Need help creating advanced watcher

I am new to Watchers and Elasticsearch API.

I need to create an email alert that will notify me if someone inserts an unauthorized mass storage device into a USB slot of Windows machines. The watcher needs to query events collected by winlogbeat from Windows Event Logs of several machines.

The watcher needs to do the following:

  1. Run every 5 minutes.
  2. Query only events that took place between now and 15 minutes ago, ignoring any older events.
  3. Initiate an action (email alert) if the following condition is met: the "winlog.channel.keyword" field contains "Microsoft-Windows-Kernel-PnP/Configuration" AND the "winlog.event_id.keyword" field contains "402".

The watcher runs every 5 minutes and reports that the condition was met every time it runs, although the insertion of the unauthorized USB mass storage device took place over 2 weeks ago and no new insertions have taken place since.

I therefore wonder:

  1. Is my time range specified correctly? Could it be that the watcher picks up that old event every time it runs?
  2. Is the watcher only looking for the "Microsoft-Windows-Kernel-PnP/Configuration" value in the "winlog.channel.keyword" field, instead of also checking the "winlog.event_id.keyword" field?

Below is the code of the advanced watcher I created; I would appreciate your help in correcting it.

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "md-winevent-alias"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-30m"
                  }
                }
              },
              "must": [
                {
                  "match": {
                    "winlog.channel": "Microsoft-Windows-Kernel-PnP/Configuration"
                  }
                },
                {
                  "match": {
                    "winlog.event_id": "402"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 0
      }
    }
  },
  "actions": {
    "email_administrator": {
      "email": {
        "profile": "standard",
        "to": [
          "john.doe@somewhere.com"
        ],
        "subject": "KRAKEN - USB Insertion Detected",
        "body": {
          "text": "Unauthorized USB insertion reported. Please consult KRAKEN Kibana dashboards."
        }
      }
    }
  }
}

I think I found a solution to my problem.

My original condition was:

  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 0
      }
    }
  },

The "gte" value was set to "0", so the action would be triggered every time the watcher ran, even when there were no events to alert on. As soon as I changed the "gte" value to "1", the watcher stopped sending an email at every run. Now it will do so only when the actual event is present.

  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
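To see why the condition matters, here is an added example (not code from the original post) that models how Watcher evaluates a "search" input followed by a "compare" condition. It runs the posted bool query logic against a handful of constructed winlogbeat-style documents (the field names winlog.channel and winlog.event_id are from the post; the timestamps, the noise documents and the run schedule are assumptions) and counts how many scheduled runs would fire. It also shows a second effect visible in the posted watcher: the range filter (now-30m) is wider than the 5m trigger interval, so one real insertion is still reported on every run for as long as it stays inside the window. Narrowing the window to the interval, or setting a throttle_period on the action, is the usual way to limit that to a single email.

```python
"""
Added example: a model of Watcher's search input + compare condition.
Not code from the original post; field names follow the post, everything
else (sample documents, anchor time, schedule) is constructed.
"""
from datetime import datetime, timedelta, timezone

CHANNEL = "Microsoft-Windows-Kernel-PnP/Configuration"
EVENT_ID = "402"

# Constructed anchor time for the sample data.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample documents: one matching USB event, one two-week-old
# copy of it, and two noise documents that fail one of the must clauses.
SAMPLE_DOCS = [
    {"@timestamp": T0, "winlog": {"channel": CHANNEL, "event_id": "402"}},
    {"@timestamp": T0 - timedelta(days=14), "winlog": {"channel": CHANNEL, "event_id": "402"}},
    {"@timestamp": T0, "winlog": {"channel": CHANNEL, "event_id": "400"}},
    {"@timestamp": T0, "winlog": {"channel": "Security", "event_id": "402"}},
]


def query_hits(docs, now, window):
    """Mimic the posted bool query: a range filter on @timestamp plus two must clauses."""
    since = now - window
    return [
        d for d in docs
        if d["@timestamp"] >= since                    # "gte": "now-<window>"
        and d["winlog"]["channel"] == CHANNEL          # match winlog.channel
        and d["winlog"]["event_id"] == EVENT_ID        # match winlog.event_id
    ]


# Operators supported by Watcher's compare condition.
COMPARE_OPS = {
    "eq": lambda a, b: a == b,
    "not_eq": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,
    "lte": lambda a, b: a <= b,
}


def compare_condition(total, op, value):
    """Evaluate {"compare": {"ctx.payload.hits.total": {op: value}}}."""
    return COMPARE_OPS[op](total, value)


def simulate(docs, start, runs, interval, window, op, value):
    """Return the run times at which the watcher's action would fire."""
    fired = []
    for i in range(runs):
        now = start + i * interval
        total = len(query_hits(docs, now, window))   # ctx.payload.hits.total
        if compare_condition(total, op, value):
            fired.append(now)
    return fired


def count_fires(op, value, window_minutes=30, docs=SAMPLE_DOCS):
    """Twelve runs at a 5-minute interval, the first one minute after the event."""
    return len(simulate(docs, T0 + timedelta(minutes=1), 12, timedelta(minutes=5),
                        timedelta(minutes=window_minutes), op, value))


if __name__ == "__main__":
    # gte 0 is always true, so every run fires even with zero hits.
    print("gte 0, 30m window:", count_fires("gte", 0), "of 12 runs")      # 12
    # gte 1 fires only while the event is inside the 30m window: 6 runs.
    print("gte 1, 30m window:", count_fires("gte", 1), "of 12 runs")      # 6
    # Matching the window to the interval reports the event exactly once.
    print("gte 1, 5m window:", count_fires("gte", 1, 5), "of 12 runs")    # 1
```

The two-week-old document never reaches the condition because the range filter drops it, which answers the first question in the post: the repeated alerts came from the `gte: 0` comparison, not from the old event being picked up.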
