Hi,
I am really struggling to implement the following; I need a watcher which determines if for a username 2 different events occur after each other in a 24h window.
Requirements
First event:
{
  "@version": "1",
  "useraudit": {
    "datetime": "10-12-2019 11:07:35.843",
    "message": "role admin granted for jane by system",
    "level": "INFO",
    "actor": "system",
    "entity": "jane",
    "security": true
  },
  "tags": [
    "useraudit",
    "system"
  ],
  "logevent": "{\"datetime\":\"10-12-2019 11:07:35.843\",\"message\":\"role admin granted for jane by system\",\"entity\":\"jane\",\"actor\":\"system\",\"level\":\"INFO\",\"security\":true}",
  "@timestamp": "2019-12-10T11:43:09.341Z",
  "id": 850
}
So the watcher should look for these events, and then for every result, determine whether for the entity (jane) the second event occurred within 24 hours of the first event.
Second event:
{
  "@version": "1",
  "useraudit": {
    "datetime": "10-12-2019 13:07:35.843",
    "message": "role admin revoked for jane by system",
    "level": "INFO",
    "actor": "system",
    "entity": "jane",
    "security": true
  },
  "tags": [
    "useraudit",
    "system"
  ],
  "logevent": "{\"datetime\":\"10-12-2019 13:07:35.843\",\"message\":\"role admin revoked for jane by system\",\"entity\":\"jane\",\"actor\":\"system\",\"level\":\"INFO\",\"security\":true}",
  "@timestamp": "2019-12-10T13:43:09.341Z",
  "id": 851
}
Watcher
The watcher I have uses a chain input, with a search input for each query.
{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "granting": {
            "search": {
              "request": {
                "indices": ["filebeat-*"],
                "body": {
                  "size": 2,
                  "query": {
                    "bool": {
                      "must": [
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-30d"
                            }
                          }
                        },
                        {
                          "match_phrase": {
                            "tags": "useraudit"
                          }
                        },
                        {
                          "match_phrase": {
                            "tags": "outsystems"
                          }
                        },
                        {
                          "wildcard": {
                            "useraudit.message": "role * granted for * by *"
                          }
                        }
                      ]
                    }
                  }
                }
              }
            }
          }
        },
        {
          "revoking": {
            "search": {
              "request": {
                "indices": ["filebeat-*"],
                "body": {
                  "size": 1,
                  "query": {
                    "bool": {
                      "must": [
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-30d"
                            }
                          }
                        },
                        {
                          "match_phrase": {
                            "tags": "useraudit"
                          }
                        },
                        {
                          "match_phrase": {
                            "tags": "outsystems"
                          }
                        },
                        {
                          "wildcard": {
                            "useraudit.message": "role * revoked for {{ctx._source.useraudit.entity}} by *"
                          }
                        }
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      ]
    }
  },
  "condition": {
    "always": {
    }
  },
  "actions": {
    "mylog": {
      "foreach": "ctx.payload.granting.hits.hits",
      "logging": {
        "level": "info",
        "text": "The payload is: {{ctx.payload._source.useraudit.entity}}"
      }
    }
  }
}
Using ctx.payload.granting.hits.hits.0._source.useraudit.entity in the revoked query I am able to get the username for 1 entity. However, how can I do this when the first query returns multiple hits?
And then the condition should be if both queries have gt: 0 for hits.total.
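The correlation the watch needs, worked through as an added Python example that is not part of the original post and not Elastic's own code. It takes a dict shaped like ctx.payload after the chain input has run (the sample hits for jane, bob and carol are constructed for the example), groups the revocations by entity, and checks for every grant whether a revoke followed within 24 hours. The usual approach, stated here as an assumption about the setup rather than something from the post, is to let the second search return revocations for all entities and correlate the two hit lists in a script condition or transform, instead of templating hits.0 into the query, which can only ever carry one entity. The hits.total handling covers both the integer form and the object form Elasticsearch returns depending on version. From a defender's point of view the grants with no revoke inside the window are the interesting ones, so the function reports both lists.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)


def parse_ts(value):
    """Parse @timestamp as Elasticsearch emits it, e.g. 2019-12-10T11:43:09.341Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def total_hits(search_result):
    """hits.total is an int in 6.x and {"value": n, "relation": ...} in 7.x; accept both."""
    total = search_result["hits"]["total"]
    return total["value"] if isinstance(total, dict) else total


def condition_met(payload):
    """The condition asked for in the post: both searches returned at least one hit."""
    return all(total_hits(payload[name]) > 0 for name in ("granting", "revoking"))


def entity_of(hit):
    return hit["_source"]["useraudit"]["entity"]


def correlate(payload, window=WINDOW):
    """Return (matched, unmatched).

    matched:   (entity, grant_ts, revoke_ts) for grants followed by a revoke within `window`
    unmatched: (entity, grant_ts) for grants with no revoke inside the window
    """
    # Index all revocations by entity, sorted by time, so each grant is checked in O(log n).
    revokes = defaultdict(list)
    for hit in payload["revoking"]["hits"]["hits"]:
        revokes[entity_of(hit)].append(parse_ts(hit["_source"]["@timestamp"]))
    for ts_list in revokes.values():
        ts_list.sort()

    matched, unmatched = [], []
    for hit in payload["granting"]["hits"]["hits"]:
        entity = entity_of(hit)
        grant_ts = parse_ts(hit["_source"]["@timestamp"])
        # First revoke that is at or after the grant and not later than grant + window.
        revoke_ts = next(
            (r for r in revokes.get(entity, []) if grant_ts <= r <= grant_ts + window),
            None,
        )
        if revoke_ts is None:
            unmatched.append((entity, grant_ts))
        else:
            matched.append((entity, grant_ts, revoke_ts))
    return matched, unmatched


def make_hit(entity, action, ts, doc_id):
    """Constructed hit in the shape Watcher exposes under ctx.payload.<input>.hits.hits."""
    return {
        "_id": str(doc_id),
        "_source": {
            "@timestamp": ts,
            "useraudit": {
                "entity": entity,
                "actor": "system",
                "level": "INFO",
                "security": True,
                "message": f"role admin {action} for {entity} by system",
            },
        },
    }


# Constructed sample payload: jane is revoked 2h after the grant, bob 49h after, carol never.
SAMPLE_PAYLOAD = {
    "granting": {"hits": {"total": {"value": 3, "relation": "eq"}, "hits": [
        make_hit("jane", "granted", "2019-12-10T11:43:09.341Z", 850),
        make_hit("bob", "granted", "2019-12-10T09:00:00.000Z", 852),
        make_hit("carol", "granted", "2019-12-11T08:15:00.000Z", 854),
    ]}},
    "revoking": {"hits": {"total": {"value": 2, "relation": "eq"}, "hits": [
        make_hit("jane", "revoked", "2019-12-10T13:43:09.341Z", 851),
        make_hit("bob", "revoked", "2019-12-12T10:00:00.000Z", 853),
    ]}},
}


if __name__ == "__main__":
    print("condition met:", condition_met(SAMPLE_PAYLOAD))
    matched, unmatched = correlate(SAMPLE_PAYLOAD)
    for entity, g, r in matched:
        print(f"{entity}: granted {g}, revoked {r} (within window)")
    for entity, g in unmatched:
        print(f"{entity}: granted {g}, NO revoke within 24h")
```

The same grouping and window check is what a Painless script condition over ctx.payload.granting and ctx.payload.revoking would implement; the Python version just makes the logic easy to test against captured payloads before putting it into the watch.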