Aggregation issues with TheHive alerting

[emixam3]

Hi,
I'm trying to use Elastalert to request Suricata alerts in my Elastic to send alerts to TheHive. Standards requests and alerts worked fine, and I've got all my Suricata alerts in TheHive.
But now I'm trying to aggregate these alerts (195 alerts) by signature's names (14 differents names).
This is my rule:

name: ET
type: any
index: logstash*
doc_type: doc


filter:
 - term:
     event_type: "alert"
query:
    query_string:
         query: "_exists_: alert.signature"

query_key: 'alert.signature'

aggregation:
    minutes: 10
aggregation_key: 'alert.signature'
aggregation_by_match_time: true
include:
 - src_ip
 - dest_ip
 - alert.signature

alert: hivealerter

hive_connection:
    hive_host: http:/127.0.0.1:9000
    hive_port: 9000
    hive_apikey: blablabla

hive_alert_config:
    title: '{match[alert][signature]}'
    type: 'NIDS'
    source: 'elastalert'
    description: 'Signature: {match[alert][signature]}'
    severity: 3
    tags : ['{match[src_ip]}']
    tlp: 3
    status: 'New'
    follow: True

hive_observable_data_mapping:
- ip: "{match[src_ip]}"
- ip: "{match[dest_ip]}"

Even with my 10 minutes aggregation time, all my 195 alerts are sent every 2 minutes (my request time). With --verbose, I see all aggregations ID and some adding in, so I think aggregation is quite good, but not alerting in TheHive.

Thanks

[emixam3]

In elastalert logs, I can see that all aggregation alerts are not sent to TheHive.

alert_sent: false

[emixam3]

#2263 Maybe?
@agix

[agix]

You can try it using this tag https://github.com/agix/elastalert/releases/tag/v0.2.1-agix-2

pip install git+https://github.com/agix/elastalert.git@v0.2.1-agix-2

[emixam3]

You can try it using this tag https://github.com/agix/elastalert/releases/tag/v0.2.1-agix-2

pip install git+https://github.com/agix/elastalert.git@v0.2.1-agix-2

And how looks like the alert with your version @agix?
Like in #2263, without hive description field?

[agix]

yep Le lun. 18 nov. 2019 à 11:22, emixam3 <notifications@github.com> a écrit :

…

You can try it using this tag https://github.com/agix/elastalert/releases/tag/v0.2.1-agix-2 pip install ***@***.*** And how looks like the alert with your version @agix <https://github.com/agix>? Like in #2263 <#2263>, without hive description field? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2560?email_source=notifications&email_token=AATQCH6HGZPTXFPZVJWKM7TQUJUFHA5CNFSM4JMBHSTKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEEJ6HUA#issuecomment-554951632>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AATQCHZTEVDG7O6T6TXYGB3QUJUFHANCNFSM4JMBHSTA> .

[emixam3]

Ok, work in progress...
Can you change alert's title? Whatever I defined, it stays as my alert name. The title: '{match[alert][signature]}' doesn't seem to work.

[emixam3]

Ok, work in progress...
Can you change alert's title? Whatever I defined, it stays as my alert name. The title: '{match[alert][signature]}' doesn't seem to work.

Find : use alert_subject and alert_subject_args, and not alert's title.
I do some tests and I will post my rule later.
But with your elastalert, @agix , it works!