
Rewrite part of thehivealerter #2263

Closed · wants to merge 4 commits

Conversation

@agix agix commented May 27, 2019

Using the hive_alert_config_type: classic option, thehivealerter now uses the standard create_title and create_alert_body methods as the other alerters do.

The rest of the specificity of thehive is handled as before.

For aggregations, only one alert is created with standard aggregation_summary_text and artifacts are combined across the matches.

agix commented May 27, 2019

Example of a rule:

```yaml
name: 'Test'

alert:
  - hivealerter

# Matches within 15 seconds that share the same aggregation_key value are
# collapsed into a single TheHive alert; their artifacts are combined.
aggregation:
  seconds: 15
aggregation_key: aggregation_key

summary_table_fields:
  - field1
  - field2

filter:
  - query:
      query_string:
        query: "(type:test)"

# With hive_alert_config_type: classic, the title and body come from the
# standard create_title / create_alert_body methods, so alert_text and
# alert_text_args are honoured as in any other alerter.
alert_text: |
  {0}
  {1}
alert_text_args:
  - name
  - aggregation_key
  - aggregation_summary

hive_alert_config_type: classic

hive_alert_config:
  type: 'test'
  source: 'elastalert-{rule[name]}'
  severity: 3
  tags: ['malicious behavior']
  tlp: 2
  status: 'New'
  follow: True

# One observable per mapping entry, rendered against each match.
hive_observable_data_mapping:
  - ip: "{match[field1]}"
  - source: "{match[field2]}"
```

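The artifact-combining step described in the PR (one alert per aggregation window, observables merged across all matches), as an added Python sketch that is not elastalert's or TheHive's own code: it renders the rule's hive_observable_data_mapping templates against a constructed set of matches and de-duplicates the results, skipping a template whose field a match lacks instead of aborting the whole alert. The match values and the dataType/data output keys are assumptions.

```python
# Constructed sample input: the mapping from the rule above and three matches
# that fell into one aggregation window. Values are made up for illustration.
OBSERVABLE_MAPPING = [
    {"ip": "{match[field1]}"},
    {"source": "{match[field2]}"},
]

MATCHES = [
    {"field1": "203.0.113.10", "field2": "proxy-a"},
    {"field1": "203.0.113.10", "field2": "proxy-b"},  # same ip, new source
    {"field1": "203.0.113.11"},                       # field2 missing
]


def build_artifacts(matches, mapping):
    """Render every mapping entry against every match and combine the
    results into one de-duplicated artifact list for a single alert.

    A template referencing a field the match does not carry is skipped
    for that match; str.format would otherwise raise KeyError and the
    whole aggregated alert would be lost. Output dicts use the
    dataType/data keys of a TheHive alert artifact (assumed shape).
    """
    seen = set()
    artifacts = []
    for match in matches:
        for entry in mapping:
            for data_type, template in entry.items():
                try:
                    value = template.format(match=match)
                except (KeyError, IndexError):
                    continue  # field absent in this match, skip observable
                key = (data_type, value)
                if key in seen:
                    continue  # already reported by an earlier match
                seen.add(key)
                artifacts.append({"dataType": data_type, "data": value})
    return artifacts


if __name__ == "__main__":
    for artifact in build_artifacts(MATCHES, OBSERVABLE_MAPPING):
        print(artifact)
```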


agix commented Nov 27, 2019

Merged in #2585

@agix agix closed this Nov 27, 2019
JasperJuergensen added a commit to JasperJuergensen/elastalert that referenced this pull request Apr 1, 2020
This is based on the pull request by agix Yelp#2585 (Yelp#2585).
This is a merge of:
- Yelp#2263 (Yelp#2263)
- Yelp#2265 (Yelp#2265)
- Yelp#2266 (Yelp#2266)