How to pass the value of the query search to the message

VietCong · July 3, 2018, 6:41am

I have the watcher as below but I would like to pass the value of the "message" field to the alert message to Slack. Can someone please help? I have my watch syntax as below:

"text": "user minhhungvn107 attempted to execute {{ctx.input.search.request.body.query.bool.must.match.message}} command as root" ---> this might not make sense at all since I dont have any experience with json but hopefully someone can help me understand how to do this and point me to the right direction of where I need to start to be able to write watches properly

{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "command_history"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "message": "sudo"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "now-5m",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "notify-slack": {
      "slack": {
        "message": {
          "to": [
            "#slack-alert-from-siem"
          ],
          "text": "user minhhungvn107 attempted to execute ("#I want to pass the value of the command here") command as root"
        }
      }
    }
  }
}

spinscale · July 3, 2018, 8:20am

Take a look at the examples repository, which contains a fair share of example watches. For example the errors_in_logs one is doing almost what you would like to do.

Side note: You can only access the response from a search, not the request itself.

--Alex

system · July 31, 2018, 8:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Send link to search in slack Elasticsearch elastic-stack-alerting	6	1893	May 8, 2017
Watcher:failed to send sample slack message to user Elasticsearch elastic-stack-alerting	7	2059	November 14, 2018
Cannot access the search results through the watch execution context - Ctx.payload.hits.total Elasticsearch elastic-stack-alerting	6	1035	April 19, 2018
Get some information in Message Watcher Elasticsearch elastic-stack-alerting	7	957	May 1, 2020
Watcher query Kibana	2	466	June 25, 2019

How to pass the value of the query search to the message

Related topics