From 0b0d8e21ed2db355141ab53b921f3713b7229dfa Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 31 Oct 2019 11:08:52 -0400
Subject: [PATCH] Adds NIDS SID to Hive Alert as a Tag
---
 salt/elastalert/files/rules/so/nids2hive.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml
index 7d55b4675..92de99537 100644
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -40,7 +40,7 @@ hive_alert_config:
 source: 'SecurityOnion'
 description: "`NIDS Dashboard:` \n\n \n\n `IPs: `{match[source_ip]}:{match[source_port]} --> {match[destination_ip]}:{match[destination_port]} \n\n `Signature:` {match[rule_signature]}"
 severity: 2
- tags: ['elastalert', 'SecurityOnion', 'NIDS']
+ tags: ['elastalert', 'SecurityOnion', 'NIDS','{match[sid]}']
 tlp: 3
 status: 'New'
 follow: True
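Review bot: The new `'{match[sid]}'` entry on the `tags:` line adds a bare number to the alert's tag list, which is hard to tell apart from any other numeric tag when analysts filter or pivot in TheHive; a prefixed form such as `'sid:{match[sid]}'` would keep the rule ID self-describing. The description in the same block reads `match[rule_signature]`, so it is worth confirming that matched documents carry a field literally named `sid`, and checking what the alerter does when it is absent (presumably either a literal `{match[sid]}` tag or a failed alert, neither of which helps triage). The entry also drops the space after the comma that the rest of the list uses: `tags: ['elastalert', 'SecurityOnion', 'NIDS', 'sid:{match[sid]}']`. The `hive_alert_config` mapping starts above the hunk and the rest of the rule is not visible here.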