IRIS alert context does not work correctly #1348
-
Elasticsearch 7.17.0
hostname, domain, ip, user and timestamp don't work. These fields in IRIS are empty. The dot somehow gets in the way... Please, help. All fields of Windows logs contain dots.
Replies: 5 comments 10 replies
-
Please see #11 and format your message appropriately.
-
Hi, @Areopagit For the test, I used the following document from my test ES:
And the next block in rule:
Could you provide more details about your issue? It would be helpful to have an example document and any errors, if they exist, on Iris's side, if possible.
-
Hi, @malinkinsa. I used the following document from my ELK Stack (7.17.0):
This is my rule:
And result in IRIS:
I don't see any errors, an alert is being created, but some fields are empty...
I am just considering the transition from TheHive to IRIS. But my IOCs worked:
-
Sorry to bother you, I also found that IOCs about IP-address are not working (marked #):
More precisely, when using them, the alert is not sent at all with error 400. I didn't find anything about this error in the documentation.
-
@Areopagit hello.
There was an issue with nested JSON within the document. To fix it, I borrowed the approach used in TheHive's alerter. I checked both options - couldn't replicate the problem after the fix. Also expanded the tests.
Regarding IOC and IPs, the problem lies in the fact that your IP data is formatted as a list
[]
and therefore doesn't pass the IRIS validator. Ideally, you should parse it into a separate field and request that.
@jertel PR ready, any feedback is welcome.
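An added Python example (not ElastAlert2's code and not the PR described above) illustrating the two points raised in this thread: resolving dotted field names such as `host.name` against a nested Elasticsearch document instead of sending empty values, and splitting a list-valued IP field into single, validated values before they are submitted as IoCs. The sample document, the field mapping and the function names are constructed for this example.

```python
import ipaddress
from typing import Any


def lookup_dotted(doc: dict, path: str) -> Any:
    """Resolve 'host.name' whether stored nested ({"host": {"name": ..}}) or flat."""
    if path in doc:                  # flat key that literally contains dots
        return doc[path]
    node: Any = doc
    for part in path.split("."):     # walk nested objects one segment at a time
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render_context(doc: dict, mapping: dict) -> dict:
    """Build the alert context from field -> dotted path; unresolved fields are dropped."""
    context = {}
    for field, path in mapping.items():
        value = lookup_dotted(doc, path)
        if value not in (None, "", []):
            context[field] = value
    return context


def ip_iocs(value: Any) -> list:
    """Turn a scalar or list IP field into individual, validated IP strings."""
    values = value if isinstance(value, list) else [value]
    out = []
    for v in values:
        try:
            out.append(str(ipaddress.ip_address(str(v).strip())))
        except ValueError:
            continue                 # skip anything that is not a plain IP address
    return out


# Constructed sample document (not from the discussion) in the style of a
# Windows event shipped through the Elastic stack; note the nested objects
# and the one flat key that itself contains a dot.
SAMPLE_DOC = {
    "@timestamp": "2024-01-01T00:00:00.000Z",
    "host": {"name": "WS01", "ip": ["10.0.0.5", "fe80::1"]},
    "user": {"name": "alice", "domain": "CORP"},
    "winlog.event_id": 4624,
}

CONTEXT_MAPPING = {"hostname": "host.name", "domain": "user.domain",
                   "user": "user.name", "timestamp": "@timestamp",
                   "event_id": "winlog.event_id", "missing": "process.name"}
```

Running `render_context(SAMPLE_DOC, CONTEXT_MAPPING)` fills every field present in the document and omits `missing`; `ip_iocs(SAMPLE_DOC["host"]["ip"])` yields one entry per address, which is the per-value shape the validator expects.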