Fields include in watcher not working properly. (Email Alert)

Hi,

I have set up ELK 7.4.2 on a Linux server. It receives Palo Alto logs, and I want to trigger an alert for any drop or deny event. The alert itself fires correctly. But when I reference the field name in the email body, the field comes back empty; the value is not there.
Below is the entire watcher:

   {
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "filebeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "match_phrase": {
                    "cef.device.vendor": {
                      "query": "Palo Alto Networks"
                    }
                  }
                },
                {
                  "term": {
                    "event.action": {
                      "value": "deny"
                    }
                  }
                },
                {
                  "exists": {
                    "field": "event.action"
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-15m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "xyz@companyname.com"
        ],
        "subject": "Alert : There is deny and drop req in the url",
        "body": {
          "text": "Timestamp:{{#ctx.payload.hits.hits}} {{_source.@timestamp}} {{/ctx.payload.hits.hits}}/n Action {{#ctx.payload.hits.hits}} {{_source.event.action}} {{/ctx.payload.hits.hits}}/n "
        }
      }
    }
  }
}

I am supposed to get the output something like this:
Timestamp: 06-Dec-2019 12:01:54
Action: deny

But I am not getting the value; it is empty.

And here is the output of execute watch API.

{
"watch_id": "8a0c0876-d546-4ffb-877d-7123957cc7c0",
"node": "Amf8D-gtTsGr0_Bv-ewuTQ",
"state": "executed",
"user": "elastic",
"status": {
"state": {
"active": true,
"timestamp": "2019-12-06T07:35:16.737Z"
},
"last_checked": "2019-12-06T07:36:16.856Z",
"last_met_condition": "2019-12-06T07:36:16.856Z",
"actions": {
"send_email": {
"ack": {
"timestamp": "2019-12-06T07:36:16.856Z",
"state": "ackable"
},
"last_execution": {
"timestamp": "2019-12-06T07:36:16.856Z",
"successful": true
},
"last_successful_execution": {
"timestamp": "2019-12-06T07:36:16.856Z",
"successful": true
}
}
},
"execution_state": "executed",
"version": -1
},
"trigger_event": {
"type": "schedule",
"triggered_time": "2019-12-06T07:36:16.856Z",
"schedule": {
"scheduled_time": "2019-12-06T07:36:16.774Z"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"filebeat-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"match_phrase": {
"cef.device.vendor": {
"query": "Palo Alto Networks"
}
}
},
{
"term": {
"event.action": {
"value": "deny"
}
}
},
{
"exists": {
"field": "event.action"
}
}
],
"filter": {
"range": {
"@timestamp": {
"gte": "now-15m"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 0
}
}
},
"metadata": {
"name": "try",
"xpack": {
"type": "json"
}
},
"result": {
"execution_time": "2019-12-06T07:36:16.856Z",
"execution_duration": 227,
"input": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 2,
"failed": 0,
"successful": 2,
"skipped": 0
},
"hits": {
"hits": [*],
"total": 10000,
"max_score": null
},
"took": 8,
"timed_out": false
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"filebeat-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"match_phrase": {
"cef.device.vendor": {
"query": "Palo Alto Networks"
}
}
},
{
"term": {
"event.action": {
"value": "deny"
}
}
},
{
"exists": {
"field": "event.action"
}
}
],
"filter": {
"range": {
"@timestamp": {
"gte": "now-15m"
}
}
}
}
}
}
}
}
},
"condition": {
"type": "compare",
"status": "success",
"met": true,
"compare": {
"resolved_values": {
"ctx.payload.hits.total": 10000
}
}
},
"actions": [
{
"id": "send_email",
"type": "email",
"status": "success",
"email": {
"account": "outlook_account",
"message": {
"id": "send_email_8a0c0876-d546-4ffb-877d-7123957cc7c0_623d1122-8072-4317-80ae-7e417f7556e9-2019-12-06T07:36:16.856681Z",
"from": "no-reply@siem.local",
"sent_date": "2019-12-06T07:36:16.907059Z",
"to": [
"xyz@companyname.com"
],
"subject": "Alert : There is deny and drop req in the url",
"body": {
"text": "Timestamp:/n Action /n "
}
}
}
}
]
},
"messages":
}

If anything more is required, please tell me and I'll post it.

Kindly help
Thanks,
Tahseen

Hey,

you are using "size": 0 in your query, which omits any result documents from the response — ctx.payload.hits.hits is empty, so the template loops in the email body have nothing to render.

--Alex

So should I set it to 1?
Let me try.

It worked!!!
Thanks
Alex

