Unable to send Http additional alert field with Script Callback

Hello! We’ve been trying to use the “Legacy script alert callback” function to send alerts to an “Alert Management tool”.
Although we see the necessary field in the alert definition (ufw_src_ip), we are not able to send it to the alert management tool. We see the stream_id in our alarm management tool, but ufw_src_ip is empty. Can you help?

Below is our config,
We defined a grok pattern to parse the UFW alert, and we would like to pass the ufw_src_ip field identified by that grok pattern to the script alert callback notification script.

^^^ Here you can see our defined notification.

#!/bin/bash
# Script alert callback. Graylog passes the configured values as positional
# arguments: $1 is used as the alert source, $2 as ufw_src_ip, $3 as stream_id.
# The values are interpolated unescaped into the JSON body, so a value
# containing a double quote would break the request.
curl -v -XPOST -H 'Authorization: Bearer AAAAAAAAAAAAAAAAAAAA' -H 'Content-Type: application/json' http://111.111.111.11:1111/api/xxxxx -d '{
 "title" : "UFW_BLOCK",
 "description": "xxxxx_block",
 "type": "external",
 "source": "'"$1"'",
 "sourceRef": "ddddd",
 "artifacts": [
    { "dataType": "ufw_src_ip", "data": "'"$2"'", "tags": ["home", "TheHive"]},
    { "dataType": "stream_id", "data": "'"$3"'", "tags": ["home", "TheHive"]}
 ]
}'

Check your Message Backlog parameter in Alerts - Event Definition - Edit - Notifications tab: tick the checkbox and enter 1. It is the number of messages to be included in the notification.
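To show why the field arrives empty, here is an added example (not from the original post and not Graylog's own code): the same payload built from a notification with and without a backlog message, with the values escaped by json.dumps instead of shell interpolation. The notification layout (a backlog list of messages with a fields map) and the sample values are assumptions constructed for the example.

```python
import json

# Constructed notification as seen with "Message Backlog" set to 1
# (assumption: grok-extracted fields live on the backlog message, not on the event).
SAMPLE_WITH_BACKLOG = {
    "event_definition_title": "UFW_BLOCK",
    "event": {"id": "event-constructed-1", "message": "UFW BLOCK seen"},
    "backlog": [
        {"id": "msg-1", "fields": {"ufw_src_ip": "203.0.113.7", "stream_id": "stream-xyz"}}
    ],
}

# Same notification with Message Backlog left at 0: no messages, hence no ufw_src_ip.
SAMPLE_NO_BACKLOG = {**SAMPLE_WITH_BACKLOG, "backlog": []}


def extract_field(notification, name):
    """Return the first non-empty value of `name` found in the backlog messages, else None."""
    for msg in notification.get("backlog", []):
        value = msg.get("fields", {}).get(name)
        if value not in (None, ""):
            return value
    return None


def build_payload(notification):
    """Build the JSON body for the alert-management API.

    Returns None when ufw_src_ip is unavailable (the symptom of a backlog of 0),
    so the caller can log the problem instead of sending an empty artifact.
    json.dumps escapes every value, so a quote inside a field cannot break the
    JSON the way direct shell interpolation of $2 can.
    """
    src_ip = extract_field(notification, "ufw_src_ip")
    stream_id = extract_field(notification, "stream_id")
    if src_ip is None:
        return None
    body = {
        "title": notification.get("event_definition_title", "UFW_BLOCK"),
        "description": "xxxxx_block",
        "type": "external",
        "source": notification["event"]["id"],
        "sourceRef": "ddddd",
        "artifacts": [
            {"dataType": "ufw_src_ip", "data": src_ip, "tags": ["home", "TheHive"]},
            {"dataType": "stream_id", "data": stream_id, "tags": ["home", "TheHive"]},
        ],
    }
    return json.dumps(body)
```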
