Help Rules File New Log event slack

[vinceplayer]

Hi I would like to have an alert sent on every new event with the validation of a certain tag, the problem is that nothing is ever sent. Could you give me a hand in the configuration files?

INFO:elastalert:Sleeping for 59.999822 seconds INFO:elastalert:Queried rule Behaviour Detection -- New Alarm! from 2021-06-05 17:14 +0200 to 2021-06-05 17:15 +0200: 0 hits INFO:elastalert:Queried rule Behaviour Detection -- New Alarm! from 2021-06-05 17:15 +0200 to 2021-06-05 17:15 +0200: 0 hits INFO:elastalert:Ran Behaviour Detection -- New Alarm! from 2021-06-05 17:14 +0200 to 2021-06-05 17:15 +0200: 0 query hits (0 already s

`# Alert when the rate of events exceeds a threshold

es_host: localhost
es_port: 9200


# (Required)
# Rule name, must be unique
name: Behaviour Detection -- New Alarm!

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: "filebeat-*"

use_strftime_index: true

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  seconds: 10 

# This option allows you to ignore repeating alerts for a period of time.
#realert:
#  minutes: 5

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- term:
    event_dataset: "zeek_connection"

# Only count number of records, instead of bringing all data back
use_count_query: true
doc_type: 'doc'

# (Required)
# The alert is use when a match is found
#alert:
#- "email"
#email:
#- "root@localhost"
alert:
- slack:
     slack_webhook_url: "https://hooks.slack.com/services//"
     slack_channel_override: "cybersecurity"`

[jertel]

Without seeing your Elastic documents, to know if the rule's query is correct, there's not much we can offer for assistance.