
Allow dynamic severity for TheHive alerter

Open Thibault-Van-Win opened this issue 1 year ago • 5 comments

Description

A rule for TheHive can currently only set a static severity with possible values being {1, 2, 3, 4}. The alerts in my project are highly dynamic with a severity scale ranging from 0-100. I added an option to the config that allows specifying a custom severity scale, given a severity field in the match. The new config options look as follows:

hive_alert_config:
  severity: 'alert.severity'

# Add custom severity scale
severity_scale:
  - severity: 1
    min: 0
    max: 24
  - severity: 2
    min: 25
    max: 49
  - severity: 3
    min: 50
    max: 74
  - severity: 4
    min: 75
    max: 100

This would not break older configurations as these are still valid.

Let me know if this seems like a valid contribution. In this case, I will write some tests and update the documentation. If not, feel free to reject.

Checklist

  • [x] I have reviewed the contributing guidelines.
  • [ ] I have included unit tests for my changes or additions.
  • [x] I have successfully run make test-docker with my changes.
  • [x] I have manually tested all relevant modes of the change in this PR.
  • [ ] I have updated the documentation.
  • [ ] I have updated the changelog.

Questions or Comments

Thibault-Van-Win avatar May 10 '24 14:05 Thibault-Van-Win

I like the idea of a dynamic severity, but the current implementation looks very specific to your needs. Do you have any ideas to make it less specific? I'm referring to the concept of a severity scale with its specific level thresholds.

jertel avatar May 10 '24 21:05 jertel

This PR is stale because it has been open for 30 days with no activity. The longer a PR remains stale the more out of date with the main branch it becomes.

github-actions[bot] avatar Jun 10 '24 20:06 github-actions[bot]

I removed the custom severity scale in favour of a dynamic severity field to make it more general. This makes it less tailored to our use case. Now, the severity scale can be removed from the config while the severity can now point to a field. Example config:

hive_alert_config:
  severity: 'alert.severity'

In our own project, we moved the severity scale to a custom enhancer that fits our specific needs.

Let me know what you think!

Thibault-Van-Win avatar Jul 05 '24 10:07 Thibault-Van-Win

I like the simplicity of this. Are 1-4 the only supported severities? If not then perhaps it should check if the severity value is a number, and if not then do a lookup.

Otherwise it looks good. Please work on the remaining checklist items. I plan to release the next version in mid July so if you'd like this in that release the checklist will need to be finished before then.

jertel avatar Jul 05 '24 12:07 jertel

Yes, enum{1, 2, 3, 4} contains the only supported values here: [image]

I will try to finish the rest of the checklist before the next release.

Thibault-Van-Win avatar Jul 05 '24 13:07 Thibault-Van-Win
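To make the two configuration shapes discussed in this thread concrete (the original static-or-field `severity` with a `severity_scale`, the later field-only form, and the numeric check jertel asked for), here is an added Python illustration; it is not elastalert2's own alerter code, and `lookup_field`, `resolve_severity`, the sample match and the fallback `default` are assumptions made for the illustration.

```python
from typing import Any, Dict, List, Optional

VALID_SEVERITIES = {1, 2, 3, 4}  # the enum TheHive accepts, as confirmed in the thread

# Constructed sample match and scale (not real data) mirroring the PR's example config.
SAMPLE_MATCH = {"alert": {"severity": 63, "name": "suspicious login"}}
SAMPLE_SCALE = [
    {"severity": 1, "min": 0, "max": 24},
    {"severity": 2, "min": 25, "max": 49},
    {"severity": 3, "min": 50, "max": 74},
    {"severity": 4, "min": 75, "max": 100},
]


def lookup_field(match: Dict[str, Any], dotted_path: str) -> Optional[Any]:
    """Resolve a dotted path such as 'alert.severity' against a match dict
    (hypothetical helper, not elastalert2's own key lookup)."""
    current: Any = match
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def scale_severity(value: float, scale: List[Dict[str, int]]) -> Optional[int]:
    """Map a raw score onto a severity via the [min, max] ranges of severity_scale."""
    for entry in scale:
        if entry["min"] <= value <= entry["max"]:
            return entry["severity"]
    return None  # score outside every configured range


def resolve_severity(match: Dict[str, Any], hive_alert_config: Dict[str, Any],
                     severity_scale: Optional[List[Dict[str, int]]] = None,
                     default: int = 2) -> int:
    """Static int -> used as-is; string -> read that field from the match, then
    pass a numeric value through severity_scale if configured. Anything that does
    not end up in 1..4 falls back to `default`, so a malformed or untrusted field
    value can never send an out-of-range severity to TheHive."""
    configured = hive_alert_config.get("severity", default)
    if isinstance(configured, int) and not isinstance(configured, bool):
        return configured if configured in VALID_SEVERITIES else default
    if not isinstance(configured, str):
        return default
    raw = lookup_field(match, configured)
    if isinstance(raw, bool) or not isinstance(raw, (int, float)):
        return default
    if severity_scale:
        mapped = scale_severity(raw, severity_scale)
        return mapped if mapped in VALID_SEVERITIES else default
    return int(raw) if raw in VALID_SEVERITIES else default
```

With the scale configured, the sample match's score of 63 resolves to severity 3; without a scale the same field is only accepted when it already holds one of the four enum values.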

This PR is stale because it has been open for 30 days with no activity. The longer a PR remains stale the more out of date with the main branch it becomes.

github-actions[bot] avatar Aug 04 '24 20:08 github-actions[bot]

This PR was closed because it has been inactive for 30 days since being marked as stale. It will be automatically locked after an additional 30 days. If there is still a commitment to finishing this PR please re-open it, or request that a project maintainer re-open it before it becomes locked.

github-actions[bot] avatar Sep 04 '24 20:09 github-actions[bot]