Hello! We’ve been trying to use the “Legacy script alert Callback” function to send alerts to an “Alert Management tool”.
Although we see the necessary field in the alert definition (ufw_src_ip), we are not able to send it to the alert management tool. We see the stream_id in our alarm management tool, but ufw_src_ip is empty. Can you help?
Below is our config,
We defined a grok pattern to parse the UFW alert, and we would like to pass the ufw_src_ip field that we identified with the grok pattern via the script alert callback notification script.
^^^ Here you can see our defined notification.
#!/bin/bash
# Positional arguments as configured in the callback: $1 = source, $2 = ufw_src_ip, $3 = stream_id
curl -v -XPOST -H 'Authorization: Bearer AAAAAAAAAAAAAAAAAAAA' -H 'Content-Type: application/json' http://111.111.111.11:1111/api/xxxxx -d '{
"title" : "UFW_BLOCK",
"description": "xxxxx_block",
"type": "external",
"source": "'"$1"'",
"sourceRef": "ddddd",
"artifacts": [
{ "dataType": "ufw_src_ip", "data": "'"$2"'", "tags": ["home", "TheHive"]},
{ "dataType": "stream_id", "data": "'"$3"'", "tags": ["home", "TheHive"]}
]
}'
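An added diagnostic variant of the script above (not the poster's code and not part of Graylog): it logs the raw arguments the callback actually delivers, refuses to send when ufw_src_ip arrives empty, and escapes each value so a quote or backslash in an argument cannot break the JSON body. It assumes the same three positional arguments as the original script; the URL, token and log path are placeholders.

```sh
#!/bin/sh
# Added example, not the original poster's script.
# Assumed arguments: $1 = source, $2 = ufw_src_ip, $3 = stream_id (as in the original).
ALERT_URL="${ALERT_URL:-http://ALERT-MGMT-HOST:PORT/api/PLACEHOLDER}"   # placeholder
ALERT_TOKEN="${ALERT_TOKEN:-PLACEHOLDER_TOKEN}"                          # placeholder
ARG_LOG="${ARG_LOG:-/tmp/ufw_alert_args.log}"                            # placeholder path

# Escape one value for use inside a JSON string: backslash and double quote are
# escaped; newlines, carriage returns and tabs are dropped rather than embedded.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr -d '\n\r\t'
}

# Build the request body. Returns 1 and prints nothing when ufw_src_ip is empty,
# so an empty artifact is never sent silently to the alert management tool.
build_payload() {
  src=$(json_escape "$1")
  ip=$(json_escape "$2")
  stream=$(json_escape "$3")
  [ -n "$ip" ] || return 1
  printf '{"title":"UFW_BLOCK","description":"ufw_block","type":"external","source":"%s","sourceRef":"ufw","artifacts":[{"dataType":"ufw_src_ip","data":"%s","tags":["home","TheHive"]},{"dataType":"stream_id","data":"%s","tags":["home","TheHive"]}]}' \
    "$src" "$ip" "$stream"
}

# Record exactly what the callback handed us (argument count and each value),
# then send only if the payload could be built.
send_alert() {
  printf '%s argc=%s 1=[%s] 2=[%s] 3=[%s]\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$#" "$1" "$2" "$3" >> "$ARG_LOG"
  body=$(build_payload "$1" "$2" "$3") || {
    echo "ufw_src_ip empty, alert not sent (see $ARG_LOG)" >&2
    return 1
  }
  curl -sS -X POST -H "Authorization: Bearer $ALERT_TOKEN" \
    -H 'Content-Type: application/json' "$ALERT_URL" --data "$body"
}

# Call from the callback script as: send_alert "$1" "$2" "$3"
```

Comparing the argument count and values written to the log against the alert definition shows whether the callback is passing ufw_src_ip at all or passing it in a different position.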