hive_observable_data_mapping not working for TheHive4

[siemproduct]

Hi Team,
I am using TheHive4.1.7 and trying to create a case via Elastalert.

The case is being created fine but when it comes to observables or titles or any custom fields, it is not working as expected.

I see the variable input instead of actual value in TheHIve4 alert section. Example: {rule[name]}

elast.yaml is as below:
hive_connection: hive_host: http://1.1.1.1/ hive_port: 1000 hive_apikey: key-here hive_alert_config: title: '{rule[name]}' type: 'test' source: 'test' description: '{rule[name]}' severity: 2 tags: ['{rule[name]}'] tlp: 3 status: 'New' follow: True include: [message] hive_observable_data_mapping: - message: "{match[message]}"

PFA screenshot

[ferozsalam]

Which version of ElastAlert are you using? Can you post your rule definition? And finally, can you link me to the documentation you are using to define the rule?

[siemproduct]

Thanks @ferozsalam that helped.

[ZainULArfeen]

Assalam o Alikum @ferozsalam,
Hope you are doing well, we are using TheHive 4.1.10-1 and we are writing rules, everything is working fine but we are having trouble with the CustomFields. We want to get agentname, srcip etc in customFields, below is the file we are using when we run elastalert service we get this error

"ERROR:elastalert:Error while running alert hivealerter: Error posting to TheHive: 404 Client Error: Not Found for url: https://192.168.142.74"

Here is the rule we are trying:

es_host: 104.207.142.74
es_port: 9200
name: Wazuh-Rule-ID
type: frequency
index: wazuh-alerts-4.x-*
num_events: 1
timeframe:
    hours: 1
filter:
- term:
    rule.level: "5"

# Alternative for the Title
alert_subject_args:
- rule.description
alert_subject: "{0}"

#Alternative for the description
alert_text_args: [ "rule.description", "agent.name", "@timestamp", "full_log" ]
alert_text_type: alert_text_only
alert_text:  |
     '{0} . {2}'

realert:
  minutes: 0
alert: hivealerter
hive_connection:
  hive_host: https://104.207.142.111
  hive_port: 443
  hive_apikey: zBOlBlfBY/6neow6L0HVxBPK2VcP0Tc2

hive_alert_config:
  customFields:
    - name: Agent Name
      type: string
      value: agent.name

  type: 'Security Logs'
  source: 'elastalert'
  severity: 2
  tags: ["agent.name", "agent.id", "rule.description"]
  tlp: 3
  status: 'New'
  follow: True

hive_observable_data_mapping:
    - ip: agent.ip

[ferozsalam]

Salam @ZainULArfeen - this is because your es_host value needs to point to a valid Elasticsearch client - but you seem to be pointing it at Cloudflare's public DNS server?

[ZainULArfeen]

@ferozsalam can you please recheck i have changed it, we added 1.1.1.1 just to hide our ip

[jertel]

@ZainULArfeen Please review the pinned Discussion #11. This should not have been posted to this old and unrelated discussion.