Description
I followed your Elastalert configuration tutorial video on YouTube, in which you demonstrated an example rule for TheHive being hit after several failed login attempts, after which a case (alert) for that rule was generated in TheHive. In my scenario I copied the rule that you used in the video and edited it to my requirements, but I am unable to receive any alerts on my TheHive instance, even though my rule gets hit when I test it and even shows up in the index pattern. I have Cortex and MISP integrated in my TheHive instance too.

Here is my rule; I am detecting USB plug-ins on a specified PC:
```yaml
es_host: 192.168.1.165
es_port: 9200
name: Wazuh
type: frequency
index: wazuh-alerts-*
num_events: 1
timeframe:
  minutes: 1
filter:
  - term:
      agent.name: "siemdev-PowerEdge-T440"
  - query:
      query_string:
        query: "data.id:usb"
realert:
  minutes: 3
alert: hivealerter
hive_connection:
  hive_host: http://192.168.1.247
  hive_port: 9000
  hive_apikey: NOhN9pkOSyFYHG8fMTLw4GRVq/070lzM
hive_alert_config:
  type: 'external'
  source: 'elastalert'
  description: '{rule[name]}'
  severity: 2
  tags: ['{rule[name]}', '{match[data][id]}', '{match[agent][name]}']
  tlp: 3
  status: 'New'
  follow: True
hive_observable_data_mapping:
  - ip: "{match[agent][ip]}"
```
I am attaching a screenshot of the Elasticsearch index pattern as well as the result of testing the rule:

[screenshots of the index pattern and the rule test output]
Please help in rectifying this problem. I've been searching online for quite a while but to no avail.
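Before suspecting the TheHive connection itself, it is worth checking whether every `{rule[...]}` / `{match[...]}` placeholder in `hive_alert_config` and `hive_observable_data_mapping` can actually be filled from a real match: a USB event that carries no `agent.ip` field leaves `{match[agent][ip]}` unresolvable, and a failed substitution is a plausible reason for an alert that never reaches TheHive. The checker below is an added example, not ElastAlert's or TheHive's own code; it emulates `str.format`-style placeholder substitution and runs it over two constructed Wazuh-style match documents, one with and one without `agent.ip`.

```python
import re

# Placeholder-bearing values copied from the rule posted in this issue.
ALERT_TEMPLATES = {
    "description": "{rule[name]}",
    "tags": ["{rule[name]}", "{match[data][id]}", "{match[agent][name]}"],
    "observable_ip": "{match[agent][ip]}",
}
RULE = {"name": "Wazuh"}

# Constructed sample matches, nested the way Elasticsearch returns documents.
MATCH_WITH_IP = {
    "agent": {"name": "siemdev-PowerEdge-T440", "ip": "192.168.1.50"},
    "data": {"id": "usb"},
}
MATCH_WITHOUT_IP = {
    "agent": {"name": "siemdev-PowerEdge-T440"},
    "data": {"id": "usb"},
}

# {rule[name]} or {match[agent][ip]}: group 1 is the root, group 2 the [key] path.
PLACEHOLDER = re.compile(r"\{(rule|match)((?:\[[^\]]+\])+)\}")


def _lookup(root, path):
    """Walk `root` along a '[a][b]' path; KeyError/TypeError if a key is absent."""
    node = root
    for key in re.findall(r"\[([^\]]+)\]", path):
        node = node[key]
    return node


def render(template, rule, match):
    """Fill every placeholder in `template` from `rule` and `match`."""
    def sub(m):
        root = rule if m.group(1) == "rule" else match
        return str(_lookup(root, m.group(2)))
    return PLACEHOLDER.sub(sub, template)


def unresolved_placeholders(templates, rule, match):
    """Return the placeholders that cannot be resolved against this match."""
    missing = []
    for value in templates.values():
        for tpl in (value if isinstance(value, list) else [value]):
            for m in PLACEHOLDER.finditer(tpl):
                try:
                    _lookup(rule if m.group(1) == "rule" else match, m.group(2))
                except (KeyError, TypeError):
                    missing.append(m.group(0))
    return missing
```

Running `unresolved_placeholders(ALERT_TEMPLATES, RULE, match)` over real hits from the `wazuh-alerts-*` index tells you which field the observable mapping is missing before the alerter ever contacts TheHive.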