Alerting Conditions and Email Body

I am having some trouble with the alerting functions in Watcher. Below is part of my JSON query, which allows you to understand what I'm trying to do and which fields I am using.

    "aggs": {
      "2": {
        "significant_terms": {
          "field": "TargetUserName.keyword",
          "size": 10
        }
      }
    }

    {
      "key": "UserTest",
      "doc_count": 5,
      "score": 5131.956340020576,
      "bg_count": 27
    }

I am trying to set up alerting that will trigger each time a user fails to logon 3 times in 3 minutes. I have set up the query and can pull the data in. I can also send email alerts; however, I need help with adding fields to the body.

Below you can see my condition. I would like the condition to be met when a user fails to logon 3 times in 3 minutes. The JSON below currently doesn't work. Can anyone give me any pointers?

    "condition": {
      "compare": {
        "ctx.payload.aggregation.significant.total": {
          "gte": 3
        }
      }
    }

My second question is how do I include field values in the email alert? I would like to show the username and the number of times the user failed to logon. How do I do this? Below is my attempt.

    "subject": "Multiple Failed Logons Detected",
    "body": {
      "text": "{{TargetUserName.keyword}} has failed to logon multiple times"
    }

Cheers,

G

Both answers require us to take a look at the contents of the payload, which in this case is the search response. Can you include the full output of the Execute Watch API, which contains all of that information, please?

Also, please take some time to use markdown to properly format your messages, as this makes it a million times easier to read code/json snippets.

Thanks a lot!

--Alex


Hi there @spinscale,

Below is the search response:

{
  "took": 1133,
  "timed_out": false,
  "_shards": {
    "total": 40,
    "successful": 40,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 95,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "2": {
      "doc_count": 95,
      "bg_count": 4591523,
      "buckets": [
        {
          "key": "TestAccount",
          "doc_count": 29,
          "score": 14753.619058171744,
          "bg_count": 29
        },
        {
          "key": "-",
          "doc_count": 34,
          "score": 14002.545648331356,
          "bg_count": 42
        },
        {
          "key": "User",
          "doc_count": 30,
          "score": 8638.937228871582,
          "bg_count": 53
        }
      ]
    }
  }
} 

So for the alert condition, it would be triggered when "doc_count" was greater than or equal to 3 within the last 3 minutes. I would also like to send the email alert and include the "key" and the "doc_count" fields as it would provide a lot of useful information in the alert.

If you need any more information, please do not hesitate to ask.

Cheers,

G

You can set the `min_doc_count` parameter in the aggregation to 3, and then you only need to check the size of your buckets in the condition, like:

    return ctx.payload.aggregations['2'].buckets.size() > 0

You can circumvent that awkward syntax with 2 above by just setting a proper name like accounts and use that one.

Hi @spinscale,

I am new to JSON as of last week and am struggling to get my head around what you suggested. How do I use the min_doc_count? Also I'm not really sure what that condition does.

I have tried looking at the documentation; however, there's so much to read and take in that I struggled. If you could give me some advice that'd be great.

Cheers,

G

Hey,

I was referring to this min_doc_count parameter

--Alex


The below JSON doesn't seem to work and I'm not sure why. Has anyone got any ideas?

    {
      "_id": "W1234_c6a3dba0-f4d4-431c-933b-aaad98b05a07-2018-01-15T10:08:34.685Z",
      "watch_record": {
        "watch_id": "W1234",
        "node": "uy-aQe2PT12NAjCj-B7QKQ",
        "state": "execution_not_needed",
        "status": {
          "state": {
            "active": true,
            "timestamp": "2018-01-15T10:08:28.352Z"
          },
          "last_checked": "2018-01-15T10:08:34.685Z",
          "actions": {
            "email_admin": {
              "ack": {
                "timestamp": "2018-01-15T10:08:28.352Z",
                "state": "awaits_successful_execution"
              }
            }
          },
          "execution_state": "execution_not_needed",
          "version": 22325
        },
        "trigger_event": {
          "type": "manual",
          "triggered_time": "2018-01-15T10:08:34.685Z",
          "manual": {
            "schedule": {
              "scheduled_time": "2018-01-15T10:08:34.685Z"
            }
          }
        },
        "input": {
          "search": {
            "request": {
              "search_type": "query_then_fetch",
              "indices": [
                "*"
              ],
              "types": [],
              "body": {
                "size": 0,
                "query": {
                  "bool": {
                    "filter": [
                      {
                        "range": {
                          "@timestamp": {
                            "gte": "now-5m",
                            "lte": "now"
                          }
                        }
                      },
                      {
                        "term": {
                          "EventID": "4625"
                        }
                      }
                    ]
                  }
                },
                "aggs": {
                  "User": {
                    "terms": {
                      "field": "TargetUserName.keyword"
                    }
                  }
                }
              }
            }
          }
        },
        "condition": {
          "compare": {
            "ctx.payload.aggregations[User]buckets.0.doc_count": {
              "gt": 3
            }
          }
        },
        "metadata": {
          "name": "Failed User Logons",
          "xpack": {
            "type": "json"
          }
        },
        "result": {
          "execution_time": "2018-01-15T10:08:34.685Z",
          "execution_duration": 9,
          "input": {
            "type": "search",
            "status": "success",
            "payload": {
              "_shards": {
                "total": 116,
                "failed": 0,
                "successful": 116,
                "skipped": 0
              },
              "hits": {
                "hits": [],
                "total": 0,
                "max_score": 0
              },
              "took": 9,
              "timed_out": false,
              "aggregations": {
                "User": {
                  "doc_count_error_upper_bound": 0,
                  "sum_other_doc_count": 0,
                  "buckets": []
                }
              }
            },
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "*"
                ],
                "types": [],
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "filter": [
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-5m",
                              "lte": "now"
                            }
                          }
                        },
                        {
                          "term": {
                            "EventID": "4625"
                          }
                        }
                      ]
                    }
                  },
                  "aggs": {
                    "User": {
                      "terms": {
                        "field": "TargetUserName.keyword"
                      }
                    }
                  }
                }
              }
            }
          },
          "condition": {
            "type": "compare",
            "status": "success",
            "met": false,
            "compare": {
              "resolved_values": {
                "ctx.payload.aggregations[User]buckets.0.doc_count": null
              }
            }
          },
          "actions": []
        },
        "messages": []
      }
    }

Cheers

G

The reason that this Watch wasn't working was due to the condition.

The old non-working condition:

    "condition": {
      "compare": {
        "ctx.payload.aggregations[User]buckets.0.doc_count": {
          "gt": 3
        }
      }
    },

The new working condition:

    "condition": {
      "compare": {
        "ctx.payload.aggregations.User.buckets.0.doc_count": {
          "gte": 3
        }
      }
    },

Cheers,

G
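
Added example, not part of the original thread: a complete watch that combines the suggestions above. It uses a named `terms` aggregation with `min_doc_count` set to 3 over a 3-minute window, a script condition on the bucket list, and an email body that prints each bucket's `key` and `doc_count` through a Mustache section. The one-minute interval, the `throttle_period`, the aggregation name `accounts` and the recipient address are assumptions, and the script condition uses the `source` key of Elasticsearch 6.x.

```json
{
  "metadata": {
    "note": "Added example: interval, throttle, aggregation name and recipient are assumed values"
  },
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-3m", "lte": "now" } } },
                { "term": { "EventID": "4625" } }
              ]
            }
          },
          "aggs": {
            "accounts": {
              "terms": { "field": "TargetUserName.keyword", "min_doc_count": 3 }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.accounts.buckets.size() > 0"
    }
  },
  "actions": {
    "email_admin": {
      "throttle_period": "3m",
      "email": {
        "to": "soc@example.com",
        "subject": "Multiple Failed Logons Detected",
        "body": {
          "text": "{{#ctx.payload.aggregations.accounts.buckets}}{{key}} failed to log on {{doc_count}} times in the last 3 minutes\n{{/ctx.payload.aggregations.accounts.buckets}}"
        }
      }
    }
  }
}
```

Because `min_doc_count` drops every account with fewer than three failures before the condition runs, the Mustache section only ever lists accounts that crossed the threshold, and an empty bucket list means no email is sent.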

