From 3ac9f1800bb1860a33c7b909f332fb6b6201efdb Mon Sep 17 00:00:00 2001
From: Wes Lambert <wlambertts@gmail.com>
Date: Fri, 24 Jul 2020 22:04:30 +0000
Subject: [PATCH] Make sure we are searching all clusters when running rules

---
 salt/elastalert/files/rules/so/suricata_thehive.yaml | 2 +-
 salt/elastalert/files/rules/so/wazuh_thehive.yaml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/elastalert/files/rules/so/suricata_thehive.yaml b/salt/elastalert/files/rules/so/suricata_thehive.yaml
index cd887c9f9..fb6c6448d 100644
--- a/salt/elastalert/files/rules/so/suricata_thehive.yaml
+++ b/salt/elastalert/files/rules/so/suricata_thehive.yaml
@@ -9,7 +9,7 @@ es_host: {{es}}
 es_port: 9200
 name: Suricata-Alert
 type: frequency
-index: "so-ids-*"
+index: "*:so-ids-*"
 num_events: 1
 timeframe:
     minutes: 10
diff --git a/salt/elastalert/files/rules/so/wazuh_thehive.yaml b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
index ccb79e1e5..c01bb5894 100644
--- a/salt/elastalert/files/rules/so/wazuh_thehive.yaml
+++ b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
@@ -9,7 +9,7 @@ es_host: {{es}}
 es_port: 9200
 name: Wazuh-Alert
 type: frequency
-index: "so-ossec-*"
+index: "*:so-ossec-*"
 num_events: 1
 timeframe:
     minutes: 10