Hi @spinscale,
I have had a chance to look into advanced watches again.
I am now getting values returned after looking at your advice.
"hits": {
  "hits": [
    {
      "_index": "main",
      "_type": "doc",
      "_source": {
        "process_id": 620,
        "computer_name": "TEST",
        "keywords": [
          "Audit Failure"
        ],
        "log_name": "Security",
        "level": "Information",
        "record_number": "57628",
        "event_data": {
          "Status": "0xc000006d",
          "ProcessName": "-",
          "LogonType": "3",
          "IpPort": "0",
          "SubjectLogonId": "0x0",
          "TransmittedServices": "-",
          "KeyLength": "0",
          "LmPackageName": "-",
          "SubjectUserName": "-",
          "FailureReason": "%%2313",
          "WorkstationName": "TEST",
          "SubjectDomainName": "-",
          "IpAddress": "TESTIP",
          "ProcessId": "0x0",
          "SubStatus": "0xc000006a",
          "TargetDomainName": "TEST",
          "LogonProcessName": "NtLmSsp ",
          "SubjectUserSid": "S-1-0-0",
          "TargetUserSid": "S-1-0-0",
          "AuthenticationPackageName": "NTLM"
        },
        "opcode": "Info",
        "tags": [
          "beats_input_codec_plain_applied"
        ],
        "thread_id": 496,
        "@timestamp": "2018-02-05T10:33:50.722Z",
        "task": "Logon",
        "event_id": 4625,
        "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
        "activity_id": "{2BF93E71-95E4-0001-8B3E-F92BE495D301}",
        "beat": {
          "hostname": "TEST",
          "name": "TEST",
          "version": "5.6.3"
        },
        "host": "TEST",
        "target_username": "TestUser",
        "source_name": "Microsoft-Windows-Security-Auditing"
Above is the output from the watch query. I have set up the email body as follows:
"actions": {
  "email_admin": {
    "throttle_period_in_millis": 50000,
    "email": {
      "profile": "standard",
      "to": [
        "george.townson@commissum.com"
      ],
      "subject": "Warning: User Added to Security Enabled Group",
      "body": {
        "text": "A user was added to a security enabled group. {{#ctx.payload.hits.hits}} {{_source.name.target_username}} {{/ctx.payload.hits.hits}}"
      }
    }
  }
}
Currently I see "A user was added to a security enabled group. " as the output. How would I get the email callback to return every "target_username", so I can see which users failed to log in?
cheers,
G
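The empty output in the post above comes from the template path, not from the query. Watcher renders the body with Mustache: inside `{{#ctx.payload.hits.hits}} ... {{/ctx.payload.hits.hits}}` each hit becomes the current context, so the field is reached as `{{_source.target_username}}`. The posted template asks for `_source.name.target_username`; there is no `name` object under `_source`, and Mustache renders an unresolvable path as an empty string rather than raising an error, which is why only the fixed sentence survives. The example below is added here and is not the poster's code or Elastic's: it is a deliberately small Mustache-style renderer (sections over lists, dotted variable paths) run against a constructed `ctx.payload` modelled on the 4625 hit in the post, with a second, invented hit (`svc_backup` from `10.0.0.5`) so the iteration is visible. It renders the original body beside a corrected one.

```python
import re

# Constructed sample of ctx.payload as Watcher hands it to the email template.
# Modelled on the 4625 hit shown in the post; the second hit is invented so the
# section loop has more than one element to iterate.
SAMPLE_CTX = {
    "payload": {
        "hits": {
            "total": 2,
            "hits": [
                {
                    "_index": "main",
                    "_source": {
                        "event_id": 4625,
                        "target_username": "TestUser",
                        "event_data": {"IpAddress": "TESTIP", "Status": "0xc000006d"},
                    },
                },
                {
                    "_index": "main",
                    "_source": {
                        "event_id": 4625,
                        "target_username": "svc_backup",  # constructed value
                        "event_data": {"IpAddress": "10.0.0.5", "Status": "0xc000006d"},
                    },
                },
            ],
        }
    }
}

# The body text from the post (wrong path) and a path-corrected version.
ORIGINAL_BODY = (
    "A user was added to a security enabled group. "
    "{{#ctx.payload.hits.hits}} {{_source.name.target_username}} {{/ctx.payload.hits.hits}}"
)
FIXED_BODY = (
    "Failed logons (event 4625) for:"
    "{{#ctx.payload.hits.hits}} {{_source.target_username}} from "
    "{{_source.event_data.IpAddress}};{{/ctx.payload.hits.hits}}"
)

SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.DOTALL)
VAR_RE = re.compile(r"\{\{([\w.]+)\}\}")


def lookup(path, stack):
    """Resolve a dotted path against the context stack, innermost context first.
    As in Mustache, a path that does not resolve yields None (rendered as "")."""
    for ctx in reversed(stack):
        cur = ctx
        for part in path.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
                continue
            cur = None
            break
        if cur is not None:
            return cur
    return None


def render(template, stack):
    """Minimal Mustache: {{#x}}...{{/x}} repeats its body once per list element,
    pushing that element as the innermost context; {{a.b}} substitutes a path."""
    def section(m):
        value = lookup(m.group(1), stack)
        if not value:
            return ""
        items = value if isinstance(value, list) else [value]
        return "".join(render(m.group(2), stack + [item]) for item in items)

    def variable(m):
        value = lookup(m.group(1), stack)
        return "" if value is None else str(value)

    return VAR_RE.sub(variable, SECTION_RE.sub(section, template))


def render_body(template, ctx=SAMPLE_CTX):
    """Render an email body with `ctx` in scope, as the watch action would."""
    return render(template, [{"ctx": ctx}])


if __name__ == "__main__":
    print(repr(render_body(ORIGINAL_BODY)))  # usernames silently missing
    print(repr(render_body(FIXED_BODY)))     # one entry per hit
```

Two caveats for the real watch: the loop only covers the hits the search input actually returned, so set `size` in the search body if more than the default 10 failed logons per run are expected, and remember that the subject line still says "User Added to Security Enabled Group" while the query matches event 4625 (failed logon), so whoever receives the mail will read it wrongly until the subject is changed to match.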