We configured a rule to send alerts to TheHive when it triggers. However, it is sending the same alerts every minute. Is it possible to make it stop doing it and send alerts only when it was not triggered before? By the way, all alerts in TheHive have the same alert id, which means for sure that it is dublicating Here is the rule itself: filter: query_string: query: "SPAM AND source_context: \"ESET Filtering Agent\"" terms_window_size: days: 1 aggregation: minutes: 30 alert_text_type: alert_text_only alert_text: "TEST-alert-id: {}\n\nIndex: {}\n\nSender address: {}\n\nRecipient address: {}\n\nMessage subject: {}" alert_text_args: alert_id _index sender_address recipient_address message_subject

Alert dublicates

anonymous

We configured a rule to send alerts to TheHive when it triggers. However, it is sending the same alerts every minute. Is it possible to make it stop doing it and send alerts only when it was not triggered before?

By the way, all alerts in TheHive have the same alert id, which means for sure that it is dublicating
Here is the rule itself:
filter:

query_string:
query: "SPAM AND source_context: \"ESET Filtering Agent\""
terms_window_size:
days: 1
aggregation:
minutes: 30
alert_text_type: alert_text_only
alert_text: "TEST-alert-id: {}\n\nIndex: {}\n\nSender address: {}\n\nRecipient address: {}\n\nMessage subject: {}"
alert_text_args:
alert_id
_index
sender_address
recipient_address
message_subject

SzymonC

Seems like realert function is what you are looking for:

realert

This option allows you to ignore repeating alerts for a period of time. If the rule uses a query_key, this option will be applied on a per key basis. All matches for a given rule, or for matches with the same query_key, will be ignored for the given time. All matches with a missing query_key will be grouped together using a value of _missing. This is applied to the time the alert is sent, not to the time of the event. It defaults to one minute, which means that if alert is run over a large time period which triggers many matches, only the first alert will be sent by default. If you want every alert, set realert to 0 minutes. (Optional, time, default 1 minute)

Example:

filter:
- query_string:
    query: "_exists_: hoststate AND datatype: \"HOSTPERFDATA\" AND _exists_: hostname"

query_key: hostname
realert:
  minutes: 5

By the way, I encourage you to add ``` ... ``` or ` ... ` signs around configs, codes, function, messages and alerts definition, as it greatly helps us to understand structure and read the configs. Thanks. 🙂

anonymous

I am encountering the same problem now and relaert did not help to solve this problem. The issue is that the rule triggers once, and then this alert dublicates in TheHive and telegram messages every minute unstoppably.

If you take a look in discover tab, index alert, it shows nearly 1k logs with the same timestamp:

In Incidents tab, it shows 20 alerts:

The rule itself:

filter:
  - query_string:
      query: "SPAM AND source_context: \"ESET Filtering Agent\""
timeframe:
  minutes: 30
realert:
  hours: 1
alert_text_type: alert_text_only
alert_text: "Index: {}\n\nSender address: {}\n\nRecipient address: {}\n\nMessage subject: {}"
alert_text_args:
  - _index
  - sender_address
  - recipient_address
  - message_subject

SzymonC

Hm, interesting. I'll look it up further.
I'm guessing you are using rule type of Any? Could you check it out with type Frequency and use num_events: 1? Something like below:

filter:
  - query_string:
      query: "SPAM AND source_context: \"ESET Filtering Agent\""
timeframe:
  minutes: 30
num_events: 1  
realert:
  hours: 1

alert_text_type: alert_text_only
alert_text: "Index: {}\n\nSender address: {}\n\nRecipient address: {}\n\nMessage subject: {}"
alert_text_args:
  - _index
  - sender_address
  - recipient_address
  - message_subject

With Type Frequency: