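{% set es = salt['pillar.get']('global:managerip', '') %}
{% set hivehost = salt['pillar.get']('global:managerip', '') %}
{% set hivekey = salt['pillar.get']('global:hivekey', '') %}
{% set MANAGER = salt['pillar.get']('manager:url_base', '') %}
# Elastalert rule to forward Suricata alerts from Security Onion to a specified TheHive instance.
#
# Security notes:
# - hivekey is a TheHive API key pulled from pillar. Keep it out of VCS and restrict
#   pillar access to the minion(s) that render this rule; every templated value is
#   quoted below so an empty pillar lookup renders as "" rather than YAML null.
# - hive_host is built with a plain http:// scheme, so the API key travels in clear
#   unless the target is local or behind a TLS-terminating proxy — TODO confirm.
# - MANAGER is set but not referenced in the visible rule body; the pivot links in
#   `description` appear empty in this copy — verify against the upstream rule.
es_host: "{{es}}"
es_port: 9200
name: Suricata-Alert
type: frequency
# Cross-cluster pattern: every so-ids-* index on every configured cluster.
index: "*:so-ids-*"
num_events: 1
timeframe:
  minutes: 10
buffer_time:
  minutes: 10
allow_buffer_time_overlap: true
# Deduplicate per (signature, src, dst) tuple; realert suppresses repeats for a day.
query_key:
  - "rule.uuid"
  - "source.ip"
  - "destination.ip"
realert:
  days: 1
# Only Suricata events with the two highest Suricata severities (1 = highest).
filter:
  - query:
      query_string:
        query: "event.module: suricata AND rule.severity:(1 OR 2)"
alert: hivealerter
hive_connection:
  hive_host: "http://{{hivehost}}"
  # Non-numeric on purpose: presumably concatenated onto hive_host to yield
  # http://<host>:9000/thehive as the API base — confirm with the alerter version in use.
  hive_port: "9000/thehive"
  hive_apikey: "{{hivekey}}"
  hive_proxies:
    http: ''
    https: ''
hive_alert_config:
  title: '{match[rule][name]}'
  type: 'NIDS'
  source: 'SecurityOnion'
  description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
  # Fixed TheHive severity regardless of the Suricata severity that matched.
  severity: 2
  tags:
    - '{match[rule][uuid]}'
    - '{match[source][ip]}'
    - '{match[destination][ip]}'
  # TLP 3 on TheHive's 0-3 scale (RED).
  tlp: 3
  status: 'New'
  follow: true
hive_observable_data_mapping:
  - ip: '{match[source][ip]}'
  - ip: '{match[destination][ip]}'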