Chain input Watcher multi result

Hi,

I am really struggling to implement the following: I need a watcher which determines if, for a username, 2 different events occur after each other in a 24h window.

Requirements

First event:

{
    "@version": "1",
    "useraudit": {
      "datetime": "10-12-2019 11:07:35.843",
      "message": "role admin granted for jane by system",
      "level": "INFO",
      "actor": "system",
      "entity": "jane",
      "security": true
    },
    "tags": [
      "useraudit",
      "system"
    ],
    "logevent": "{\"datetime\":\"10-12-2019 11:07:35.843\",\"message\":\"role admin granted for jane by system\",\"entity\":\"jane\",\"actor\":\"system\",\"level\":\"INFO\",\"security\":true}",
    "@timestamp": "2019-12-10T11:43:09.341Z",
    "id": 850
}

So the watcher should look for these events, and then for every result determine if, for the entity (jane), the second event occurred within 24 hours of the first event.

Second event:

{
    "@version": "1",
    "useraudit": {
      "datetime": "10-12-2019 13:07:35.843",
      "message": "role admin revoked for jane by system",
      "level": "INFO",
      "actor": "system",
      "entity": "jane",
      "security": true
    },
    "tags": [
      "useraudit",
      "system"
    ],
    "logevent": "{\"datetime\":\"10-12-2019 13:07:35.843\",\"message\":\"role admin revoked for jane by system\",\"entity\":\"jane\",\"actor\":\"system\",\"level\":\"INFO\",\"security\":true}",
    "@timestamp": "2019-12-10T13:43:09.341Z",
    "id": 851
}

Watcher

The watcher I have uses a chain input, with a search input for each query.

{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "granting": {
            "search": {
              "request": {
                "indices": ["filebeat-*"],
                "body": {
                  "size": 2,
                  "query": {
                    "bool": {
                      "must": [
                          {
                              "range": {
                                  "@timestamp": {
                                      "gte": "now-30d"
                                  }
                              }
                          },
                          {
                              "match_phrase": {
                                  "tags": "useraudit"
                              }
                          },
                          {
                              "match_phrase": {
                                  "tags": "outsystems"
                              }
                          },
                          {
                              "wildcard": {
                                  "useraudit.message": "role * granted for * by *"
                              }
                          }
                      ]
                    }
                  }
                }
              }
            }
          }
        },
        {
          "revoking": {
            "search": {
              "request": {
                "indices": ["filebeat-*"],
                "body": {
                  "size": 1,
                  "query": {
                    "bool": {
                      "must": [
                          {
                              "range": {
                                  "@timestamp": {
                                      "gte": "now-30d"
                                  }
                              }
                          },
                          {
                              "match_phrase": {
                                  "tags": "useraudit"
                              }
                          },
                          {
                              "match_phrase": {
                                  "tags": "outsystems"
                              }
                          },
                          {
                              "wildcard": {
                                  "useraudit.message": "role * revoked for {{ctx.payload.granting.hits.hits.0._source.useraudit.entity}} by *"
                              }
                          }
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      ]
    }
  },
  "condition": {
    "always": {
    }
  },
  "actions": {
    "mylog": {
      "foreach": "ctx.payload.granting.hits.hits",
      "logging": {
        "level": "info",
        "text": "The payload is: {{ctx.payload._source.useraudit.entity}}"
      }
    }
  }
}

Using ctx.payload.granting.hits.hits.0._source.useraudit.entity in the revoked query I am able to get the username for one entity. However, how can I do this when the first query returns multiple hits?

And then the condition should be that both queries have hits.total gt 0.

You can transform input data in a chained input using a script transform; that may help you here.
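One way to do what the reply suggests, as an added example that is not code from the original post or from Elastic: instead of templating the second search with a single entity, let both chain inputs fetch all "granted" and all "revoked" events in the window, and do the per-entity join in a Painless script transform. The watch-level condition is the one asked for above (both searches return hits.total > 0); the transform pairs each revoke with a grant for the same useraudit.entity that happened at most 24 hours earlier, and the action logs one line per pair. Assumed, and not taken from the post: the watch id `admin-grant-revoke-24h` (the body below is what you would `PUT _watcher/watch/admin-grant-revoke-24h`), the `size` limits, the dropped `outsystems` tag filter (the sample events only carry `useraudit` and `system`), and that `hits.total` in the payload is an integer, which is what the Watcher search input reports. Index pattern, field names and the message wildcards are the ones from the post.

```json
{
  "trigger": { "schedule": { "interval": "30s" } },
  "input": {
    "chain": {
      "inputs": [
        { "granting": { "search": { "request": {
          "indices": ["filebeat-*"],
          "body": {
            "size": 500,
            "query": { "bool": { "must": [
              { "range": { "@timestamp": { "gte": "now-30d" } } },
              { "match_phrase": { "tags": "useraudit" } },
              { "wildcard": { "useraudit.message": "role * granted for * by *" } }
            ] } }
          }
        } } } },
        { "revoking": { "search": { "request": {
          "indices": ["filebeat-*"],
          "body": {
            "size": 500,
            "query": { "bool": { "must": [
              { "range": { "@timestamp": { "gte": "now-30d" } } },
              { "match_phrase": { "tags": "useraudit" } },
              { "wildcard": { "useraudit.message": "role * revoked for * by *" } }
            ] } }
          }
        } } } }
      ]
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "return ctx.payload.granting.hits.total > 0 && ctx.payload.revoking.hits.total > 0"
    }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "def grants = new HashMap(); for (def hit : ctx.payload.granting.hits.hits) { def src = hit._source; def e = src.useraudit.entity; if (!grants.containsKey(e)) { grants[e] = new ArrayList(); } grants[e].add(src['@timestamp']); } def pairs = new ArrayList(); for (def hit : ctx.payload.revoking.hits.hits) { def src = hit._source; def e = src.useraudit.entity; if (!grants.containsKey(e)) { continue; } long revoked = ZonedDateTime.parse(src['@timestamp']).toInstant().toEpochMilli(); for (def g : grants[e]) { long granted = ZonedDateTime.parse(g).toInstant().toEpochMilli(); long delta = revoked - granted; if (delta >= 0 && delta <= 86400000L) { pairs.add(['entity': e, 'granted': g, 'revoked': src['@timestamp'], 'hours': delta / 3600000.0]); break; } } } return ['pairs': pairs];"
    }
  },
  "actions": {
    "log_pairs": {
      "condition": {
        "script": { "lang": "painless", "source": "return ctx.payload.pairs.size() > 0" }
      },
      "foreach": "ctx.payload.pairs",
      "logging": {
        "level": "info",
        "text": "admin role for {{ctx.payload.entity}} granted at {{ctx.payload.granted}} and revoked at {{ctx.payload.revoked}} ({{ctx.payload.hours}} h later)"
      }
    }
  }
}
```

The transform builds a map of entity to grant timestamps from the first search, then walks the revokes and keeps the first grant for the same entity that lies between 0 and 24 hours before the revoke, so it handles many users and repeated grants for one user. Inside `foreach`, `ctx.payload` is one element of `ctx.payload.pairs`, which is why the template refers to `ctx.payload.entity` rather than a `_source` path. Two caveats a practitioner will hit: a `wildcard` query only behaves as intended on a keyword-mapped field, so check the mapping of `useraudit.message` (or use its `.keyword` subfield if Filebeat created one); and with a 30-day window every 30-second run reports the same pairs again, so either narrow the `revoking` range to roughly the trigger interval or add a `throttle_period` to the action.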
