hive_alert_config title and description fields

[shortstack]

Hi,

We've had the following in our alert configuration prior to the latest upgrade. It was working as expected.

Now, these fields no longer render properly and the docs are a little confusing regarding how the variables in the title and description should be formatted.

Can someone clarify what the proper format is? I've tried several and it just spits out the text instead of the actual variable content and at this point it would be quicker to ask than to keep fighting it.

The tags render fine, but the title and description do not.

Thanks in advance.

Praeco v1.8.8 and ElastAlert v2.1.2

hive_connection:
   hive_host: 
   hive_port:
   hive_apikey: 

hive_alert_config:
  title: "ElastAlert - {match[rule][title]} - {match[agent][hostname]}"
  type: 'external'
  source: 'elastalert'
  description: |
    {match[rule][title]}


    **Hostname:** {match[agent][hostname]}


    **Timestamp:** {match[@timestamp]}


    **Message:** {match[message]}
  severity: 2
  tags: ['elastalert', '{match[rule][title]}', '{match[rule][level]}', '{match[clientid]}']
  tlp: 3
  status: 'New'
  follow: True

[ferozsalam]

Hi - excuse my brevity as I'm on a phone right now with no access to a computer for a few hours.

I will have to check about the title for certain when I'm behind a computer but you should be able to use the standard ElastAlert syntax, alert_subject and alert_subject_args as described at https://elastalert2.readthedocs.io/en/latest/ruletypes.html#alert-subject - you don't need to set a custom title in the hive_alert_config.

The description and (see my reply in thread below) tags can be templated by using the field values from the rule or the match directly - i.e. match[agent][hostname] should be templated as agent.hostname and rule[title] can be templated as title.

This matches how the alert_text field is populated in other alerters across ElastAlert. Where there's a common field in a match and in a rule, the match is given precedence.

Let me know whether this makes sense, happy to help more with getting it working.

[shortstack]

thank you, will give this a shot asap!

[ferozsalam]

I just realised there's an example at https://www.github.com/jertel/elastalert2/tree/master/examples%2Frules%2Fexample_thehive_frequency.yaml which might be useful.

Instead of using the description field within the hive_alert_config you can use the standard ElastAlert alert_text and alert_text_args as shown in the example

[shortstack]

THANK YOU :) perfect. worked like a charm.