Hi community,
I'm currently using Elastic Stack 8.x and TheHive 5 (Docker deployment). I'm trying to create an ES|QL-based detection rule for SSH brute-force attempts and send alerts to TheHive using a webhook.
The alert is triggered correctly, but in TheHive the description field is empty, even though I try to include data like source.ip, user.name, and host.name.
What I Did
1. ES|QL Rule:
```sql
FROM logs-*
| WHERE @timestamp >= NOW() - 5m
    AND event.dataset == "system.auth"
    AND event.outcome == "failure"
    AND process.name == "sshd"
| STATS
    failures = COUNT(),
    last_seen = MAX(@timestamp)
  BY source.ip, user.name, host.name
| WHERE failures >= 3
```
2. Webhook JSON:
```json
{
  "title": "SSH Brute Force",
  "description": "User {{context.alert.user.name}} failed {{context.alert.failures}} SSH logins from IP {{context.alert.source.ip}} on host {{context.alert.host.name}}. Last seen: {{context.alert.last_seen}}",
  "type": "external",
  "source": "Elastic SIEM",
  "sourceRef": "{{context.rule.id}}-{{context.alert.id}}",
  "severity": 2,
  "tlp": 2,
  "pap": 2
}
```
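The empty description is what a Mustache template produces when a variable path does not resolve: Mustache substitutes the empty string rather than failing. Kibana's rule-action variables expose the rule under `context.rule` and the matching alert documents as the `context.alerts` array, so a template can only reach per-alert fields by iterating that array with a `{{#context.alerts}} ... {{/context.alerts}}` section. The script below is an added example, not code from the post, Kibana or TheHive: it is a minimal stand-in for Kibana's Mustache rendering (variables and list sections only), run against a constructed action context. The alert field values are made up, `rule-id-placeholder` stands in for a real rule id, and it is an assumption of this example that the STATS columns (`failures`, `last_seen`) appear as top-level fields of each alert document. It renders the template shape used in the post next to the section-based shape so the difference in output is visible before the webhook is wired up.

```python
import json
import re

# Constructed stand-in for the Kibana rule-action context. Assumption: the
# documented shape is context.rule (object) plus context.alerts (array of
# alert documents); the values themselves are invented for this example.
SAMPLE_CONTEXT = {
    "context": {
        "rule": {"id": "rule-id-placeholder", "name": "SSH Brute Force"},
        "alerts": [
            {
                "source": {"ip": "203.0.113.10"},   # TEST-NET-3, constructed
                "user": {"name": "root"},
                "host": {"name": "bastion-01"},
                "failures": 7,                      # assumed STATS column
                "last_seen": "2024-01-01T00:00:00.000Z",
            }
        ],
    }
}

# Template shape from the post: a path under context.alert, which the context
# above does not contain, so every tag renders as an empty string.
POSTED_TEMPLATE = (
    "User {{context.alert.user.name}} failed {{context.alert.failures}} SSH logins "
    "from IP {{context.alert.source.ip}} on host {{context.alert.host.name}}."
)

# Section form: iterate context.alerts and read fields relative to each alert.
SECTION_TEMPLATE = (
    "{{#context.alerts}}User {{user.name}} failed {{failures}} SSH logins "
    "from IP {{source.ip}} on host {{host.name}}. Last seen: {{last_seen}}\n"
    "{{/context.alerts}}"
)

SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
VAR_RE = re.compile(r"\{\{([\w.]+)\}\}")


def lookup(path, scopes):
    """Resolve a dotted name against a stack of scopes, innermost first.
    Returns None when no scope contains the full path."""
    for scope in reversed(scopes):
        node = scope
        for part in path.split("."):
            if isinstance(node, dict) and part in node:
                node = node[part]
            else:
                break
        else:
            return node
    return None


def render(template, data, scopes=None):
    """Minimal Mustache: {{a.b}} variables and {{#list}}...{{/list}} sections.
    An unresolved variable renders as "", which is the Mustache behaviour that
    leaves a description blank when the path is wrong."""
    scopes = [data] if scopes is None else scopes

    def expand_section(m):
        items = lookup(m.group(1), scopes)
        if not items:
            return ""
        if not isinstance(items, list):
            items = [items]
        # Each list element becomes the innermost scope for the section body.
        return "".join(render(m.group(2), data, scopes + [item]) for item in items)

    def expand_var(m):
        value = lookup(m.group(1), scopes)
        return "" if value is None else str(value)

    return VAR_RE.sub(expand_var, SECTION_RE.sub(expand_section, template))


def build_webhook_body(template, ctx):
    """Assemble the TheHive alert body, rendering description and sourceRef."""
    return {
        "title": "SSH Brute Force",
        "description": render(template, ctx),
        "type": "external",
        "source": "Elastic SIEM",
        "sourceRef": render("{{context.rule.id}}", ctx),
        "severity": 2,
        "tlp": 2,
        "pap": 2,
    }


if __name__ == "__main__":
    print("posted shape :", repr(render(POSTED_TEMPLATE, SAMPLE_CONTEXT)))
    print("section shape:", repr(render(SECTION_TEMPLATE, SAMPLE_CONTEXT)))
    print(json.dumps(build_webhook_body(SECTION_TEMPLATE, SAMPLE_CONTEXT), indent=2))
```

Running it shows the posted shape collapsing to `User  failed  SSH logins from IP  on host .` while the section shape carries the alert fields through; checking a template this way against a captured action context is a quick way to confirm the variable paths before pointing the connector at TheHive.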