{% set es = salt['pillar.get']('global:managerip', '') %}
{% set hivehost = salt['pillar.get']('global:managerip', '') %}
{% set hivekey = salt['pillar.get']('global:hivekey', '') %}
{% set MANAGER = salt['pillar.get']('manager:url_base', '') %}

# Elastalert rule to forward high level Wazuh alerts from Security Onion to a specified TheHive instance.
#
es_host: {{es}}
es_port: 9200
name: Wazuh-Alert
type: any
index: "*:so-ossec-*"
buffer_time:
    minutes: 5
realert:
    days: 1
filter:
- query:
   query_string:
      query: "event.module: ossec AND rule.level>=8"

alert: hivealerter

hive_connection:
  hive_host: http://{{hivehost}}
  hive_port: 9000/thehive
  hive_apikey: {{hivekey}}
  
hive_proxies:
  http: ''
  https: ''

hive_alert_config:
  title: '{match[rule][name]}'
  type: 'wazuh'
  source: 'SecurityOnion'
  description: "`SOC Hunt Pivot:` \n\n <https://{{MANAGER}}/#/hunt?q=event.module%3A%20ossec%20AND%20rule.id%3A{match[rule][id]}%20%7C%20groupby%20host.name%20rule.name>  \n\n `Kibana Dashboard Pivot:` \n\n <https://{{MANAGER}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))>"
  severity: 2
  tags: ['{match[rule][id]}','{match[host][name]}']
  tlp: 3
  status: 'New'
  follow: True

hive_observable_data_mapping:
  - other: '{match[host][name]}'