Observables for TheHive

[akiradreams]

I have the rule already created, but it doesn't send me any observable no and I don't know what the problem is, the alert is created but without any observable.
Code:

name: demo
type: frequency
index: filebeat-*

num_events: 3

timeframe:
  hours: 1

realalert:
  minutes: 0

filter: []

alert: hivealerter

hive_connection:
  hive_host: http://xxx.xxx.xxx.xxx
  hive_port: 9000
  hive_apikey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  hive_proxies:
    http: ''
    https: ''

hive_alert_config:
  title: 'Test For Alerts'
  type: 'external'
  source: 'elastalert'
  description: '{match[message]}'
  severity: 2
  tags: ['elastalert', 'from {rule[name]}']
  tlp: 3
  status: 'New'
  follow: True

hive_observable_data_mapping:
  - alert: "{match[dissect.alert]}"

The dissect.alert, is a field created with the dissect option of filebeat.

Thanks for reading :)

[ferozsalam]

It looks like you're using the old-style TheHive alerter syntax. Which version of ElastAlert are you using? If you're using the latest version of ElastAlert, you need to use the syntax described in the documentation here: https://elastalert2.readthedocs.io/en/latest/ruletypes.html#thehive

[akiradreams]

OMG i'm retard.
Thank's you a lot bro ;)

[akiradreams]

I can change this specific type?

[ferozsalam]

This is the list of observable types - I think for any further assistance you need to speak to the maintainers of TheHive.

[akiradreams]

Ohhh okay, thanks

[markus-nclose]

I used a conversion script to migrate my rules to the new format. Just adding the relevant part in the discussion if someone needs to migrate. This simply removes all the formatting {match[]}

#!/bin/bash
for file in *.yaml; do
  sed -i -E 's/'\''\{match\[//' "$file"
  sed -i -E 's/\]\}'\''//' "$file"
  sed -i -E 's/\"\{match\[//' "$file"
  sed -i -E 's/\]\}\"//' "$file"
  sed -i -E 's/\]\[/./' "$file"
done