Alerting Conditions and Email Body

MultiplierMultiplier · January 5, 2018, 3:12pm

I am having some troubles with the alerting functions in Watcher, below is part of my JSON query which allows you to understand what I'm trying to do and which fields I am using.

 "aggs": {
    "2": {
      "significant_terms": {
        "field": "TargetUserName.keyword",
        "size": 10


"key": "UserTest",
          "doc_count": 5,
          "score": 5131.956340020576,
          "bg_count": 27

I am trying to set up alerting that will trigger each time a user fails to logon 3 times in 3 minutes. I have set up the query and cal pull the data in. I can also send email alerts however I need help with adding fields to the body.

Below you can see my condition, I would like the condition to be met when a user fails to logon 3 times in 3 minutes. The JSON below currently doesn't work can anyone give me any pointers?

"condition": {
    "compare": {
      "ctx.payload.aggregation.significant.total": {
        "gte": 3

MY second question is how do I include field values in the email alert? I would like to show the username and the amount of times the user failed to logon, how do I do this? Below is my attempt.

"subject": "Multiple Failed Logons Detected",
        "body": {
          "text": "{{TargetUserName.keyword}} has failed to logon multiple times"

Cheers,

G

spinscale · January 8, 2018, 8:11am

both answers require us to take a look at the contents of the payloads, which in this case is the search response. Can you include the full output of the Execute Watch API which contains all of those information please?

Also, please take some time to use markdown to properly format your messages, as this makes it a million times easier to read code/json snippets.

Thanks a lot!

--Alex

MultiplierMultiplier · January 8, 2018, 9:17am

Hi there @spinscale,

Below is the search response:

{
  "took": 1133,
  "timed_out": false,
  "_shards": {
    "total": 40,
    "successful": 40,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 95,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "2": {
      "doc_count": 95,
      "bg_count": 4591523,
      "buckets": [
        {
          "key": "TestAccount",
          "doc_count": 29,
          "score": 14753.619058171744,
          "bg_count": 29
        },
        {
          "key": "-",
          "doc_count": 34,
          "score": 14002.545648331356,
          "bg_count": 42
        },
        {
          "key": "User",
          "doc_count": 30,
          "score": 8638.937228871582,
          "bg_count": 53
        }
      ]
    }
  }
}

So for the alert condition, it would be triggered when "doc_count" was greater than or equal to 3 within the last 3 minutes. I would also like to send the email alert and include the "key" and the "doc_count" fields as it would provide a lot of useful information in the alert.

If you need anymore information, please do not hesitate to ask.

Cheers,

G

spinscale · January 8, 2018, 11:23am

you can use the min_doc_count parameter in the aggregation to 3 and then you only need to check the size of your buckets in the condition like

return ctx.payload.aggregations['2'].buckets.size() > 0

You can circumvent that awkward syntax with 2 above by just setting a proper name like accounts and use that one.

MultiplierMultiplier · January 9, 2018, 2:08pm

Hi @spinscale,

I am new to JSON as of last week and am struggling to get my head around what you suggested. How do I use the min_doc_count? Also I'm not really sure what that condition does.

I have tried looking at the documentation however theers so much to read and take in I struggled. If you could give me some advice that'd
be great.

Cheers,

G

spinscale · January 10, 2018, 8:21am

Hey,

I was referring to this min_doc_count parameter

--Alex

MultiplierMultiplier · January 12, 2018, 12:14pm

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

MultiplierMultiplier · January 15, 2018, 10:11am

The below JSON doesn't seem to work and I'm not sure why, has anyone got any ideas?

