(matches, rule, alert_time=alert_time, retried=retried)
      File "/usr/local/lib/python3.10/site-packages/elastalert/elastalert.py", line 1375, in send_alert
        alert.alert(matches)
      File "/opt/elastalert/modules/custom/ACDS_alerter.py", line 47, in alert
        hostname = match["agent"]["name"]
    KeyError: 'agent'


nsano-rururu commented 1 year ago

elastalert is not maintained. Please use elastalert2. https://github.com/jertel/elastalert2/discussions

utkarshborawake commented 1 year ago

Okay Thanks
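The traceback in the original report ends at `match["agent"]["name"]`, which raises as soon as a single match has no `agent` object, so the alert for that match is never delivered. As an added example (not the reporter's ACDS_alerter.py and not ElastAlert's own code), here is a tolerant field lookup that a custom alerter could use instead; the helper names, the fallback value and the sample matches are assumptions constructed for illustration.

```python
from typing import Any

_MISSING = object()  # sentinel so a stored None is distinguishable from "absent"


def get_field(doc: Any, path: str, default: Any = None) -> Any:
    """Resolve a dotted path such as "agent.name" without raising.

    Handles nested objects ({"agent": {"name": ...}}), flattened keys
    ({"agent.name": ...}) and mixes of both; returns `default` if absent.
    """
    if not isinstance(doc, dict):
        return default
    if path in doc:  # flattened key, or the last path segment
        return doc[path]
    parts = path.split(".")
    # Try the longest prefix first, then recurse into the remainder.
    for i in range(len(parts) - 1, 0, -1):
        head, tail = ".".join(parts[:i]), ".".join(parts[i:])
        if head in doc:
            found = get_field(doc[head], tail, _MISSING)
            if found is not _MISSING:
                return found
    return default


def hostnames_for(matches, field="agent.name", fallback="unknown-host"):
    """Return (hostnames, incomplete): one hostname per match, plus the
    indexes of matches that lacked the field so they can be logged."""
    hostnames, incomplete = [], []
    for idx, match in enumerate(matches):
        name = get_field(match, field)
        if name is None:
            incomplete.append(idx)  # still alert, but record the gap
            name = fallback
        hostnames.append(name)
    return hostnames, incomplete


# Constructed sample matches (not taken from the issue).
SAMPLE_MATCHES = [
    {"@timestamp": "2022-11-21T12:40:01Z", "agent": {"name": "vpn-gw-01"}},
    {"@timestamp": "2022-11-21T12:40:05Z", "agent.name": "vpn-gw-02"},
    {"@timestamp": "2022-11-21T12:40:09Z", "message": "AUTH_FAILED"},
]

if __name__ == "__main__":
    print(hostnames_for(SAMPLE_MATCHES))
```

Logging the `incomplete` indexes shows which documents arrive without the expected field, while the alert itself still goes out.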