Muli query watcher

sholzhauer · December 27, 2019, 9:33am

I am trying to build a watcher which alerts me when the following occurs:

Event A (based on three tags and field result="InvalidPassword" for username=y) occurs three times.
Event A is followed by event B (based on three tags and field result="BlockedUser" for username=y) occurs once.

I have the following but this does not seem to work

{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "chain":{
      "inputs": [
        {
          "InvalidPassword": {
            "search": {
              "request": {
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "must": [
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-2m"
                            }
                          }
                        },
                        {
                          "match_phrase": {
                            "tags": "login"
                          }
                        },
                        {
                          "match_phrase": {
                            "result": "InvalidPassword"
                          }
                        }
                      ]
                    }
                  },
                  "aggs": {
                    "byUser": {
                      "terms": {
                        "field": "username"
                      }
                    }
                  }
                },
                "indices": [
                  "filebeat-*"
                ]
              }
            }
          }
        },
        {
          "BlockedUser": {
            "search": {
              "request": {
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "must": [
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-2m"
                            }
                          }
                        },
                        {
                          "match_phrase": {
                            "tags": "login"
                          }
                        },
                        {
                          "match_phrase": {
                            "result": "BlockedUser"
                          }
                        }
                      ]
                    }
                  },
                  "aggs": {
                    "byUser": {
                      "terms": {
                        "field": "username"
                      }
                    }
                  }
                },
                "indices": [
                  "filebeat-*"
                ]
              }
            }
          }
        }
      ]
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.InvalidPassword.username == ctx.payload.BlockedUser.username"
    }
  },
  "actions": {
    //my action
  }
}

jakelandis · December 27, 2019, 3:55pm

To troubleshoot, I would suggest to output the payload to the log file. I suspect that the you need to find the username ctx.payload.InvalidPassword.aggregations.byUser.username.buckets[0].key , or something like that (and may need to compare arrays). Logging the full payload should help see exactly how to reference the values in the script compare.

  "actions": {
    "mylog": {
      "logging": {
        "text": "The payload is: {{ctx.payload}} "
      }
...

sholzhauer · December 28, 2019, 12:08pm

Hi @jakelandis , thanks for the hint.

Did help me a step forward, but now I don't know what to make of the results.
(I included my full watcher code below this time)

The response from a log event:

The payload is: {metadata=null, watch_id=soc_test, payload={BlockedUser=
{_shards={total=0, failed=0, successful=0, skipped=0}, hits={hits=[], total=0, 
max_score=0.0}, took=0, timed_out=false}, InvalidPassword={_shards={total=0, 
failed=0, successful=0, skipped=0}, hits={hits=[], total=0, max_score=0.0}, 
took=0, timed_out=false}}, 
id=soc_test_3c1dddfa-1187-4563-9a22-896b9defcc59-2019-12-28T12:00:22.969733Z, 
trigger={triggered_time=2019-12-28T12:00:22.969Z, 
scheduled_time=2019-12-28T12:00:22.738Z}, vars={}, 
execution_time=2019-12-28T12:00:22.969733Z}

However when I use the BlockedUser query directly on elasticsearch the response is:

{
    "took": 1129,
    "timed_out": false,
    "_shards": {
        "total": 2950,
        "successful": 2950,
        "skipped": 2911,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 2,
            "relation": "eq"
        },
        "max_score": null,
        "hits": []
    }
}

Watcher

{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "input": {
    "chain": {
      "inputs": [
        {
          "InvalidPassword": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "filebeat-*"
                ],
                "rest_total_hits_as_int": true,
                "body": {
                  "size": 6,
                  "query": {
                    "bool": {
                      "must": [
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-8m"
                            }
                          }
                        },
                        {
                          "match_phrase": {
                            "tags": "login"
                          }
                        },
                        {
                          "match_phrase": {
                            "tags": "outsystems"
                          }
                        },
                        {
                          "match_phrase": {
                            "envcode": "fac"
                          }
                        },
                        {
                          "match_phrase": {
                            "application": "outsystems"
                          }
                        },
                        {
                          "match_phrase": {
                            "result": "InvalidPassword"
                          }
                        }
                      ]
                    }
                  }
                }
              }
            }
          }
        },
        {
          "BlockedUser": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "filebeat-*"
                ],
                "rest_total_hits_as_int": true,
                "body": {
                  "size": 6,
                  "query": {
                    "bool": {
                      "must": [
                        {
                          "range": {
                            "@timestamp": {
                              "gte": "now-8m"
                            }
                          }
                        },
                        {
                          "match_phrase": {
                            "tags": "login"
                          }
                        },
                        {
                          "match_phrase": {
                            "tags": "outsystems"
                          }
                        },
                        {
                          "match_phrase": {
                            "envcode": "fac"
                          }
                        },
                        {
                          "match_phrase": {
                            "application": "outsystems"
                          }
                        },
                        {
                          "match_phrase": {
                            "result": "BlockedUser"
                          }
                        }
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      ]
    }
  },
  "condition": {
    "always": {}
  },
  "actions": {
    "mylog": {
      "logging": {
        "text": "The payload is: {{ctx}}"
      }
    }
  }
}

Elasticsearch wget

wget --quiet \
  --method GET \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Basic <auth>' \
  --header 'User-Agent: PostmanRuntime/7.20.1' \
  --header 'Accept: */*' \
  --header 'Cache-Control: no-cache' \
  --header 'Host: <elasticsearchhost>:9200' \
  --header 'Accept-Encoding: gzip, deflate' \
  --header 'Content-Length: 1013' \
  --header 'Connection: keep-alive' \
  --header 'cache-control: no-cache' \
  --body-data '{\n    "size": 0,\n    "query": {\n        "bool": {\n            "must": [\n                {\n                    "range": {\n                        "@timestamp": {\n                            "gte": "now-8m"\n                        }\n                    }\n                },\n                {\n                    "match_phrase": {\n                        "tags": "login"\n                    }\n                },\n                {\n                    "match_phrase": {\n                        "tags": "outsystems"\n                    }\n                },\n                {\n                    "match_phrase": {\n                        "envcode": "fac"\n                    }\n                },\n                {\n                    "match_phrase": {\n                        "application": "outsystems"\n                    }\n                },\n                {\n                    "match_phrase": {\n                        "result": "BlockedUser"\n                    }\n                }\n            ]\n        }\n    }\n}' \
  --output-document \
  - http://<elasticsearchhost>:9200/filebeat-%2A/_search

jakelandis · January 2, 2020, 4:37pm

It looks like your query is not returning any results.

I would suggest to pull the search request out of the Watch and ensure that it is returning what you expect. The query syntax is the same, so it should be mostly copy/paste to a normal _search request.

system · January 30, 2020, 4:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Chain input Watcher multi result Elasticsearch elastic-stack-alerting	2	1869	February 5, 2020
Multiple queries - action on second query if not met after x timeframe Elasticsearch elastic-stack-alerting	3	366	June 4, 2019
Help with Advanced Watcher Elasticsearch elastic-stack-alerting	3	406	December 30, 2019
Watchers: querying for multiple strings in timeframe Elasticsearch elastic-stack-alerting	2	987	August 20, 2020
Creating watcher script if particular value ina field occurs more than five times in five minutes interval of time Elasticsearch elastic-stack-alerting	1	309	January 19, 2021

Muli query watcher

Related topics