Closed adilraad2001 closed 4 months ago
Hello. When I try to send an alert from elastalert2 to TheHive it works, but when I want to add some alert config like
title: {rule[index]} or title: {rule[name]}
I receive in TheHive an alert with the name rule[index], so I get only the variable, not the value:
My rules file:
```yaml
description: Detects creation of WMI event subscription persistence method
exponential_realert:
  minutes: 60
filter:
  - query:
      query_string:
        query: event.code:("19" OR "20" OR "21")
http_post_static_payload:
  sigma_rule_metadata:
    description: Detects creation of WMI event subscription persistence method
    level: medium
index: .ds-winlogbeat-*
name: 0f06a3a5-6a09-413f-8743-e6cf35561297
priority: 2
realert:
  minutes: 0
type: any
query_key:
  - name
tags: "name"
alert:
  - "hivealerter"
# (required, email specific)
# a list of email addresses to send alerts to
hive_connection:
  hive_host: http://
  hive_port: 9000
  hive_apikey: k9aKB6ogFEUUWjE8QkHWPrdvLlx9ufiq
hive_alert_config:
  type: 'external'
  source: 'instance1'
  # description: '{rule[name]}'
  title: {rule[index]}
  description: '{match[alert]}'
  severity: 2
  tags: [ "{{rule[name]}}", '{match[data][alert][signature]}', '{match[data][alert][signature_id]}']
  tlp: 3
  status: 'New'
  follow: True
hive_observable_data_mapping:
  - ip: "{match[data][srcip]}"
```
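The placeholder handling the report is about, as an added example that is not elastalert2's own code: it assumes the alerter resolves `{rule[...]}` and `{match[...]}` with Python `str.format(rule=..., match=...)` on each string-valued field, and it shows why a doubled-brace entry such as the `"{{rule[name]}}"` tag in the rule file above comes out as the literal placeholder text. The rule, match and config values are constructed.

```python
"""Model how '{rule[...]}' / '{match[...]}' placeholders in a hive_alert_config
block resolve. Added example, not elastalert2's own code; it assumes the alerter
applies Python str.format(rule=..., match=...) to every string-valued field."""
import re

# Constructed rule and match, modelled on the rule file in the issue.
RULE = {"index": ".ds-winlogbeat-*",
        "name": "0f06a3a5-6a09-413f-8743-e6cf35561297"}
MATCH = {"alert": "WMI event subscription created",
         "data": {"srcip": "10.0.0.5",
                  "alert": {"signature": "WMI persistence", "signature_id": 20}}}

# Constructed hive_alert_config, following the placeholders used in the issue.
HIVE_ALERT_CONFIG = {
    "title": "{rule[index]}",
    "description": "{match[alert]}",
    "tags": ["{{rule[name]}}",   # doubled braces: str.format emits "{rule[name]}" literally
             "{match[data][alert][signature]}",
             "{match[data][alert][signature_id]}"],
    "severity": 2,
}

PLACEHOLDER = re.compile(r"\{(rule|match)\[")


def render_field(value, rule, match):
    """Resolve placeholders in a string, element-wise in a list; other types pass through."""
    if isinstance(value, str):
        return value.format(rule=rule, match=match)
    if isinstance(value, list):
        return [render_field(v, rule, match) for v in value]
    return value


def render_config(config, rule, match):
    """Render every field of a hive_alert_config-style mapping."""
    return {k: render_field(v, rule, match) for k, v in config.items()}


def unresolved_fields(rendered):
    """Names of fields whose rendered value still looks like a placeholder,
    which is what a '{{...}}' escape produces; use it to lint a rule before deploying."""
    bad = []
    for key, value in rendered.items():
        items = value if isinstance(value, list) else [value]
        if any(isinstance(v, str) and PLACEHOLDER.search(v) for v in items):
            bad.append(key)
    return bad


if __name__ == "__main__":
    rendered = render_config(HIVE_ALERT_CONFIG, RULE, MATCH)
    print(rendered)
    print("unresolved:", unresolved_fields(rendered))   # ['tags']
```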