I have the watcher below, but I would like to pass the value of the "message" field into the alert message sent to Slack. Can someone please help? My watch syntax is as follows:
"text": "user minhhungvn107 attempted to execute {{ctx.input.search.request.body.query.bool.must.match.message}} command as root" ---> this might not make sense at all, since I don't have any experience with JSON, but hopefully someone can help me understand how to do this and point me in the right direction as to where I need to start in order to write watches properly.
{
"trigger": {
"schedule": {
"interval": "30s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"command_history"
],
"types": [],
"body": {
"query": {
"bool": {
"must": {
"match": {
"message": "sudo"
}
},
"filter": {
"range": {
"@timestamp": {
"from": "now-5m",
"to": "now"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},
"actions": {
"notify-slack": {
"slack": {
"message": {
"to": [
"#slack-alert-from-siem"
],
"text": "user minhhungvn107 attempted to execute ("#I want to pass the value of the command here") command as root"
}
}
}
}
}