Hello,

I have a couple of issues with alerts with logs from winlogbeats.

I have alerts created that trigger correctly and send that alert to TheHive, but then I found two issues:

• The first is that I can't extract observables such as:
  operative_system: "{match[host.os.name]}" or event_id: "{match[winlog.event_id]}"

The only observables that I receive on theHive are those without . ,i.e:
msg: "{match[message]}"

• The other issue is that I receive the following exception when the alert triggers:
  elasticsearch.exceptions.RequestError: RequestError(400, 'mapper_parsing_exception', "failed to parse field [match_body.host] of type [text] in document...

Nevertheless, the fields host.XXX appear in ELK.

I don't know if both issues are related.

Can you help?

Solved in TheHive-Project/TheHive#1209