Condition In Watcher

 "condition": {
            "script": {
              "source": """
              def offenders = [];
                for (def source_ip: ctx.payload.aggregations.source_ip.buckets) {
                 for (def X_ID: source_ip.X_ID.buckets){
                   if (X_ID.doc_count >= 100) & (X_ID.doc_count < 500) {
                          'source_ip': source_ip.key,
                          'X_ID': X_ID.key,
                          'attempts': X_ID.doc_count,
                          'incident_name': 'XYZ',
                          'status_open' : 'open',
                          'description' : 'X X X X',
                          'incident_severity' : '10',
                          'conditions' : 'PasswordScan_SameDest_ManyAcct, 60mins',
                          'tenantId' : '67a76f18-487b-4033-a3d7-b706a8aa04f0'
      ctx.payload.offenders = offenders;
      return offenders.size() > 0;
      "lang": "painless"
  "actions": {
    "web_hook": {
      "webhook": {
        "scheme": "https",
        "host": "xxxx",
        "port": 443,

First, please format your messages properly using markdown snippts, this is impossible to read and thus super hard to help.

Second, please also include the search response you are trying to parse, otherwise everything would just be guesswork.


Hi @spinscale,

Thanks for your response. I have edited the post and formatted it properly (I hope).

The idea of the watch would be to trigger the Webhook if the count of "source_ip" is greater than or equal to 100 but less than 500.

I know that the rest of the condition works, it's just figuring out how to write the IF condition to trigger correctly.

I hope this makes some more sense



you did not show the search response so this is just guessing here. First you can use the min_doc_count parameter in the terms agg to ensure a minimal count.

you might want to create those offender object as part of a transform, and use the condition only to check if there are buckets with a doc count between 100/500.

This might be it already

return ctx.payload.aggregations.source_ip.buckets.anyMatch(b -> b.doc_count > 100 && b.doc_count < 5000);

Then you can do a transform like this

return ['offenders' : -> b.doc_count > 100 && b.doc_count < 500).map(b -> { return [YOUR_LIST_WITH_FIELDS_GOES_HERE] }).collect(Collectors.toList()) ]

this was on top of my head, so no guarantees, but should give you an idea.


1 Like

Thank you I'll have a look at this today :slight_smile:

The fix was just:

if (X_ID.doc_count >= 100 && X_ID.doc_count < 500).

I just had the wrong syntax I guess

Thanks for the support even with my lack of description

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.