    {
      "_id": "W1234_c6a3dba0-f4d4-431c-933b-aaad98b05a07-2018-01-15T10:08:34.685Z",
      "watch_record": {
        "watch_id": "W1234",
        "node": "uy-aQe2PT12NAjCj-B7QKQ",
        "state": "execution_not_needed",
        "status": {
          "state": {
            "active": true,
            "timestamp": "2018-01-15T10:08:28.352Z"
          },
          "last_checked": "2018-01-15T10:08:34.685Z",
          "actions": {
            "email_admin": {
              "ack": {
                "timestamp": "2018-01-15T10:08:28.352Z",
                "state": "awaits_successful_execution"
              }
            }
          },
          "execution_state": "execution_not_needed",
          "version": 22325
        },
        "trigger_event": {
          "type": "manual",
          "triggered_time": "2018-01-15T10:08:34.685Z",
          "manual": {
            "schedule": {
              "scheduled_time": "2018-01-15T10:08:34.685Z"
            }
          }
        },
        "input": {
          "search": {
            "request": {
              "search_type": "query_then_fetch",
              "indices": [
                "*"
              ],
              "types": [],
              "body": {
                "size": 0,
                "query": {
                  "bool": {
                    "filter": [
                      {
                        "range": {
                          "@timestamp": {
                            "gte": "now-5m",
                            "lte": "now"
                          }
                        }
                      },
                      {
                        "term": {
                          "EventID": "4625"
                        }
                      }
                    ]
                  }
                },
                "aggs": {
                  "User": {
                    "terms": {
                      "field": "TargetUserName.keyword"
                    }
                  }
                }
              }
            }
          }
        },
        "condition": {
          "compare": {
            "ctx.payload.aggregations[User]buckets.0.doc_count": {
              "gt": 3
            }
          }
        },
        "metadata": {
          "name": "Failed User Logons",
          "xpack": {
            "type": "json"
          }
        },
        "result": {
          "execution_time": "2018-01-15T10:08:34.685Z",
          "execution_duration": 9,
          "input": {
            "type": "search",
            "status": "success",
            "payload": {
              "_shards": {
                "total": 116,
                "failed": 0,
                "successful": 116,
                "skipped": 0
              },
              "hits": {
                "hits": [],
                "total": 0,
                "max_score": 0
              },
              "took": 9,
              "timed_out": false,
              "aggregations": {
                "User": {
                  "doc_count_error_upper_bound": 0,
                  "sum_other_doc_count": 0,
                  "buckets": []
                }
              }
            },
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "*"
                ],
                "types": [],
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "filter": [
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-5m",
                              "lte": "now"
                            }
                          }
                        },
                        {
                          "term": {
                            "EventID": "4625"
                          }
                        }
                      ]
                    }
                  },
                  "aggs": {
                    "User": {
                      "terms": {
                        "field": "TargetUserName.keyword"
                      }
                    }
                  }
                }
              }
            }
          },
          "condition": {
            "type": "compare",
            "status": "success",
            "met": false,
            "compare": {
              "resolved_values": {
                "ctx.payload.aggregations[User]buckets.0.doc_count": null
              }
            }
          },
          "actions": []
        },
        "messages": []
      }
    }

Cheers

G

MultiplierMultiplier · January 15, 2018, 12:47pm

The reason that this Watch wasn't working was due to the condition.

The old non working condition:

"condition": {
          "compare": {
            "ctx.payload.aggregations[User]buckets.0.doc_count": {
              "gt": 3
            }
          }
        },

The new working condition:

"condition": {
    "compare": {
      "ctx.payload.aggregations.User.buckets.0.doc_count": {
        "gte": 3
      }
    }
  },

Cheers,

G

system · February 12, 2018, 12:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Include Fields in Watcher Email Alert Elasticsearch elastic-stack-alerting	19	11079	March 5, 2018
Watcher Assistance Elasticsearch	1	343	March 7, 2020
Need help with watcher to send the correct fields of result in the email Elasticsearch elastic-stack-alerting	6	1286	June 23, 2020
How to create alert for multiple login attemps (failed attempts) for every 10mins Elasticsearch elastic-stack-alerting	2	1381	June 7, 2019
Watcher Assistance (ii) Elasticsearch elastic-stack-alerting	3	443	April 2, 2021

Alerting Conditions and Email Body

Related topics