KeyError: 'agent' when added custom elastalert rule
utkarshborawake opened this issue · 2 comments
The custom elastalert rule is mentioned below. I am getting hits and matches for the rule but at the same time getting the error which is mentioned below the rule.
RULE -->

```yaml
ACDS_cve_id: ''
confidence: 90
description: This alert will trigger when Open VPN user is trying to login with invalid passwords.
alert:
- debug
filter:
- query:
    query_string:
      query: (event.dataset:"vpn" AND event.module:"pfsense" AND event_data.message:"could not authenticate")
index: ':so-beats'
mitre:
- attack.persistence
- attack.T1133
name: ACDS-OVPN-User-Authentication-Failed
priority: 1
realert:
  minutes: 0
rule.category: security
type: any
verified:
- attack.persistence
- attack.T1133
version: 1.0
```
ERROR -->

```
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/elastalert/elastalert.py", line 1298, in alert
    return self.send_alert(matches, rule, alert_time=alert_time, retried=retried)
  File "/usr/local/lib/python3.10/site-packages/elastalert/elastalert.py", line 1375, in send_alert
    alert.alert(matches)
  File "/opt/elastalert/modules/custom/ACDS_alerter.py", line 47, in alert
    hostname = match["agent"]["name"]
KeyError: 'agent'
```
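The traceback points at the custom alerter indexing `match["agent"]["name"]` directly, which raises `KeyError` for any hit that has no `agent` object. Below is an added example (not code from this issue, from ACDS_alerter.py, or from ElastAlert itself) of a tolerant lookup that mirrors the behaviour of ElastAlert's own `lookup_es_key` helper: it accepts nested and flattened field names, tries fallback fields (`host.name` and `hostname` are assumed alternatives, not taken from the issue), and returns a placeholder instead of crashing the alert. The sample matches are constructed.

```python
from typing import Any, Mapping, Optional

# Ordered dotted field paths to try for the host name. The first is the field
# the custom alerter reads; the fallbacks are assumptions for this example
# (ECS-style host.name and a flat "hostname" key), not fields from the issue.
HOSTNAME_FIELDS = ("agent.name", "host.name", "hostname")


def lookup_field(match: Mapping[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted path such as "agent.name" against a match document.

    Works for nested dicts ({"agent": {"name": ...}}) and for flattened keys
    ({"agent.name": ...}). Returns None, instead of raising KeyError, when any
    segment of the path is missing or the intermediate value is not a mapping.
    """
    if dotted in match:
        return match[dotted]
    current: Any = match
    for part in dotted.split("."):
        if not isinstance(current, Mapping) or part not in current:
            return None
        current = current[part]
    return current


def hostname_for_match(match: Mapping[str, Any], default: str = "unknown-host") -> str:
    """Return the best available host name for a match; never raises."""
    for field in HOSTNAME_FIELDS:
        value = lookup_field(match, field)
        if isinstance(value, str) and value:
            return value
    return default


# Constructed sample matches shaped like the pfSense/OpenVPN events the rule
# filters on; host names and layout are invented for this example.
SAMPLE_MATCHES = [
    {"event": {"dataset": "vpn", "module": "pfsense"},
     "event_data": {"message": "could not authenticate"},
     "agent": {"name": "fw-edge-01"}},
    {"event": {"dataset": "vpn", "module": "pfsense"},
     "event_data": {"message": "could not authenticate"},
     "host": {"name": "fw-edge-02"}},            # no "agent" key: the KeyError case
    {"event.dataset": "vpn", "agent.name": "fw-edge-03"},  # flattened field names
]


def summarize_matches(matches) -> list:
    """One alert line per match, as a custom alerter's alert() method would build."""
    return [f"OpenVPN auth failure on {hostname_for_match(m)}" for m in matches]
```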
elastalert is not maintained. Please use elastalert2.
https://github.com/jertel/elastalert2/discussions
Okay, thanks.