I finally got my hands around Signals creation. After many errors I got my alert logic to give me back some result; now I am stuck at the action part of my webhook to TheHive.
This is the error I get:
{
  "tenant": "_main",
  "watch_id": "mywatch",
  "status": {
    "code": "ACTION_FAILED",
    "detail": "All actions failed"
  },
  "execution_start": "2020-08-14T15:38:43.514Z",
  "execution_end": "2020-08-14T15:38:43.606Z",
  "actions": [
    {
      "name": "my_webhook_action",
      "status": {
        "code": "ACTION_FAILED",
        "detail": "Web hook returned error: HTTP/1.1 400 Bad Request\n\n{\"type\":\"AttributeCheckingError\",\"message\":\"[Attribute type is missing][Attribute source is missing][Attribute sourceRef is missing][Attribute title is missing][Attribute description is missing]\",\"errors\":[{\"name\":\"type\",\"type\":\"MissingAttributeError\"},{\"name\":\"source\",\"type\":\"MissingAttributeError\"},{\"name\":\"sourceRef\",\"type\":\"MissingAttributeError\"},{\"name\":\"title\",\"type\":\"MissingAttributeError\"},{\"name\":\"description\",\"type\":\"MissingAttributeError\"}]}"
      },
      "error": {
        "message": "Web hook returned error: HTTP/1.1 400 Bad Request\n\n{\"type\":\"AttributeCheckingError\",\"message\":\"[Attribute type is missing][Attribute source is missing][Attribute sourceRef is missing][Attribute title is missing][Attribute description is missing]\",\"errors\":[{\"name\":\"type\",\"type\":\"MissingAttributeError\"},{\"name\":\"source\",\"type\":\"MissingAttributeError\"},{\"name\":\"sourceRef\",\"type\":\"MissingAttributeError\"},{\"name\":\"title\",\"type\":\"MissingAttributeError\"},{\"name\":\"description\",\"type\":\"MissingAttributeError\"}]}"
      },
      "execution_start": "2020-08-14T15:38:43.524Z",
      "execution_end": "2020-08-14T15:38:43.599Z"
    }
  ],
  "node": "elk-sg",
  "_id": "vsaf7XMB7DSIF7OVjucZ",
  "_index": ".signals_log_2020.08.14"
}
This is my action:
"actions": [{
  "type": "webhook",
  "name": "my_webhook_action",
  "request": {
    "url": "http://192.168.20.220:9000/api/alert",
    "method": "POST",
    "body": "{\"text\": \"Powershell Process was created {{data.PowershellProcessCreation.hits.hits.length}} time over the last {{data.myconstants.window}}\"}\n",
    "headers": {
      "Content-Type": "application/json",
      "Authorization": "Bearer 3H9GBe6Xxkz+55wilOMn0TZZReMCPBW5"
    }
  }
}]
Thank you
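The 400 response above is TheHive's /api/alert rejecting the body because it only carries a "text" field; TheHive requires type, source, sourceRef, title and description. The following is an added example (not code from the original post, Search Guard or TheHive) that builds the corrected Signals action with those attributes in the body and checks the rendered payload offline; the "external"/"signals" values, the sourceRef pattern and the `execution_time` Mustache variable are assumptions, and the bearer token is a placeholder.

```python
import json
import re
# The attributes TheHive's /api/alert reported as missing in the 400 response.
REQUIRED_ALERT_ATTRIBUTES = ("type", "source", "sourceRef", "title", "description")
# Body template kept as a dict and serialised with json.dumps(), so the escaping of
# the nested "body" string is always right. "type", "source" and the sourceRef pattern
# are constructed values; "execution_time" is an assumed Mustache variable name.
ALERT_BODY_TEMPLATE = {
    "type": "external",
    "source": "signals",
    "sourceRef": "mywatch-{{execution_time}}",  # TheHive treats source+sourceRef as the alert key
    "title": "PowerShell process creation",
    "description": ("Powershell Process was created "
                    "{{data.PowershellProcessCreation.hits.hits.length}} time "
                    "over the last {{data.myconstants.window}}"),
}

def build_webhook_action(url, token_placeholder):
    """Corrected Signals webhook action; the token argument is a placeholder."""
    return {
        "type": "webhook",
        "name": "my_webhook_action",
        "request": {
            "url": url,
            "method": "POST",
            "body": json.dumps(ALERT_BODY_TEMPLATE),
            "headers": {"Content-Type": "application/json",
                        "Authorization": "Bearer " + token_placeholder},
        },
    }

def render(template, ctx):
    """Minimal {{dotted.path}} substitution standing in for Signals' Mustache rendering."""
    def lookup(match):
        value = ctx
        for part in match.group(1).split("."):
            value = len(value) if part == "length" and isinstance(value, list) else value[part]
        return json.dumps(str(value))[1:-1]  # escape quotes so the JSON body stays valid
    return re.sub(r"\{\{([\w.]+)\}\}", lookup, template)

def rendered_alert(action, ctx):
    """Render the action body against a watch context and parse what TheHive receives."""
    return json.loads(render(action["request"]["body"], ctx))

def missing_attributes(payload):
    """Attributes TheHive would reject as missing, in the order its error listed them."""
    return [a for a in REQUIRED_ALERT_ATTRIBUTES if not payload.get(a)]
# Constructed stand-in for the data Signals passes to the template at run time.
SAMPLE_CONTEXT = {"execution_time": "2020-08-14T15:38:43.514Z", "data": {
    "PowershellProcessCreation": {"hits": {"hits": [{"_id": "h1"}, {"_id": "h2"}, {"_id": "h3"}]}},
    "myconstants": {"window": "10m"}}}
```

Running `missing_attributes` on the original `{"text": ...}` body reproduces the five missing attributes from the error, while the rendered corrected body comes back empty.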