{% set es = salt['pillar.get']('static:masterip', '') %}
{% set hivehost = salt['pillar.get']('static:masterip', '') %}
{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
es_host: {{es}}
es_port: 9200
name: Alert-Name
type: frequency
index: "*:logstash-*"
num_events: 1
timeframe:
    minutes: 10
buffer_time:
    minutes: 10
allow_buffer_time_overlap: true

filter:
- query:
   query_string:
      query: 'select from test'

alert: modules.so.thehive.TheHiveAlerter

hive_connection:
  hive_host: https://{{hivehost}}/thehive/
  hive_apikey: {{hivekey}}

hive_proxies:
  http: ''
  https: ''

hive_alert_config:
  title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
  type: 'external'
  source: 'SecurityOnion'
  description: '`Hostname:` __{match[osquery][hostname]}__  `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:`  __{match[osquery][name]}__ `Data:` {match[osquery][columns]}'
  severity: 2
  tags: ['elastalert', 'SecurityOnion']
  tlp: 3
  status: 'New'
  follow: True
  caseTemplate: '5000'

hive_observable_data_mapping:
  - ip: '{match[osquery][EndpointIP1]}'
  - ip: '{match[osquery][EndpointIP2]}'
  - other: '{match[osquery][hostIdentifier]}'
  - other: '{match[osquery][hostname]}'
  - ip: '{match[osquery][columns][address]}'